Topic: Friend's PC can't run any installers
Jintan (Administrator)
« Reply #30 on: November 23, 2009, 05:36:03 PM »

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB053D0B0]

That does suggest SUPERAntiSpyware ends processes, but I'm not really sure whether the SUPERAdBlocker reference means just Internet processes.

But the earlier Gmer log shows activities like these:

.text C:\Program Files\Internet Explorer\iexplore.exe[3316] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA0
.text C:\Program Files\Internet Explorer\iexplore.exe[3316] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003214
.text C:\Program Files\Internet Explorer\iexplore.exe[3316] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E4
.text C:\Program Files\Internet Explorer\iexplore.exe[3316] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002778
.text C:\Program Files\Internet Explorer\iexplore.exe[3316] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A4C

This strongly indicates something loading into Winsock there to communicate, and by appearance it looks like Rustock or the newer TDSS-type rootkit activity.

Gmer has been updated, so a good idea would be to check with that again.

Go to Start - Run, type the following then press OK:

C:\WINDOWS\gmer_uninstall.cmd

--------------

Reboot, then click here and download the installer for Gmer to your desktop, then click that file to run Gmer.

Once it completes its opening scan, click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it, right-click again and choose Paste. Copy the information and post it here please.
ChrisN
« Reply #31 on: November 24, 2009, 10:04:10 AM »

I turned off the software you mentioned, rebooted & no improvement. There's an HP recovery partition. Should I? I thought malware usually messed that up. Else it seems we'll have to back up the data & reinstall Windows :(
ChrisN
« Reply #32 on: November 24, 2009, 10:25:00 AM »

I'll try restoring to a prior point; the furthest I can go back is Sept 1st.
ChrisN
« Reply #33 on: November 24, 2009, 11:53:00 AM »

Restore failed :(
Jintan (Administrator)
« Reply #34 on: November 24, 2009, 02:09:52 PM »

Those Winsock API calls from the earlier scans match malware net activities, and a type that is very often very well hidden from normal scans and views. That, and software like HijackThis and Malwarebytes having problems, suggests a malware source for the problems. Malware also makes changes to interfere with successful System Restores, for obvious reasons. Gmer has been updated, and such updates include checks based on the latest malware methods, so why not run and post that Gmer scan and let's check.
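As an added triage example (not from the thread, and not part of GMER), the Python below parses GMER "User code sections" lines of the kind quoted in Reply #30 and discussed in Reply #34, and separates hooks that GMER attributes to a named module (IEFRAME.dll, or a process hooking its own image) from hooks whose jump target no loaded module owns; an unattributed target that recurs at the same address across unrelated system processes is the pattern Jintan is pointing at. The sample lines are copied from the logs in this thread with their column padding collapsed; the 64 KiB-window grouping and the three-process threshold are assumptions of this script, not GMER features.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the GMER logs quoted in this thread,
# with the column padding collapsed to single spaces.
SAMPLE_LOG = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[3316] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA0
.text C:\Program Files\Internet Explorer\iexplore.exe[3316] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003214
.text C:\Program Files\Internet Explorer\iexplore.exe[3316] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E4
.text C:\Program Files\Internet Explorer\iexplore.exe[3316] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002778
.text C:\Program Files\Internet Explorer\iexplore.exe[3316] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A4C
.text C:\WINDOWS\system32\winlogon.exe[708] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D7C
.text C:\WINDOWS\system32\winlogon.exe[708] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BEC
.text C:\WINDOWS\system32\winlogon.exe[708] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA0
.text C:\WINDOWS\system32\lsass.exe[772] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA0
.text C:\WINDOWS\system32\services.exe[760] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA0
.text C:\WINDOWS\SMINST\Scheduler.exe[284] USER32.dll!GetSysColor 7E418E78 5 Bytes JMP 004170D0 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\Program Files\internet explorer\iexplore.exe[612] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 01694315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\SentrilockCardUtility\SentriLockCardUtility.exe[624] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0044FCA9 C:\Program Files\SentrilockCardUtility\SentriLockCardUtility.exe (Sentrilock Card Utility/SentriLock LLC)
.text C:\WINDOWS\system32\SearchIndexer.exe[1360] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
"""

# Shape of one GMER "User code sections" line (whitespace collapsed):
#   .text <image>[<pid>] <module>!<export> <addr> <n> Bytes <JMP|CALL> <target> [<owner path> (<desc>)]
# The owner path is present only when GMER could map the target to a loaded module.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<export>\S+(?: \+ [0-9A-F]+)?)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<owner>[A-Z]:\\[^()]*?\.(?:dll|exe)))?",
    re.IGNORECASE,
)


def parse_hooks(text):
    """Parse GMER user-mode hook lines into dicts; lines that do not match are skipped."""
    hooks = []
    for raw in text.splitlines():
        m = HOOK_RE.match(raw.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["nbytes"] = int(h["nbytes"])
        h["target_int"] = int(h["target"], 16)
        h["proc_name"] = h["proc"].rsplit("\\", 1)[-1].lower()
        hooks.append(h)
    return hooks


def classify(hook):
    """'self': the hook lands in the hooked process's own image (common for packed/instrumented apps).
    'module': GMER mapped the target to some other named module (e.g. IEFRAME.dll).
    'unattributed': no loaded module owns the target address."""
    if hook["owner"] is None:
        return "unattributed"
    if hook["owner"].lower() == hook["proc"].lower():
        return "self"
    return "module"


def triage(hooks, min_procs=3):
    """Group unattributed hooks by (module!export, target) and report those present in
    at least min_procs distinct process images (assumed threshold). The 64 KiB window
    of the target is included because one injected DLL's hooks share one window."""
    by_hook = defaultdict(set)
    for h in hooks:
        if classify(h) == "unattributed":
            by_hook[(h["module"].lower() + "!" + h["export"], h["target"].upper())].add(h["proc_name"])
    findings = []
    for (api, target), procs in sorted(by_hook.items()):
        if len(procs) >= min_procs:
            findings.append({"api": api, "target": target,
                             "window": int(target, 16) & ~0xFFFF,
                             "procs": sorted(procs)})
    return findings


def injected_windows(hooks):
    """Distinct 64 KiB windows that unattributed hook targets fall into; a single window
    shared by every process is what one injected image looks like."""
    return sorted({h["target_int"] & ~0xFFFF for h in hooks if classify(h) == "unattributed"})


if __name__ == "__main__":
    parsed = parse_hooks(SAMPLE_LOG)
    for f in triage(parsed):
        print(f"{f['api']} -> {f['target']} hooked in {len(f['procs'])} images: {', '.join(f['procs'])}")
    print("unattributed targets fall in window(s):", [hex(w) for w in injected_windows(parsed)])
```

Run against a full GMER log, the script lists every API whose hook target recurs unattributed across unrelated processes, which in this thread is all of ntdll!NtOpenKey, kernel32!CreateProcessW/ExitProcess and the five ws2_32 exports, all within the 0x10000000 window.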
ChrisN
« Reply #35 on: November 24, 2009, 07:00:13 PM »

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-24 18:58:45
Windows 5.1.2600 Service Pack 3
Running: c0k4b8eg.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pwtiyfog.sys


---- User code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\System32\svchost.exe[196] ntdll.dll!NtOpenKey                                                                      7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\WINDOWS\System32\svchost.exe[196] kernel32.dll!CreateProcessW                                                              7C802336 5 Bytes  JMP 10003BEC
.text  C:\WINDOWS\System32\svchost.exe[196] kernel32.dll!ExitProcess                                                                 7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\WINDOWS\System32\svchost.exe[196] ws2_32.dll!connect                                                                       71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\WINDOWS\System32\svchost.exe[196] ws2_32.dll!send                                                                          71AB4C27 5 Bytes  JMP 10003214
.text  C:\WINDOWS\System32\svchost.exe[196] ws2_32.dll!WSARecv                                                                       71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\WINDOWS\System32\svchost.exe[196] ws2_32.dll!recv                                                                          71AB676F 5 Bytes  JMP 10002778
.text  C:\WINDOWS\System32\svchost.exe[196] ws2_32.dll!WSASend                                                                       71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\WINDOWS\SMINST\Scheduler.exe[284] USER32.dll!GetSysColor                                                                   7E418E78 5 Bytes  JMP 004170D0 C:\WINDOWS\SMINST\Scheduler.exe
.text  C:\WINDOWS\SMINST\Scheduler.exe[284] USER32.dll!GetSysColorBrush                                                              7E418EAB 5 Bytes  JMP 00417140 C:\WINDOWS\SMINST\Scheduler.exe
.text  C:\WINDOWS\SMINST\Scheduler.exe[284] USER32.dll!SetScrollInfo                                                                 7E419056 7 Bytes  JMP 00416FC0 C:\WINDOWS\SMINST\Scheduler.exe
.text  C:\WINDOWS\SMINST\Scheduler.exe[284] USER32.dll!GetScrollInfo                                                                 7E42DFE2 7 Bytes  JMP 00416F10 C:\WINDOWS\SMINST\Scheduler.exe
.text  C:\WINDOWS\SMINST\Scheduler.exe[284] USER32.dll!ShowScrollBar                                                                 7E42F2F2 5 Bytes  JMP 00417090 C:\WINDOWS\SMINST\Scheduler.exe
.text  C:\WINDOWS\SMINST\Scheduler.exe[284] USER32.dll!GetScrollPos                                                                  7E42F704 5 Bytes  JMP 00416F50 C:\WINDOWS\SMINST\Scheduler.exe
.text  C:\WINDOWS\SMINST\Scheduler.exe[284] USER32.dll!SetScrollPos                                                                  7E42F750 5 Bytes  JMP 00417000 C:\WINDOWS\SMINST\Scheduler.exe
.text  C:\WINDOWS\SMINST\Scheduler.exe[284] USER32.dll!GetScrollRange                                                                7E42F787 5 Bytes  JMP 00416F80 C:\WINDOWS\SMINST\Scheduler.exe
.text  C:\WINDOWS\SMINST\Scheduler.exe[284] USER32.dll!SetScrollRange                                                                7E42F99B 5 Bytes  JMP 00417040 C:\WINDOWS\SMINST\Scheduler.exe
.text  C:\WINDOWS\SMINST\Scheduler.exe[284] USER32.dll!EnableScrollBar                                                               7E468005 7 Bytes  JMP 00416ED0 C:\WINDOWS\SMINST\Scheduler.exe
.text  C:\Documents and Settings\Administrator\temp\TeamViewer\Version4\TeamViewer.exe[348] ntdll.dll!NtOpenKey                      7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\Documents and Settings\Administrator\temp\TeamViewer\Version4\TeamViewer.exe[348] kernel32.dll!CreateProcessW              7C802336 5 Bytes  JMP 10003BEC
.text  C:\Documents and Settings\Administrator\temp\TeamViewer\Version4\TeamViewer.exe[348] kernel32.dll!ExitProcess                 7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\Documents and Settings\Administrator\temp\TeamViewer\Version4\TeamViewer.exe[348] WS2_32.dll!connect                       71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\Documents and Settings\Administrator\temp\TeamViewer\Version4\TeamViewer.exe[348] WS2_32.dll!send                          71AB4C27 5 Bytes  JMP 10003214
.text  C:\Documents and Settings\Administrator\temp\TeamViewer\Version4\TeamViewer.exe[348] WS2_32.dll!WSARecv                       71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\Documents and Settings\Administrator\temp\TeamViewer\Version4\TeamViewer.exe[348] WS2_32.dll!recv                          71AB676F 5 Bytes  JMP 10002778
.text  C:\Documents and Settings\Administrator\temp\TeamViewer\Version4\TeamViewer.exe[348] WS2_32.dll!WSASend                       71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\WINDOWS\System32\svchost.exe[456] ntdll.dll!NtOpenKey                                                                      7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!CreateProcessW                                                              7C802336 5 Bytes  JMP 10003BEC
.text  C:\WINDOWS\System32\svchost.exe[456] kernel32.dll!ExitProcess                                                                 7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\WINDOWS\System32\svchost.exe[456] ws2_32.dll!connect                                                                       71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\WINDOWS\System32\svchost.exe[456] ws2_32.dll!send                                                                          71AB4C27 5 Bytes  JMP 10003214
.text  C:\WINDOWS\System32\svchost.exe[456] ws2_32.dll!WSARecv                                                                       71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\WINDOWS\System32\svchost.exe[456] ws2_32.dll!recv                                                                          71AB676F 5 Bytes  JMP 10002778
.text  C:\WINDOWS\System32\svchost.exe[456] ws2_32.dll!WSASend                                                                       71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\Program Files\CyberPower PowerPanel Persoanl Edition\ppped.exe[476] ntdll.dll!NtOpenKey                                    7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\Program Files\CyberPower PowerPanel Persoanl Edition\ppped.exe[476] kernel32.dll!CreateProcessW                            7C802336 5 Bytes  JMP 10003BEC
.text  C:\Program Files\CyberPower PowerPanel Persoanl Edition\ppped.exe[476] kernel32.dll!ExitProcess                               7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\Program Files\CyberPower PowerPanel Persoanl Edition\ppped.exe[476] ws2_32.dll!connect                                     71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\Program Files\CyberPower PowerPanel Persoanl Edition\ppped.exe[476] ws2_32.dll!send                                        71AB4C27 5 Bytes  JMP 10003214
.text  C:\Program Files\CyberPower PowerPanel Persoanl Edition\ppped.exe[476] ws2_32.dll!WSARecv                                     71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\Program Files\CyberPower PowerPanel Persoanl Edition\ppped.exe[476] ws2_32.dll!recv                                        71AB676F 5 Bytes  JMP 10002778
.text  C:\Program Files\CyberPower PowerPanel Persoanl Edition\ppped.exe[476] ws2_32.dll!WSASend                                     71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\Program Files\internet explorer\iexplore.exe[612] ntdll.dll!NtOpenKey                                                      7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\Program Files\internet explorer\iexplore.exe[612] kernel32.dll!CreateProcessW                                              7C802336 5 Bytes  JMP 10003BEC
.text  C:\Program Files\internet explorer\iexplore.exe[612] kernel32.dll!ExitProcess                                                 7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\Program Files\internet explorer\iexplore.exe[612] USER32.dll!DialogBoxParamW                                               7E4247AB 5 Bytes  JMP 01694315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\internet explorer\iexplore.exe[612] USER32.dll!CreateWindowExW                                               7E42D0A3 5 Bytes  JMP 017667BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\internet explorer\iexplore.exe[612] USER32.dll!DialogBoxIndirectParamW                                       7E432072 5 Bytes  JMP 0188637B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\internet explorer\iexplore.exe[612] USER32.dll!MessageBoxIndirectA                                           7E43A082 5 Bytes  JMP 018862AD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\internet explorer\iexplore.exe[612] USER32.dll!DialogBoxParamA                                               7E43B144 5 Bytes  JMP 01886318 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\internet explorer\iexplore.exe[612] USER32.dll!MessageBoxExW                                                 7E450838 5 Bytes  JMP 0188617E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\internet explorer\iexplore.exe[612] USER32.dll!MessageBoxExA                                                 7E45085C 5 Bytes  JMP 018861E0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\internet explorer\iexplore.exe[612] USER32.dll!DialogBoxIndirectParamA                                       7E456D7D 5 Bytes  JMP 018863DE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\internet explorer\iexplore.exe[612] USER32.dll!MessageBoxIndirectW                                           7E4664D5 5 Bytes  JMP 01886242 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\internet explorer\iexplore.exe[612] ws2_32.dll!connect                                                       71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\Program Files\internet explorer\iexplore.exe[612] ws2_32.dll!send                                                          71AB4C27 5 Bytes  JMP 10003214
.text  C:\Program Files\internet explorer\iexplore.exe[612] ws2_32.dll!WSARecv                                                       71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\Program Files\internet explorer\iexplore.exe[612] ws2_32.dll!recv                                                          71AB676F 5 Bytes  JMP 10002778
.text  C:\Program Files\internet explorer\iexplore.exe[612] ws2_32.dll!WSASend                                                       71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\Program Files\SentrilockCardUtility\SentriLockCardUtility.exe[624] ntdll.dll!NtOpenKey                                     7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\Program Files\SentrilockCardUtility\SentriLockCardUtility.exe[624] kernel32.dll!CreateProcessW                             7C802336 5 Bytes  JMP 10003BEC
.text  C:\Program Files\SentrilockCardUtility\SentriLockCardUtility.exe[624] kernel32.dll!CreateThread + 1A                          7C8106F1 4 Bytes  CALL 0044FCA9 C:\Program Files\SentrilockCardUtility\SentriLockCardUtility.exe (Sentrilock Card Utility/SentriLock LLC)
.text  C:\Program Files\SentrilockCardUtility\SentriLockCardUtility.exe[624] kernel32.dll!ExitProcess                                7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\Program Files\SentrilockCardUtility\SentriLockCardUtility.exe[624] WS2_32.dll!connect                                      71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\Program Files\SentrilockCardUtility\SentriLockCardUtility.exe[624] WS2_32.dll!send                                         71AB4C27 5 Bytes  JMP 10003214
.text  C:\Program Files\SentrilockCardUtility\SentriLockCardUtility.exe[624] WS2_32.dll!WSARecv                                      71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\Program Files\SentrilockCardUtility\SentriLockCardUtility.exe[624] WS2_32.dll!recv                                         71AB676F 5 Bytes  JMP 10002778
.text  C:\Program Files\SentrilockCardUtility\SentriLockCardUtility.exe[624] WS2_32.dll!WSASend                                      71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\WINDOWS\system32\winlogon.exe[708] ntdll.dll!NtOpenKey                                                                     7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\WINDOWS\system32\winlogon.exe[708] kernel32.dll!CreateProcessW                                                             7C802336 5 Bytes  JMP 10003BEC
.text  C:\WINDOWS\system32\winlogon.exe[708] kernel32.dll!ExitProcess                                                                7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\WINDOWS\system32\winlogon.exe[708] WS2_32.dll!connect                                                                      71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\WINDOWS\system32\winlogon.exe[708] WS2_32.dll!send                                                                         71AB4C27 5 Bytes  JMP 10003214
.text  C:\WINDOWS\system32\winlogon.exe[708] WS2_32.dll!WSARecv                                                                      71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\WINDOWS\system32\winlogon.exe[708] WS2_32.dll!recv                                                                         71AB676F 5 Bytes  JMP 10002778
.text  C:\WINDOWS\system32\winlogon.exe[708] WS2_32.dll!WSASend                                                                      71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\WINDOWS\system32\services.exe[760] ntdll.dll!NtOpenKey                                                                     7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\WINDOWS\system32\services.exe[760] kernel32.dll!CreateProcessW                                                             7C802336 5 Bytes  JMP 10003BEC
.text  C:\WINDOWS\system32\services.exe[760] kernel32.dll!ExitProcess                                                                7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\WINDOWS\system32\services.exe[760] ws2_32.dll!connect                                                                      71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\WINDOWS\system32\services.exe[760] ws2_32.dll!send                                                                         71AB4C27 5 Bytes  JMP 10003214
.text  C:\WINDOWS\system32\services.exe[760] ws2_32.dll!WSARecv                                                                      71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\WINDOWS\system32\services.exe[760] ws2_32.dll!recv                                                                         71AB676F 5 Bytes  JMP 10002778
.text  C:\WINDOWS\system32\services.exe[760] ws2_32.dll!WSASend                                                                      71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\WINDOWS\system32\lsass.exe[772] ntdll.dll!NtOpenKey                                                                        7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!CreateProcessW                                                                7C802336 5 Bytes  JMP 10003BEC
.text  C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!ExitProcess                                                                   7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\WINDOWS\system32\lsass.exe[772] WS2_32.dll!connect                                                                         71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\WINDOWS\system32\lsass.exe[772] WS2_32.dll!send                                                                            71AB4C27 5 Bytes  JMP 10003214
.text  C:\WINDOWS\system32\lsass.exe[772] WS2_32.dll!WSARecv                                                                         71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\WINDOWS\system32\lsass.exe[772] WS2_32.dll!recv                                                                            71AB676F 5 Bytes  JMP 10002778
.text  C:\WINDOWS\system32\lsass.exe[772] WS2_32.dll!WSASend                                                                         71AB68FA 5 Bytes  JMP 10003A4C
.text  c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[852] ntdll.dll!NtOpenKey                                       7C90D5CE 5 Bytes  JMP 10003D7C
.text  c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[852] kernel32.dll!CreateProcessW                               7C802336 5 Bytes  JMP 10003BEC
.text  c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[852] kernel32.dll!ExitProcess                                  7C81CB12 5 Bytes  JMP 10003DEC
.text  c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[852] WS2_32.dll!connect                                        71AB4A07 5 Bytes  JMP 10003AA0
.text  c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[852] WS2_32.dll!send                                           71AB4C27 5 Bytes  JMP 10003214
.text  c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[852] WS2_32.dll!WSARecv                                        71AB4CB5 5 Bytes  JMP 100027E4
.text  c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[852] WS2_32.dll!recv                                           71AB676F 5 Bytes  JMP 10002778
.text  c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[852] WS2_32.dll!WSASend                                        71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\WINDOWS\system32\Ati2evxx.exe[964] ntdll.dll!NtOpenKey                                                                     7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\WINDOWS\system32\Ati2evxx.exe[964] kernel32.dll!CreateProcessW                                                             7C802336 5 Bytes  JMP 10003BEC
.text  C:\WINDOWS\system32\Ati2evxx.exe[964] kernel32.dll!ExitProcess                                                                7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\WINDOWS\system32\Ati2evxx.exe[964] ws2_32.dll!connect                                                                      71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\WINDOWS\system32\Ati2evxx.exe[964] ws2_32.dll!send                                                                         71AB4C27 5 Bytes  JMP 10003214
.text  C:\WINDOWS\system32\Ati2evxx.exe[964] ws2_32.dll!WSARecv                                                                      71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\WINDOWS\system32\Ati2evxx.exe[964] ws2_32.dll!recv                                                                         71AB676F 5 Bytes  JMP 10002778
.text  C:\WINDOWS\system32\Ati2evxx.exe[964] ws2_32.dll!WSASend                                                                      71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!NtOpenKey                                                                      7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateProcessW                                                              7C802336 5 Bytes  JMP 10003BEC
.text  C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!ExitProcess                                                                 7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\WINDOWS\system32\svchost.exe[984] ws2_32.dll!connect                                                                       71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\WINDOWS\system32\svchost.exe[984] ws2_32.dll!send                                                                          71AB4C27 5 Bytes  JMP 10003214
.text  C:\WINDOWS\system32\svchost.exe[984] ws2_32.dll!WSARecv                                                                       71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\WINDOWS\system32\svchost.exe[984] ws2_32.dll!recv                                                                          71AB676F 5 Bytes  JMP 10002778
.text  C:\WINDOWS\system32\svchost.exe[984] ws2_32.dll!WSASend                                                                       71AB68FA 5 Bytes  JMP 10003A4C
.text  c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1024] ntdll.dll!NtOpenKey                                       7C90D5CE 5 Bytes  JMP 10003D7C
.text  c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1024] kernel32.dll!CreateProcessW                               7C802336 5 Bytes  JMP 10003BEC
.text  c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1024] kernel32.dll!ExitProcess                                  7C81CB12 5 Bytes  JMP 10003DEC
.text  c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1024] ws2_32.dll!connect                                        71AB4A07 5 Bytes  JMP 10003AA0
.text  c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1024] ws2_32.dll!send                                           71AB4C27 5 Bytes  JMP 10003214
.text  c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1024] ws2_32.dll!WSARecv                                        71AB4CB5 5 Bytes  JMP 100027E4
.text  c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1024] ws2_32.dll!recv                                           71AB676F 5 Bytes  JMP 10002778
.text  c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1024] ws2_32.dll!WSASend                                        71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!NtOpenKey                                                                     7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateProcessW                                                             7C802336 5 Bytes  JMP 10003BEC
.text  C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!ExitProcess                                                                7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\WINDOWS\system32\svchost.exe[1068] ws2_32.dll!connect                                                                      71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\WINDOWS\system32\svchost.exe[1068] ws2_32.dll!send                                                                         71AB4C27 5 Bytes  JMP 10003214
.text  C:\WINDOWS\system32\svchost.exe[1068] ws2_32.dll!WSARecv                                                                      71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\WINDOWS\system32\svchost.exe[1068] ws2_32.dll!recv                                                                         71AB676F 5 Bytes  JMP 10002778
.text  C:\WINDOWS\system32\svchost.exe[1068] ws2_32.dll!WSASend                                                                      71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!NtOpenKey                                                                     7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateProcessW                                                             7C802336 5 Bytes  JMP 10003BEC
.text  C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!ExitProcess                                                                7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\WINDOWS\System32\svchost.exe[1168] ws2_32.dll!connect                                                                      71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\WINDOWS\System32\svchost.exe[1168] ws2_32.dll!send                                                                         71AB4C27 5 Bytes  JMP 10003214
.text  C:\WINDOWS\System32\svchost.exe[1168] ws2_32.dll!WSARecv                                                                      71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\WINDOWS\System32\svchost.exe[1168] ws2_32.dll!recv                                                                         71AB676F 5 Bytes  JMP 10002778
.text  C:\WINDOWS\System32\svchost.exe[1168] ws2_32.dll!WSASend                                                                      71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\WINDOWS\system32\svchost.exe[1268] ntdll.dll!NtOpenKey                                                                     7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateProcessW                                                             7C802336 5 Bytes  JMP 10003BEC
.text  C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!ExitProcess                                                                7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\WINDOWS\system32\svchost.exe[1268] ws2_32.dll!connect                                                                      71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\WINDOWS\system32\svchost.exe[1268] ws2_32.dll!send                                                                         71AB4C27 5 Bytes  JMP 10003214
.text  C:\WINDOWS\system32\svchost.exe[1268] ws2_32.dll!WSARecv                                                                      71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\WINDOWS\system32\svchost.exe[1268] ws2_32.dll!recv                                                                         71AB676F 5 Bytes  JMP 10002778
.text  C:\WINDOWS\system32\svchost.exe[1268] ws2_32.dll!WSASend                                                                      71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\WINDOWS\system32\SearchIndexer.exe[1360] kernel32.dll!WriteFile                                                            7C810E27 7 Bytes  JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text  C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtOpenKey                                                                     7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessW                                                             7C802336 5 Bytes  JMP 10003BEC
.text  C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!ExitProcess                                                                7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\WINDOWS\system32\svchost.exe[1376] ws2_32.dll!connect                                                                      71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\WINDOWS\system32\svchost.exe[1376] ws2_32.dll!send                                                                         71AB4C27 5 Bytes  JMP 10003214
.text  C:\WINDOWS\system32\svchost.exe[1376] ws2_32.dll!WSARecv                                                                      71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\WINDOWS\system32\svchost.exe[1376] ws2_32.dll!recv                                                                         71AB676F 5 Bytes  JMP 10002778
.text  C:\WINDOWS\system32\svchost.exe[1376] ws2_32.dll!WSASend                                                                      71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\WINDOWS\system32\spoolsv.exe[1580] ntdll.dll!NtOpenKey                                                                     7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!CreateProcessW                                                             7C802336 5 Bytes  JMP 10003BEC
.text  C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!ExitProcess                                                                7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\WINDOWS\system32\spoolsv.exe[1580] ws2_32.dll!connect                                                                      71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\WINDOWS\system32\spoolsv.exe[1580] ws2_32.dll!send                                                                         71AB4C27 5 Bytes  JMP 10003214
.text  C:\WINDOWS\system32\spoolsv.exe[1580] ws2_32.dll!WSARecv                                                                      71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\WINDOWS\system32\spoolsv.exe[1580] ws2_32.dll!recv                                                                         71AB676F 5 Bytes  JMP 10002778
.text  C:\WINDOWS\system32\spoolsv.exe[1580] ws2_32.dll!WSASend                                                                      71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\WINDOWS\System32\SCardSvr.exe[1644] ntdll.dll!NtOpenKey                                                                    7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\WINDOWS\System32\SCardSvr.exe[1644] kernel32.dll!CreateProcessW                                                            7C802336 5 Bytes  JMP 10003BEC
.text  C:\WINDOWS\System32\SCardSvr.exe[1644] kernel32.dll!ExitProcess                                                               7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\WINDOWS\System32\SCardSvr.exe[1644] ws2_32.dll!connect                                                                     71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\WINDOWS\System32\SCardSvr.exe[1644] ws2_32.dll!send                                                                        71AB4C27 5 Bytes  JMP 10003214
.text  C:\WINDOWS\System32\SCardSvr.exe[1644] ws2_32.dll!WSARecv                                                                     71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\WINDOWS\System32\SCardSvr.exe[1644] ws2_32.dll!recv                                                                        71AB676F 5 Bytes  JMP 10002778
.text  C:\WINDOWS\System32\SCardSvr.exe[1644] ws2_32.dll!WSASend                                                                     71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\WINDOWS\system32\svchost.exe[1716] ntdll.dll!NtOpenKey                                                                     7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateProcessW                                                             7C802336 5 Bytes  JMP 10003BEC
.text  C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!ExitProcess                                                                7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\WINDOWS\system32\svchost.exe[1716] ws2_32.dll!connect                                                                      71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\WINDOWS\system32\svchost.exe[1716] ws2_32.dll!send                                                                         71AB4C27 5 Bytes  JMP 10003214
.text  C:\WINDOWS\system32\svchost.exe[1716] ws2_32.dll!WSARecv                                                                      71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\WINDOWS\system32\svchost.exe[1716] ws2_32.dll!recv                                                                         71AB676F 5 Bytes  JMP 10002778
.text  C:\WINDOWS\system32\svchost.exe[1716] ws2_32.dll!WSASend                                                                      71AB68FA 5 Bytes  JMP 10003A4C
ChrisN
« Reply #36 on: November 24, 2009, 07:01:39 PM »

.text  C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1752] ntdll.dll!NtOpenKey          7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1752] kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003BEC
.text  C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1752] kernel32.dll!ExitProcess     7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1752] WS2_32.dll!connect           71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1752] WS2_32.dll!send              71AB4C27 5 Bytes  JMP 10003214
.text  C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1752] WS2_32.dll!WSARecv           71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1752] WS2_32.dll!recv              71AB676F 5 Bytes  JMP 10002778
.text  C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1752] WS2_32.dll!WSASend           71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe[1772] ntdll.dll!NtOpenKey             7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe[1772] kernel32.dll!CreateProcessW     7C802336 5 Bytes  JMP 10003BEC
.text  C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe[1772] kernel32.dll!ExitProcess        7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe[1772] ws2_32.dll!connect              71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe[1772] ws2_32.dll!send                 71AB4C27 5 Bytes  JMP 10003214
.text  C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe[1772] ws2_32.dll!WSARecv              71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe[1772] ws2_32.dll!recv                 71AB676F 5 Bytes  JMP 10002778
.text  C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe[1772] ws2_32.dll!WSASend              71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\Program Files\Bonjour\mDNSResponder.exe[1800] ntdll.dll!NtOpenKey                                                          7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\Program Files\Bonjour\mDNSResponder.exe[1800] kernel32.dll!CreateProcessW                                                  7C802336 5 Bytes  JMP 10003BEC
.text  C:\Program Files\Bonjour\mDNSResponder.exe[1800] kernel32.dll!ExitProcess                                                     7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\Program Files\Bonjour\mDNSResponder.exe[1800] WS2_32.dll!connect                                                           71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\Program Files\Bonjour\mDNSResponder.exe[1800] WS2_32.dll!send                                                              71AB4C27 5 Bytes  JMP 10003214
.text  C:\Program Files\Bonjour\mDNSResponder.exe[1800] WS2_32.dll!WSARecv                                                           71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\Program Files\Bonjour\mDNSResponder.exe[1800] WS2_32.dll!recv                                                              71AB676F 5 Bytes  JMP 10002778
.text  C:\Program Files\Bonjour\mDNSResponder.exe[1800] WS2_32.dll!WSASend                                                           71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[1884] ntdll.dll!NtOpenKey                                       7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[1884] kernel32.dll!CreateProcessW                               7C802336 5 Bytes  JMP 10003BEC
.text  C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[1884] kernel32.dll!ExitProcess                                  7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[1884] ws2_32.dll!connect                                        71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[1884] ws2_32.dll!send                                           71AB4C27 5 Bytes  JMP 10003214
.text  C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[1884] ws2_32.dll!WSARecv                                        71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[1884] ws2_32.dll!recv                                           71AB676F 5 Bytes  JMP 10002778
.text  C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe[1884] ws2_32.dll!WSASend                                        71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\Program Files\Java\jre6\bin\jqs.exe[1904] ntdll.dll!NtOpenKey                                                              7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\Program Files\Java\jre6\bin\jqs.exe[1904] kernel32.dll!CreateProcessW                                                      7C802336 5 Bytes  JMP 10003BEC
.text  C:\Program Files\Java\jre6\bin\jqs.exe[1904] kernel32.dll!ExitProcess                                                         7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\Program Files\Java\jre6\bin\jqs.exe[1904] WS2_32.dll!connect                                                               71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\Program Files\Java\jre6\bin\jqs.exe[1904] WS2_32.dll!send                                                                  71AB4C27 5 Bytes  JMP 10003214
.text  C:\Program Files\Java\jre6\bin\jqs.exe[1904] WS2_32.dll!WSARecv                                                               71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\Program Files\Java\jre6\bin\jqs.exe[1904] WS2_32.dll!recv                                                                  71AB676F 5 Bytes  JMP 10002778
.text  C:\Program Files\Java\jre6\bin\jqs.exe[1904] WS2_32.dll!WSASend                                                               71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\Program Files\internet explorer\iexplore.exe[1972] ntdll.dll!NtOpenKey                                                     7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\Program Files\internet explorer\iexplore.exe[1972] kernel32.dll!CreateProcessW                                             7C802336 5 Bytes  JMP 10003BEC
.text  C:\Program Files\internet explorer\iexplore.exe[1972] kernel32.dll!ExitProcess                                                7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\Program Files\internet explorer\iexplore.exe[1972] USER32.dll!DialogBoxParamW                                              7E4247AB 5 Bytes  JMP 01694315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\internet explorer\iexplore.exe[1972] USER32.dll!SetWindowsHookExW                                            7E42820F 5 Bytes  JMP 01761D31 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\internet explorer\iexplore.exe[1972] USER32.dll!CallNextHookEx                                               7E42B3C6 5 Bytes  JMP 0175D5B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\internet explorer\iexplore.exe[1972] USER32.dll!CreateWindowExW                                              7E42D0A3 5 Bytes  JMP 017667BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\internet explorer\iexplore.exe[1972] USER32.dll!UnhookWindowsHookEx                                          7E42D5F3 5 Bytes  JMP 016D70D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\internet explorer\iexplore.exe[1972] USER32.dll!DialogBoxIndirectParamW                                      7E432072 5 Bytes  JMP 0188637B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\internet explorer\iexplore.exe[1972] USER32.dll!MessageBoxIndirectA                                          7E43A082 5 Bytes  JMP 018862AD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\internet explorer\iexplore.exe[1972] USER32.dll!DialogBoxParamA                                              7E43B144 5 Bytes  JMP 01886318 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\internet explorer\iexplore.exe[1972] USER32.dll!MessageBoxExW                                                7E450838 5 Bytes  JMP 0188617E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\internet explorer\iexplore.exe[1972] USER32.dll!MessageBoxExA                                                7E45085C 5 Bytes  JMP 018861E0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\internet explorer\iexplore.exe[1972] USER32.dll!DialogBoxIndirectParamA                                      7E456D7D 5 Bytes  JMP 018863DE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\internet explorer\iexplore.exe[1972] USER32.dll!MessageBoxIndirectW                                          7E4664D5 5 Bytes  JMP 01886242 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\internet explorer\iexplore.exe[1972] ole32.dll!CoCreateInstance                                              7750057E 5 Bytes  JMP 017674D1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\internet explorer\iexplore.exe[1972] ws2_32.dll!connect                                                      71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\Program Files\internet explorer\iexplore.exe[1972] ws2_32.dll!send                                                         71AB4C27 5 Bytes  JMP 10003214
.text  C:\Program Files\internet explorer\iexplore.exe[1972] ws2_32.dll!WSARecv                                                      71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\Program Files\internet explorer\iexplore.exe[1972] ws2_32.dll!recv                                                         71AB676F 5 Bytes  JMP 10002778
.text  C:\Program Files\internet explorer\iexplore.exe[1972] ws2_32.dll!WSASend                                                      71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\WINDOWS\system32\LMabcoms.exe[2020] ntdll.dll!NtOpenKey                                                                    7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\WINDOWS\system32\LMabcoms.exe[2020] kernel32.dll!CreateProcessW                                                            7C802336 5 Bytes  JMP 10003BEC
.text  C:\WINDOWS\system32\LMabcoms.exe[2020] kernel32.dll!ExitProcess                                                               7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\WINDOWS\system32\LMabcoms.exe[2020] ws2_32.dll!connect                                                                     71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\WINDOWS\system32\LMabcoms.exe[2020] ws2_32.dll!send                                                                        71AB4C27 5 Bytes  JMP 10003214
.text  C:\WINDOWS\system32\LMabcoms.exe[2020] ws2_32.dll!WSARecv                                                                     71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\WINDOWS\system32\LMabcoms.exe[2020] ws2_32.dll!recv                                                                        71AB676F 5 Bytes  JMP 10002778
.text  C:\WINDOWS\system32\LMabcoms.exe[2020] ws2_32.dll!WSASend                                                                     71AB68FA 5 Bytes  JMP 10003A4C
.text  c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2108] ntdll.dll!NtOpenKey                               7C90D5CE 5 Bytes  JMP 10003D7C
.text  c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2108] kernel32.dll!CreateProcessW                       7C802336 5 Bytes  JMP 10003BEC
.text  c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2108] kernel32.dll!ExitProcess                          7C81CB12 5 Bytes  JMP 10003DEC
.text  c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2108] ws2_32.dll!connect                                71AB4A07 5 Bytes  JMP 10003AA0
.text  c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2108] ws2_32.dll!send                                   71AB4C27 5 Bytes  JMP 10003214
.text  c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2108] ws2_32.dll!WSARecv                                71AB4CB5 5 Bytes  JMP 100027E4
.text  c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2108] ws2_32.dll!recv                                   71AB676F 5 Bytes  JMP 10002778
.text  c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2108] ws2_32.dll!WSASend                                71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\Program Files\iTunes\iTunesHelper.exe[2144] ntdll.dll!NtOpenKey                                                            7C90D5CE 5 Bytes  JMP 10013D7C
.text  C:\Program Files\iTunes\iTunesHelper.exe[2144] kernel32.dll!CreateProcessW                                                    7C802336 5 Bytes  JMP 10013BEC
.text  C:\Program Files\iTunes\iTunesHelper.exe[2144] kernel32.dll!ExitProcess                                                       7C81CB12 5 Bytes  JMP 10013DEC
.text  C:\Program Files\iTunes\iTunesHelper.exe[2144] WS2_32.dll!connect                                                             71AB4A07 5 Bytes  JMP 10013AA0
.text  C:\Program Files\iTunes\iTunesHelper.exe[2144] WS2_32.dll!send                                                                71AB4C27 5 Bytes  JMP 10013214
.text  C:\Program Files\iTunes\iTunesHelper.exe[2144] WS2_32.dll!WSARecv                                                             71AB4CB5 5 Bytes  JMP 100127E4
.text  C:\Program Files\iTunes\iTunesHelper.exe[2144] WS2_32.dll!recv                                                                71AB676F 5 Bytes  JMP 10012778
.text  C:\Program Files\iTunes\iTunesHelper.exe[2144] WS2_32.dll!WSASend                                                             71AB68FA 5 Bytes  JMP 10013A4C
.text  C:\Program Files\iPod\bin\iPodService.exe[2184] ntdll.dll!NtOpenKey                                                           7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\Program Files\iPod\bin\iPodService.exe[2184] kernel32.dll!CreateProcessW                                                   7C802336 5 Bytes  JMP 10003BEC
.text  C:\Program Files\iPod\bin\iPodService.exe[2184] kernel32.dll!ExitProcess                                                      7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\Program Files\iPod\bin\iPodService.exe[2184] ws2_32.dll!connect                                                            71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\Program Files\iPod\bin\iPodService.exe[2184] ws2_32.dll!send                                                               71AB4C27 5 Bytes  JMP 10003214
.text  C:\Program Files\iPod\bin\iPodService.exe[2184] ws2_32.dll!WSARecv                                                            71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\Program Files\iPod\bin\iPodService.exe[2184] ws2_32.dll!recv                                                               71AB676F 5 Bytes  JMP 10002778
.text  C:\Program Files\iPod\bin\iPodService.exe[2184] ws2_32.dll!WSASend                                                            71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\WINDOWS\System32\alg.exe[2268] ntdll.dll!NtOpenKey                                                                         7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\WINDOWS\System32\alg.exe[2268] kernel32.dll!CreateProcessW                                                                 7C802336 5 Bytes  JMP 10003BEC
.text  C:\WINDOWS\System32\alg.exe[2268] kernel32.dll!ExitProcess                                                                    7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\WINDOWS\System32\alg.exe[2268] WS2_32.dll!connect                                                                          71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\WINDOWS\System32\alg.exe[2268] WS2_32.dll!send                                                                             71AB4C27 5 Bytes  JMP 10003214
.text  C:\WINDOWS\System32\alg.exe[2268] WS2_32.dll!WSARecv                                                                          71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\WINDOWS\System32\alg.exe[2268] WS2_32.dll!recv                                                                             71AB676F 5 Bytes  JMP 10002778
.text  C:\WINDOWS\System32\alg.exe[2268] WS2_32.dll!WSASend                                                                          71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2632] ntdll.dll!NtOpenKey          7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2632] kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 10003BEC
.text  C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2632] kernel32.dll!ExitProcess     7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2632] ws2_32.dll!connect           71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2632] ws2_32.dll!send              71AB4C27 5 Bytes  JMP 10003214
.text  C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2632] ws2_32.dll!WSARecv           71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2632] ws2_32.dll!recv              71AB676F 5 Bytes  JMP 10002778
.text  C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2632] ws2_32.dll!WSASend           71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\WINDOWS\System32\svchost.exe[2868] ntdll.dll!NtOpenKey                                                                     7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\WINDOWS\System32\svchost.exe[2868] kernel32.dll!CreateProcessW                                                             7C802336 5 Bytes  JMP 10003BEC
.text  C:\WINDOWS\System32\svchost.exe[2868] kernel32.dll!ExitProcess                                                                7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\WINDOWS\System32\svchost.exe[2868] ws2_32.dll!connect                                                                      71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\WINDOWS\System32\svchost.exe[2868] ws2_32.dll!send                                                                         71AB4C27 5 Bytes  JMP 10003214
.text  C:\WINDOWS\System32\svchost.exe[2868] ws2_32.dll!WSARecv                                                                      71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\WINDOWS\System32\svchost.exe[2868] ws2_32.dll!recv                                                                         71AB676F 5 Bytes  JMP 10002778
.text  C:\WINDOWS\System32\svchost.exe[2868] ws2_32.dll!WSASend                                                                      71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2884] ntdll.dll!NtOpenKey                                           7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2884] kernel32.dll!CreateProcessW                                   7C802336 5 Bytes  JMP 10003BEC
.text  C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2884] kernel32.dll!ExitProcess                                      7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2884] ws2_32.dll!connect                                            71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2884] ws2_32.dll!send                                               71AB4C27 5 Bytes  JMP 10003214
.text  C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2884] ws2_32.dll!WSARecv                                            71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2884] ws2_32.dll!recv                                               71AB676F 5 Bytes  JMP 10002778
.text  C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2884] ws2_32.dll!WSASend                                            71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\WINDOWS\system32\ctfmon.exe[3708] ntdll.dll!NtOpenKey                                                                      7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\WINDOWS\system32\ctfmon.exe[3708] kernel32.dll!CreateProcessW                                                              7C802336 5 Bytes  JMP 10003BEC
.text  C:\WINDOWS\system32\ctfmon.exe[3708] kernel32.dll!ExitProcess                                                                 7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\WINDOWS\system32\ctfmon.exe[3708] ws2_32.dll!connect                                                                       71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\WINDOWS\system32\ctfmon.exe[3708] ws2_32.dll!send                                                                          71AB4C27 5 Bytes  JMP 10003214
.text  C:\WINDOWS\system32\ctfmon.exe[3708] ws2_32.dll!WSARecv                                                                       71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\WINDOWS\system32\ctfmon.exe[3708] ws2_32.dll!recv                                                                          71AB676F 5 Bytes  JMP 10002778
.text  C:\WINDOWS\system32\ctfmon.exe[3708] ws2_32.dll!WSASend                                                                       71AB68FA 5 Bytes  JMP 10003A4C
.text  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[4072] ntdll.dll!NtOpenKey                                    7C90D5CE 5 Bytes  JMP 10003D7C
.text  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[4072] kernel32.dll!CreateProcessW                            7C802336 5 Bytes  JMP 10003BEC
.text  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[4072] kernel32.dll!ExitProcess                               7C81CB12 5 Bytes  JMP 10003DEC
.text  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[4072] ws2_32.dll!connect                                     71AB4A07 5 Bytes  JMP 10003AA0
.text  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[4072] ws2_32.dll!send                                        71AB4C27 5 Bytes  JMP 10003214
.text  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[4072] ws2_32.dll!WSARecv                                     71AB4CB5 5 Bytes  JMP 100027E4
.text  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[4072] ws2_32.dll!recv                                        71AB676F 5 Bytes  JMP 10002778
.text  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[4072] ws2_32.dll!WSASend                                     71AB68FA 5 Bytes  JMP 10003A4C

---- EOF - GMER 1.0.15 ----
Jintan
« Reply #37 on: November 24, 2009, 07:37:02 PM »

Well, shoot. All the same hooks showing loading in running processes, but no identification of a source. We can try a scan, if it will cooperate there.


Disable your antivirus program and go here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan, or download the installer to run it in a different browser). If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple minutes for the scanner to get ready.  Next, check the following boxes:

Remove found threats
Scan unwanted applications


Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).

Click Start.  This scan may take a while, so please be patient.  A log may open when the scan is complete (if not, go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt). Click Edit - Select All then copy/paste that log back here please.


If you have any problems getting Eset started, one work-around is to have an open Internet connection, and then click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file, and follow the same previous steps to run the scan.
ChrisN
« Reply #38 on: November 24, 2009, 08:31:53 PM »

When I try the online scan there's no button to click to start it in IE & I don't see it in FF either.

When I try the download I get

HTTP 501 Not Implemented/HTTP 505 Version not supported

Is the esetsmartinstaller_enu.exe anywhere else I can pull it?

Please update your doc for others in the future
ChrisN
« Reply #39 on: November 24, 2009, 08:50:06 PM »

Argh, sorry, IE doesn't show any pics. I was able to download the program & transfer it via TeamViewer.

Running it, it says it cannot get an update & asks if a proxy is set; there is none here to set up. Like Malwarebytes it also won't update.

I'm trying to get the online one to start but there are no buttons & moving the cursor, it doesn't change for me to click anything.
Jintan
« Reply #40 on: November 24, 2009, 09:13:25 PM »

More blocks related to security scans.

Open HijackThis and click Config - Misc Tools - Open hosts file manager, and click "Open in Notepad". Are any security software site names showing in that?

Go to Start - Network Connections (or the same in Control Panel). Right click the connection currently in use (often Local Area Connection), click Properties, then under the Networking tab click to highlight Internet Protocol (TCP/IP). Then click the Properties button. Is it set there to obtain IP and DNS server addresses automatically?
ChrisN
« Reply #41 on: November 24, 2009, 09:17:11 PM »

I used

housecall.trendmicro.com

It revealed

file iiool.dat
Threat TSPY_KATES.SMB (trojan)

which I had it fix. I won't be able to reboot & get access again till AM, so I'll stay on it remotely in case you have anything else for me to try till then.
Jintan
« Reply #42 on: November 24, 2009, 09:17:18 PM »

Those need checking, but this many Winsock hooks suggest something also has the ability to monitor, and interfere with, net traffic there. And something that is staying under our scanning radar.


If you have, or can borrow an XP CD, do the following as well please. Let's see if there is a malware driver that is "decloaked" before Windows loads there.


Code:
listsvc
dir c:\windows\system32\drivers

Open Notepad (Start - Run, type notepad and press Enter).

Copy/paste the above text (inside the Code box) into the open text box, then save this to your C:\Windows folder as "servcheck.bat"

It should then be C:\Windows\servcheck.bat (important)


Then start the problem computer, and load the XP CD into the CD-ROM drive and restart the system. On reboot watch for and agree to any prompts to boot from the CD. If the system only reboots to Windows stop and post back here and we will discuss steps to make changes in the BIOS.

After the installation software inspects the system and loads all necessary device drivers you will see the "Welcome To Setup" screen, with the following menu:

Quote
This portion of the Setup program prepares Microsoft Windows XP to run on your computer:

   To setup Windows XP now, press ENTER.

   To repair a Windows XP installation using Recovery Console, press R.

   To quit Setup without installing Windows XP, press F3.

Press "R" to start the Recovery Console setup. After you start the Windows Recovery Console, you receive the following message:

Quote
Microsoft Windows(R) Recovery Console

The Recovery Console provides system repair and recovery functionality.
Type EXIT to quit the Recovery Console and restart the computer.

1: C:\WINDOWS

Which Windows Installation would you like to log on to
(To cancel, press ENTER)?

After you enter the number for the appropriate Windows installation (usually #1), Windows will then prompt you to enter the Administrator account password if one was created (if one was not created then just press Enter).

At the prompt type the following, pressing Enter after each:

batch servcheck.bat c:\windows\servicelook.txt

exit


When you hit Enter after typing exit your computer will reboot. Do not press any key until the system has completely rebooted, then after the reboot be sure to remove your XP CD from the CD-ROM drive.

Then locate and post back here the contents of c:\windows\servicelook.txt please.
Logged
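As an added example to go with the procedure above (not part of Jintan's post, and not output of any tool it mentions): the point of the Recovery Console listing is that a rootkit cannot hide a driver from a directory listing taken before Windows boots, so comparing that offline listing against one taken from the running system turns up candidates. The script below does that comparison. It assumes the offline side is a dated `dir` listing like the one `servcheck.bat` writes to servicelook.txt (file name as the last token on each dated line) and the live side is a bare `dir /a /b` listing; the directory listing text and the driver name `xyzdrv.sys` are constructed for the example.

```python
"""Compare an offline (Recovery Console) driver listing with one from the
running system; a file visible only offline is a candidate hidden driver.

Added example, not from the original thread. The listing format below is an
assumption about 'dir' output and the sample text is constructed.
"""
import re
from typing import Dict, Set

# A listing line that starts with a date, e.g. "04/14/08  05:00a ... name" (assumed format).
_DATED_LINE = re.compile(r"^\s*\d{1,2}/\d{1,2}/\d{2,4}\s")


def parse_dir_listing(text: str) -> Set[str]:
    """Return lower-cased names from a dated 'dir' listing.

    The name is taken as the last whitespace-separated token, so a name that
    contains spaces would be truncated (driver names normally have none).
    Header and summary lines carry no leading date and are skipped, as are
    the '.' and '..' entries. NTFS names are case-insensitive, hence lower().
    """
    names = set()
    for line in text.splitlines():
        if not _DATED_LINE.match(line):
            continue
        name = line.split()[-1].lower()
        if name in (".", ".."):
            continue
        names.add(name)
    return names


def parse_bare_listing(text: str) -> Set[str]:
    """Return lower-cased names from a 'dir /a /b' listing: one bare name per line."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def compare_listings(offline: Set[str], online: Set[str]) -> Dict[str, Set[str]]:
    """Split the two name sets into what only the offline or only the online side saw."""
    return {
        # Seen from the CD but not from the booted OS: something may be hiding it.
        "offline_only": offline - online,
        # Appeared after the offline snapshot (or listing noise); worth a look but not hidden.
        "online_only": online - offline,
    }


# Constructed offline listing in the assumed Recovery Console 'dir' shape.
OFFLINE_SAMPLE = """\
 The volume in drive C has no label.
 Directory of c:\\windows\\system32\\drivers

04/14/08  05:00a  d--------            0  .
04/14/08  05:00a  d--------            0  ..
04/14/08  05:00a  -a-------        96512  atapi.sys
04/14/08  05:00a  -a-------       361600  tcpip.sys
11/20/09  10:12p  -a-hs----        40960  xyzdrv.sys
               5 File(s)        499072 bytes
"""

# Constructed live-system listing ('dir /a /b'); xyzdrv.sys is absent here.
ONLINE_SAMPLE = """\
atapi.sys
tcpip.sys
"""


def find_hidden_drivers(offline_text: str, online_text: str) -> Dict[str, Set[str]]:
    """Convenience wrapper: parse both listings and compare them."""
    return compare_listings(parse_dir_listing(offline_text), parse_bare_listing(online_text))


if __name__ == "__main__":
    result = find_hidden_drivers(OFFLINE_SAMPLE, ONLINE_SAMPLE)
    for name in sorted(result["offline_only"]):
        print("visible offline only (possible hidden driver):", name)
    for name in sorted(result["online_only"]):
        print("visible online only:", name)
```

Take the live-side listing with `dir /a /b c:\windows\system32\drivers` rather than plain `dir /b`: without `/a`, files carrying the hidden or system attribute are left out of the listing and every one of them would show up as a false "offline only" hit.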
ChrisN
Jr. Member
**
Posts: 85


« Reply #43 on: November 24, 2009, 09:35:17 PM »

I got this in an email but don't see it in the forum. Did you delete it and not tell me?

It's good to know; should I do it?

"More blocks related to security scans.

Open HijackThis and click Config - Misc Tools - Open hosts file manager, and click "Open in Notepad". Are any security software site names showing in that?

Go to Start - Network Connections (or the same in Control Panel). Right click the connection currently in use (often Local Area Connection), click Properties, then under the Networking tab click to hilight Internet Protocol (TCP/IP). Then click the Properties button. Is it set there to obtain IP and DNS server addresses automatically?"

FYI, there's no "Config - Misc Tools"; there's an "Open the Misc Tools section" (update notes).

For the hosts file manager I got:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

Yes, it's set to obtain IP and DNS server addresses automatically.
Logged
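The hosts file check quoted above ("Are any security software site names showing in that?") can be automated. The script below is an added example, not part of the thread or of HijackThis: it parses a Windows hosts file, ignores the stock `localhost` entries, and reports any name that is sinkholed to a loopback or unspecified address (blocked) or pointed at some other address (redirected), with special attention to names matching a watchlist of security-vendor keywords. The keyword list is an illustrative assumption to extend for the products in use, and both sample hosts texts are constructed (203.0.113.10 is a documentation address, not a real redirect target).

```python
"""Audit a Windows hosts file for entries that block or redirect security
vendor sites.

Added example, not from the original thread. The keyword watchlist is an
illustrative assumption; the sample hosts texts are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Illustrative watchlist (assumption): substrings of security-vendor host names.
SECURITY_SITE_KEYWORDS = ("superantispyware", "trendmicro", "hijackthis", "windowsupdate")

# The only entries a stock Windows hosts file carries.
EXPECTED_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per name, with comments and blanks removed."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing and full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # an address with no names: nothing to map
        ip, hosts = parts[0], parts[1:]
        for host in hosts:
            pairs.append((ip, host.lower()))
    return pairs


def _is_sinkhole(ip: str) -> bool:
    """Loopback or unspecified targets make the name unreachable rather than redirecting it."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text: str, keywords=SECURITY_SITE_KEYWORDS) -> List[Dict[str, str]]:
    """Return one finding per non-stock entry, classified by what it does to the name."""
    findings = []
    for ip, host in parse_hosts(text):
        if (ip, host) in EXPECTED_ENTRIES:
            continue
        if any(k in host for k in keywords):
            reason = ("security site blocked (sinkholed)" if _is_sinkhole(ip)
                      else "security site redirected")
        else:
            reason = "entry not in a stock hosts file"
        findings.append({"ip": ip, "host": host, "reason": reason})
    return findings


# Constructed: the stock file, as posted in the thread.
CLEAN_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
"""

# Constructed: what a tampered file might look like.
HIJACKED_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       www.superantispyware.com      # sinkholed: resolves to the machine itself
203.0.113.10    www.trendmicro.com            # redirected to an attacker-chosen address (constructed)
0.0.0.0         download.windowsupdate.example
"""


if __name__ == "__main__":
    for finding in audit_hosts(HIJACKED_HOSTS):
        print(f"{finding['ip']:<16} {finding['host']:<36} {finding['reason']}")
```

On XP the file lives at C:\WINDOWS\system32\drivers\etc\hosts; feed its contents to `audit_hosts` and an empty result means only the stock `localhost` mapping is present. Since the system is set to obtain DNS automatically, a clean hosts file leaves the router's DNS settings as the next place a redirect could sit.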
ChrisN
Jr. Member
**
Posts: 85


« Reply #44 on: November 24, 2009, 09:40:09 PM »

I won't be able to try the CD stuff till the morning when someone's in the office, IF THEY have that CD (likely). I'll see if that Trend cleanup helped any first too.
Logged