Cyber Tech Help Support Forums > Software > Malware Removal Forum

#1
March 8th, 2012, 04:15 PM
lcyber
CTH Subscriber
 
Join Date: Feb 2003
O/S: Windows 7 64-bit
Location: uk
Posts: 1,066
PC running slowly again

I have defragged, scanned for malware and viruses, and closed down unnecessary programmes, but it still runs extremely slowly. I notice the resource monitor dial on my desktop shows some activity while all the delay is going on. What can I check for now?


#2
March 9th, 2012, 12:36 AM
Jintan
Malware Removal Team Advisor
 
Join Date: Dec 2004
Posts: 50,119
Hello lcyber,

Let's take a look. Quick FYI - defragging was truly beneficial on Windows 98, but with the advent of the NTFS file system, and newer and faster system devices, is less valuable to do. Once every 6 months may be a good choice.


If the system is Vista/Windows7, when running any of the scan files we use, be sure to right click the file, then select "Run as administrator" to start the scan/tool.

And to make sure you have an accurate view of files there, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".


To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed.

-------

Click here and download OldTimer's OTL to your desktop, then click that to open the scan display. At the top click "Scan All Users", then click "Run Scan". Make no other changes at this time.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are also saved in the same location as OTL.exe. Post the contents of those back here please.

-----------

Click here and download the installer for Gmer to your desktop, then click that file to run Gmer.


Once the opening scan finishes, click on Scan (again, before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

-----------

Download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • If you can have an open Internet connection, and allow it to download the latest Avast engine detections.
  • If avast! antivirus is already installed, just do the next step.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


A lot, but comprehensive, and will make sure we get a good view of everything.
#3
March 9th, 2012, 12:15 PM
lcyber
CTH Subscriber
 
Join Date: Feb 2003
O/S: Windows 7 64-bit
Location: uk
Posts: 1,066
Hi
Trying to turn Windows Defender off, but can't find it listed in All Programmes. In search, it is shown to be running, but I don't seem to have a facility to turn it on or off; it simply refers me to All Programmes if I need to turn it on or off. I need to turn it off in order to do scans.
#4
March 9th, 2012, 08:03 PM
lcyber
CTH Subscriber
 
Join Date: Feb 2003
O/S: Windows 7 64-bit
Location: uk
Posts: 1,066
OTL logfile created on: 09/03/2012 18:06:54 - Run 4
OTL by OldTimer - Version 3.2.36.2 Folder = C:\Users\user\Desktop
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.24 Gb Total Physical Memory | 1.81 Gb Available Physical Memory | 55.79% Memory free
6.48 Gb Paging File | 5.10 Gb Available in Paging File | 78.67% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 76.59 Gb Total Space | 49.61 Gb Free Space | 64.77% Space Free | Partition Type: NTFS
Drive F: | 149.01 Gb Total Space | 88.84 Gb Free Space | 59.62% Space Free | Partition Type: FAT32

Computer Name: USER-PC | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/09 18:06:39 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Users\user\Desktop\OTL.exe
PRC - [2012/02/23 16:23:24 | 004,031,368 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2012/02/23 16:23:21 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2012/01/13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/01/13 14:53:18 | 000,460,872 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/01/03 13:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/11/07 21:28:26 | 001,652,536 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PRC - [2011/11/07 21:28:26 | 000,931,640 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2011/04/29 09:30:27 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/11/20 12:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe


========== Modules (No Company Name) ==========

MOD - [2011/11/07 21:30:22 | 000,516,368 | ---- | M] () -- C:\ProgramData\Trusteer\Rapport\store\exts\Rapport MS\baseline\RapportMS.dll
MOD - [2011/10/30 20:57:06 | 000,557,056 | ---- | M] () -- C:\Program Files\Trusteer\Rapport\bin\js32.dll
MOD - [2011/05/28 21:04:56 | 000,140,288 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/02/23 16:23:21 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2012/02/23 16:23:20 | 000,131,288 | ---- | M] (AVAST Software) [Auto | Stopped] -- C:\Program Files\AVAST Software\Avast\afwServ.exe -- (avast! Firewall)
SRV - [2012/01/13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/01/03 13:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/11/07 21:28:26 | 000,931,640 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2011/03/24 21:02:15 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2009/07/14 01:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 01:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/14 01:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (VGPU)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (tsusbhub)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (Synth3dVsc)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (cpuz134)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (catchme)
DRV - [2012/02/23 16:13:00 | 000,112,984 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswFW.sys -- (aswFW)
DRV - [2012/02/23 16:12:28 | 000,610,648 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012/02/23 16:12:16 | 000,337,112 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012/02/23 16:12:01 | 000,196,440 | ---- | M] (AVAST Software) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\aswNdis2.sys -- (aswNdis2)
DRV - [2012/02/23 16:11:24 | 000,024,408 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswKbd.sys -- (aswKbd)
DRV - [2012/02/23 16:10:59 | 000,044,376 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\Drivers\aswrdr2.sys -- (aswRdr)
DRV - [2012/02/23 16:10:39 | 000,053,848 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012/02/23 16:10:34 | 000,057,688 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2012/02/23 16:10:16 | 000,020,696 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2012/02/23 15:54:51 | 000,012,112 | ---- | M] (ALWIL Software) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\aswNdis.sys -- (aswNdis)
DRV - [2011/12/15 17:08:25 | 000,228,208 | ---- | M] () [Kernel | System | Running] -- C:\ProgramData\Trusteer\Rapport\store\exts\Rapport Cerberus\34302\RapportCerberus32_34302.sys -- (RapportCerberus_34302)
DRV - [2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/11/07 21:30:22 | 000,021,520 | ---- | M] (Trusteer Ltd.) [Kernel | On_Demand | Running] -- c:\ProgramData\Trusteer\Rapport\store\exts\Rapport MS\baseline\RapportIaso.sys -- (RapportIaso)
DRV - [2011/11/07 21:28:40 | 000,071,440 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys -- (RapportEI)
DRV - [2011/11/07 21:28:38 | 000,164,112 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2011/11/07 21:28:38 | 000,056,208 | ---- | M] (Trusteer Ltd.) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\RapportKELL.sys -- (RapportKELL)
DRV - [2010/11/26 18:02:22 | 000,015,672 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\SmartDefragDriver.sys -- (SmartDefragDriver)
DRV - [2010/11/20 12:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 12:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 12:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 10:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 10:21:14 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2010/11/20 09:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 09:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\vms3cap.sys -- (s3cap)
DRV - [2009/07/13 23:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | System | Running] -- C:\Windows\System32\drivers\serial.sys -- (Serial)
DRV - [2009/07/13 22:02:47 | 000,050,688 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\L1C62x86.sys -- (L1C) NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=179&systemid=406&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2A59}: "URL" = http://search.imesh.com/web?src=ieb&systemid=1&q={searchTerms}
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2475029

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-GB
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 9E BE F8 A7 D1 97 CC 01 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {77f8c945-4b74-4bd6-a073-e0d1997edce8} - No CLSID value found
IE - HKCU\..\URLSearchHook: {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{0D7562AE-8EF6-416d-A838-AB665251703A}: "URL" = http://start.facemoods.com/?a=grupo&s={searchTerms}&f=4
IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=SP_ss&affID=100489&mntrId=941f3c7e0000000000001c6f65705093
IE - HKCU\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=FTB&o=41648107&src=kw&q={searchTerms}&locale=en_UK&apn_ptnrs=9D&apn_dtid=YYYYYYYYGB&apn_uid=039E5075-AAE6-4521-8C99-E5B772795371&apn_sauid=5F0705DA-1BBD-472F-82B9-4639B2C2ED1C&
IE - HKCU\..\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}: "URL" = http://search.alot.com/web?q={searchTerms}&pr=prov&client_id=574C02E001CC4B8300CA1374&install_time=2011-07-26T11:01:53Z&src_id=12287&camp_id=2586&tb_version=2.5.20000.3
IE - HKCU\..\SearchScopes\{80D0D368-780B-4BAE-8A6B-C8EC832E474B}: "URL" = http://uk.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&type=685749&p={searchTerms}
IE - HKCU\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=179&systemid=406&sr=0&q={searchTerms}
IE - HKCU\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2A59}: "URL" = http://search.imesh.com/web?src=ieb&systemid=1&q={searchTerms}
IE - HKCU\..\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}: "URL" = http://toolbar.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80135&lng=en
IE - HKCU\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredimail.com/mb68/?search={searchTerms}&loc=search_box&u=92823419176732906
IE - HKCU\..\SearchScopes\{E5DA3E03-D40E-4A8E-92D5-24973B70C1EC}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
IE - HKCU\..\SearchScopes\{E89CCB64-AED9-406B-8ECD-B2213C904848}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2795622
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: E:\Picasa3\npPicasa3.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)


[2011/03/30 22:45:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\user\AppData\Roaming\Mozilla\Extensions

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\17.0.963.56\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\17.0.963.56\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\17.0.963.56\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll
CHR - plugin: Java(TM) Platform SE 7 (Enabled) = C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0\
CHR - Extension: Google Search = C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.14_0\
CHR - Extension: avast! WebRep = C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\6.0.1407_0\
CHR - Extension: Gmail = C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.3_0\

O1 HOSTS File: ([2011/11/24 10:30:57 | 000,435,628 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 15020 more lines...
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (no name) - !{D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (no name) - {98889811-442D-49dd-99D7-DC866BE87DBC} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {77F8C945-4B74-4BD6-A073-E0D1997EDCE8} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jin...ndows-i586.cab (Java Plug-in 10.0.0)
O16 - DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jin...ndows-i586.cab (Java Plug-in 1.7.0)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jin...ndows-i586.cab (Java Plug-in 1.7.0)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2DA66059-73EF-43F1-ADBA-DA389CBA88B4}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 21:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/09 18:06:32 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Users\user\Desktop\OTL.exe
[2012/03/09 10:26:02 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{DA1E9E60-797C-4283-A20F-8648299EA165}
[2012/03/09 10:25:56 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{35DF1A4A-8BD7-44A5-B65C-E6CA0071BEFE}
[2012/03/08 22:25:50 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{69DFEBCC-E8B7-4C57-B683-970BE4BC4AC4}
[2012/03/08 22:25:44 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{8339C240-4BDC-4F94-941E-40AA1ACFF344}
[2012/03/08 10:13:59 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{F92F8E4B-4808-4C01-9E94-C53C8D882674}
[2012/03/08 10:13:53 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{E1335FFC-4830-43D7-89A9-9B6EF53414BB}
[2012/03/07 19:57:34 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{16F63384-0076-43D7-91E7-30769D8F3167}
[2012/03/07 19:57:20 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{43DC44C4-132D-4A00-B0C8-E175BF52EF54}
[2012/03/07 07:57:03 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{608FB246-6958-47A2-A40F-57953F587B14}
[2012/03/07 07:56:49 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{821FC202-64F7-469B-8B92-7CCE5AF25741}
[2012/03/06 19:56:31 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{7AC9A0BB-3E42-412E-8E7A-1ACC7E3A21E0}
[2012/03/06 19:56:26 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{CF23559D-1F81-4676-BD03-3A695FE3E2D3}
[2012/03/05 10:03:35 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{FA635762-6615-4D3F-887C-BECF2E44FF8E}
[2012/03/05 10:03:29 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{668F35D9-A6C1-43FF-B797-49ED1A9852A7}
[2012/03/04 19:47:04 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{DB475305-833D-4329-BF24-CC60B975C2DE}
[2012/03/04 19:44:52 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{E882BBE5-133B-48D1-AD7C-DEB3765B8D75}
[2012/03/03 13:16:17 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{1EBE75B2-02B7-4774-95FB-92EB2B3AF5DE}
[2012/03/03 13:13:10 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{9537AC29-30CE-47D3-8100-38F68E18A0BD}
[2012/03/02 09:19:37 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{0FA9E24D-2FFE-4328-824B-8B731022771F}
[2012/03/02 09:16:21 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{8100A53C-E583-4CA2-BFAC-3C5943B232EF}
[2012/03/01 13:25:13 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{6E9BD210-BA5F-412D-8797-99ADB5BA1541}
[2012/02/29 11:09:01 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{DDE186F0-A2C0-43F1-9FE9-FC7757339702}
[2012/02/29 11:06:33 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{BD26CDAD-9DEA-47F9-86F8-6EC98008B8B1}
[2012/02/29 10:03:08 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{910DA632-52A8-4FB3-A072-254557E2BEF9}
[2012/02/28 12:21:44 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{C7D887DA-B3C1-458C-B44C-8A6D67967EFC}
[2012/02/28 12:19:30 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{601D1C18-4E8D-4F37-8D3D-1CA800B02406}
[2012/02/27 19:59:32 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{0768F8BA-2E56-473C-9534-CA4C36E3BD18}
[2012/02/27 10:55:50 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{DF4295B0-B346-4AD8-99D0-DF269AE912B2}
[2012/02/27 10:53:50 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{D66843BB-D3DB-4EC4-8A8F-2B12F4E9C6DD}
[2012/02/26 23:08:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
[2012/02/26 14:36:31 | 000,112,984 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFW.sys
[2012/02/26 14:36:23 | 000,196,440 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswNdis2.sys
[2012/02/26 14:36:23 | 000,044,376 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr2.sys
[2012/02/26 14:36:22 | 000,024,408 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswKbd.sys
[2012/02/26 14:36:13 | 000,012,112 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswNdis.sys
[2012/02/26 14:32:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Internet Security
[2012/02/25 15:40:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Google
[2012/02/25 15:40:16 | 000,414,368 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012/02/25 10:58:01 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{862BA5EA-5C25-4841-B821-DCFF08A4BD9C}
[2012/02/25 10:55:13 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{9C623E93-9C34-4FAA-A84F-E698A76B7371}
[2012/02/24 22:52:00 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{4C5BA1B9-36F2-4BA7-8FB7-E1BB8B0750BC}
[2012/02/24 22:48:50 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{5D3E62C3-9F1C-46A3-9CE8-B8DE0E293A12}
[2012/02/24 10:46:11 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{E9C36EA1-39CE-4439-B490-477661718972}
[2012/02/24 10:43:15 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{279880F5-E319-493F-A58B-091410369B51}
[2012/02/23 00:04:52 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{41B87861-D1A2-4142-A16A-674F705002AB}
[2012/02/22 10:59:16 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{3CBE3852-AEA4-475B-A802-199415AE34C2}
[2012/02/22 10:56:53 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{BB286382-FD44-40A6-B15D-ED3859DC7A68}
[2012/02/22 09:56:12 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{10CB6142-4192-4BD0-AA58-98704F50949A}
[2012/02/22 09:39:38 | 000,000,000 | R--D | C] -- C:\Users\user\Desktop\Documents
[2012/02/21 10:44:06 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{570CC288-8339-4914-9CFE-8C33B2E8D0AA}
[2012/02/21 10:42:04 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{C7D2A034-1E4D-4D05-96E8-1590DA19A666}
[2012/02/20 22:39:08 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{A208CEA4-A1B7-4BAD-B59E-4C0470CC7004}
[2012/02/20 22:36:07 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{43CDAA4E-1F09-4856-B456-0705CBDBBD39}
[2012/02/20 10:16:13 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{4878EDD7-FF70-4321-A408-01C41CD39EB1}
[2012/02/20 10:13:11 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{D69D5E5D-91A9-40C8-958B-4BB96901CB3E}
[2012/02/19 12:19:24 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{25E4B0C9-BE3B-49AC-B78B-8BA17E35C45B}
[2012/02/19 12:16:22 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{2C5483C2-8871-441C-A206-CB9B64C615DC}
[2012/02/19 11:47:24 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{708AE14F-271C-408D-B90A-706ADCC21044}
[2012/02/19 11:44:30 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{E644214C-F9B7-4CB3-8C80-659B56E88C54}
[2012/02/18 14:22:58 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{600F4E39-5395-4BA4-9B61-39FBB32E667C}
[2012/02/18 14:20:04 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{E410266B-4EC4-4CC3-87CE-848084A78A20}
[2012/02/18 10:24:49 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{04CA8653-8E22-470E-A07B-4369433163E6}
[2012/02/17 21:38:44 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{91264309-1AEF-418A-BD31-82B5EBC978CF}
[2012/02/17 21:35:47 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{D5D07503-E0FC-4654-B2FC-703A999095A4}
[2012/02/17 09:32:32 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{887BE49B-933D-43DC-8001-893A7531AB5B}
[2012/02/17 09:30:06 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{3BD7972A-0E0F-4132-9ED6-AA37D2E69683}
[2012/02/16 11:44:13 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{43537686-557C-41ED-B838-469CC2C7B853}
[2012/02/16 11:41:50 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{2785C88E-FBCD-40CB-9828-654F950E39BB}
[2012/02/15 23:59:31 | 000,000,000 | ---D | C] -- C:\7073191d4d97e081ba
[2012/02/15 23:56:57 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2012/02/15 23:56:55 | 001,798,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2012/02/15 23:56:55 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2012/02/15 23:56:54 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2012/02/15 23:56:54 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2012/02/15 23:56:51 | 001,427,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2012/02/15 23:09:39 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{D906312E-AE81-45DE-BABB-E90863C77027}
[2012/02/15 23:07:39 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{045834BD-8C7F-46F6-8C6F-03FCF49F7C38}
[2012/02/15 11:04:21 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{5897F63A-B45F-4000-84A7-D49E53B195B3}
[2012/02/15 11:01:19 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{13CA3830-FCA8-4BDA-B20D-E7E557CC59A8}
[2012/02/15 10:29:25 | 000,478,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\timedate.cpl
[2012/02/15 10:29:06 | 002,343,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2012/02/14 22:58:02 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{2E3DEF7E-B0ED-44FE-8D18-297C3FC721BB}
[2012/02/14 22:54:56 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{22CDB7DB-F3BE-4B97-89E5-9328BF0DDA33}
[2012/02/14 10:51:39 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{A9FA6247-60AF-4DB6-9545-7187566C39D6}
[2012/02/14 10:48:37 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{C0A46B89-3382-42B9-ABE1-8144FA870244}
[2012/02/13 22:45:21 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{4A12D88E-F24E-46C8-B719-05E01ECDD6AE}
[2012/02/13 22:42:19 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{29FCBC15-B09E-4130-929A-4218BE7CDA56}
[2012/02/13 10:39:15 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{5BCF7112-ED73-41A3-86A7-80E70755E340}
[2012/02/13 10:36:05 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{28032CD7-B97C-4791-9CD7-E2178880A05E}
[2012/02/12 12:04:24 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{92E2EE54-EB07-4AD6-88CB-36BFA975883A}
[2012/02/12 12:02:09 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{58B0CACA-8255-4ACA-B621-C6CA699031FD}
[2012/02/11 09:58:49 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{F02FBFC5-AEF6-4266-9A43-2C9A3C92D1E5}
[2012/02/11 09:55:49 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{291F1095-E4E2-44B6-9447-CDBB150CA6FE}
[2012/02/10 11:51:23 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{7CD64AB7-38BC-4141-A041-A4861B6CA777}
[2012/02/10 11:48:23 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{F12B65CB-CF1E-4196-810F-7848E578BBDB}
[2012/02/09 23:30:09 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{69E66775-9087-4CF2-9BE6-CB299973DCA1}
[2012/02/09 23:29:41 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{7C883C04-75C8-4368-8526-232378FEDFA3}
[2012/02/09 11:29:07 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{9F7D0ABC-925B-4A8C-98BD-932E5699E810}
[2012/02/09 11:28:49 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{BC778A7E-E384-4320-A866-D1DCB9B82F80}
[2012/02/08 22:55:05 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{A05D76A2-C2C3-40AB-BEA8-5C01FE3FB5E0}
[2012/02/08 22:52:28 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{AA4F3FA5-4746-4899-9F94-DC7BE12FA151}

========== Files - Modified Within 30 Days ==========

[2012/03/09 18:06:39 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Users\user\Desktop\OTL.exe
[2012/03/09 17:50:00 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/03/09 15:50:00 | 000,000,878 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/03/09 03:05:52 | 000,017,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/03/09 03:05:52 | 000,017,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/03/08 20:51:02 | 000,002,174 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2012/03/08 13:16:11 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/03/08 13:16:04 | 2608,979,968 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/03 16:47:58 | 000,008,238 | ---- | M] () -- C:\Users\user\Desktop\Documents\chinese girl singin.odt
[2012/03/03 16:47:27 | 000,008,238 | ---- | M] () -- C:\Users\user\Desktop\Documents\Untitled 1.odt
[2012/02/29 11:05:52 | 000,013,193 | ---- | M] () -- C:\Users\user\Desktop\Documents\Complaint british gas.odt
[2012/02/26 14:36:22 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2012/02/26 14:32:32 | 000,001,882 | ---- | M] () -- C:\Users\Public\Desktop\avast! Internet Security.lnk
[2012/02/25 15:40:16 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012/02/23 16:23:26 | 000,041,184 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2012/02/23 16:23:21 | 000,201,352 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2012/02/23 16:13:00 | 000,112,984 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFW.sys
[2012/02/23 16:12:28 | 000,610,648 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2012/02/23 16:12:16 | 000,337,112 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2012/02/23 16:12:01 | 000,196,440 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswNdis2.sys
[2012/02/23 16:11:24 | 000,024,408 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswKbd.sys
[2012/02/23 16:10:59 | 000,044,376 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr2.sys
[2012/02/23 16:10:39 | 000,053,848 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2012/02/23 16:10:34 | 000,057,688 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2012/02/23 16:10:16 | 000,020,696 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2012/02/23 15:54:51 | 000,012,112 | ---- | M] (ALWIL Software) -- C:\Windows\System32\drivers\aswNdis.sys
[2012/02/23 09:18:36 | 000,237,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2012/02/23 00:38:04 | 000,007,635 | ---- | M] () -- C:\Users\user\AppData\Local\resmon.resmoncfg
[2012/02/22 18:00:55 | 000,096,983 | ---- | M] () -- C:\Users\user\Desktop\Documents\heliconia 3.jpg
[2012/02/22 17:54:15 | 000,061,274 | ---- | M] () -- C:\Users\user\Desktop\Documents\heliconia 2.jpg
[2012/02/22 12:03:52 | 000,254,154 | ---- | M] () -- C:\Users\user\Desktop\Documents\heliconia.jpg
[2012/02/22 11:35:30 | 000,628,024 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/02/22 11:35:30 | 000,110,208 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/02/19 12:29:21 | 000,000,925 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/02/19 03:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\ErrorEND.job
[2012/02/16 10:08:25 | 000,284,944 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

========== Files Created - No Company Name ==========

[2012/03/03 16:47:56 | 000,008,238 | ---- | C] () -- C:\Users\user\Desktop\Documents\chinese girl singin.odt
[2012/03/03 16:47:25 | 000,008,238 | ---- | C] () -- C:\Users\user\Desktop\Documents\Untitled 1.odt
[2012/02/29 11:05:50 | 000,013,193 | ---- | C] () -- C:\Users\user\Desktop\Documents\Complaint british gas.odt
[2012/02/26 23:08:50 | 000,002,174 | ---- | C] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2012/02/26 14:32:32 | 000,001,882 | ---- | C] () -- C:\Users\Public\Desktop\avast! Internet Security.lnk
[2012/02/25 15:40:35 | 000,000,882 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/02/25 15:40:34 | 000,000,878 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/02/22 17:55:47 | 000,096,983 | ---- | C] () -- C:\Users\user\Desktop\Documents\heliconia 3.jpg
[2012/02/22 12:09:54 | 000,061,274 | ---- | C] () -- C:\Users\user\Desktop\Documents\heliconia 2.jpg
[2012/02/22 11:56:59 | 000,254,154 | ---- | C] () -- C:\Users\user\Desktop\Documents\heliconia.jpg
[2011/11/30 15:46:24 | 000,017,828 | ---- | C] () -- C:\Users\user\AppData\Roaming\UserTile.png
[2011/11/25 19:19:22 | 000,098,304 | ---- | C] () -- C:\Windows\System32\redmonnt.dll
[2011/09/10 21:53:16 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/09/10 21:53:16 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/09/10 21:53:16 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/09/06 19:08:46 | 000,007,635 | ---- | C] () -- C:\Users\user\AppData\Local\resmon.resmoncfg
[2011/08/04 08:25:42 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe
[2011/08/04 08:25:36 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2011/07/25 19:51:46 | 000,002,712 | ---- | C] () -- C:\Windows\System32\AVRedirector.ini
[2011/07/25 19:51:46 | 000,001,392 | ---- | C] () -- C:\Windows\System32\AVRedirectorOff.ini
[2011/06/15 09:50:22 | 000,000,286 | ---- | C] () -- C:\Windows\reimage.ini
[2011/06/06 20:06:53 | 000,000,144 | ---- | C] () -- C:\Users\user\AppData\Roaming\ohvoiryn.bat
[2011/02/28 11:48:11 | 000,028,496 | ---- | C] () -- C:\Windows\System32\SmartDefragBootTime.exe
[2011/02/28 11:48:11 | 000,015,672 | ---- | C] () -- C:\Windows\System32\drivers\SmartDefragDriver.sys
[2011/02/13 21:36:11 | 000,006,656 | ---- | C] () -- C:\Users\user\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/02/08 16:09:10 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 1069 bytes -> C:\Users\Public\Documents\Statin users have a 48% higher risk of developing diabetes.eml:OECustomProperty

< End of rep
  #5  
Old March 10th, 2012, 12:30 AM
Jintan Jintan is offline
Malware Removal Team Advisor
 
Join Date: Dec 2004
Posts: 50,119
The link in my first post shows how to disable Windows Defender. Do that, and be sure to run and post the rest of the requested logs.

If OTL did not create a second, Extras.Txt log (located in the same place as OTL.exe), download HijackThis from Here. Then click on the downloaded file, and install HijackThis.

In HijackThis, click Config - Misc Tools - Open Uninstall Manager.

Click on Save List, then save that to a location you can locate again (such as the desktop). Copy/paste the contents of that back here please.
  #6  
Old March 10th, 2012, 10:52 AM
lcyber lcyber is offline
CTH Subscriber
 
Join Date: Feb 2003
O/S: Windows 7 64-bit
Location: uk
Posts: 1,066
OTL Extras logfile created on: 07/09/2011 20:09:53 - Run 1
OTL by OldTimer - Version 3.2.27.0 Folder = C:\Users\user\Downloads
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.24 Gb Total Physical Memory | 2.31 Gb Available Physical Memory | 71.45% Memory free
6.48 Gb Paging File | 5.50 Gb Available in Paging File | 84.84% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 76.59 Gb Total Space | 54.06 Gb Free Space | 70.58% Space Free | Partition Type: NTFS

Computer Name: USER-PC | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1579020501-843201239-3247690963-1000\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{17504ED4-DB08-40A8-81C2-27D8C01581DA}" = Windows Live Remote Service Resources
"{19A4A990-5343-4FF7-B3B5-6F046C091EDF}" = Windows Live Remote Client
"{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{227E8782-B2F4-4E97-B0EE-49DE9CC1C0C0}" = Windows Live Remote Service
"{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java(TM) 6 Update 23
"{26A24AE4-039D-4CA4-87B4-2F83217000FF}" = Java(TM) 7
"{2A3FC24C-6EC0-4519-A52B-FDA4EA9B2D24}" = Windows Live Messenger
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{464B3406-A4D0-4914-910F-7CA4380DCC13}" = Windows Live Remote Client Resources
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50816F92-1652-4A7C-B9BC-48F682742C4B}" = Messenger Companion
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{612AD33D-9824-4E87-8396-92374E91C4BB}_is1" = Inbox Toolbar
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{759142E8-25B0-42AE-B408-4215065D3F4B}" = Windows Live Family Safety
"{78A96B4C-A643-4D0F-98C2-A8E16A6669F9}" = Windows Live Messenger Companion Core
  #7  
Old March 10th, 2012, 10:53 AM
lcyber lcyber is offline
CTH Subscriber
 
Join Date: Feb 2003
O/S: Windows 7 64-bit
Location: uk
Posts: 1,066
"{82AF3E91-57E1-4754-84D0-40A46E2479AB}" = OpenOffice.org 3.3
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{8BCD7AE7-F713-4D50-BAB9-7839B9386870}" = ImageShack Uploader 2.2.0
"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.0)
"{AF844339-2F8A-4593-81B3-9F4C54038C4E}" = Windows Live MIME IFilter
"{BCF16F16-AC0E-4ABE-A9EF-412CF484BA51}" = Windows Live Family Safety
"{C6150D8A-86ED-41D3-87BB-F3BB51B0B77F}" = Windows Live ID Sign-in Assistant
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"Adobe AIR" = Adobe AIR
"Eusing Free Registry Cleaner" = Eusing Free Registry Cleaner
"filehippo.com" = FileHippo.com Update Checker
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"Karen's Clipboard Viewer" = Karen's Clipboard Viewer
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Picasa 3" = Picasa 3
"Protected Folder_is1" = Protected Folder
"Rapport_msi" = Rapport
"Revo Uninstaller" = Revo Uninstaller 1.92
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"TVWiz" = Intel(R) TV Wizard
"VLC media player" = VideoLAN VLC media player 0.8.6f
"WinASO Registry Optimizer_is1" = WinASO Registry Optimizer 4.7.2
"WinLiveSuite" = Windows Live Essentials
"WinRAR archiver" = WinRAR 4.01 (32-bit)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 07/09/2011 14:42:37 | Computer Name = user-PC | Source = Microsoft-Windows-CAPI2 | ID = 513
Description = Cryptographic Services failed while processing the OnIdentity() call
in the System Writer Object. Details: AddLegacyDriverFiles: Unable to back up image
of binary aswRdr. System Error: The system cannot find the file specified. .

Error - 07/09/2011 14:42:37 | Computer Name = user-PC | Source = Microsoft-Windows-CAPI2 | ID = 513
Description = Cryptographic Services failed while processing the OnIdentity() call
in the System Writer Object. Details: AddLegacyDriverFiles: Unable to back up image
of binary aswSnx. System Error: The system cannot find the file specified. .

Error - 07/09/2011 14:42:37 | Computer Name = user-PC | Source = Microsoft-Windows-CAPI2 | ID = 513
Description = Cryptographic Services failed while processing the OnIdentity() call
in the System Writer Object. Details: AddLegacyDriverFiles: Unable to back up image
of binary aswSP. System Error: The system cannot find the file specified. .

Error - 07/09/2011 14:42:37 | Computer Name = user-PC | Source = Microsoft-Windows-CAPI2 | ID = 513
Description = Cryptographic Services failed while processing the OnIdentity() call
in the System Writer Object. Details: AddLegacyDriverFiles: Unable to back up image
of binary avast! Network Shield Support. System Error: The system cannot find the
file specified. .

Error - 07/09/2011 14:47:42 | Computer Name = user-PC | Source = Microsoft-Windows-CAPI2 | ID = 513
Description = Cryptographic Services failed while processing the OnIdentity() call
in the System Writer Object. Details: AddLegacyDriverFiles: Unable to back up image
of binary aswFsBlk. System Error: The system cannot find the file specified. .

Error - 07/09/2011 14:47:42 | Computer Name = user-PC | Source = Microsoft-Windows-CAPI2 | ID = 513
Description = Cryptographic Services failed while processing the OnIdentity() call
in the System Writer Object. Details: AddLegacyDriverFiles: Unable to back up image
of binary aswMonFlt. System Error: The system cannot find the file specified. .

Error - 07/09/2011 14:47:42 | Computer Name = user-PC | Source = Microsoft-Windows-CAPI2 | ID = 513
Description = Cryptographic Services failed while processing the OnIdentity() call
in the System Writer Object. Details: AddLegacyDriverFiles: Unable to back up image
of binary aswRdr. System Error: The system cannot find the file specified. .

Error - 07/09/2011 14:47:42 | Computer Name = user-PC | Source = Microsoft-Windows-CAPI2 | ID = 513
Description = Cryptographic Services failed while processing the OnIdentity() call
in the System Writer Object. Details: AddLegacyDriverFiles: Unable to back up image
of binary aswSnx. System Error: The system cannot find the file specified. .

Error - 07/09/2011 14:47:42 | Computer Name = user-PC | Source = Microsoft-Windows-CAPI2 | ID = 513
Description = Cryptographic Services failed while processing the OnIdentity() call
in the System Writer Object. Details: AddLegacyDriverFiles: Unable to back up image
of binary aswSP. System Error: The system cannot find the file specified. .

Error - 07/09/2011 14:47:42 | Computer Name = user-PC | Source = Microsoft-Windows-CAPI2 | ID = 513
Description = Cryptographic Services failed while processing the OnIdentity() call
in the System Writer Object. Details: AddLegacyDriverFiles: Unable to back up image
of binary avast! Network Shield Support. System Error: The system cannot find the
file specified. .

[ System Events ]
Error - 06/09/2011 14:25:30 | Computer Name = user-PC | Source = DCOM | ID = 10016
Description =

Error - 06/09/2011 14:50:10 | Computer Name = user-PC | Source = volsnap | ID = 393252
Description = The shadow copies of volume C: were aborted because the shadow copy
storage could not grow due to a user imposed limit.

Error - 07/09/2011 03:01:29 | Computer Name = user-PC | Source = Service Control Manager | ID = 7000
Description = The IS360service service failed to start due to the following error:
%%3

Error - 07/09/2011 03:01:33 | Computer Name = user-PC | Source = Service Control Manager | ID = 7000
Description = The SBSD Security Center Service service failed to start due to the
following error: %%3

Error - 07/09/2011 03:01:36 | Computer Name = user-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
is3srv szkg5 szkgfs

Error - 07/09/2011 03:02:14 | Computer Name = user-PC | Source = Service Control Manager | ID = 7023
Description = The Superfetch service terminated with the following error: %%2

Error - 07/09/2011 14:54:03 | Computer Name = user-PC | Source = Service Control Manager | ID = 7000
Description = The IS360service service failed to start due to the following error:
%%3

Error - 07/09/2011 14:54:09 | Computer Name = user-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
is3srv szkg5 szkgfs

Error - 07/09/2011 14:54:47 | Computer Name = user-PC | Source = Service Control Manager | ID = 7023
Description = The Superfetch service terminated with the following error: %%2

Error - 07/09/2011 14:55:42 | Computer Name = user-PC | Source = WMPNetworkSvc | ID = 866300
Description =


< End of report >
  #8  
Old March 10th, 2012, 05:45 PM
lcyber lcyber is offline
CTH Subscriber
 
Join Date: Feb 2003
O/S: Windows 7 64-bit
Location: uk
Posts: 1,066
Hi
Your link suggests as follows; but Windows Defender is not shown in Programs at all, so I can't uncheck the Real Time Protection if I am unable to locate it. I read somewhere that Microsoft had uninstalled it and superseded it with their security system, but it is still shown as being operated on my system. It doesn't appear either under >Start >Control Panel>Security; I can't find it to be able to disable it.
"
• Click Start > Programs > Windows Defender or launch from the system tray icon.

• Click on Tools & Settings > Options.

• Under Real-time protection options, uncheck the "Real-time protection" check box.

• Click Save.

• Go to Start > Control Panel > Security > Windows Defender, at the bottom of the Window Defenders page uncheck under Administrator Options "use Windows Defender" and then
  #9  
Old March 10th, 2012, 05:48 PM
lcyber lcyber is offline
CTH Subscriber
 
Join Date: Feb 2003
O/S: Windows 7 64-bit
Location: uk
Posts: 1,066
Defender is now showing under Search as being Off, so please ignore my last message.
  #10  
Old March 10th, 2012, 05:57 PM
lcyber lcyber is offline
CTH Subscriber
 
Join Date: Feb 2003
O/S: Windows 7 64-bit
Location: uk
Posts: 1,066
Adobe AIR
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.2)
avast! Internet Security
CCleaner
D3DX10
Easy Duplicate Finder v. 3.2
Google Chrome
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
HijackThis 2.0.2
Intel(R) Graphics Media Accelerator Driver
Intel(R) TV Wizard
Java(TM) 6 Update 23
Java(TM) 7
Junk Mail filter update
Malwarebytes Anti-Malware version 1.60.1.1000
Mesh Runtime
Messenger Companion
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MSVCRT
OpenOffice.org 3.3
Rapport
Rapport
Revo Uninstaller 1.92
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
VideoLAN VLC media player 0.8.6f
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Family Safety
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Mail
Windows Live Mesh
Windows Live Mesh
Windows Live Messenger
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live MIME IFilter
Windows Live Photo Common
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer
Windows Live Writer
Windows Live Writer Resources
WinRAR 4.01 (32-bit)
  #11  
Old March 10th, 2012, 06:06 PM
lcyber lcyber is offline
CTH Subscriber
 
Join Date: Feb 2003
O/S: Windows 7 64-bit
Location: uk
Posts: 1,066
Rootkit scan 2012-03-09 18:34:00
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ExcelStor_Technology_J8080S rev.P21OAB3A
Running: rw3nck8l.exe; Driver: C:\Users\user\AppData\Local\Temp\kxldapob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x90A82DC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x91ED2904]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwAssignProcessToJobObject [0x9137C080]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x90A8825C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x90A882A8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwCreateFile [0x9137CBDE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x90A8839A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x90A881CA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x90A882EC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x90A88212]
SSDT \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys ZwCreateThreadEx [0x90B28640]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x90A88354]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x90A82E10]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteFile [0x9137CDD6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteKey [0x913805AC]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteValueKey [0x913805DE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x91ED29DE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x90A82AA2]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwLoadKey [0x91380740]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x90A82E5C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x90A85C94]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x90A83AD6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x90A88286]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x90A882CA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenFile [0x9137CCF6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x90A883BE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x90A881F0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenProcess [0x9137C1F6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x90A88326]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x90A8823A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenThread [0x9137C3EA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x90A88378]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x91ED2B4A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x90A839A2]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwQueryValueKey [0x913806B6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRenameKey [0x91380620]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwReplaceKey [0x91380652]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRestoreKey [0x91380684]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x90A82EA8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x90A82EF4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetContextThread [0x9137C026]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetInformationFile [0x9137CE7C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x90A82B12]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x90A82CB6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetValueKey [0x91380544]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x90A82C5E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSuspendThread [0x9137BFC0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x90A82D26]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x91ED2C0A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateThread [0x9137BF30]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x90A82F40]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x91ED2A8A]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x91EE8A72]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 82A4D369 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A86D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82A8DD80 4 Bytes [C4, 2D, A8, 90]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82A8DDA8 4 Bytes [04, 29, ED, 91] {ADD AL, 0x29; IN EAX, DX; XCHG ECX, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82A8DE08 4 Bytes [80, C0, 37, 91] {ADD AL, 0x37; XCHG ECX, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82A8DE5C 16 Bytes [5C, 82, A8, 90, A8, 82, A8, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82A8DE84 4 Bytes [CA, 81, A8, 90] {RETF 0xa881; NOP }
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82C1ABE8 5 Bytes JMP 91EE596C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 82C331D0 5 Bytes JMP 91EE7444 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82C48317 2 Bytes CALL 90A84189 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 10B 82C4831A 1 Byte [0D]
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82C620E9 2 Bytes CALL 90A8419F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 125 82C620EC 1 Byte [0D]
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82CEBF30 7 Bytes JMP 91EE8A76 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\csrss.exe[428] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[480] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000303FC
.text C:\Windows\system32\wininit.exe[480] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000301F8
.text C:\Windows\system32\wininit.exe[480] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[480] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 00050A08
.text C:\Windows\system32\wininit.exe[480] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 000503FC
.text C:\Windows\system32\wininit.exe[480] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 00050804
.text C:\Windows\system32\wininit.exe[480] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 000501F8
.text C:\Windows\system32\wininit.exe[480] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 00050600
.text C:\Windows\system32\csrss.exe[492] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[540] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000303FC
.text C:\Windows\system32\winlogon.exe[540] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000301F8
.text C:\Windows\system32\winlogon.exe[540] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[540] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 00100A08
.text C:\Windows\system32\winlogon.exe[540] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 001003FC
.text C:\Windows\system32\winlogon.exe[540] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 00100804
.text C:\Windows\system32\winlogon.exe[540] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 001001F8
.text C:\Windows\system32\winlogon.exe[540] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 00100600
.text C:\Windows\system32\services.exe[564] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\services.exe[564] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\services.exe[564] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\system32\lsass.exe[600] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsass.exe[600] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsass.exe[600] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\system32\lsass.exe[600] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 001D0A08
.text C:\Windows\system32\lsass.exe[600] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 001D03FC
.text C:\Windows\system32\lsass.exe[600] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 001D0804
.text C:\Windows\system32\lsass.exe[600] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 001D01F8
.text C:\Windows\system32\lsass.exe[600] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 001D0600
.text C:\Windows\system32\lsm.exe[608] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsm.exe[608] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsm.exe[608] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[708] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[708] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[708] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[804] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[804] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[804] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[804] user32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 00190A08
.text C:\Windows\system32\svchost.exe[804] user32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 001903FC
.text C:\Windows\system32\svchost.exe[804] user32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 00190804
.text C:\Windows\system32\svchost.exe[804] user32.dll!SetWinEventHook 759724DC 5 Bytes JMP 001901F8
.text C:\Windows\system32\svchost.exe[804] user32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 00190600
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[864] ntdll.dll!KiUserApcDispatcher 77526F38 5 Bytes JMP 00414D50 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[864] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 001603FC
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[864] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 001601F8
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[864] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[864] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 00300A08
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[864] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 003003FC
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[864] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 00300804
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[864] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 003001F8
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[864] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 00300600
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[864] WS2_32.dll!getaddrinfo 762C4296 5 Bytes JMP 71A40022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[864] WS2_32.dll!gethostbyname 762D7673 5 Bytes JMP 71AD0022
.text C:\Windows\System32\svchost.exe[1000] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[1000] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[1000] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1000] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 00310A08
.text C:\Windows\System32\svchost.exe[1000] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 003103FC
.text C:\Windows\System32\svchost.exe[1000] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 00310804
.text C:\Windows\System32\svchost.exe[1000] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 003101F8
.text C:\Windows\System32\svchost.exe[1000] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 00310600
.text C:\Windows\System32\svchost.exe[1032] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[1032] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[1032] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1032] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 00360A08
.text C:\Windows\System32\svchost.exe[1032] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 003603FC
.text C:\Windows\System32\svchost.exe[1032] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 00360804
.text C:\Windows\System32\svchost.exe[1032] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 003601F8
.text C:\Windows\System32\svchost.exe[1032] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 00360600
.text C:\Windows\system32\svchost.exe[1076] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1076] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1076] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1076] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 01060A08
.text C:\Windows\system32\svchost.exe[1076] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 010603FC
.text C:\Windows\system32\svchost.exe[1076] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 01060804
.text C:\Windows\system32\svchost.exe[1076] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 010601F8
.text C:\Windows\system32\svchost.exe[1076] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 01060600
.text C:\Windows\system32\svchost.exe[1204] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1204] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1204] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 00250A08
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 002503FC
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 00250804
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 002501F8
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!SetWindowsHookExA 75996D0C 3 Bytes JMP 00250600
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!SetWindowsHookExA + 4 75996D10 1 Byte [8A]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1240] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000603FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1240] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1240] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1240] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 00110A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1240] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 001103FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1240] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 00110804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1240] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 001101F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1240] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 00110600
.text C:\Windows\system32\svchost.exe[1304] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000A03FC
.text C:\Windows\system32\svchost.exe[1304] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000A01F8
.text C:\Windows\system32\svchost.exe[1304] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1304] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 00400A08
.text C:\Windows\system32\svchost.exe[1304] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 004003FC
.text C:\Windows\system32\svchost.exe[1304] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 00400804
.text C:\Windows\system32\svchost.exe[1304] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 004001F8
.text C:\Windows\system32\svchost.exe[1304] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 00400600
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1376] kernel32.dll!SetUnhandledExceptionFilter 7619F4FB 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1376] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1404] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000603FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1404] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1404] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1404] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 00100A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1404] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 001003FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1404] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 00100804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1404] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 001001F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1404] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 00100600
.text C:\Windows\System32\spoolsv.exe[1592] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000603FC
.text C:\Windows\System32\spoolsv.exe[1592] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Windows\System32\spoolsv.exe[1592] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1592] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 00100A08
.text C:\Windows\System32\spoolsv.exe[1592] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 001003FC
.text C:\Windows\System32\spoolsv.exe[1592] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 00100804
.text C:\Windows\System32\spoolsv.exe[1592] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 001001F8
.text C:\Windows\System32\spoolsv.exe[1592] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 00100600
.text C:\Windows\system32\svchost.exe[1620] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1620] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1620] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1620] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 00140A08
.text C:\Windows\system32\svchost.exe[1620] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 001403FC
.text C:\Windows\system32\svchost.exe[1620] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 00140804
.text C:\Windows\system32\svchost.exe[1620] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 001401F8
.text C:\Windows\system32\svchost.exe[1620] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 00140600
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1756] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000703FC
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1756] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000701F8
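An added example, not part of lcyber's post and not GMER's own code: a small Python triage script for logs in exactly this shape. Reading a GMER dump by hand means scanning hundreds of near-identical lines, so the script parses the three kinds of lines above (SSDT table entries, kernel inline hooks such as the PAGE/.text lines on ntkrnlpa.exe, and per-process user-mode hooks), groups SSDT hooks by the driver that set them, and lists the user-mode hooks whose JMP or PUSH;RET target GMER could not attribute to a loaded module. On this log the SSDT hookers are avast! (aswSnx.SYS, aswSP.SYS) and Trusteer Rapport (RapportPG.sys), and both products also inject into user processes, so an unattributed target is a review list, not a malware verdict. The sample lines inside are constructed copies in the format of the log above; the script reads text only and touches nothing on the system. The grouping keys, field names and the 3-process threshold for "systemic" hooks are my own choices.

```python
"""Triage helper for GMER 1.0.15 text logs (added example, not GMER's own code).

Groups SSDT hooks by the driver that set them, parses per-process inline hooks,
and separates hooks whose target GMER attributed to a module from those it could
not.  The unattributed ones are where a helper's manual reading goes."""
import re
from collections import defaultdict

# Constructed sample in the shape of the pasted log: a few lines of each kind.
SAMPLE_LOG = r"""
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x90A82AA2]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenProcess [0x9137C1F6]
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82CEBF30 7 Bytes JMP 91EE8A76 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text C:\Windows\system32\lsass.exe[600] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsass.exe[600] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[708] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Windows\Explorer.EXE[2452] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] ntdll.dll!KiUserApcDispatcher + E 77526F46 5 Bytes JMP 01938FA0 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] WININET.dll!HttpSendRequestW 75FFC40D 6 Bytes PUSH 714C0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] kernel32.dll!CreateThread 7619DCC2 5 Bytes JMP 6C177303 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
"""

HEX = r"[0-9A-Fa-f]"
# "SSDT <driver> (<vendor>) ZwFoo [0xADDR]"; the "Code" table looks the same but may lack an address.
KTABLE_RE = re.compile(
    r"^(?P<table>SSDT|Code)\s+(?P<driver>.+?)(?:\s+\((?P<desc>[^()]*)\))?"
    rf"\s+(?P<func>\w+)(?:\s+\[0x(?P<addr>{HEX}+)\])?$")
# Tail shared by inline-hook lines: "mod!Func [+ off] ADDR N Byte(s) <patch>".
TAIL = (rf"(?P<mod>[^\s!]+)!(?P<func>\w+)(?:\s*\+\s*(?P<off>{HEX}+))?"
        rf"\s+(?P<addr>{HEX}{{8}})\s+(?P<n>\d+)\s+Bytes?\s+(?P<patch>.+)$")
USER_RE = re.compile(r"^(?P<sect>\S+)\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+" + TAIL)  # has a [pid]
KERN_RE = re.compile(r"^(?P<sect>\S+)\s+" + TAIL)                                  # ntkrnlpa.exe etc.
# Patch text: JMP/CALL to a target, a "PUSH target; RET" trampoline, or raw bytes in [...].
PATCH_RE = re.compile(rf"^(?P<kind>JMP|CALL|PUSH)\s+(?P<target>{HEX}{{8}})(?:;\s*RET)?(?:\s+(?P<attr>.+))?$")


def parse_patch(patch):
    """Split the patch column into hook kind, target address and GMER's module attribution."""
    m = PATCH_RE.match(patch)
    if not m:
        return {"kind": "bytes", "target": None, "attr": None}  # e.g. "[62]" byte edits
    return {"kind": m["kind"], "target": m["target"].upper(), "attr": m["attr"]}


def parse_log(text):
    """Return (kernel_hooks, user_hooks, unparsed_lines) for one GMER log."""
    kernel, user, unparsed = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("----"):  # blank lines and section banners
            continue
        if m := KTABLE_RE.match(line):
            kernel.append({"table": m["table"], "driver": m["driver"], "desc": m["desc"],
                           "func": m["func"], "kind": "table", "target": m["addr"], "attr": None})
        elif m := USER_RE.match(line):
            user.append({"proc": m["proc"], "pid": int(m["pid"]), "api": f"{m['mod']}!{m['func']}",
                         "off": m["off"], **parse_patch(m["patch"])})
        elif m := KERN_RE.match(line):
            p = parse_patch(m["patch"])
            kernel.append({"table": m["sect"], "driver": p["attr"], "desc": None,
                           "func": f"{m['mod']}!{m['func']}", **p})
        else:
            unparsed.append(line)  # anything the three patterns miss is shown, never dropped
    return kernel, user, unparsed


def ssdt_by_driver(kernel):
    """Which Zw* services each driver hooks, keyed by (driver path, GMER's vendor string)."""
    out = defaultdict(list)
    for h in kernel:
        if h["table"] == "SSDT":
            out[(h["driver"], h["desc"])].append(h["func"])
    return {k: sorted(v) for k, v in out.items()}


def unattributed_user_hooks(user):
    """Inline hooks whose target GMER could not map to a loaded module: a review list,
    since injecting security products (avast!, Rapport) produce these as well."""
    return [h for h in user if h["kind"] != "bytes" and not h["attr"]]


def systemic_hooks(user, min_procs=3):
    """(api, kind) pairs hooked in at least min_procs distinct processes: the fingerprint
    of a product that hooks every process, as opposed to a one-off injection."""
    seen = defaultdict(set)
    for h in user:
        if h["target"]:
            seen[(h["api"], h["kind"])].add(h["pid"])
    return {k: len(v) for k, v in seen.items() if len(v) >= min_procs}


if __name__ == "__main__":
    kernel, user, unparsed = parse_log(SAMPLE_LOG)
    for (drv, desc), funcs in ssdt_by_driver(kernel).items():
        print(f"SSDT {drv} ({desc or 'no vendor string'}): {', '.join(funcs)}")
    for h in unattributed_user_hooks(user):
        print(f"review: {h['proc']}[{h['pid']}] {h['api']} {h['kind']} -> {h['target']}")
    print("systemic:", systemic_hooks(user), "unparsed:", unparsed)
```

To run it on the real post, paste the GMER output into a file and call parse_log(open(path).read()) instead of SAMPLE_LOG; anything the three patterns do not recognise comes back in the unparsed list so nothing is silently skipped. Hooks in the systemic set that match a product you can see installed in the OTL log are the ones to set aside first; a hook present in only one process, with an unattributed target and no product explaining it, is the one to look at.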
  #12  
Old March 10th, 2012, 06:09 PM
lcyber
CTH Subscriber
 
Join Date: Feb 2003
O/S: Windows 7 64-bit
Location: uk
Posts: 1,066
75996D0C 5 Bytes JMP 00190600
.text C:\Windows\system32\svchost.exe[1980] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1980] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1980] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[2008] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[2008] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[2008] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[2008] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 00140A08
.text C:\Windows\System32\svchost.exe[2008] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 001403FC
.text C:\Windows\System32\svchost.exe[2008] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 00140804
.text C:\Windows\System32\svchost.exe[2008] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 001401F8
.text C:\Windows\System32\svchost.exe[2008] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 00140600
.text C:\Windows\system32\taskhost.exe[2024] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] ntdll.dll!NtMapViewOfSection 77525C28 5 Bytes JMP 719F0022
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] ntdll.dll!KiUserApcDispatcher + E 77526F46 5 Bytes JMP 01938FA0 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000503FC
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000501F8
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] kernel32.dll!QueueUserWorkItem 76199961 6 Bytes PUSH 71060022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] kernel32.dll!CreateThread 7619DCC2 5 Bytes JMP 6C177303 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] kernel32.dll!SetUnhandledExceptionFilter 7619F4FB 6 Bytes PUSH 71A30022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] WS2_32.dll!getaddrinfo 762C4296 5 Bytes JMP 710A0022
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] WS2_32.dll!connect 762C6BDD 5 Bytes JMP 710F0022
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] GDI32.dll!BitBlt 770772C0 6 Bytes PUSH 71820022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!DdeInitializeW 75965DF2 6 Bytes PUSH 71760022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!EnableWindow 75968D02 5 Bytes JMP 6C1B9A14 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!CallNextHookEx 7596ABE1 5 Bytes JMP 6C1D7BAF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 6C1FEB00 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 001F03FC
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!DefWindowProcA 7596BB1C 7 Bytes JMP 6C17952D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!RegisterClassA 7596BC6A 6 Bytes PUSH 71890022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!CreateWindowExA 7596BF40 6 Bytes JMP 6C183363 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 6C1B2194 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!CreateWindowExW 7596EC7C 6 Bytes JMP 6C1DFF87 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!RegisterClassW 7596ED4A 6 Bytes PUSH 71A60022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!RegisterClassExW 75970162 6 Bytes PUSH 71AE0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 001F01F8
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!DefWindowProcW 7597507D 7 Bytes JMP 6C1D7C12 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!PeekMessageW 7597634A 6 Bytes PUSH 719B0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!TranslateMessage 759764C7 6 Bytes PUSH 71680022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!GetClipboardData 75982BA7 6 Bytes PUSH 716E0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!DialogBoxParamW 75983B9B 5 Bytes JMP 6C11170B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!DialogBoxIndirectParamW 75993B7F 5 Bytes JMP 6C306336 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 001F0600
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!DialogBoxParamA 759ACF42 5 Bytes JMP 6C3062D1 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!DialogBoxIndirectParamA 759AD274 5 Bytes JMP 6C30639B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!MessageBoxIndirectA 759BE869 5 Bytes JMP 6C306258 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!MessageBoxIndirectW 759BE963 5 Bytes JMP 6C3061DF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!MessageBoxExA 759BE9C9 5 Bytes JMP 6C30617B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] USER32.dll!MessageBoxExW 759BE9ED 5 Bytes JMP 6C306117 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] ole32.dll!OleLoadFromStream 75E46143 5 Bytes JMP 6C306B0F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] ole32.dll!CoCreateInstance 75E89D0B 6 Bytes JMP 718E000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] ole32.dll!CoCreateInstanceEx 75E89D4E 5 Bytes JMP 717E0022
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] WININET.dll!InternetCloseHandle 75FAC704 6 Bytes PUSH 71480022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] WININET.dll!InternetReadFile 75FAF978 6 Bytes PUSH 71280022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] WININET.dll!HttpAddRequestHeadersA 75FB2ADC 6 Bytes PUSH 71640022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] WININET.dll!InternetQueryDataAvailable 75FB3224 6 Bytes PUSH 712C0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] WININET.dll!InternetOpenA 75FBD688 6 Bytes PUSH 71340022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] WININET.dll!InternetOpenW 75FD72A6 6 Bytes PUSH 71300022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] WININET.dll!InternetSetStatusCallback 75FD74BA 6 Bytes PUSH 711C0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] WININET.dll!InternetReadFileExW 75FD8981 6 Bytes PUSH 71200022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] WININET.dll!InternetReadFileExA 75FD89DC 6 Bytes PUSH 71240022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] WININET.dll!InternetGetCookieExA 75FDB9E9 6 Bytes PUSH 71380022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] WININET.dll!HttpSendRequestExW 75FE83BC 6 Bytes PUSH 71500022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] WININET.dll!InternetWriteFile 75FE851E 6 Bytes PUSH 71180022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] WININET.dll!InternetConnectA 75FFB75E 6 Bytes PUSH 71440022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] WININET.dll!HttpOpenRequestA 75FFB841 6 Bytes PUSH 71600022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] WININET.dll!InternetConnectW 75FFBDDA 6 Bytes PUSH 71400022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] WININET.dll!HttpOpenRequestW 75FFC0CF 6 Bytes PUSH 715C0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] WININET.dll!HttpSendRequestW 75FFC40D 6 Bytes PUSH 714C0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] WININET.dll!HttpSendRequestA 76005172 6 Bytes PUSH 71580022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] WININET.dll!HttpSendRequestExA 7604EA7D 6 Bytes PUSH 71540022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2036] WININET.dll!InternetGetCookieA 76050176 6 Bytes PUSH 713C0022; RET
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2396] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000503FC
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2396] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000501F8
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2396] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2396] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 000F0A08
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2396] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 000F03FC
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2396] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 000F0804
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2396] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 000F01F8
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2396] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 000F0600
.text C:\Windows\Explorer.EXE[2452] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000603FC
.text C:\Windows\Explorer.EXE[2452] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Windows\Explorer.EXE[2452] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\Explorer.EXE[2452] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 00150A08
.text C:\Windows\Explorer.EXE[2452] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 001503FC
.text C:\Windows\Explorer.EXE[2452] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 00150804
.text C:\Windows\Explorer.EXE[2452] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 001501F8
.text C:\Windows\Explorer.EXE[2452] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 00150600
.text C:\Windows\system32\taskhost.exe[2604] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000503FC
.text C:\Windows\system32\taskhost.exe[2604] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000501F8
.text C:\Windows\system32\taskhost.exe[2604] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[2604] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 00070A08
.text C:\Windows\system32\taskhost.exe[2604] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 000703FC
.text C:\Windows\system32\taskhost.exe[2604] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 00070804
.text C:\Windows\system32\taskhost.exe[2604] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 000701F8
.text C:\Windows\system32\taskhost.exe[2604] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 00070600
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2988] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3000] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000603FC
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3000] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3000] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3000] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 001F0A08
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3000] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 001F03FC
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3000] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 001F0804
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3000] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 001F01F8
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3000] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 001F0600
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3040] ntdll.dll!KiUserApcDispatcher 77526F38 5 Bytes JMP 00445210 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3040] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 001603FC
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3040] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 001601F8
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3040] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3040] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 00190A08
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3040] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 001903FC
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3040] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 00190804
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3040] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 001901F8
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3040] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 00190600
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3040] WS2_32.dll!getaddrinfo 762C4296 5 Bytes JMP 71A50022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3040] WS2_32.dll!gethostbyname 762D7673 5 Bytes JMP 71AE0022
.text C:\Program Files\Windows Sidebar\sidebar.exe[3048] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000603FC
.text C:\Program Files\Windows Sidebar\sidebar.exe[3048] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Program Files\Windows Sidebar\sidebar.exe[3048] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Program Files\Windows Sidebar\sidebar.exe[3048] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 000A0A08
.text C:\Program Files\Windows Sidebar\sidebar.exe[3048] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 000A03FC
.text C:\Program Files\Windows Sidebar\sidebar.exe[3048] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 000A0804
.text C:\Program Files\Windows Sidebar\sidebar.exe[3048] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 000A01F8
.text C:\Program Files\Windows Sidebar\sidebar.exe[3048] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 000A0600
.text C:\Windows\system32\svchost.exe[3412] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[3412] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[3412] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[3412] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 00470A08
.text C:\Windows\system32\svchost.exe[3412] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 004703FC
.text C:\Windows\system32\svchost.exe[3412] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 00470804
.text C:\Windows\system32\svchost.exe[3412] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 004701F8
.text C:\Windows\system32\svchost.exe[3412] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 00470600
.text C:\Windows\system32\AUDIODG.EXE[3644] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\system32\SearchIndexer.exe[3676] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 001103FC
.text C:\Windows\system32\SearchIndexer.exe[3676] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 001101F8
.text C:\Windows\system32\SearchIndexer.exe[3676] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\system32\SearchIndexer.exe[3676] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 001B0A08
.text C:\Windows\system32\SearchIndexer.exe[3676] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 001B03FC
.text C:\Windows\system32\SearchIndexer.exe[3676] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 001B0804
.text C:\Windows\system32\SearchIndexer.exe[3676] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 001B01F8
.text C:\Windows\system32\SearchIndexer.exe[3676] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 001B0600
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3856] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000603FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3856] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3856] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3856] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 00100A08
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3856] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 001003FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3856] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 00100804
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3856] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 001001F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3856] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 00100600
.t
  #13  
Old March 10th, 2012, 06:15 PM
lcyber lcyber is offline
CTH Subscriber
 
Join Date: Feb 2003
O/S: Windows 7 64-bit
Location: uk
Posts: 1,066
.text C:\Windows\system32\svchost.exe[4068] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[4068] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[4068] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[4068] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 00420A08
.text C:\Windows\system32\svchost.exe[4068] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 004203FC
.text C:\Windows\system32\svchost.exe[4068] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 00420804
.text C:\Windows\system32\svchost.exe[4068] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 004201F8
.text C:\Windows\system32\svchost.exe[4068] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 00420600
.text C:\Windows\notepad.exe[4184] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\system32\ctfmon.exe[4448] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] ntdll.dll!NtMapViewOfSection 77525C28 5 Bytes JMP 719F0022
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] ntdll.dll!KiUserApcDispatcher + E 77526F46 5 Bytes JMP 005E8FA0 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] kernel32.dll!QueueUserWorkItem 76199961 6 Bytes PUSH 71060022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] kernel32.dll!CreateThread 7619DCC2 5 Bytes JMP 6C177303 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] kernel32.dll!SetUnhandledExceptionFilter 7619F4FB 6 Bytes PUSH 71A30022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] WS2_32.dll!getaddrinfo 762C4296 5 Bytes JMP 710A0022
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] WS2_32.dll!connect 762C6BDD 5 Bytes JMP 710F0022
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] GDI32.dll!BitBlt 770772C0 6 Bytes PUSH 71830022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] USER32.dll!DdeInitializeW 75965DF2 6 Bytes PUSH 71770022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] USER32.dll!EnableWindow 75968D02 5 Bytes JMP 6C1B9A14 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] USER32.dll!CallNextHookEx 7596ABE1 5 Bytes JMP 6C1D7BAF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 6C1FEB00 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] USER32.dll!DefWindowProcA 7596BB1C 7 Bytes JMP 6C17952D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] USER32.dll!RegisterClassA 7596BC6A 6 Bytes PUSH 71890022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] USER32.dll!CreateWindowExA 7596BF40 6 Bytes JMP 6C183363 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 6C1B2194 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] USER32.dll!CreateWindowExW 7596EC7C 6 Bytes JMP 6C1DFF87 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] USER32.dll!RegisterClassW 7596ED4A 6 Bytes PUSH 71A60022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] USER32.dll!RegisterClassExW 75970162 6 Bytes PUSH 71AE0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] USER32.dll!DefWindowProcW 7597507D 7 Bytes JMP 6C1D7C12 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] USER32.dll!PeekMessageW 7597634A 6 Bytes PUSH 719B0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] USER32.dll!TranslateMessage 759764C7 6 Bytes PUSH 71690022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] USER32.dll!GetClipboardData 75982BA7 6 Bytes PUSH 716F0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] USER32.dll!DialogBoxParamW 75983B9B 5 Bytes JMP 6C11170B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] USER32.dll!DialogBoxIndirectParamW 75993B7F 5 Bytes JMP 6C306336 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] USER32.dll!DialogBoxParamA 759ACF42 5 Bytes JMP 6C3062D1 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] USER32.dll!DialogBoxIndirectParamA 759AD274 5 Bytes JMP 6C30639B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] USER32.dll!MessageBoxIndirectA 759BE869 5 Bytes JMP 6C306258 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] USER32.dll!MessageBoxIndirectW 759BE963 5 Bytes JMP 6C3061DF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] USER32.dll!MessageBoxExA 759BE9C9 5 Bytes JMP 6C30617B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] USER32.dll!MessageBoxExW 759BE9ED 5 Bytes JMP 6C306117 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] ole32.dll!OleLoadFromStream 75E46143 5 Bytes JMP 6C306B0F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] ole32.dll!CoCreateInstance 75E89D0B 6 Bytes JMP 718E000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] ole32.dll!CoCreateInstanceEx 75E89D4E 5 Bytes JMP 717F0022
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] WININET.dll!InternetCloseHandle 75FAC704 6 Bytes PUSH 71490022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] WININET.dll!InternetReadFile 75FAF978 6 Bytes PUSH 71290022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] WININET.dll!HttpAddRequestHeadersA 75FB2ADC 6 Bytes PUSH 71650022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] WININET.dll!InternetQueryDataAvailable 75FB3224 6 Bytes PUSH 712D0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] WININET.dll!InternetOpenA 75FBD688 6 Bytes PUSH 71350022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] WININET.dll!InternetOpenW 75FD72A6 6 Bytes PUSH 71310022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] WININET.dll!InternetSetStatusCallback 75FD74BA 6 Bytes PUSH 711C0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] WININET.dll!InternetReadFileExW 75FD8981 6 Bytes PUSH 71210022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] WININET.dll!InternetReadFileExA 75FD89DC 6 Bytes PUSH 71250022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] WININET.dll!InternetGetCookieExA 75FDB9E9 6 Bytes PUSH 71390022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] WININET.dll!HttpSendRequestExW 75FE83BC 6 Bytes PUSH 71510022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] WININET.dll!InternetWriteFile 75FE851E 6 Bytes PUSH 71180022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] WININET.dll!InternetConnectA 75FFB75E 6 Bytes PUSH 71450022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] WININET.dll!HttpOpenRequestA 75FFB841 6 Bytes PUSH 71610022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] WININET.dll!InternetConnectW 75FFBDDA 6 Bytes PUSH 71410022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] WININET.dll!HttpOpenRequestW 75FFC0CF 6 Bytes PUSH 715D0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] WININET.dll!HttpSendRequestW 75FFC40D 6 Bytes PUSH 714D0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] WININET.dll!HttpSendRequestA 76005172 6 Bytes PUSH 71590022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] WININET.dll!HttpSendRequestExA 7604EA7D 6 Bytes PUSH 71550022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] WININET.dll!InternetGetCookieA 76050176 6 Bytes PUSH 713D0022; RET
.text C:\Windows\system32\wuauclt.exe[4752] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000703FC
.text C:\Windows\system32\wuauclt.exe[4752] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000701F8
.text C:\Windows\system32\wuauclt.exe[4752] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\system32\wuauclt.exe[4752] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 00090A08
.text C:\Windows\system32\wuauclt.exe[4752] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 000903FC
.text C:\Windows\system32\wuauclt.exe[4752] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 00090804
.text C:\Windows\system32\wuauclt.exe[4752] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 000901F8
.text C:\Windows\system32\wuauclt.exe[4752] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 00090600
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] ntdll.dll!NtMapViewOfSection
  #14  
Old March 10th, 2012, 06:16 PM
lcyber lcyber is offline
CTH Subscriber
 
Join Date: Feb 2003
O/S: Windows 7 64-bit
Location: uk
Posts: 1,066
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] ntdll.dll!KiUserApcDispatcher + E 77526F46 5 Bytes JMP 004A8FA0 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000503FC
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000501F8
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] kernel32.dll!QueueUserWorkItem 76199961 6 Bytes PUSH 710A0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] kernel32.dll!SetUnhandledExceptionFilter 7619F4FB 6 Bytes PUSH 71A30022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] WS2_32.dll!getaddrinfo 762C4296 5 Bytes JMP 710E0022
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] WS2_32.dll!connect 762C6BDD 5 Bytes JMP 71130022
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] GDI32.dll!BitBlt 770772C0 6 Bytes PUSH 71830022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] USER32.dll!DdeInitializeW 75965DF2 6 Bytes PUSH 71760022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] USER32.dll!EnableWindow 75968D02 5 Bytes JMP 6C1B9A14 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] USER32.dll!UnhookWindowsHookEx 7596ADF9 5 Bytes JMP 000F0A08
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] USER32.dll!UnhookWinEvent 7596B750 5 Bytes JMP 000F03FC
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] USER32.dll!RegisterClassA 7596BC6A 6 Bytes PUSH 71890022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] USER32.dll!CreateWindowExA 7596BF40 6 Bytes JMP 7192000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 000F0804
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] USER32.dll!CreateWindowExW 7596EC7C 6 Bytes JMP 7196000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] USER32.dll!RegisterClassW 7596ED4A 6 Bytes PUSH 71A60022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] USER32.dll!RegisterClassExW 75970162 6 Bytes PUSH 71AE0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] USER32.dll!SetWinEventHook 759724DC 5 Bytes JMP 000F01F8
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] USER32.dll!PeekMessageW 7597634A 6 Bytes PUSH 719B0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] USER32.dll!TranslateMessage 759764C7 6 Bytes PUSH 716C0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] USER32.dll!GetClipboardData 75982BA7 6 Bytes PUSH 71720022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] USER32.dll!DialogBoxParamW 75983B9B 5 Bytes JMP 6C11170B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] USER32.dll!DialogBoxIndirectParamW 75993B7F 5 Bytes JMP 6C306336 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] USER32.dll!SetWindowsHookExA 75996D0C 5 Bytes JMP 000F0600
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] USER32.dll!DialogBoxParamA 759ACF42 5 Bytes JMP 6C3062D1 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] USER32.dll!DialogBoxIndirectParamA 759AD274 5 Bytes JMP 6C30639B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] USER32.dll!MessageBoxIndirectA 759BE869 5 Bytes JMP 6C306258 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] USER32.dll!MessageBoxIndirectW 759BE963 5 Bytes JMP 6C3061DF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] USER32.dll!MessageBoxExA 759BE9C9 5 Bytes JMP 6C30617B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] USER32.dll!MessageBoxExW 759BE9ED 5 Bytes JMP 6C306117 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] ole32.dll!CoCreateInstance 75E89D0B 6 Bytes JMP 718E000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] ole32.dll!CoCreateInstanceEx 75E89D4E 5 Bytes JMP 717F0022
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] WININET.dll!InternetCloseHandle 75FAC704 6 Bytes PUSH 714C0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] WININET.dll!InternetReadFile 75FAF978 6 Bytes PUSH 712C0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] WININET.dll!HttpAddRequestHeadersA 75FB2ADC 6 Bytes PUSH 71680022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] WININET.dll!InternetQueryDataAvailable 75FB3224 6 Bytes PUSH 71300022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] WININET.dll!InternetOpenA 75FBD688 6 Bytes PUSH 71380022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] WININET.dll!InternetOpenW 75FD72A6 6 Bytes PUSH 71340022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] WININET.dll!InternetSetStatusCallback 75FD74BA 6 Bytes PUSH 71200022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] WININET.dll!InternetReadFileExW 75FD8981 6 Bytes PUSH 71240022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] WININET.dll!InternetReadFileExA 75FD89DC 6 Bytes PUSH 71280022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] WININET.dll!InternetGetCookieExA 75FDB9E9 6 Bytes PUSH 713C0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] WININET.dll!HttpSendRequestExW 75FE83BC 6 Bytes PUSH 71540022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] WININET.dll!InternetWriteFile 75FE851E 6 Bytes PUSH 711C0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] WININET.dll!InternetConnectA 75FFB75E 6 Bytes PUSH 71480022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] WININET.dll!HttpOpenRequestA 75FFB841 6 Bytes PUSH 71640022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] WININET.dll!InternetConnectW 75FFBDDA 6 Bytes PUSH 71440022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] WININET.dll!HttpOpenRequestW 75FFC0CF 6 Bytes PUSH 71600022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] WININET.dll!HttpSendRequestW 75FFC40D 6 Bytes PUSH 71500022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] WININET.dll!HttpSendRequestA 76005172 6 Bytes PUSH 715C0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] WININET.dll!HttpSendRequestExA 7604EA7D 6 Bytes PUSH 71580022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[5204] WININET.dll!InternetGetCookieA 76050176 6 Bytes PUSH 71400022; RET
.text C:\Users\user\Desktop\OTL.exe[5220] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[5408] ntdll.dll!LdrUnloadDll 7753C86E 5 Bytes JMP 000A03FC
.text C:\Windows\system32\svchost.exe[5408] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000A01F8
.text C:\Windows\system32\svchost.exe[5408] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G911MLVJ\rw3nck8l.exe[5704] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1376] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [71F9F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[2988] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [71F9F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \Driver\tdx \Device\Tcp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)

Device \Driver\ACPI_HAL \Device\00000057 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000a3a595be5
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000a3a595be5 (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\avast! sandbox 0 bytes
File C:\avast! sandbox\snx_rhive 262144 bytes
File C:\avast! sandbox\snx_rhive.LOG1 5120 bytes
File C:\avast! sandbox\snx_rhive.LOG2 0 bytes
File C:\avast! sandbox\snx_rhive{f4f35fd3-6959-11e1-bba1-1c6f65705093}.TM.blf 65536 bytes
File C:\avast! sandbox\snx_rhive{f4f35fd3-6959-11e1-bba1-1c6f65705093}.TMContainer00000000000000000001.regtrans-ms 524288 bytes
File C:\avast! sandbox\snx_rhive{f4f35fd3-6959-11e1-bba1-1c6f65705093}.TMContainer00000000000000000002.regtrans-ms 524288 bytes
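The user-mode hook listing above is long because several products patch the same exports in almost every process. What matters when reading it is which hook targets GMER could attribute to a module on disk (the entries that end in a path and a description, such as IEFRAME.dll or rooksdol.dll) and which it could not (the bare "JMP 000603FC" and "PUSH 71060022; RET" entries, whose targets are not inside any loaded image). The following Python parser is an added example, not part of the original thread or of GMER: it reads those ".text" lines, recognises the three patch shapes GMER prints (inline JMP, PUSH/RET trampoline, raw byte patch), and summarises per process the attributed modules, the unattributed target regions and the byte patches. The sample input is a handful of lines copied from the log above; grouping unattributed targets by 64 KiB region is an assumption of this example based on Windows' allocation granularity, not something GMER reports.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# One GMER "user code sections" line has the shape:
# .text <process path>[<pid>] <module>!<export>[ + <hex off>] <hex addr> <n> Byte(s) <patch>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<mod>[^\s!]+)!(?P<func>\S+)(?:\s+\+\s+(?P<off>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+(?P<patch>.+?)\s*$"
)
# The three patch shapes GMER prints: an inline JMP, optionally followed by the
# module owning the target and its description in parentheses; a PUSH/RET
# trampoline; and a raw byte patch with no control transfer.
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<module>.+?)\s+\((?P<desc>[^)]*)\))?$")
PUSHRET_RE = re.compile(r"^PUSH\s+(?P<target>[0-9A-Fa-f]{8});\s*RET$")
BYTE_RE = re.compile(r"^\[(?P<bytes>[0-9A-Fa-f ]+)\]$")

ALLOC_GRANULARITY = 0x10000  # 64 KiB: VirtualAlloc region alignment (assumption used for grouping)


@dataclass
class Hook:
    process: str
    pid: int
    module: str
    export: str
    offset: int
    address: int
    size: int
    kind: str                      # "jmp", "push-ret" or "byte-patch"
    target: Optional[int]          # where control goes; None for byte patches
    target_module: Optional[str]   # basename GMER attributed the target to, if any


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_hook_line(line: str) -> Optional[Hook]:
    """Parse one '.text' line; return None for anything that is not a hook line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    patch = m["patch"]
    kind, target, target_module = "byte-patch", None, None
    if (j := JMP_RE.match(patch)):
        kind, target = "jmp", int(j["target"], 16)
        target_module = _basename(j["module"]) if j["module"] else None
    elif (p := PUSHRET_RE.match(patch)):
        kind, target = "push-ret", int(p["target"], 16)
    elif not BYTE_RE.match(patch):
        return None  # unknown patch shape: leave it for a human
    return Hook(
        process=_basename(m["proc"]), pid=int(m["pid"]), module=m["mod"],
        export=m["func"], offset=int(m["off"] or "0", 16), address=int(m["addr"], 16),
        size=int(m["size"]), kind=kind, target=target, target_module=target_module,
    )


def parse_gmer_hooks(text: str) -> list[Hook]:
    return [h for h in (parse_hook_line(l) for l in text.splitlines()) if h]


def summarize(hooks: list[Hook]) -> dict:
    """Per (process, pid): counts of targets GMER attributed to a module, the
    64 KiB regions holding targets it could not attribute, and raw byte patches."""
    out = {}
    for h in hooks:
        s = out.setdefault((h.process, h.pid), {
            "attributed": defaultdict(int), "unattributed_regions": set(), "byte_patches": 0})
        if h.kind == "byte-patch":
            s["byte_patches"] += 1
        elif h.target_module:
            s["attributed"][h.target_module] += 1
        else:
            s["unattributed_regions"].add(h.target & ~(ALLOC_GRANULARITY - 1))
    return out


# A few lines copied from the GMER log above (not the whole log).
SAMPLE = r""".text C:\Windows\system32\svchost.exe[3412] ntdll.dll!LdrLoadDll 7754223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[3412] kernel32.dll!GetBinaryTypeW + 70 761B69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[3412] USER32.dll!SetWindowsHookExW 7596E30C 5 Bytes JMP 00470804
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3040] ntdll.dll!KiUserApcDispatcher 77526F38 5 Bytes JMP 00445210 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] ntdll.dll!KiUserApcDispatcher + E 77526F46 5 Bytes JMP 005E8FA0 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] kernel32.dll!QueueUserWorkItem 76199961 6 Bytes PUSH 71060022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] kernel32.dll!CreateThread 7619DCC2 5 Bytes JMP 6C177303 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4644] WS2_32.dll!getaddrinfo 762C4296 5 Bytes JMP 710A0022
"""

if __name__ == "__main__":
    for (proc, pid), s in summarize(parse_gmer_hooks(SAMPLE)).items():
        regions = ", ".join(f"{r:08X}" for r in sorted(s["unattributed_regions"]))
        print(f"{proc}[{pid}]: attributed={dict(s['attributed'])} "
              f"unattributed_regions=[{regions}] byte_patches={s['byte_patches']}")
```

Run on the full log, the summary makes the pattern in the thread easy to see: the LdrLoadDll/LdrUnloadDll and USER32 hook-API patches jump into one low, unattributed region per process, the IEFRAME.dll and rooksdol.dll hooks are confined to iexplore.exe, and the 1-byte GetBinaryTypeW patch is present everywhere. Unattributed regions are where a reviewer would dump memory next; attributed ones are checked by confirming the named module is the signed file it claims to be.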
  #15  
Old March 10th, 2012, 06:38 PM
lcyber lcyber is offline
CTH Subscriber
 
Join Date: Feb 2003
O/S: Windows 7 64-bit
Location: uk
Posts: 1,066
aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
Run date: 2012-03-10 17:19:22
-----------------------------
17:19:22.273 OS Version: Windows 6.1.7601 Service Pack 1
17:19:22.273 Number of processors: 4 586 0x170A
17:19:22.273 ComputerName: USER-PC UserName: user
17:19:22.772 Initialize success
17:19:22.850 AVAST engine defs: 12031001
17:19:27.796 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
17:19:27.796 Disk 0 Vendor: ExcelStor_Technology_J8080S P21OAB3A Size: 78532MB BusType: 3
17:19:27.983 Disk 0 MBR read successfully
17:19:27.983 Disk 0 MBR scan
17:19:27.983 Disk 0 Windows 7 default MBR code
17:19:28.030 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
17:19:28.092 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 78430 MB offset 206848
17:19:28.154 Disk 0 scanning sectors +160831488
17:19:28.544 Disk 0 scanning C:\Windows\system32\drivers
17:20:37.481 Service scanning
17:20:55.140 Modules scanning
17:22:05.325 Disk 0 trace - called modules:
17:22:05.340 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
17:22:05.356 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x863ba1e8]
17:22:05.356 3 CLASSPNP.SYS[8ba0459e] -> nt!IofCallDriver -> [0x85e79878]
17:22:05.356 5 ACPI.sys[836a03d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85e93030]
17:22:06.120 AVAST engine scan C:\Windows
17:22:31.751 AVAST engine scan C:\Windows\system32
17:37:19.783 Disk 0 MBR has been saved successfully to "C:\Users\user\Desktop\MBR.dat"
17:37:19.798 The log file has been saved successfully to "C:\Users\user\Desktop\aswMBR2.txt"
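The aswMBR log above reports the partition table it found (a bootable 100 MB NTFS partition at sector 2048 and a 78430 MB NTFS partition at sector 206848) and then "scanning sectors +160831488", the sector where the last partition ends and the unpartitioned tail of the disk begins, which is where MBR bootkits typically store their payload. The following Python is an added example, not part of the original thread or of aswMBR: it builds a 512-byte MBR from the partition values in the log (boot code left as zeros, since the real disk's code is not on the page), parses the table back, checks the layout for gaps and overlaps, and computes the start and length of the unpartitioned tail. The disk size is taken from the vendor line in the log and assumed exact; the 440-byte boot-code slice is the area aswMBR's "Windows 7 default MBR code" verdict is assumed to refer to.

```python
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
PT_OFFSET = 446          # partition table starts at byte 446 of the MBR
ENTRY_LEN = 16           # four 16-byte entries
BOOT_CODE_LEN = 440      # bytes 440-443 hold the disk signature, 444-445 are reserved
BOOT_SIG = b"\x55\xAA"   # bytes 510-511


@dataclass
class Partition:
    index: int           # 1-based slot in the table
    bootable: bool       # status byte 0x80
    type_id: int         # 0x07 = NTFS/exFAT/HPFS
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:    # first sector after the partition
        return self.lba_start + self.sectors

    @property
    def size_mb(self) -> int:
        return self.sectors * SECTOR // (1024 * 1024)


def build_mbr(parts: list[Partition], boot_code: bytes = b"") -> bytes:
    """Assemble an MBR sector from partition entries (used here to construct the sample)."""
    assert len(boot_code) <= PT_OFFSET
    mbr = bytearray(SECTOR)
    mbr[: len(boot_code)] = boot_code
    for p in parts:
        struct.pack_into("<B3xB3xII", mbr, PT_OFFSET + (p.index - 1) * ENTRY_LEN,
                         0x80 if p.bootable else 0x00, p.type_id, p.lba_start, p.sectors)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def parse_mbr(mbr: bytes) -> list[Partition]:
    """Return the non-empty partition entries; raise if the sector is not an MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != BOOT_SIG:
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        entry = mbr[PT_OFFSET + i * ENTRY_LEN: PT_OFFSET + (i + 1) * ENTRY_LEN]
        # status, 3-byte CHS start (skipped), type, 3-byte CHS end (skipped), LBA start, count
        flag, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            parts.append(Partition(i + 1, flag == 0x80, ptype, start, count))
    return parts


def boot_code_sha256(mbr: bytes) -> str:
    """Hash of the boot-code area, the value a tool would compare to a known-good code hash."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def layout_report(parts: list[Partition], disk_sectors: int) -> dict:
    """Gaps and overlaps between partitions, plus the unpartitioned tail after the last one."""
    ordered = sorted(parts, key=lambda p: p.lba_start)
    gaps, overlaps = [], []
    for a, b in zip(ordered, ordered[1:]):
        if b.lba_start > a.lba_end:
            gaps.append((a.lba_end, b.lba_start))
        elif b.lba_start < a.lba_end:
            overlaps.append((a.index, b.index))
    tail_start = ordered[-1].lba_end if ordered else 0
    return {
        "bootable": [p.index for p in parts if p.bootable],
        "gaps": gaps,
        "overlaps": overlaps,
        "tail_start": tail_start,
        "tail_sectors": max(disk_sectors - tail_start, 0),
    }


# Constructed sample: the two partitions aswMBR printed in the log above.
LOG_PARTS = [
    Partition(1, True, 0x07, 2048, 100 * 1024 * 1024 // SECTOR),        # 100 MB, offset 2048
    Partition(2, False, 0x07, 206848, 78430 * 1024 * 1024 // SECTOR),  # 78430 MB, offset 206848
]
DISK_SECTORS = 78532 * 1024 * 1024 // SECTOR  # "Size: 78532MB" from the log, assumed exact
SAMPLE_MBR = build_mbr(LOG_PARTS)

if __name__ == "__main__":
    parsed = parse_mbr(SAMPLE_MBR)
    for p in parsed:
        print(f"Partition {p.index} {'80 (A)' if p.bootable else '00'} {p.type_id:02X} "
              f"{p.size_mb} MB offset {p.lba_start}")
    print(layout_report(parsed, DISK_SECTORS))
    print("boot code sha256:", boot_code_sha256(SAMPLE_MBR))
```

With the log's values, partition 1 ends exactly where partition 2 starts, and the tail begins at sector 160831488, the same number aswMBR printed after "scanning sectors +". On this disk that tail is 2048 sectors (1 MiB); a tool reads it because a bootkit that has replaced the boot code needs somewhere outside any file system to keep the original MBR and its own driver.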