
laptop slow - rootkit possible

I'm looking at another friend's PC - Dell Vostro 1510, Vista 32-bit.

I have removed BearShare and run Malwarebytes, SUPERAntiSpyware and MSE - full scan today.

Now posting the required logs, which said possible rootkit.

Also, programs like Windows Photo Viewer all bring a message: program stopped.

If you could have a look please - thanks.

HJT LOG

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:20:27, on 01/08/2013
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18639)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Users\Amalee\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/USSMB/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/USSMB/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.myheritage.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: MHURLSearchHook Class - {1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48} - C:\Program Files\Family Toolbar\tbhelper.dll
O1 - Hosts: ::1 localhost
O2 - BHO: MHTBPos00 - {0C37B053-FD68-456a-82E1-D788EE342E6F} - C:\Program Files\Family Toolbar\tbcore3.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll
O2 - BHO: MyHeritage New Tab - {D62EC836-BF1E-4CAC-81BE-FB9179835D8E} - C:\Program Files\Family Toolbar\mhxpcomi.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB7.1; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; MDDS; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" -"http://www.isketch.net/isketch.shtml"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/be...loader_v10.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} - C:\Program Files\Family Toolbar\mhxpcomi.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service: O2FLASH - O2Micro International - C:\Windows\system32\DRIVERS\o2flash.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 8150 bytes


DDS LOG

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 7.0.6001.18639 BrowserJavaVersion: 10.25.2
Run by Amalee at 20:33:51 on 2013-08-01
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3062.1912 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Windows\system32\DRIVERS\o2flash.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uWindow Title = Internet Explorer provided by Dell
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://search.myheritage.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: MHURLSearchHook Class: {1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48} - c:\program files\family toolbar\tbhelper.dll
dURLSearchHooks: MHURLSearchHook Class: {1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48} - c:\program files\family toolbar\tbhelper.dll
BHO: MHTBPos00 Class: {0C37B053-FD68-456a-82E1-D788EE342E6F} - c:\program files\family toolbar\tbcore3.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: CMySite Class: {D62EC836-BF1E-4CAC-81BE-FB9179835D8E} - c:\program files\family toolbar\mhxpcomi.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB7.1; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; MDDS; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" -"http://www.isketch.net/isketch.shtml"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{6BBAADA6-87D7-4A48-ACB1-1667D830F521} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{EE99AF54-FB7D-497C-8B11-9F2303C69E6D} : DHCPNameServer = 192.168.1.1
Handler: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} - c:\program files\family toolbar\mhxpcomi.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\28.0.1500.95\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-6-18 211560]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2009-4-8 77824]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-6-18 107392]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-7-18 295376]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2009-4-8 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2009-4-8 43608]
R3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [2009-4-8 7424]
R3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [2009-4-8 235840]
S1 MpKsl40359968;MpKsl40359968;c:\programdata\microsoft\microsoft antimalware\definition updates\{bf0c841a-e92c-4a4b-97c0-67b50fac87ba}\MpKsl40359968.sys [2013-8-1 29904]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
.
=============== Created Last 30 ================
.
2013-08-01 13:25:08 698504 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{1e5ad1ce-3bce-4703-a836-2ae47be0315c}\gapaengine.dll
2013-08-01 13:24:56 7143960 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{bf0c841a-e92c-4a4b-97c0-67b50fac87ba}\mpengine.dll
2013-08-01 13:22:55 -------- d-----w- c:\windows\ERUNT
2013-08-01 13:09:41 -------- d-----w- c:\windows\pss
2013-08-01 13:01:03 -------- d-----w- c:\program files\Microsoft Security Client
2013-08-01 10:52:38 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-08-01 10:52:37 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-08-01 10:52:28 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-08-01 10:50:23 7143960 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{b8b30351-5c97-4afa-8ff0-0abc2e375fc8}\mpengine.dll
.
==================== Find3M ====================
.
2013-06-18 20:50:08 211560 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-06-18 20:50:08 107392 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
.
============= FINISH: 20:34:20.23 ===============

ATTACH LOG

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 07/04/2009 21:09:29
System Uptime: 01/08/2013 20:29:23 (0 hours ago)
.
Motherboard: Dell Inc. | | 0R780K
Processor: Intel(R) Core(TM)2 Duo CPU T5670 @ 1.80GHz | U2E1 | 1801/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 223 GiB total, 138.774 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 4.257 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
3ivx MPEG-4 5.0.3 (remove only)
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9
Adobe Shockwave Player 11.5
Advanced Audio FX Engine
Advanced Video FX Engine
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Big Fish Games: Game Manager
Bonjour
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Compatibility Pack for the 2007 Office system
Dell Edoc Viewer
Dell Getting Started Guide
Dell Support Center (Support Software)
Dell Touchpad
Dell Webcam Center
Dell Webcam Manager
Dell Wireless WLAN Card Utility
Family Toolbar
FlipShare
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
Java 7 Update 25
Junk Mail filter update
Laptop Integrated Webcam Driver (1.01.01.0529)
Live! Cam Avatar Creator
Live! Cam Avatar v1.0
Macromedia Fireworks MX 2004
Macromedia FreeHand MXa
Malwarebytes Anti-Malware version 1.75.0.1300
MediaBar
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
MSVCRT
Norton Internet Security
Picasa 3
QuickSet
QuickTime
Realtek High Definition Audio Driver
Roxio Activation Module
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Sonic CinePlayer Decoder Pack
Spotify
SUPERAntiSpyware Free Edition
Tales of Lagoona: Orphans of the Ocean
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VoiceOver Kit
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
.
==== End Of File ===========================

ARK LOG REPORTED ROOTKIT - SO CHANGED SETTINGS AS INSTRUCTED
Reported rootkit found at end of scan.


GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-08-01 23:09:01
Windows 6.0.6001 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.FBEO 232.89GB
Running: xpe82k4j.exe; Driver: C:\Users\Amalee\AppData\Local\Temp\kwdirkob.sys


---- Kernel code sections - GMER 2.1 ----

? C:\Users\Amalee\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtCreateFile + 6 77DF7C7E 4 Bytes [28, 4C, 33, 00] {SUB [EBX+ESI+0x0], CL}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtCreateFile + B 77DF7C83 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtMapViewOfSection + 6 77DF83CE 4 Bytes [28, 4F, 33, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtMapViewOfSection + B 77DF83D3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtOpenFile + 6 77DF845E 4 Bytes [68, 4C, 33, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtOpenFile + B 77DF8463 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtOpenProcess + 6 77DF84DE 4 Bytes [A8, 4D, 33, 00] {TEST AL, 0x4d; XOR EAX, [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtOpenProcess + B 77DF84E3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtOpenProcessToken + B 77DF84F3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtOpenProcessTokenEx + 6 77DF84FE 4 Bytes [A8, 4E, 33, 00] {TEST AL, 0x4e; XOR EAX, [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtOpenProcessTokenEx + B 77DF8503 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtOpenThread + 6 77DF854E 4 Bytes [68, 4D, 33, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtOpenThread + B 77DF8553 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtOpenThreadToken + 6 77DF855E 4 Bytes [68, 4E, 33, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtOpenThreadToken + B 77DF8563 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtOpenThreadTokenEx + B 77DF8573 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtQueryAttributesFile + 6 77DF85FE 4 Bytes [A8, 4C, 33, 00] {TEST AL, 0x4c; XOR EAX, [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtQueryAttributesFile + B 77DF8603 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtQueryFullAttributesFile + B 77DF86B3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtSetInformationFile + 6 77DF8B8E 4 Bytes [28, 4D, 33, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtSetInformationFile + B 77DF8B93 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtSetInformationThread + 6 77DF8BDE 4 Bytes [28, 4E, 33, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtSetInformationThread + B 77DF8BE3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtUnmapViewOfSection + 6 77DF8E7E 4 Bytes [68, 4F, 33, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3988] ntdll.dll!NtUnmapViewOfSection + B 77DF8E83 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtCreateFile + 6 77DF7C7E 4 Bytes [28, 60, 5F, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtCreateFile + B 77DF7C83 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtMapViewOfSection + 6 77DF83CE 4 Bytes [28, 63, 5F, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtMapViewOfSection + B 77DF83D3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtOpenFile + 6 77DF845E 4 Bytes [68, 60, 5F, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtOpenFile + B 77DF8463 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtOpenProcess + 6 77DF84DE 4 Bytes [A8, 61, 5F, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtOpenProcess + B 77DF84E3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtOpenProcessToken + B 77DF84F3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtOpenProcessTokenEx + 6 77DF84FE 4 Bytes [A8, 62, 5F, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtOpenProcessTokenEx + B 77DF8503 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtOpenThread + 6 77DF854E 4 Bytes [68, 61, 5F, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtOpenThread + B 77DF8553 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtOpenThreadToken + 6 77DF855E 4 Bytes [68, 62, 5F, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtOpenThreadToken + B 77DF8563 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtOpenThreadTokenEx + B 77DF8573 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtQueryAttributesFile + 6 77DF85FE 4 Bytes [A8, 60, 5F, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtQueryAttributesFile + B 77DF8603 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtQueryFullAttributesFile + B 77DF86B3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtSetInformationFile + 6 77DF8B8E 4 Bytes [28, 61, 5F, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtSetInformationFile + B 77DF8B93 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtSetInformationThread + 6 77DF8BDE 4 Bytes [28, 62, 5F, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtSetInformationThread + B 77DF8BE3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtUnmapViewOfSection + 6 77DF8E7E 4 Bytes [68, 63, 5F, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4908] ntdll.dll!NtUnmapViewOfSection + B 77DF8E83 1 Byte [E2]

---- Devices - GMER 2.1 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys

---- Processes - GMER 2.1 ----

Process (*** hidden *** ) [4] 84F34C10

---- Files - GMER 2.1 ----

File C:\Windows\Temp\xpe9E55.tmp (size mismatch) 377856/0 bytes executable

---- EOF - GMER 2.1 ----
