msqpdxrfdcedrm.sys

    #1 Aeson1 (Newbie)

    msqpdxrfdcedrm.sys

    First of all,

    Thank you for this wonderful initiative, I am glad somebody is fighting back at the bad guys of the internet.

    I used a step-by-step cleaning procedure I found on this site (as stated, I did a reboot after every scan).

    In order:

    Scanned with SuperAntiSpyware (didn't find much)
    Scanned with Malwarebytes (log below); everything deleted fine
    Scanned with GMER (log below); found a process called: msqpdxrfdcedrm.sys
    Scanned with HijackThis (log below)

    Here's my issue: is the process found by GMER deleted? Should I delete it manually?
    Are there some other threats or issues I'm not aware of? What course of action should I take?

    ---- Malwarebytes log (I did a translation to English) ----
    Folders infected: 1
    Files infected: 1

    Memory processes infected:
    (No items found)

    Memory modules infected:
    (no items found)

    Registry keys infected:
    (no items found)

    Registry values infected:
    (no items found)

    Registry data files infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders infected:
    C:\Program Files\RelevantKnowledge (Spyware.Marketscore) -> Quarantined and deleted successfully.

    Files infected:
    c:\program files\relevantknowledge\rloci.bin (Spyware.Marketscore) -> Quarantined and deleted successfully.


    ---- GMER log file ----
    GMER 1.0.15.14972 - GMER - Rootkit Detector and Remover
    Rootkit scan 2009-07-01 19:43:03
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwAllocateVirtualMemory [0xEFBCA790]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwAssignProcessToJobObject [0xEFBCADB0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEFB276B8]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwConnectPort [0xEFBC92A0]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateFile [0xEFBD7890]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEFB27574]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreatePort [0xEFBC8F50]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateProcess [0xEFBC6220]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateProcessEx [0xEFBC65F0]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateSection [0xEFBC5D40]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateThread [0xEFBC76D0]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDebugActiveProcess [0xEFBC8230]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDeleteFile [0xEFBD8320]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDeleteKey [0xEFBD6160]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEFB27A52]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEFB2714C]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateKey [0xEFBD7830]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateValueKey [0xEFBD7860]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwLoadDriver [0xEFBCA260]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwLoadKey [0xEFBD6F00]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwOpenFile [0xEFBD7F30]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEFB2764E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEFB2708C]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwOpenSection [0xEFBC5FB0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xEFB270F0]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwProtectVirtualMemory [0xEFBCAA40]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwQueryKey [0xEFBD77D0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEFB2776E]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwQueueApcThread [0xEFBCAF30]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwReplaceKey [0xEFBD72A0]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwRequestWaitReplyPort [0xEFBC9E10]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEFB2772E]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwResumeThread [0xEFBC8920]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSaveKey [0xEFBD77B0]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSecureConnectPort [0xEFBC9660]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSetContextThread [0xEFBC8050]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSetInformationFile [0xEFBD85E0]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSetSystemInformation [0xEFBC83B0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEFB278AE]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwShutdownSystem [0xEFBCA160]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSuspendProcess [0xEFBC8AD0]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSuspendThread [0xEFBC8750]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSystemDebugControl [0xEFBC8590]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwTerminateProcess [0xEFBC7490]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwTerminateThread [0xEFBC7E30]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwUnloadDriver [0xEFBCA480]
    SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwWriteVirtualMemory [0xEFBCABF0]

    INT 0x62 ? 82571BF8
    INT 0x63 ? 82441F00
    INT 0x82 ? 82571BF8
    INT 0x83 ? 82571BF8
    INT 0x83 ? 82571BF8
    INT 0x83 ? 82571BF8
    INT 0x94 ? 82441F00
    INT 0xA4 ? 82441F00
    INT 0xB4 ? 82441F00

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwCallbackReturn + 241C 80501C54 12 Bytes [50, 8F, BC, EF, 20, 62, BC, ...]
    .text ntkrnlpa.exe!ZwCallbackReturn + 2758 80501F90 12 Bytes [D0, 8A, BC, EF, 50, 87, BC, ...] {ROR BYTE [EDX-0x78af1044], 0x1; MOV ESP, 0xbc8590ef; OUT DX, EAX}
    ? qjzh.sys Het systeem kan het opgegeven bestand niet vinden. !
    ? spmu.sys Het systeem kan het opgegeven bestand niet vinden. !
    .text USBPORT.SYS!DllUnload F813C8AC 5 Bytes JMP 824414E0
    .text a8gljhiy.SYS F7FB8386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
    .text a8gljhiy.SYS F7FB83AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
    .text a8gljhiy.SYS F7FB83C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
    .text a8gljhiy.SYS F7FB83C9 1 Byte [2E]
    .text a8gljhiy.SYS F7FB83C9 11 Bytes [2E, 00, 00, 00, 5C, 02, 00, ...] {ADD CS:[EAX], AL; ADD [EDX+EAX+0x0], BL; ADD [EAX], AL; ADD [EAX], AL}
    .text ...

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[200] kernel32.dll!LoadLibraryExW + C4 7C7D1BB9 4 Bytes CALL 00D90001
    .text C:\WINDOWS\Explorer.EXE[200] kernel32.dll!CreateProcessW 7C7D2336 6 Bytes JMP 5F0D0F5A
    .text C:\WINDOWS\Explorer.EXE[200] kernel32.dll!CreateProcessA 7C7D236B 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\Explorer.EXE[200] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 7170003D
    .text C:\WINDOWS\Explorer.EXE[200] USER32.dll!ExitWindowsEx 7E3DA275 6 Bytes JMP 5F100F5A
    .text C:\WINDOWS\Explorer.EXE[200] WS2_32.dll!socket 71A34211 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\csrss.exe[440] KERNEL32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 716F003D
    .text C:\WINDOWS\system32\winlogon.exe[468] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 716F003D
    .text C:\WINDOWS\system32\services.exe[512] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 716F003D
    .text C:\WINDOWS\system32\lsass.exe[524] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 716F003D
    .text C:\Program Files\Java\jre6\bin\jqs.exe[656] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 7170003D
    .text ...
    .text C:\Documents and Settings\Compaq_Eigenaar\Mijn documenten\Downloads\hkqf8p0f.exe[744] kernel32.dll!LoadLibraryExW + C4 7C7D1BB9 4 Bytes CALL 00BA0001
    .text C:\Documents and Settings\Compaq_Eigenaar\Mijn documenten\Downloads\hkqf8p0f.exe[744] kernel32.dll!CreateProcessW 7C7D2336 6 Bytes JMP 5F0D0F5A
    .text C:\Documents and Settings\Compaq_Eigenaar\Mijn documenten\Downloads\hkqf8p0f.exe[744] kernel32.dll!CreateProcessA 7C7D236B 6 Bytes JMP 5F0A0F5A
    .text C:\Documents and Settings\Compaq_Eigenaar\Mijn documenten\Downloads\hkqf8p0f.exe[744] kernel32.dll!CloseHandle 7C7D9BE7 6 Bytes JMP 5F190F5A
    .text C:\Documents and Settings\Compaq_Eigenaar\Mijn documenten\Downloads\hkqf8p0f.exe[744] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 7170003D
    .text C:\Documents and Settings\Compaq_Eigenaar\Mijn documenten\Downloads\hkqf8p0f.exe[744] kernel32.dll!CreateFileW 7C7E0800 6 Bytes JMP 5F160F5A
    .text C:\Documents and Settings\Compaq_Eigenaar\Mijn documenten\Downloads\hkqf8p0f.exe[744] user32.dll!ExitWindowsEx 7E3DA275 6 Bytes JMP 5F100F5A
    .text C:\Documents and Settings\Compaq_Eigenaar\Mijn documenten\Downloads\hkqf8p0f.exe[744] ole32.dll!CoCreateInstanceEx 774C0526 6 Bytes JMP 5F130F5A
    .text C:\Documents and Settings\Compaq_Eigenaar\Mijn documenten\Downloads\hkqf8p0f.exe[744] WS2_32.dll!socket 71A34211 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\svchost.exe[764] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 716F003D
    .text C:\Program Files\Windows Defender\MsMpEng.exe[820] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 716F003D
    .text C:\WINDOWS\System32\svchost.exe[880] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 716F003D
    .text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 716F003D
    .text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 716F003D
    .text ...
    .text C:\Program Files\Tall Emu\Online Armor\oasrv.exe[1168] kernel32.dll!LoadLibraryExW + C4 7C7D1BB9 4 Bytes CALL 00B30001
    .text C:\Program Files\Tall Emu\Online Armor\oasrv.exe[1168] user32.dll!LoadStringW 7E399E36 6 Bytes JMP 5F0B001E
    .text C:\Program Files\Tall Emu\Online Armor\oasrv.exe[1168] user32.dll!LoadStringA 7E3AC908 6 Bytes JMP 5F05001E
    .text C:\WINDOWS\system32\Ati2evxx.exe[1420] kernel32.dll!LoadLibraryExW + C4 7C7D1BB9 4 Bytes CALL 00A30001
    .text C:\WINDOWS\system32\Ati2evxx.exe[1420] kernel32.dll!CreateProcessW 7C7D2336 6 Bytes JMP 5F0D0F5A
    .text C:\WINDOWS\system32\Ati2evxx.exe[1420] kernel32.dll!CreateProcessA 7C7D236B 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\Ati2evxx.exe[1420] kernel32.dll!CloseHandle 7C7D9BE7 6 Bytes JMP 5F160F5A
    .text C:\WINDOWS\system32\Ati2evxx.exe[1420] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 7170003D
    .text C:\WINDOWS\system32\Ati2evxx.exe[1420] kernel32.dll!CreateFileW 7C7E0800 6 Bytes JMP 5F130F5A
    .text C:\WINDOWS\system32\Ati2evxx.exe[1420] USER32.dll!ExitWindowsEx 7E3DA275 6 Bytes JMP 5F100F5A
    .text C:\WINDOWS\system32\Ati2evxx.exe[1420] WS2_32.dll!socket 71A34211 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1684] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 7170003D
    .text C:\WINDOWS\system32\svchost.exe[1860] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 7170003D
    .text C:\WINDOWS\System32\alg.exe[1944] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 7170003D
    .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1984] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 7170003D
    .text C:\WINDOWS\system32\emaudsv.exe[2020] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 7170003D
    .text ...
    .text C:\Program Files\PostgreSQL\8.3\bin\postgres.exe[2828] kernel32.dll!LoadLibraryExW + C4 7C7D1BB9 4 Bytes CALL 012A0001
    .text C:\Program Files\PostgreSQL\8.3\bin\postgres.exe[2828] kernel32.dll!CreateProcessW 7C7D2336 6 Bytes JMP 5F0D0F5A
    .text C:\Program Files\PostgreSQL\8.3\bin\postgres.exe[2828] kernel32.dll!CreateProcessA 7C7D236B 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\PostgreSQL\8.3\bin\postgres.exe[2828] kernel32.dll!CloseHandle 7C7D9BE7 6 Bytes JMP 5F190F5A
    .text C:\Program Files\PostgreSQL\8.3\bin\postgres.exe[2828] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 7170003D
    .text C:\Program Files\PostgreSQL\8.3\bin\postgres.exe[2828] kernel32.dll!CreateFileW 7C7E0800 6 Bytes JMP 5F160F5A
    .text C:\Program Files\PostgreSQL\8.3\bin\postgres.exe[2828] WS2_32.dll!socket 71A34211 6 Bytes JMP 5F040F5A
    .text C:\Program Files\PostgreSQL\8.3\bin\postgres.exe[2828] USER32.dll!ExitWindowsEx 7E3DA275 6 Bytes JMP 5F100F5A
    .text C:\Program Files\PostgreSQL\8.3\bin\postgres.exe[2828] OLE32.dll!CoCreateInstanceEx 774C0526 6 Bytes JMP 5F130F5A
    .text C:\windows\system\hpsysdrv.exe[3012] kernel32.dll!LoadLibraryExW + C4 7C7D1BB9 4 Bytes CALL 00AF0001
    .text C:\windows\system\hpsysdrv.exe[3012] kernel32.dll!CreateProcessW 7C7D2336 6 Bytes JMP 5F0D0F5A
    .text C:\windows\system\hpsysdrv.exe[3012] kernel32.dll!CreateProcessA 7C7D236B 6 Bytes JMP 5F0A0F5A
    .text C:\windows\system\hpsysdrv.exe[3012] kernel32.dll!CloseHandle 7C7D9BE7 6 Bytes JMP 5F160F5A
    .text C:\windows\system\hpsysdrv.exe[3012] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 7170003D
    .text C:\windows\system\hpsysdrv.exe[3012] kernel32.dll!CreateFileW 7C7E0800 6 Bytes JMP 5F130F5A
    .text C:\windows\system\hpsysdrv.exe[3012] USER32.dll!ExitWindowsEx 7E3DA275 6 Bytes JMP 5F100F5A
    .text C:\windows\system\hpsysdrv.exe[3012] WS2_32.dll!socket 71A34211 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\AGRSMMSG.exe[3140] kernel32.dll!LoadLibraryExW + C4 7C7D1BB9 4 Bytes CALL 00B70001
    .text C:\WINDOWS\AGRSMMSG.exe[3140] kernel32.dll!CreateProcessW 7C7D2336 6 Bytes JMP 5F0D0F5A
    .text C:\WINDOWS\AGRSMMSG.exe[3140] kernel32.dll!CreateProcessA 7C7D236B 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\AGRSMMSG.exe[3140] kernel32.dll!CloseHandle 7C7D9BE7 6 Bytes JMP 5F160F5A
    .text C:\WINDOWS\AGRSMMSG.exe[3140] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 7170003D
    .text C:\WINDOWS\AGRSMMSG.exe[3140] kernel32.dll!CreateFileW 7C7E0800 6 Bytes JMP 5F130F5A
    .text C:\WINDOWS\AGRSMMSG.exe[3140] USER32.dll!ExitWindowsEx 7E3DA275 6 Bytes JMP 5F100F5A
    .text C:\WINDOWS\AGRSMMSG.exe[3140] WS2_32.dll!socket 71A34211 6 Bytes JMP 5F040F5A
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3176] kernel32.dll!LoadLibraryExW + C4 7C7D1BB9 4 Bytes CALL 00AF0001
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3176] kernel32.dll!CreateProcessW 7C7D2336 6 Bytes JMP 5F0D0F5A
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3176] kernel32.dll!CreateProcessA 7C7D236B 6 Bytes JMP 5F0A0F5A
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3176] kernel32.dll!CloseHandle 7C7D9BE7 6 Bytes JMP 5F190F5A
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3176] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 7170003D
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3176] kernel32.dll!CreateFileW 7C7E0800 6 Bytes JMP 5F160F5A
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3176] USER32.dll!ExitWindowsEx 7E3DA275 6 Bytes JMP 5F100F5A
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3176] WS2_32.dll!socket 71A34211 6 Bytes JMP 5F040F5A
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3176] ole32.dll!CoCreateInstanceEx 774C0526 6 Bytes JMP 5F130F5A
    .text C:\Program Files\Browser PS2 mouse\mouse32a.exe[3244] kernel32.dll!LoadLibraryExW + C4 7C7D1BB9 4 Bytes CALL 00C50001
    .text C:\Program Files\Browser PS2 mouse\mouse32a.exe[3244] kernel32.dll!CreateProcessW 7C7D2336 6 Bytes JMP 5F0D0F5A
    .text C:\Program Files\Browser PS2 mouse\mouse32a.exe[3244] kernel32.dll!CreateProcessA 7C7D236B 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Browser PS2 mouse\mouse32a.exe[3244] kernel32.dll!CloseHandle 7C7D9BE7 6 Bytes JMP 5F190F5A
    .text C:\Program Files\Browser PS2 mouse\mouse32a.exe[3244] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 7170003D
    .text C:\Program Files\Browser PS2 mouse\mouse32a.exe[3244] kernel32.dll!CreateFileW 7C7E0800 6 Bytes JMP 5F160F5A
    .text C:\Program Files\Browser PS2 mouse\mouse32a.exe[3244] user32.dll!ExitWindowsEx 7E3DA275 6 Bytes JMP 5F100F5A
    .text C:\Program Files\Browser PS2 mouse\mouse32a.exe[3244] ole32.dll!CoCreateInstanceEx 774C0526 6 Bytes JMP 5F130F5A
    .text C:\Program Files\Browser PS2 mouse\mouse32a.exe[3244] WS2_32.dll!socket 71A34211 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Windows Defender\MSASCui.exe[3396] kernel32.dll!LoadLibraryExW + C4 7C7D1BB9 4 Bytes CALL 00D40001
    .text C:\Program Files\Windows Defender\MSASCui.exe[3396] kernel32.dll!CreateProcessW 7C7D2336 6 Bytes JMP 5F0D0F5A
    .text C:\Program Files\Windows Defender\MSASCui.exe[3396] kernel32.dll!CreateProcessA 7C7D236B 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Windows Defender\MSASCui.exe[3396] kernel32.dll!CloseHandle 7C7D9BE7 6 Bytes JMP 5F160F5A
    .text C:\Program Files\Windows Defender\MSASCui.exe[3396] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 7170003D
    .text C:\Program Files\Windows Defender\MSASCui.exe[3396] kernel32.dll!CreateFileW 7C7E0800 6 Bytes JMP 5F130F5A
    .text C:\Program Files\Windows Defender\MSASCui.exe[3396] USER32.dll!ExitWindowsEx 7E3DA275 6 Bytes JMP 5F100F5A
    .text C:\Program Files\Windows Defender\MSASCui.exe[3396] WS2_32.dll!socket 71A34211 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Tall Emu\Online Armor\oaui.exe[3464] kernel32.dll!LoadLibraryExW + C4 7C7D1BB9 4 Bytes CALL 01500001
    .text C:\Program Files\Tall Emu\Online Armor\oaui.exe[3464] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 7170003D
    .text C:\Program Files\Tall Emu\Online Armor\oaui.exe[3464] USER32.dll!LoadStringW 7E399E36 6 Bytes JMP 5F0B001E
    .text C:\Program Files\Tall Emu\Online Armor\oaui.exe[3464] USER32.dll!LoadStringA 7E3AC908 6 Bytes JMP 5F05001E
    .text C:\Program Files\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe[3524] kernel32.dll!LoadLibraryExW + C4 7C7D1BB9 4 Bytes CALL 00BC0001
    .text C:\Program Files\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe[3524] kernel32.dll!CreateProcessW 7C7D2336 6 Bytes JMP 5F0D0F5A
    .text C:\Program Files\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe[3524] kernel32.dll!CreateProcessA 7C7D236B 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe[3524] kernel32.dll!CloseHandle 7C7D9BE7 6 Bytes JMP 5F190F5A
    .text C:\Program Files\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe[3524] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 7170003D
    .text C:\Program Files\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe[3524] kernel32.dll!CreateFileW 7C7E0800 6 Bytes JMP 5F160F5A
    .text C:\Program Files\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe[3524] USER32.dll!ExitWindowsEx 7E3DA275 6 Bytes JMP 5F100F5A
    .text C:\Program Files\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe[3524] ole32.dll!CoCreateInstanceEx 774C0526 6 Bytes JMP 5F130F5A
    .text C:\Program Files\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe[3524] WS2_32.dll!socket 71A34211 6 Bytes JMP 5F040F5A
    .text C:\PROGRA~1\FREEDO~1\fdm.exe[3552] kernel32.dll!LoadLibraryExW + C4 7C7D1BB9 4 Bytes CALL 00FF0001
    .text C:\PROGRA~1\FREEDO~1\fdm.exe[3552] kernel32.dll!CreateProcessW 7C7D2336 6 Bytes JMP 5F0D0F5A
    .text C:\PROGRA~1\FREEDO~1\fdm.exe[3552] kernel32.dll!CreateProcessA 7C7D236B 6 Bytes JMP 5F0A0F5A
    .text C:\PROGRA~1\FREEDO~1\fdm.exe[3552] kernel32.dll!CloseHandle 7C7D9BE7 6 Bytes JMP 5F190F5A
    .text C:\PROGRA~1\FREEDO~1\fdm.exe[3552] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 7170003D
    .text C:\PROGRA~1\FREEDO~1\fdm.exe[3552] kernel32.dll!CreateFileW 7C7E0800 6 Bytes JMP 5F160F5A
    .text C:\PROGRA~1\FREEDO~1\fdm.exe[3552] USER32.dll!ExitWindowsEx 7E3DA275 6 Bytes JMP 5F100F5A
    .text C:\PROGRA~1\FREEDO~1\fdm.exe[3552] ole32.dll!CoCreateInstanceEx 774C0526 6 Bytes JMP 5F130F5A
    .text C:\PROGRA~1\FREEDO~1\fdm.exe[3552] WS2_32.dll!select 71A330A8 6 Bytes JMP 5F280F5A
    .text C:\PROGRA~1\FREEDO~1\fdm.exe[3552] WS2_32.dll!closesocket 71A33E2B 6 Bytes JMP 5F1C0F5A
    .text C:\PROGRA~1\FREEDO~1\fdm.exe[3552] WS2_32.dll!ioctlsocket 71A33F50 6 Bytes JMP 5F2B0F5A
    .text C:\PROGRA~1\FREEDO~1\fdm.exe[3552] WS2_32.dll!socket 71A34211 6 Bytes JMP 5F040F5A
    .text C:\PROGRA~1\FREEDO~1\fdm.exe[3552] WS2_32.dll!connect 71A34A07 6 Bytes JMP 5F1F0F5A
    .text C:\PROGRA~1\FREEDO~1\fdm.exe[3552] WS2_32.dll!send 71A34C27 6 Bytes JMP 5F250F5A
    .text C:\PROGRA~1\FREEDO~1\fdm.exe[3552] WS2_32.dll!WSARecv 71A34CB5 6 Bytes JMP 5F370F5A
    .text C:\PROGRA~1\FREEDO~1\fdm.exe[3552] WS2_32.dll!recv 71A3676F 6 Bytes JMP 5F330F5A
    .text C:\PROGRA~1\FREEDO~1\fdm.exe[3552] WS2_32.dll!WSASend 71A368FA 6 Bytes JMP 5F3A0F5A
    .text C:\PROGRA~1\FREEDO~1\fdm.exe[3552] WS2_32.dll!WSAAsyncSelect 71A40991 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\system32\ctfmon.exe[3572] kernel32.dll!LoadLibraryExW + C4 7C7D1BB9 4 Bytes CALL 00B00001
    .text C:\WINDOWS\system32\ctfmon.exe[3572] kernel32.dll!CreateProcessW 7C7D2336 6 Bytes JMP 5F0D0F5A
    .text C:\WINDOWS\system32\ctfmon.exe[3572] kernel32.dll!CreateProcessA 7C7D236B 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\ctfmon.exe[3572] kernel32.dll!CloseHandle 7C7D9BE7 6 Bytes JMP 5F160F5A
    .text C:\WINDOWS\system32\ctfmon.exe[3572] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 7170003D
    .text C:\WINDOWS\system32\ctfmon.exe[3572] kernel32.dll!CreateFileW 7C7E0800 6 Bytes JMP 5F130F5A
    .text C:\WINDOWS\system32\ctfmon.exe[3572] USER32.dll!ExitWindowsEx 7E3DA275 6 Bytes JMP 5F100F5A
    .text C:\WINDOWS\system32\ctfmon.exe[3572] WS2_32.dll!socket 71A34211 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Tall Emu\Online Armor\OAhlp.exe[3732] kernel32.dll!LoadLibraryExW + C4 7C7D1BB9 4 Bytes CALL 00FD0001
    .text C:\Program Files\Tall Emu\Online Armor\OAhlp.exe[3732] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 7170003D
    .text C:\Program Files\Tall Emu\Online Armor\OAhlp.exe[3732] USER32.dll!LoadStringW 7E399E36 6 Bytes JMP 5F0B001E
    .text C:\Program Files\Tall Emu\Online Armor\OAhlp.exe[3732] USER32.dll!LoadStringA 7E3AC908 6 Bytes JMP 5F05001E
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4088] kernel32.dll!LoadLibraryExW + C4 7C7D1BB9 4 Bytes CALL 00C00001
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4088] kernel32.dll!CreateProcessW 7C7D2336 6 Bytes JMP 5F0D0F5A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4088] kernel32.dll!CreateProcessA 7C7D236B 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4088] kernel32.dll!CloseHandle 7C7D9BE7 6 Bytes JMP 5F160F5A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4088] kernel32.dll!FreeLibrary + 15 7C7DAC93 4 Bytes CALL 7170003D
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4088] kernel32.dll!CreateFileW 7C7E0800 6 Bytes JMP 5F130F5A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4088] WS2_32.dll!select 71A330A8 6 Bytes JMP 5F250F5A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4088] WS2_32.dll!closesocket 71A33E2B 6 Bytes JMP 5F190F5A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4088] WS2_32.dll!ioctlsocket 71A33F50 6 Bytes JMP 5F280F5A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4088] WS2_32.dll!socket 71A34211 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4088] WS2_32.dll!connect 71A34A07 6 Bytes JMP 5F1C0F5A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4088] WS2_32.dll!send 71A34C27 6 Bytes JMP 5F220F5A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4088] WS2_32.dll!WSARecv 71A34CB5 6 Bytes JMP 5F340F5A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4088] WS2_32.dll!recv 71A3676F 6 Bytes JMP 5F300F5A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4088] WS2_32.dll!WSASend 71A368FA 6 Bytes JMP 5F370F5A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4088] WS2_32.dll!WSAAsyncSelect 71A40991 6 Bytes JMP 5F2B0F5A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4088] USER32.dll!ExitWindowsEx 7E3DA275 6 Bytes JMP 5F100F5A

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F8466040] spmu.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F846613C] spmu.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F84660BE] spmu.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F84667FC] spmu.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F84666D2] spmu.sys
    IAT \SystemRoot\System32\Drivers\a8gljhiy.SYS[HAL.dll!KfAcquireSpinLock] 4B8BDF8B
    IAT \SystemRoot\System32\Drivers\a8gljhiy.SYS[HAL.dll!READ_PORT_UCHAR] 8D3F0304
    IAT \SystemRoot\System32\Drivers\a8gljhiy.SYS[HAL.dll!KeGetCurrentIrql] CB033043
    IAT \SystemRoot\System32\Drivers\a8gljhiy.SYS[HAL.dll!KfRaiseIrql] 0673C13B
    IAT \SystemRoot\System32\Drivers\a8gljhiy.SYS[HAL.dll!KfLowerIrql] C13B0003
    IAT \SystemRoot\System32\Drivers\a8gljhiy.SYS[HAL.dll!HalGetInterruptVector] 8366FA72
    IAT \SystemRoot\System32\Drivers\a8gljhiy.SYS[HAL.dll!HalTranslateBusAddress] 75000E7B
    IAT \SystemRoot\System32\Drivers\a8gljhiy.SYS[HAL.dll!KeStallExecutionProcessor] 0B7D80E3
    IAT \SystemRoot\System32\Drivers\a8gljhiy.SYS[HAL.dll!KfReleaseSpinLock] 307B8D00
    IAT \SystemRoot\System32\Drivers\a8gljhiy.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00AA840F
    IAT \SystemRoot\System32\Drivers\a8gljhiy.SYS[HAL.dll!READ_PORT_USHORT] 83660000
    IAT \SystemRoot\System32\Drivers\a8gljhiy.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 6A000E7A
    IAT \SystemRoot\System32\Drivers\a8gljhiy.SYS[HAL.dll!WRITE_PORT_UCHAR] C6647400
    IAT \SystemRoot\System32\Drivers\a8gljhiy.SYS[WMILIB.SYS!WmiSystemControl] 4F8B0200
    IAT \SystemRoot\System32\Drivers\a8gljhiy.SYS[WMILIB.SYS!WmiCompleteRequest] 968D5140
    IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F8476048] spmu.sys
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F8838300] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F8838360] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F8838610] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F8838650] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F8838610] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F8838360] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F8838300] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
    IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F8838300] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
    IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F8838360] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
    IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [F8838650] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
    IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F8838610] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F8838610] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F8838650] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F8838300] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F8838360] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[512] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
    IAT C:\WINDOWS\system32\services.exe[512] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 825701F8

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

    Device \FileSystem\Fastfat \FatCdrom 821391F8
    Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu)

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)

    Device \Driver\usbohci \Device\USBPDO-0 8243F1F8
    Device \Driver\usbohci \Device\USBPDO-1 8243F1F8
    Device \Driver\usbohci \Device\USBPDO-2 8243F1F8
    Device \Driver\usbehci \Device\USBPDO-3 8241D1F8
    Device \Driver\PCI_PNP0944 \Device\00000054 spmu.sys
    Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu)

    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)

    Device \Driver\Ftdisk \Device\HarddiskVolume1 825DE1F8
    Device \Driver\Ftdisk \Device\HarddiskVolume2 825DE1F8
    Device \Driver\Cdrom \Device\CdRom0 824421F8
    Device \Driver\Cdrom \Device\CdRom1 824421F8
    Device \Driver\Cdrom \Device\CdRom2 824421F8
    Device \Driver\sptd \Device\40163444 spmu.sys
    Device \Driver\NetBT \Device\NetBt_Wins_Export 8218B1F8
    Device \Driver\USBSTOR \Device\00000077 8218C1F8
    Device \Driver\USBSTOR \Device\00000078 8218C1F8
    Device \Driver\NetBT \Device\NetbiosSmb 8218B1F8
    Device \Driver\USBSTOR \Device\00000079 8218C1F8
    Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu)

    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)

    Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu)

    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\usbohci \Device\USBFDO-0 8243F1F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{EBB026C8-30C3-4D35-B5F5-5202EE3D76F7} 8218B1F8
    Device \Driver\USBSTOR \Device\0000007a 8218C1F8
    Device \Driver\usbohci \Device\USBFDO-1 8243F1F8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 821411F8
    Device \Driver\USBSTOR \Device\0000007b 8218C1F8
    Device \Driver\Tcpip \Device\IPMULTICAST OAmon.sys (TDI Helper Driver/Tall Emu)
    Device \Driver\usbohci \Device\USBFDO-2 8243F1F8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 821411F8
    Device \Driver\usbehci \Device\USBFDO-3 8241D1F8
    Device \Driver\Ftdisk \Device\FtControl 825DE1F8
    Device \Driver\a8gljhiy \Device\Scsi\a8gljhiy1 823FB1F8
    Device \Driver\a8gljhiy \Device\Scsi\a8gljhiy1Port4Path0Target0Lun0 823FB1F8
    Device \FileSystem\Fastfat \Fat 821391F8

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

    Device \FileSystem\Cdfs \Cdfs 821371F8

    ---- Services - GMER 1.0.15 ----

    Service system32\drivers\msqpdxrfdcedrm.sys (*** hidden *** ) [SYSTEM] msqpdxserv.sys <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@start 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@type 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxrfdcedrm.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@group file system
    Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules
    Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules@msqpdxserv \systemroot\system32\drivers\msqpdxrfdcedrm.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules@msqpdxl \systemroot\system32\msqpdxnirjjrlv.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -543731189
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -811299436
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xBB 0x24 0xD9 0x7E ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xAD 0xC2 0x3B 0xFA ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCA 0x27 0x82 0xB6 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@start 1
    Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@type 1
    Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxrfdcedrm.sys
    Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@group file system
    Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules
    Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules@msqpdxserv \systemroot\system32\drivers\msqpdxrfdcedrm.sys
    Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules@msqpdxl \systemroot\system32\msqpdxnirjjrlv.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xBB 0x24 0xD9 0x7E ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xAD 0xC2 0x3B 0xFA ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCA 0x27 0x82 0xB6 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys@start 1
    Reg HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys@type 1
    Reg HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxrfdcedrm.sys
    Reg HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys@group file system
    Reg HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys\modules
    Reg HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys\modules@msqpdxserv \systemroot\system32\drivers\msqpdxrfdcedrm.sys
    Reg HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys\modules@msqpdxl \systemroot\system32\msqpdxnirjjrlv.dll

    ---- EOF - GMER 1.0.15 ----


    ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Hijackthis log................................................

    Logfile of HijackThis v1.99.1
    Scan saved at 20:14:54, on 1-7-2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Tall Emu\Online Armor\OAcat.exe
    C:\Program Files\Tall Emu\Online Armor\oasrv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\emaudsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Browser PS2 mouse\mouse32a.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Tall Emu\Online Armor\oaui.exe
    C:\Program Files\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Compaq_Eigenaar\Mijn documenten\Downloads\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Yahoo! Search Marketing
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo! Search Marketing
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! Search Marketing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [FLMBROWSEMOUSE] C:\Program Files\Browser PS2 mouse\mouse32a.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
    O4 - HKCU\..\Run: [E-MU USB Audio Control Panel] "C:\Program Files\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: E-MU Audio Service (emaudsv) - E-MU Systems - C:\WINDOWS\system32\emaudsv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
    O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - Unknown owner - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe" runservice -w -N "pgsql-8.3" -D "C:\Program Files\PostgreSQL\8.3\data\ (file missing)
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
    O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

    Thank you for your time.

  2. #2
    Neal is offline Dedicated Member
    Welcome,

    Visit the page below to familiarize yourself with the tool and download it from one of the links provided.

    A guide and tutorial on using ComboFix

    If you have previously downloaded ComboFix, please delete that version now.

    It is IMPORTANT that it is saved directly to your desktop.

    Close any open browsers.

    Disconnect from the Internet.

    Please do not re-connect your machine back to the Internet until ComboFix has completely finished.

    Disable your antivirus program and any realtime malware scanners and script blockers now.

    How To Disable

    Double click on combofix.exe and follow the prompts.

    When it's finished it will produce a log.
    Post the entire contents of C:\ComboFix.txt into your next reply.

    Note:
    Do not mouseclick ComboFix's window while it's running.

    That may cause the program to freeze/hang.

    Do NOT post the ComboFix-quarantined-files.txt unless I ask.

    Re-enable your anti-virus, re-connect back to the Internet and post the ComboFix log.

    *Note*
    In case your antivirus or any other realtime scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
    Some scanners may see some ComboFix related components as suspicious and block or delete them while there's nothing wrong with them.

    ComboFix SHOULD NOT be used unless requested by a forum helper.

  3. #3
    Aeson1 is offline Newbie
    Thanks for the help, here's the log.



    ComboFix 09-07-04.05 - Compaq_Eigenaar 05-07-2009 13:16.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.511.203 [GMT 2:00]
    Gestart vanuit: c:\documents and settings\Compaq_Eigenaar\Bureaublad\ComboFix.exe
    AV: avast! antivirus 4.8.1335 [VPS 090704-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
    .

    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Voorgaande Run -------
    .
    c:\documents and settings\Compaq_Eigenaar\Application Data\inst.exe
    c:\windows\Installer\10743e5.msi
    c:\windows\Installer\10743ec.msi
    c:\windows\Installer\10743f3.msi
    c:\windows\Installer\10b680.msi
    c:\windows\Installer\12991c3.msi
    c:\windows\Installer\152a58.msi
    c:\windows\Installer\171b30.msi
    c:\windows\Installer\18db292.msi
    c:\windows\Installer\18db2aa.msp
    c:\windows\Installer\1a0278.msi
    c:\windows\Installer\1a027f.msi
    c:\windows\Installer\1a0284.msi
    c:\windows\Installer\1a028b.msi
    c:\windows\Installer\1cc380.msi
    c:\windows\Installer\1cc38a.msi
    c:\windows\Installer\1f91403.msi
    c:\windows\Installer\216701.msi
    c:\windows\Installer\22ff41.msi
    c:\windows\Installer\2392ed7.msi
    c:\windows\Installer\240f165.msp
    c:\windows\Installer\2707a69.msi
    c:\windows\Installer\2a17343.msi
    c:\windows\Installer\371157.msi
    c:\windows\Installer\3a19ba.msi
    c:\windows\Installer\45246.msi
    c:\windows\Installer\4840d90.msp
    c:\windows\Installer\492ba21.msi
    c:\windows\Installer\497ad.msi
    c:\windows\Installer\497b3.msi
    c:\windows\Installer\497b9.msi
    c:\windows\Installer\497c0.msi
    c:\windows\Installer\497c7.msi
    c:\windows\Installer\497ce.msi
    c:\windows\Installer\497d4.msi
    c:\windows\Installer\497da.msi
    c:\windows\Installer\497e0.msi
    c:\windows\Installer\497e6.msi
    c:\windows\Installer\497ec.msi
    c:\windows\Installer\497f2.msi
    c:\windows\Installer\497f9.msi
    c:\windows\Installer\4ae697.msi
    c:\windows\Installer\4fa5b.msi
    c:\windows\Installer\6a8d88f.msi
    c:\windows\Installer\6a8d896.msi
    c:\windows\Installer\6a8d8e1.msp
    c:\windows\Installer\6b767ac.msi
    c:\windows\Installer\6c4fa63.msi
    c:\windows\Installer\6c5d8.msi
    c:\windows\Installer\709f8.msi
    c:\windows\Installer\76fd3.msi
    c:\windows\Installer\76fdb.msi
    c:\windows\Installer\8665e.msi
    c:\windows\Installer\86669.msi
    c:\windows\Installer\8e4be.msi
    c:\windows\Installer\94ce33.msp
    c:\windows\Installer\96f908.msi
    c:\windows\Installer\a35bb.msp
    c:\windows\Installer\a50a7.msi
    c:\windows\Installer\a628eb.msi
    c:\windows\Installer\afa36.msi
    c:\windows\Installer\b63e60.msi
    c:\windows\Installer\b63e66.msi
    c:\windows\Installer\b63e6c.msi
    c:\windows\Installer\b63e72.msi
    c:\windows\Installer\b63e78.msi
    c:\windows\Installer\b63e7e.msi
    c:\windows\Installer\b63e84.msi
    c:\windows\Installer\b63e8b.msi
    c:\windows\Installer\b63e91.msi
    c:\windows\Installer\b63e98.msi
    c:\windows\Installer\b63e9e.msi
    c:\windows\Installer\b63ea4.msi
    c:\windows\Installer\b63eaa.msi
    c:\windows\Installer\b63eb0.msi
    c:\windows\Installer\b63eb6.msi
    c:\windows\Installer\b63ebc.msi
    c:\windows\Installer\b63ec3.msi
    c:\windows\Installer\bae9af.msi
    c:\windows\Installer\be558.msp
    c:\windows\Installer\c3179.msi
    c:\windows\Installer\c317f.msi
    c:\windows\Installer\fa088.msp

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MSQPDXSERV.SYS
    -------\Service_msqpdxserv.sys


    (((((((((((((((((((( Bestanden Gemaakt van 2009-06-05 to 2009-07-05 ))))))))))))))))))))))))))))))
    .

    2009-07-04 14:38 . 2009-07-04 14:38 -------- d--h--r- c:\documents and settings\Compaq_Eigenaar\Onlangs geopend
    2009-07-04 14:25 . 2009-07-04 14:25 -------- d-----w- c:\documents and settings\Compaq_Eigenaar\PokerOffice
    2009-07-04 14:23 . 2009-07-04 14:24 -------- d-----w- c:\program files\PokerOffice5
    2009-07-01 23:10 . 2009-06-04 08:53 31944 ----a-w- c:\documents and settings\Compaq_Eigenaar\Application Data\Mozilla\Firefox\Profiles\t07mhbly.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    2009-07-01 23:10 . 2009-06-04 08:53 22848 ----a-w- c:\documents and settings\Compaq_Eigenaar\Application Data\Mozilla\Firefox\Profiles\t07mhbly.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
    2009-07-01 23:10 . 2009-06-04 08:53 18776 ----a-w- c:\documents and settings\Compaq_Eigenaar\Application Data\Mozilla\Firefox\Profiles\t07mhbly.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
    2009-07-01 22:41 . 2009-07-01 22:41 -------- d-----w- C:\Rbackup
    2009-07-01 21:33 . 2009-07-01 21:33 -------- d-----w- c:\program files\Perfect Uninstaller
    2009-07-01 06:13 . 2009-07-01 06:13 -------- d-----w- c:\documents and settings\Compaq_Eigenaar\Application Data\Malwarebytes
    2009-07-01 06:13 . 2009-06-17 09:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-07-01 06:13 . 2009-07-01 06:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-07-01 06:13 . 2009-06-17 09:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-07-01 06:13 . 2009-07-01 06:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-06-30 22:28 . 2009-06-30 22:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
    2009-06-30 21:12 . 2009-06-30 21:13 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-06-30 21:12 . 2009-06-30 21:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2009-06-30 21:12 . 2009-06-30 21:12 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2009-06-30 21:05 . 2009-07-01 22:26 117760 ----a-w- c:\documents and settings\Compaq_Eigenaar\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-06-30 21:04 . 2009-06-30 21:04 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-06-30 21:00 . 2009-06-30 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-06-30 20:59 . 2009-06-30 21:04 -------- d-----w- c:\documents and settings\Compaq_Eigenaar\Application Data\SUPERAntiSpyware.com
    2009-06-30 16:48 . 2009-07-01 22:19 -------- d-----w- c:\program files\CCleaner
    2009-06-30 09:15 . 2009-06-30 09:15 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
    2009-06-30 09:15 . 2009-06-30 09:15 -------- d-----w- c:\documents and settings\Compaq_Eigenaar\Application Data\OnlineArmor
    2009-06-30 09:14 . 2009-04-28 03:02 31824 ----a-w- c:\windows\system32\drivers\OAmon.sys
    2009-06-30 09:14 . 2009-04-28 03:01 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys
    2009-06-30 09:14 . 2009-04-28 03:01 198224 ----a-w- c:\windows\system32\drivers\OADriver.sys
    2009-06-30 09:14 . 2009-06-30 09:14 -------- d-----w- c:\program files\Tall Emu
    2009-06-30 08:33 . 2009-06-30 08:33 -------- d-----w- c:\program files\Sophos
    2009-06-30 08:28 . 2009-06-30 08:28 -------- d-sh--w- c:\documents and settings\Compaq_Eigenaar\IECompatCache
    2009-06-30 00:17 . 2008-06-19 15:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2009-06-29 18:46 . 2009-06-29 18:46 -------- d-----w- c:\program files\Windows Defender
    2009-06-28 11:35 . 2009-04-30 21:18 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2009-06-28 11:35 . 2009-04-30 21:17 1985024 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2009-06-28 11:35 . 2009-04-30 21:17 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2009-06-28 11:35 . 2009-04-30 21:17 11064832 -c----w- c:\windows\system32\dllcache\ieframe.dll
    2009-06-25 21:26 . 2009-06-25 21:26 11904 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2009-06-25 21:26 . 2009-06-25 21:26 -------- d-----w- c:\program files\Hitman Pro 3.5
    2009-06-25 21:25 . 2009-06-25 21:26 6330616 ----a-w- c:\documents and settings\All Users\Application Data\Hitman Pro 3\HitmanPro35.exe
    2009-06-25 20:21 . 2009-06-25 20:21 -------- d-----w- c:\program files\ASIO4ALL v2
    2009-06-24 13:42 . 2009-06-24 13:42 -------- d-----w- c:\documents and settings\Compaq_Eigenaar\.smplayer
    2009-06-24 13:41 . 2009-06-24 13:41 -------- d-----w- c:\program files\SMPlayer
    2009-06-08 19:43 . 2009-06-08 19:43 -------- d-----w- c:\program files\PokerOffice

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-05 11:03 . 2008-12-09 01:50 -------- d-----w- c:\documents and settings\Compaq_Eigenaar\Application Data\Free Download Manager
    2009-07-05 10:58 . 2008-08-09 11:06 -------- d-----w- c:\documents and settings\Compaq_Eigenaar\Application Data\uTorrent
    2009-07-05 10:02 . 2008-12-14 05:56 -------- d-----w- c:\program files\Registry Easy
    2009-07-03 15:45 . 2009-03-26 02:50 -------- d-----w- c:\documents and settings\Compaq_Eigenaar\Application Data\Vso
    2009-07-01 23:18 . 2008-10-12 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2009-07-01 20:42 . 2008-10-09 17:30 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2009-06-30 21:04 . 2008-12-15 13:19 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-06-30 17:07 . 2008-08-05 19:42 16688 ----a-w- c:\documents and settings\Compaq_Eigenaar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-06-30 16:45 . 2008-08-23 10:51 -------- d-----w- c:\program files\TweakNow RegCleaner Std
    2009-06-30 09:14 . 2005-01-01 23:01 97740 ----a-w- c:\windows\system32\perfc013.dat
    2009-06-30 09:14 . 2005-01-01 23:01 523144 ----a-w- c:\windows\system32\perfh013.dat
    2009-06-29 18:38 . 2008-08-29 09:09 -------- d-----w- c:\program files\Lavasoft
    2009-06-27 00:46 . 2008-08-29 09:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-06-25 21:50 . 2008-11-25 03:54 -------- d-----w- c:\program files\PartyGaming
    2009-06-25 21:26 . 2008-12-02 05:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2009-06-25 21:26 . 2008-12-03 16:44 -------- d-----w- c:\program files\Hitman Pro 3
    2009-06-25 21:26 . 2008-12-02 05:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro 3
    2009-06-25 19:38 . 2008-08-05 16:43 -------- d-----w- c:\program files\Creative Professional
    2009-06-24 17:20 . 2009-03-25 16:44 -------- d-----w- c:\program files\Jubler
    2009-06-16 12:59 . 2008-08-05 19:58 -------- d-----w- c:\documents and settings\Compaq_Eigenaar\Application Data\Propellerhead Software
    2009-06-16 12:52 . 2008-08-05 19:57 -------- d-----w- c:\program files\Propellerhead
    2009-06-09 13:03 . 2009-04-03 12:27 -------- d-----w- c:\documents and settings\Compaq_Eigenaar\Application Data\dvdcss
    2009-06-03 19:49 . 2009-01-20 00:27 -------- d-----w- c:\program files\Xvid
    2009-06-03 15:03 . 2009-02-25 15:50 -------- d-----w- c:\program files\QuickTime
    2009-06-03 15:02 . 2005-01-01 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2009-05-26 21:30 . 2009-04-06 00:25 -------- d-----w- c:\program files\Full Tilt Poker
    2009-05-26 16:05 . 2009-05-26 16:05 4720 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2009-05-18 19:05 . 2009-04-11 12:52 -------- d-----w- c:\program files\Omaha Indicator
    2009-05-13 05:06 . 2008-08-05 06:26 915456 ----a-w- c:\windows\system32\wininet.dll
    2009-05-07 15:34 . 2008-08-05 06:24 347136 ----a-w- c:\windows\system32\localspl.dll
    2009-04-22 12:20 . 2009-04-04 02:10 784 ----a-w- c:\documents and settings\Compaq_Eigenaar\Application Data\mpauth.dat
    2009-04-19 19:51 . 2008-08-05 06:26 1847296 ----a-w- c:\windows\system32\win32k.sys
    2009-04-15 14:55 . 2008-08-05 06:25 585216 ----a-w- c:\windows\system32\rpcrt4.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "E-MU USB Audio Control Panel"="c:\program files\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe" [2007-11-26 274432]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "POEngine5"="c:\program files\PokerOffice5\POEngine.exe" [2008-09-03 475136]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
    "FLMBROWSEMOUSE"="c:\program files\Browser PS2 mouse\mouse32a.exe" [2009-01-15 360448]
    "@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-04-28 2052296]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2004-09-24 49152]
    "AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    "NoThumbnailCache"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-04-28 335048]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPlayerForWindows_UpdateReminder

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe"=
    "c:\\Program Files\\Propellerhead\\ReCycle\\ReCycle.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [30-6-2009 2:17 28544]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12-12-2008 15:40 114768]
    R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [30-6-2009 11:14 198224]
    R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [30-6-2009 11:14 31824]
    R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [30-6-2009 11:14 29776]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23-6-2009 11:01 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23-6-2009 11:01 72944]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12-12-2008 15:40 20560]
    R2 emaudsv;E-MU Audio Service;c:\windows\system32\emaudsv.exe [20-11-2006 11:29 20992]
    R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [30-6-2009 11:14 361672]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3-11-2006 19:19 13592]
    R3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\drivers\emusba10.sys [26-11-2007 16:14 163352]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
    S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [19-9-2008 4:03 65536]
    S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [30-6-2009 11:14 3264200]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [10-12-2008 6:46 66048]
    S3 hitmanpro3;Hitman Pro 3 Support Driver;\??\c:\windows\system32\drivers\hitmanpro3.sys --> c:\windows\system32\drivers\hitmanpro3.sys [?]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1B3.tmp --> c:\windows\system32\1B3.tmp [?]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23-6-2009 11:01 7408]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Inhoud van de 'Gedeelde Taken' map

    2009-07-05 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

    2009-07-05 c:\windows\Tasks\Schedule Task Weekly.job
    - c:\program files\Registry Easy\RE.exe [2008-12-14 15:30]
    .
    - - - - ORPHANS VERWIJDERD - - - -

    HKLM-Run-POEngine - (no file)
    Notify-!SASWinLogon - (no file)


    .
    ------- Bijkomende Scan -------
    .
    uStart Page = hxxp://www.google.nl/
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q105&bd=presario&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q105&bd=presario&pf=desktop
    IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
    IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
    IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2009-07-05 13:21
    Windows 5.1.2600 Service Pack 3 NTFS

    scannen van verborgen processen ...

    scannen van verborgen autostart items ...

    scannen van verborgen bestanden ...

    Scan succesvol afgerond
    verborgen bestanden: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\1B3.tmp"
    .
    --------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
    "5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
    .
    --------------------- DLLs Geladen Onder Lopende Processen ---------------------

    - - - - - - - > 'winlogon.exe'(476)
    c:\windows\system32\Ati2evxx.dll
    .
    Voltooingstijd: 2009-07-05 13:23
    ComboFix-quarantined-files.txt 2009-07-05 11:22

    Pre-Run: 51.348.672.512 bytes beschikbaar
    Post-Run: 51.329.200.128 bytes beschikbaar

    287 --- E O F --- 2009-07-02 23:07

  4. #4
    Neal is offline Dedicated Member
    Thanks for that.

    What is happening now?
