Resolved HJT Threads: Resolved spyware and popup issues.
#1
Registered User
Join Date: Oct 2009
Posts: 2
OS: XP Sp3
msa.exe, a.exe, b.exe, c.exe
I was reading about another person who had this virus, and forhockey (I think that was it) was giving steps to follow on what he needs to diagnose.
For the last few days msa.exe has been taking up my processor, and every day or 2 I also get either a.exe, b.exe or c.exe. I know it's not a good thing to have processes running that you don't know what they are, so I close them whenever I see them. (I keep an eye on what is running any time I'm on my computer; I hate random things running.) After reading the other person's problems, I have some of the symptoms but not all of them. I can run my AV but it results in nothing. I'm using Avira Personal. I did download and run the scans forhockey (sorry if I'm spelling it wrong) had told the other guy to get and post, but he never did, so I'm going to post mine in hopes he can just continue.

Sysprotlog.txt
SysProt AntiRootkit v1.0.1.0 by swatkat
******************************************************************************************
******************************************************************************************
No Hidden Processes found
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: spjp.sys Service Name: --- Module Base: F7690000 Module End: F7791000 Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\ahwv344u.SYS Service Name: --- Module Base: F70C5000 Module End: F70FD000 Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys Service Name: --- Module Base: EDF64000 Module End: EDF7C000 Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS Service Name: --- Module Base: F7CFA000 Module End: F7CFC000 Hidden: Yes
Module Name: \??\C:\DOCUME~1\Michael\LOCALS~1\Temp\kgpiqpoc.sys Service Name: kgpiqpoc Module Base: ECE7A000 Module End: ECE90000 Hidden: Yes
******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwCreateKey Address: F7ECBBAE Driver Base: 0 Driver End: 0 Driver Name: _unknown_
Function Name: ZwCreateThread Address: F7ECBBA4 Driver Base: 0 Driver End: 0 Driver Name: _unknown_
Function Name: ZwDeleteKey Address: F7ECBBB3 Driver Base: 0 Driver End: 0 Driver Name: _unknown_
Function Name: ZwDeleteValueKey Address: F7ECBBBD Driver Base: 0 Driver End: 0 Driver Name: _unknown_
Function Name: ZwEnumerateKey Address: F76AFCA4 Driver Base: F7690000 Driver End: F7791000 Driver Name: spjp.sys
Function Name: ZwEnumerateValueKey Address: F76B0032 Driver Base: F7690000 Driver End: F7791000 Driver Name: spjp.sys
Function Name: ZwLoadKey Address: F7ECBBC2 Driver Base: 0 Driver End: 0 Driver Name: _unknown_
Function Name: ZwOpenKey Address: F76910C0 Driver Base: F7690000 Driver End: F7791000 Driver Name: spjp.sys
Function Name: ZwOpenProcess Address: F7ECBB90 Driver Base: 0 Driver End: 0 Driver Name: _unknown_
Function Name: ZwOpenThread Address: F7ECBB95 Driver Base: 0 Driver End: 0 Driver Name: _unknown_
Function Name: ZwQueryKey Address: F76B010A Driver Base: F7690000 Driver End: F7791000 Driver Name: spjp.sys
Function Name: ZwQueryValueKey Address: F76AFF8A Driver Base: F7690000 Driver End: F7791000 Driver Name: spjp.sys
Function Name: ZwReplaceKey Address: F7ECBBCC Driver Base: 0 Driver End: 0 Driver Name: _unknown_
Function Name: ZwRestoreKey Address: F7ECBBC7 Driver Base: 0 Driver End: 0 Driver Name: _unknown_
Function Name: ZwSetValueKey Address: F7ECBBB8 Driver Base: 0 Driver End: 0 Driver Name: _unknown_
Function Name: ZwTerminateProcess Address: F7ECBB9F Driver Base: 0 Driver End: 0 Driver Name: _unknown_
******************************************************************************************
******************************************************************************************
No Kernel Hooks found
******************************************************************************************
******************************************************************************************
IRP Hooks:
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_CREATE Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_CLOSE Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_READ Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_WRITE Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_QUERY_INFORMATION Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_SET_INFORMATION Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_QUERY_EA Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_SET_EA Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_FLUSH_BUFFERS Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_DIRECTORY_CONTROL Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_DEVICE_CONTROL Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_SHUTDOWN Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_LOCK_CONTROL Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_CLEANUP Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_CREATE_MAILSLOT Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_QUERY_SECURITY Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_SET_SECURITY Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_POWER Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_SYSTEM_CONTROL Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_DEVICE_CHANGE Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_QUERY_QUOTA Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_SET_QUOTA Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: C:\windows\system32\DRIVERS\USBSTOR.SYS Hooked IRP: IRP_MJ_CREATE Jump To: 85B961F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\USBSTOR.SYS Hooked IRP: IRP_MJ_CLOSE Jump To: 85B961F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\USBSTOR.SYS Hooked IRP: IRP_MJ_READ Jump To: 85B961F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\USBSTOR.SYS Hooked IRP: IRP_MJ_WRITE Jump To: 85B961F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\USBSTOR.SYS Hooked IRP: IRP_MJ_DEVICE_CONTROL Jump To: 85B961F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\USBSTOR.SYS Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL Jump To: 85B961F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\USBSTOR.SYS Hooked IRP: IRP_MJ_POWER Jump To: 85B961F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\USBSTOR.SYS Hooked IRP: IRP_MJ_SYSTEM_CONTROL Jump To: 85B961F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\usbuhci.sys Hooked IRP: IRP_MJ_CREATE Jump To: 861461F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\usbuhci.sys Hooked IRP: IRP_MJ_CLOSE Jump To: 861461F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\usbuhci.sys Hooked IRP: IRP_MJ_DEVICE_CONTROL Jump To: 861461F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\usbuhci.sys Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL Jump To: 861461F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\usbuhci.sys Hooked IRP: IRP_MJ_POWER Jump To: 861461F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\usbuhci.sys Hooked IRP: IRP_MJ_SYSTEM_CONTROL Jump To: 861461F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\drivers\ftdisk.sys Hooked IRP: IRP_MJ_CREATE Jump To: 8636D1F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\drivers\ftdisk.sys Hooked IRP: IRP_MJ_READ Jump To: 8636D1F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\drivers\ftdisk.sys Hooked IRP: IRP_MJ_WRITE Jump To: 8636D1F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\drivers\ftdisk.sys Hooked IRP: IRP_MJ_FLUSH_BUFFERS Jump To: 8636D1F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\drivers\ftdisk.sys Hooked IRP: IRP_MJ_DEVICE_CONTROL Jump To: 8636D1F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\drivers\ftdisk.sys Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL Jump To: 8636D1F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\drivers\ftdisk.sys Hooked IRP: IRP_MJ_SHUTDOWN Jump To: 8636D1F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\drivers\ftdisk.sys Hooked IRP: IRP_MJ_CLEANUP Jump To: 8636D1F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\drivers\ftdisk.sys Hooked IRP: IRP_MJ_POWER Jump To: 8636D1F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\drivers\ftdisk.sys Hooked IRP: IRP_MJ_SYSTEM_CONTROL Jump To: 8636D1F8 Hooking Module: _unknown_
Hooked Module: \SystemRoot\System32\Drivers\ahwv344u.SYS Hooked IRP: IRP_MJ_CREATE Jump To: 860EC1F8 Hooking Module: _unknown_
Hooked Module: \SystemRoot\System32\Drivers\ahwv344u.SYS Hooked IRP: IRP_MJ_CLOSE Jump To: 860EC1F8 Hooking Module: _unknown_
Hooked Module: \SystemRoot\System32\Drivers\ahwv344u.SYS Hooked IRP: IRP_MJ_DEVICE_CONTROL Jump To: 860EC1F8 Hooking Module: _unknown_
Hooked Module: \SystemRoot\System32\Drivers\ahwv344u.SYS Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL Jump To: 860EC1F8 Hooking Module: _unknown_
Hooked Module: \SystemRoot\System32\Drivers\ahwv344u.SYS Hooked IRP: IRP_MJ_POWER Jump To: 860EC1F8 Hooking Module: _unknown_
Hooked Module: \SystemRoot\System32\Drivers\ahwv344u.SYS Hooked IRP: IRP_MJ_SYSTEM_CONTROL Jump To: 860EC1F8 Hooking Module: _unknown_
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_CREATE Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_CLOSE Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_READ Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_WRITE Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_QUERY_INFORMATION Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_SET_INFORMATION Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_QUERY_EA Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_SET_EA Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_FLUSH_BUFFERS Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_DIRECTORY_CONTROL Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_DEVICE_CONTROL Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_SHUTDOWN Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_LOCK_CONTROL Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_CLEANUP Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_CREATE_MAILSLOT Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_QUERY_SECURITY Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_SET_SECURITY Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_POWER Jump To: F7698E30 Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_SYSTEM_CONTROL Jump To: F76AD514 Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_DEVICE_CHANGE Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_QUERY_QUOTA Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_SET_QUOTA Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: C:\windows\system32\DRIVERS\netbt.sys Hooked IRP: IRP_MJ_CREATE Jump To: 85C981F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\netbt.sys Hooked IRP: IRP_MJ_CLOSE Jump To: 85C981F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\netbt.sys Hooked IRP: IRP_MJ_DEVICE_CONTROL Jump To: 85C981F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\netbt.sys Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL Jump To: 85C981F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\netbt.sys Hooked IRP: IRP_MJ_CLEANUP Jump To: 85C981F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\cdrom.sys Hooked IRP: IRP_MJ_CREATE Jump To: 861171F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\cdrom.sys Hooked IRP: IRP_MJ_CLOSE Jump To: 861171F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\cdrom.sys Hooked IRP: IRP_MJ_READ Jump To: 861171F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\cdrom.sys Hooked IRP: IRP_MJ_WRITE Jump To: 861171F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\cdrom.sys Hooked IRP: IRP_MJ_FLUSH_BUFFERS Jump To: 861171F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\cdrom.sys Hooked IRP: IRP_MJ_DEVICE_CONTROL Jump To: 861171F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\cdrom.sys Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL Jump To: 861171F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\cdrom.sys Hooked IRP: IRP_MJ_SHUTDOWN Jump To: 861171F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\cdrom.sys Hooked IRP: IRP_MJ_POWER Jump To: 861171F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\cdrom.sys Hooked IRP: IRP_MJ_SYSTEM_CONTROL Jump To: 861171F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\usbehci.sys Hooked IRP: IRP_MJ_CREATE Jump To: 8612F500 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\usbehci.sys Hooked IRP: IRP_MJ_CLOSE Jump To: 8612F500 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\usbehci.sys Hooked IRP: IRP_MJ_DEVICE_CONTROL Jump To: 8612F500 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\usbehci.sys Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL Jump To: 8612F500 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\usbehci.sys Hooked IRP: IRP_MJ_POWER Jump To: 8612F500 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\usbehci.sys Hooked IRP: IRP_MJ_SYSTEM_CONTROL Jump To: 8612F500 Hooking Module: _unknown_
******************************************************************************************
******************************************************************************************
Ports:
Local Address: MICHAEL-44380AF.HOME:3601 Remote Address: GW-IN-F138.GOOGLE.COM:HTTP Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: MICHAEL-44380AF.HOME:3564 Remote Address: GW-IN-F138.GOOGLE.COM:HTTP Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: MICHAEL-44380AF.HOME:3561 Remote Address: GW-IN-F138.GOOGLE.COM:HTTP Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: MICHAEL-44380AF.HOME:3560 Remote Address: AN-IN-F132.GOOGLE.COM:HTTP Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: MICHAEL-44380AF.HOME:3559 Remote Address: AN-IN-F132.GOOGLE.COM:HTTP Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: MICHAEL-44380AF.HOME:3558 Remote Address: AN-IN-F132.GOOGLE.COM:HTTP Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: MICHAEL-44380AF.HOME:3556 Remote Address: AN-IN-F101.GOOGLE.COM:HTTP Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: MICHAEL-44380AF.HOME:3553 Remote Address: AN-IN-F132.GOOGLE.COM:HTTP Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: MICHAEL-44380AF.HOME:3548 Remote Address: GW-IN-F156.GOOGLE.COM:HTTP Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: MICHAEL-44380AF.HOME:NETBIOS-SSN Remote Address: 0.0.0.0:0 Type: TCP Process: System State: LISTENING
Local Address: MICHAEL-44380AF:5152 Remote Address: LOCALHOST:3476 Type: TCP Process: C:\Program Files\Java\jre6\bin\jqs.exe State: CLOSE_WAIT
Local Address: MICHAEL-44380AF:5152 Remote Address: 0.0.0.0:0 Type: TCP Process: C:\Program Files\Java\jre6\bin\jqs.exe State: LISTENING
Local Address: MICHAEL-44380AF:3475 Remote Address: LOCALHOST:3474 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: MICHAEL-44380AF:3474 Remote Address: LOCALHOST:3475 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: MICHAEL-44380AF:3473 Remote Address: LOCALHOST:3472 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: MICHAEL-44380AF:3472 Remote Address: LOCALHOST:3473 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: MICHAEL-44380AF:1026 Remote Address: 0.0.0.0:0 Type: TCP Process: C:\WINDOWS\system32\alg.exe State: LISTENING
Local Address: MICHAEL-44380AF:MICROSOFT-DS Remote Address: 0.0.0.0:0 Type: TCP Process: System State: LISTENING
Local Address: MICHAEL-44380AF:EPMAP Remote Address: 0.0.0.0:0 Type: TCP Process: C:\WINDOWS\system32\svchost.exe State: LISTENING
Local Address: MICHAEL-44380AF.HOME:1900 Remote Address: NA Type: UDP Process: C:\WINDOWS\system32\svchost.exe State: NA
Local Address: MICHAEL-44380AF.HOME:138 Remote Address: NA Type: UDP Process: System State: NA
Local Address: MICHAEL-44380AF.HOME:NETBIOS-NS Remote Address: NA Type: UDP Process: System State: NA
Local Address: MICHAEL-44380AF.HOME:123 Remote Address: NA Type: UDP Process: C:\WINDOWS\system32\svchost.exe State: NA
Local Address: MICHAEL-44380AF:4771 Remote Address: NA Type: UDP Process: C:\Program Files\Windows Media Player\wmplayer.exe State: NA
Local Address: MICHAEL-44380AF:1900 Remote Address: NA Type: UDP Process: C:\WINDOWS\system32\svchost.exe State: NA
Local Address: MICHAEL-44380AF:123 Remote Address: NA Type: UDP Process: C:\WINDOWS\system32\svchost.exe State: NA
Local Address: MICHAEL-44380AF:4500 Remote Address: NA Type: UDP Process: C:\WINDOWS\system32\lsass.exe State: NA
Local Address: MICHAEL-44380AF:500 Remote Address: NA Type: UDP Process: C:\WINDOWS\system32\lsass.exe State: NA
Local Address: MICHAEL-44380AF:MICROSOFT-DS Remote Address: NA Type: UDP Process: System State: NA
******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase Status: Access denied
Object: C:\System Volume Information\tracking.log Status: Access denied

Win32diag.txt
Running from: C:\Documents and Settings\Michael\My Documents\Downloads\Win32kDiag.exe
Log file at : C:\Documents and Settings\Michael\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\windows'...
Finished!
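A triage helper for SysProt output of the kind posted above, as an added example; it is not code from this thread, from SysProt or from the forum's helpers. It assumes only the field labels visible in the log ("Module Name:", "Function Name:", "Hooked Module:", "Local Address:" and so on). The sample input is constructed from a few records copied out of the log above and is deliberately left run together on one line, the way the forum flattened the original, so the same parser also handles the second log further down the thread.

```python
"""Triage helper for SysProt AntiRootkit text logs.

Added example; not code from the thread, from SysProt or from the forum's
helpers. It parses the "Kernel Modules", "SSDT", "IRP Hooks" and "Ports"
sections into records, even when the records have been run together on one
line, and applies a few defensive heuristics a helper would otherwise apply
by eye.
"""
import re
from collections import Counter

# Section markers as SysProt prints them. The "No ... found" lines are
# included so that they end the preceding section instead of leaking into
# its last record's value.
SECTION_MARKERS = ("No Hidden Processes found", "Kernel Modules:", "SSDT:",
                   "No Kernel Hooks found", "IRP Hooks:", "Ports:",
                   "Hidden files/folders:")
MODULE_KEYS = ("Module Name", "Service Name", "Module Base", "Module End", "Hidden")
SSDT_KEYS = ("Function Name", "Address", "Driver Base", "Driver End", "Driver Name")
IRP_KEYS = ("Hooked Module", "Hooked IRP", "Jump To", "Hooking Module")
PORT_KEYS = ("Local Address", "Remote Address", "Type", "Process", "State")

# A kernel driver loaded from a temp or per-user directory is the kind of
# record a helper reviews first.
TEMP_PATH = re.compile(r"\\(Temp|LOCALS~1|Local Settings)\\", re.IGNORECASE)

# Constructed sample: records copied from the log in the post above,
# deliberately left run together the way the forum flattened them.
SAMPLE_LOG = (
    "No Hidden Processes found ********** Kernel Modules: "
    "Module Name: spjp.sys Service Name: --- Module Base: F7690000 Module End: F7791000 Hidden: Yes "
    "Module Name: \\??\\C:\\DOCUME~1\\Michael\\LOCALS~1\\Temp\\kgpiqpoc.sys Service Name: kgpiqpoc "
    "Module Base: ECE7A000 Module End: ECE90000 Hidden: Yes ********** SSDT: "
    "Function Name: ZwCreateKey Address: F7ECBBAE Driver Base: 0 Driver End: 0 Driver Name: _unknown_ "
    "Function Name: ZwOpenKey Address: F76910C0 Driver Base: F7690000 Driver End: F7791000 Driver Name: spjp.sys "
    "********** No Kernel Hooks found ********** IRP Hooks: "
    "Hooked Module: \\Driver\\sptd Hooked IRP: IRP_MJ_CREATE Jump To: F7691000 Hooking Module: spjp.sys "
    "Hooked Module: C:\\windows\\system32\\DRIVERS\\netbt.sys Hooked IRP: IRP_MJ_CREATE Jump To: 85C981F8 "
    "Hooking Module: _unknown_ ********** Ports: "
    "Local Address: MICHAEL-44380AF:1026 Remote Address: 0.0.0.0:0 Type: TCP "
    "Process: C:\\WINDOWS\\system32\\alg.exe State: LISTENING "
    "Local Address: MICHAEL-44380AF.HOME:3601 Remote Address: GW-IN-F138.GOOGLE.COM:HTTP Type: TCP "
    "Process: C:\\Program Files\\Mozilla Firefox\\firefox.exe State: ESTABLISHED"
)


def split_sections(text):
    """Map each section name (colon stripped) to the raw text that follows it."""
    marker_re = re.compile("(" + "|".join(map(re.escape, SECTION_MARKERS)) + ")")
    parts = marker_re.split(text)          # ['prefix', marker, body, marker, body, ...]
    return {parts[i].rstrip(":"): parts[i + 1] for i in range(1, len(parts) - 1, 2)}


def parse_records(body, keys):
    """Split a section body into records; a new record starts at every keys[0]."""
    key_re = re.compile(r"\b(" + "|".join(map(re.escape, keys)) + r"):")
    parts = key_re.split(body)             # ['prefix', key, value, key, value, ...]
    records, current = [], None
    for i in range(1, len(parts) - 1, 2):
        key, value = parts[i], parts[i + 1].strip()
        if key == keys[0]:
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def attribute_address(addr, modules):
    """Name of the module whose [base, end) range contains addr, else None."""
    for m in modules:
        if int(m["Module Base"], 16) <= addr < int(m["Module End"], 16):
            return m["Module Name"]
    return None


def triage(log_text):
    """Parse a SysProt log and pull out the records worth a second look."""
    text = re.sub(r"\*{2,}", " ", log_text)      # drop the ***** separator rows
    sections = split_sections(text)
    modules = parse_records(sections.get("Kernel Modules", ""), MODULE_KEYS)
    ssdt = parse_records(sections.get("SSDT", ""), SSDT_KEYS)
    irp = parse_records(sections.get("IRP Hooks", ""), IRP_KEYS)
    ports = parse_records(sections.get("Ports", ""), PORT_KEYS)
    hidden = [m for m in modules if m.get("Hidden") == "Yes"]
    return {
        # Hidden driver loaded from a temp/per-user path: strongest single indicator.
        "temp_drivers": [m["Module Name"] for m in hidden if TEMP_PATH.search(m["Module Name"])],
        # Hidden and not registered as a service: needs review, not proof of anything.
        "hidden_unregistered": [m["Module Name"] for m in hidden if m.get("Service Name") == "---"],
        # SSDT entries SysProt left _unknown_ whose address lies in no listed module.
        "unattributed_ssdt": [e["Function Name"] for e in ssdt
                              if e.get("Driver Name") == "_unknown_"
                              and attribute_address(int(e["Address"], 16), modules) is None],
        # How many IRP dispatch entries each module owns; _unknown_ means unattributed.
        # A truncated last record (as in the second log) has no Hooking Module field.
        "irp_hooks_by_module": Counter(h.get("Hooking Module", "_missing_") for h in irp),
        # Listening sockets and the process SysProt attributes them to.
        "listening": [(p["Process"], p["Local Address"]) for p in ports if p.get("State") == "LISTENING"],
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Run against the sample, the only record that lands in temp_drivers is the Temp-directory driver, the _unknown_ SSDT entry stays unattributed because its address falls outside every listed module range, and the per-module IRP counts show at a glance which driver owns the bulk of the hooks. To use it on a real log, pass the file contents to triage() as one string; the parser does not care whether the records arrive one per line or flattened.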
#2
Registered User
Join Date: Oct 2009
Posts: 2
OS: XP Sp3
Re: msa.exe, a.exe, b.exe, c.exe
Sorry for the repost, but msa.exe just started running again, so I'm going to do another scan and post it before terminating msa.exe.
sysprotlog #2
SysProt AntiRootkit v1.0.1.0 by swatkat
******************************************************************************************
******************************************************************************************
No Hidden Processes found
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: spjp.sys Service Name: --- Module Base: F7690000 Module End: F7791000 Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\ahwv344u.SYS Service Name: --- Module Base: F70C5000 Module End: F70FD000 Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys Service Name: --- Module Base: EDF64000 Module End: EDF7C000 Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS Service Name: --- Module Base: F7CFA000 Module End: F7CFC000 Hidden: Yes
Module Name: \??\C:\DOCUME~1\Michael\LOCALS~1\Temp\kgpiqpoc.sys Service Name: kgpiqpoc Module Base: ECE7A000 Module End: ECE90000 Hidden: Yes
******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwCreateKey Address: F7ECBBAE Driver Base: 0 Driver End: 0 Driver Name: _unknown_
Function Name: ZwCreateThread Address: F7ECBBA4 Driver Base: 0 Driver End: 0 Driver Name: _unknown_
Function Name: ZwDeleteKey Address: F7ECBBB3 Driver Base: 0 Driver End: 0 Driver Name: _unknown_
Function Name: ZwDeleteValueKey Address: F7ECBBBD Driver Base: 0 Driver End: 0 Driver Name: _unknown_
Function Name: ZwEnumerateKey Address: F76AFCA4 Driver Base: F7690000 Driver End: F7791000 Driver Name: spjp.sys
Function Name: ZwEnumerateValueKey Address: F76B0032 Driver Base: F7690000 Driver End: F7791000 Driver Name: spjp.sys
Function Name: ZwLoadKey Address: F7ECBBC2 Driver Base: 0 Driver End: 0 Driver Name: _unknown_
Function Name: ZwOpenKey Address: F76910C0 Driver Base: F7690000 Driver End: F7791000 Driver Name: spjp.sys
Function Name: ZwOpenProcess Address: F7ECBB90 Driver Base: 0 Driver End: 0 Driver Name: _unknown_
Function Name: ZwOpenThread Address: F7ECBB95 Driver Base: 0 Driver End: 0 Driver Name: _unknown_
Function Name: ZwQueryKey Address: F76B010A Driver Base: F7690000 Driver End: F7791000 Driver Name: spjp.sys
Function Name: ZwQueryValueKey Address: F76AFF8A Driver Base: F7690000 Driver End: F7791000 Driver Name: spjp.sys
Function Name: ZwReplaceKey Address: F7ECBBCC Driver Base: 0 Driver End: 0 Driver Name: _unknown_
Function Name: ZwRestoreKey Address: F7ECBBC7 Driver Base: 0 Driver End: 0 Driver Name: _unknown_
Function Name: ZwSetValueKey Address: F7ECBBB8 Driver Base: 0 Driver End: 0 Driver Name: _unknown_
Function Name: ZwTerminateProcess Address: F7ECBB9F Driver Base: 0 Driver End: 0 Driver Name: _unknown_
******************************************************************************************
******************************************************************************************
No Kernel Hooks found
******************************************************************************************
******************************************************************************************
IRP Hooks:
Hooked Module: C:\windows\system32\DRIVERS\USBSTOR.SYS Hooked IRP: IRP_MJ_CREATE Jump To: 85B961F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\USBSTOR.SYS Hooked IRP: IRP_MJ_CLOSE Jump To: 85B961F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\USBSTOR.SYS Hooked IRP: IRP_MJ_READ Jump To: 85B961F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\USBSTOR.SYS Hooked IRP: IRP_MJ_WRITE Jump To: 85B961F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\USBSTOR.SYS Hooked IRP: IRP_MJ_DEVICE_CONTROL Jump To: 85B961F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\USBSTOR.SYS Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL Jump To: 85B961F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\USBSTOR.SYS Hooked IRP: IRP_MJ_POWER Jump To: 85B961F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\USBSTOR.SYS Hooked IRP: IRP_MJ_SYSTEM_CONTROL Jump To: 85B961F8 Hooking Module: _unknown_
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_CREATE Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_CLOSE Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_READ Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_WRITE Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_QUERY_INFORMATION Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_SET_INFORMATION Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_QUERY_EA Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_SET_EA Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_FLUSH_BUFFERS Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_DIRECTORY_CONTROL Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_DEVICE_CONTROL Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_SHUTDOWN Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_LOCK_CONTROL Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_CLEANUP Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_CREATE_MAILSLOT Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_QUERY_SECURITY Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_SET_SECURITY Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_POWER Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_SYSTEM_CONTROL Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_DEVICE_CHANGE Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_QUERY_QUOTA Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: \Driver\sptd Hooked IRP: IRP_MJ_SET_QUOTA Jump To: F7691000 Hooking Module: spjp.sys
Hooked Module: C:\windows\system32\DRIVERS\usbuhci.sys Hooked IRP: IRP_MJ_CREATE Jump To: 861461F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\usbuhci.sys Hooked IRP: IRP_MJ_CLOSE Jump To: 861461F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\usbuhci.sys Hooked IRP: IRP_MJ_DEVICE_CONTROL Jump To: 861461F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\usbuhci.sys Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL Jump To: 861461F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\usbuhci.sys Hooked IRP: IRP_MJ_POWER Jump To: 861461F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\usbuhci.sys Hooked IRP: IRP_MJ_SYSTEM_CONTROL Jump To: 861461F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\drivers\ftdisk.sys Hooked IRP: IRP_MJ_CREATE Jump To: 8636D1F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\drivers\ftdisk.sys Hooked IRP: IRP_MJ_READ Jump To: 8636D1F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\drivers\ftdisk.sys Hooked IRP: IRP_MJ_WRITE Jump To: 8636D1F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\drivers\ftdisk.sys Hooked IRP: IRP_MJ_FLUSH_BUFFERS Jump To: 8636D1F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\drivers\ftdisk.sys Hooked IRP: IRP_MJ_DEVICE_CONTROL Jump To: 8636D1F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\drivers\ftdisk.sys Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL Jump To: 8636D1F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\drivers\ftdisk.sys Hooked IRP: IRP_MJ_SHUTDOWN Jump To: 8636D1F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\drivers\ftdisk.sys Hooked IRP: IRP_MJ_CLEANUP Jump To: 8636D1F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\drivers\ftdisk.sys Hooked IRP: IRP_MJ_POWER Jump To: 8636D1F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\drivers\ftdisk.sys Hooked IRP: IRP_MJ_SYSTEM_CONTROL Jump To: 8636D1F8 Hooking Module: _unknown_
Hooked Module: \SystemRoot\System32\Drivers\ahwv344u.SYS Hooked IRP: IRP_MJ_CREATE Jump To: 860EC1F8 Hooking Module: _unknown_
Hooked Module: \SystemRoot\System32\Drivers\ahwv344u.SYS Hooked IRP: IRP_MJ_CLOSE Jump To: 860EC1F8 Hooking Module: _unknown_
Hooked Module: \SystemRoot\System32\Drivers\ahwv344u.SYS Hooked IRP: IRP_MJ_DEVICE_CONTROL Jump To: 860EC1F8 Hooking Module: _unknown_
Hooked Module: \SystemRoot\System32\Drivers\ahwv344u.SYS Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL Jump To: 860EC1F8 Hooking Module: _unknown_
Hooked Module: \SystemRoot\System32\Drivers\ahwv344u.SYS Hooked IRP: IRP_MJ_POWER Jump To: 860EC1F8 Hooking Module: _unknown_
Hooked Module: \SystemRoot\System32\Drivers\ahwv344u.SYS Hooked IRP: IRP_MJ_SYSTEM_CONTROL Jump To: 860EC1F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\netbt.sys Hooked IRP: IRP_MJ_CREATE Jump To: 85C981F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\netbt.sys Hooked IRP: IRP_MJ_CLOSE Jump To: 85C981F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\netbt.sys Hooked IRP: IRP_MJ_DEVICE_CONTROL Jump To: 85C981F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\netbt.sys Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL Jump To: 85C981F8 Hooking Module: _unknown_
Hooked Module: C:\windows\system32\DRIVERS\netbt.sys Hooked IRP: IRP_MJ_CLEANUP Jump To: 85C981F8 Hooking Module: _unknown_
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_CREATE Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_CLOSE Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_READ Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_WRITE Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_QUERY_INFORMATION Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_SET_INFORMATION Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_QUERY_EA Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_SET_EA Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_FLUSH_BUFFERS Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION Jump To: F76D4AEA Hooking Module: spjp.sys
Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION Jump To: F76D4AEA
Hooking Module: spjp.sys Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_DIRECTORY_CONTROL Jump To: F76D4AEA Hooking Module: spjp.sys Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL Jump To: F76D4AEA Hooking Module: spjp.sys Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_DEVICE_CONTROL Jump To: F76D4AEA Hooking Module: spjp.sys Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL Jump To: F76D4AEA Hooking Module: spjp.sys Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_SHUTDOWN Jump To: F76D4AEA Hooking Module: spjp.sys Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_LOCK_CONTROL Jump To: F76D4AEA Hooking Module: spjp.sys Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_CLEANUP Jump To: F76D4AEA Hooking Module: spjp.sys Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_CREATE_MAILSLOT Jump To: F76D4AEA Hooking Module: spjp.sys Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_QUERY_SECURITY Jump To: F76D4AEA Hooking Module: spjp.sys Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_SET_SECURITY Jump To: F76D4AEA Hooking Module: spjp.sys Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_POWER Jump To: F7698E30 Hooking Module: spjp.sys Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_SYSTEM_CONTROL Jump To: F76AD514 Hooking Module: spjp.sys Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_DEVICE_CHANGE Jump To: F76D4AEA Hooking Module: spjp.sys Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_QUERY_QUOTA Jump To: F76D4AEA Hooking Module: spjp.sys Hooked Module: \Driver\PCI_PNP7308 Hooked IRP: IRP_MJ_SET_QUOTA Jump To: F76D4AEA Hooking Module: spjp.sys Hooked Module: C:\windows\system32\DRIVERS\cdrom.sys Hooked IRP: IRP_MJ_CREATE Jump To: 861171F8 Hooking Module: _unknown_ Hooked Module: C:\windows\system32\DRIVERS\cdrom.sys Hooked IRP: IRP_MJ_CLOSE Jump To: 861171F8 Hooking Module: _unknown_ Hooked Module: C:\windows\system32\DRIVERS\cdrom.sys Hooked IRP: 
IRP_MJ_READ Jump To: 861171F8 Hooking Module: _unknown_ Hooked Module: C:\windows\system32\DRIVERS\cdrom.sys Hooked IRP: IRP_MJ_WRITE Jump To: 861171F8 Hooking Module: _unknown_ Hooked Module: C:\windows\system32\DRIVERS\cdrom.sys Hooked IRP: IRP_MJ_FLUSH_BUFFERS Jump To: 861171F8 Hooking Module: _unknown_ Hooked Module: C:\windows\system32\DRIVERS\cdrom.sys Hooked IRP: IRP_MJ_DEVICE_CONTROL Jump To: 861171F8 Hooking Module: _unknown_ Hooked Module: C:\windows\system32\DRIVERS\cdrom.sys Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL Jump To: 861171F8 Hooking Module: _unknown_ Hooked Module: C:\windows\system32\DRIVERS\cdrom.sys Hooked IRP: IRP_MJ_SHUTDOWN Jump To: 861171F8 Hooking Module: _unknown_ Hooked Module: C:\windows\system32\DRIVERS\cdrom.sys Hooked IRP: IRP_MJ_POWER Jump To: 861171F8 Hooking Module: _unknown_ Hooked Module: C:\windows\system32\DRIVERS\cdrom.sys Hooked IRP: IRP_MJ_SYSTEM_CONTROL Jump To: 861171F8 Hooking Module: _unknown_ Hooked Module: C:\windows\system32\DRIVERS\usbehci.sys Hooked IRP: IRP_MJ_CREATE Jump To: 8612F500 Hooking Module: _unknown_ Hooked Module: C:\windows\system32\DRIVERS\usbehci.sys Hooked IRP: IRP_MJ_CLOSE Jump To: 8612F500 Hooking Module: _unknown_ Hooked Module: C:\windows\system32\DRIVERS\usbehci.sys Hooked IRP: IRP_MJ_DEVICE_CONTROL Jump To: 8612F500 Hooking Module: _unknown_ Hooked Module: C:\windows\system32\DRIVERS\usbehci.sys Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL Jump To: 8612F500 Hooking Module: _unknown_ Hooked Module: C:\windows\system32\DRIVERS\usbehci.sys Hooked IRP: IRP_MJ_POWER Jump To: 8612F500 Hooking Module: _unknown_ Hooked Module: C:\windows\system32\DRIVERS\usbehci.sys Hooked IRP: IRP_MJ_SYSTEM_CONTROL Jump To: 8612F500 Hooking Module: _unknown_ ****************************************************************************************** ****************************************************************************************** Ports: Local Address: MICHAEL-44380AF.HOME:3871 Remote Address: 
63.97.94.33:HTTP Type: TCP Process: C:\WINDOWS\msa.exe State: ESTABLISHED Local Address: MICHAEL-44380AF.HOME:3870 Remote Address: 63.97.94.73:HTTP Type: TCP Process: C:\WINDOWS\msa.exe State: ESTABLISHED Local Address: MICHAEL-44380AF.HOME:3869 Remote Address: A204-2-177-34.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP Type: TCP Process: C:\WINDOWS\msa.exe State: ESTABLISHED Local Address: MICHAEL-44380AF.HOME:3868 Remote Address: A204-2-177-34.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP Type: TCP Process: C:\WINDOWS\msa.exe State: ESTABLISHED Local Address: MICHAEL-44380AF.HOME:3867 Remote Address: 8.19.18.50:HTTP Type: TCP Process: C:\WINDOWS\msa.exe State: ESTABLISHED Local Address: MICHAEL-44380AF.HOME:3866 Remote Address: GW-IN-F148.GOOGLE.COM:HTTP Type: TCP Process: C:\WINDOWS\msa.exe State: ESTABLISHED Local Address: MICHAEL-44380AF.HOME:3862 Remote Address: AN-IN-F164.GOOGLE.COM:HTTP Type: TCP Process: C:\WINDOWS\msa.exe State: ESTABLISHED Local Address: MICHAEL-44380AF.HOME:3861 Remote Address: EC2-174-129-100-223.COMPUTE-1.AMAZONAWS.COM:HTTP Type: TCP Process: [System Idle Process] State: TIME_WAIT Local Address: MICHAEL-44380AF.HOME:3858 Remote Address: EC2-174-129-100-223.COMPUTE-1.AMAZONAWS.COM:HTTP Type: TCP Process: [System Idle Process] State: TIME_WAIT Local Address: MICHAEL-44380AF.HOME:3848 Remote Address: GW-IN-F156.GOOGLE.COM:HTTP Type: TCP Process: C:\WINDOWS\msa.exe State: ESTABLISHED Local Address: MICHAEL-44380AF.HOME:3847 Remote Address: AN-IN-F164.GOOGLE.COM:HTTP Type: TCP Process: C:\WINDOWS\msa.exe State: ESTABLISHED Local Address: MICHAEL-44380AF.HOME:3844 Remote Address: EC2-174-129-100-223.COMPUTE-1.AMAZONAWS.COM:HTTP Type: TCP Process: [System Idle Process] State: TIME_WAIT Local Address: MICHAEL-44380AF.HOME:3831 Remote Address: 63.97.94.32:HTTP Type: TCP Process: C:\WINDOWS\msa.exe State: ESTABLISHED Local Address: MICHAEL-44380AF.HOME:3821 Remote Address: 63.97.94.72:HTTP Type: TCP Process: C:\WINDOWS\msa.exe State: ESTABLISHED Local Address: 
MICHAEL-44380AF.HOME:3818 Remote Address: EC2-174-129-30-253.COMPUTE-1.AMAZONAWS.COM:HTTP Type: TCP Process: C:\WINDOWS\msa.exe State: ESTABLISHED Local Address: MICHAEL-44380AF.HOME:3815 Remote Address: A204-2-177-48.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP Type: TCP Process: C:\WINDOWS\msa.exe State: ESTABLISHED Local Address: MICHAEL-44380AF.HOME:3813 Remote Address: NETBLK-207-171-14-119.ADCONION.COM:HTTP Type: TCP Process: C:\WINDOWS\msa.exe State: ESTABLISHED Local Address: MICHAEL-44380AF.HOME:3811 Remote Address: EC2-174-129-30-253.COMPUTE-1.AMAZONAWS.COM:HTTP Type: TCP Process: C:\WINDOWS\msa.exe State: ESTABLISHED Local Address: MICHAEL-44380AF.HOME:3805 Remote Address: 63.97.94.19:HTTP Type: TCP Process: C:\WINDOWS\msa.exe State: ESTABLISHED Local Address: MICHAEL-44380AF.HOME:3780 Remote Address: GW-IN-F101.GOOGLE.COM:HTTP Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED Local Address: MICHAEL-44380AF.HOME:3779 Remote Address: NUQ04S01-IN-F139.GOOGLE.COM:HTTP Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED Local Address: MICHAEL-44380AF.HOME:3777 Remote Address: GW-IN-F132.GOOGLE.COM:HTTP Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED Local Address: MICHAEL-44380AF.HOME:3771 Remote Address: 209.85.133.157:HTTP Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED Local Address: MICHAEL-44380AF.HOME:NETBIOS-SSN Remote Address: 0.0.0.0:0 Type: TCP Process: System State: LISTENING Local Address: MICHAEL-44380AF:5152 Remote Address: LOCALHOST:3476 Type: TCP Process: C:\Program Files\Java\jre6\bin\jqs.exe State: CLOSE_WAIT Local Address: MICHAEL-44380AF:5152 Remote Address: 0.0.0.0:0 Type: TCP Process: C:\Program Files\Java\jre6\bin\jqs.exe State: LISTENING Local Address: MICHAEL-44380AF:3475 Remote Address: LOCALHOST:3474 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED Local Address: 
MICHAEL-44380AF:3474 Remote Address: LOCALHOST:3475 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED Local Address: MICHAEL-44380AF:3473 Remote Address: LOCALHOST:3472 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED Local Address: MICHAEL-44380AF:3472 Remote Address: LOCALHOST:3473 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED Local Address: MICHAEL-44380AF:1026 Remote Address: 0.0.0.0:0 Type: TCP Process: C:\WINDOWS\system32\alg.exe State: LISTENING Local Address: MICHAEL-44380AF:MICROSOFT-DS Remote Address: 0.0.0.0:0 Type: TCP Process: System State: LISTENING Local Address: MICHAEL-44380AF:EPMAP Remote Address: 0.0.0.0:0 Type: TCP Process: C:\WINDOWS\system32\svchost.exe State: LISTENING Local Address: MICHAEL-44380AF.HOME:1900 Remote Address: NA Type: UDP Process: C:\WINDOWS\system32\svchost.exe State: NA Local Address: MICHAEL-44380AF.HOME:138 Remote Address: NA Type: UDP Process: System State: NA Local Address: MICHAEL-44380AF.HOME:NETBIOS-NS Remote Address: NA Type: UDP Process: System State: NA Local Address: MICHAEL-44380AF.HOME:123 Remote Address: NA Type: UDP Process: C:\WINDOWS\system32\svchost.exe State: NA Local Address: MICHAEL-44380AF:4771 Remote Address: NA Type: UDP Process: C:\Program Files\Windows Media Player\wmplayer.exe State: NA Local Address: MICHAEL-44380AF:3740 Remote Address: NA Type: UDP Process: C:\WINDOWS\msa.exe State: NA Local Address: MICHAEL-44380AF:1900 Remote Address: NA Type: UDP Process: C:\WINDOWS\system32\svchost.exe State: NA Local Address: MICHAEL-44380AF:123 Remote Address: NA Type: UDP Process: C:\WINDOWS\system32\svchost.exe State: NA Local Address: MICHAEL-44380AF:4500 Remote Address: NA Type: UDP Process: C:\WINDOWS\system32\lsass.exe State: NA Local Address: MICHAEL-44380AF:500 Remote Address: NA Type: UDP Process: C:\WINDOWS\system32\lsass.exe State: NA Local Address: MICHAEL-44380AF:MICROSOFT-DS Remote Address: 
NA Type: UDP Process: System State: NA ****************************************************************************************** ****************************************************************************************** Hidden files/folders: Object: C:\System Volume Information\MountPointManagerRemoteDatabase Status: Access denied Object: C:\System Volume Information\tracking.log Status: Access denied still nothing from win32k so im not posting that log |
#3

Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,664
OS: 2000 Pro; XP Pro; XP Home

Re: msa.exe, a.exe, b.exe, c.exe
Hello and Welcome.
While there may be similarities in files and symptoms, we treat each topic individually, and therefore require a different set of logs. We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a Quote:

Please follow our pre-posting process outlined here: NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed. I currently have as many open topics as I can effectively handle; this will have you back in queue with the proper logs so an available helper would be able to assist. If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply. Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009