BleepingComputer.com: Google Redirect & Malware

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

Google Redirect & Malware

#1 User is offline   FRISC0 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 130
  • Joined: 21-January 08
  • Gender:Male

Posted 01 April 2011 - 07:52 AM

Hey there, I've noticed recently when I click links on Google they will take me to other websites of advertising and other rubbish that I didn't actually click on. I also had a pop-up the other day (I'm on Vista) asking me to Allow a programme to be installed and it wouldn't stop asking me to install it and I had to push cancel for a good 10 mins before it went away, my antivirus said it was a trojan, I've just turned my PC on and it says I have malware (according to AVG...).

Please could you direct me with any help, I should be okay following instructions I've done these a few times before :)

I'm not sure what I'm infected with but I feel something is there, any help would be a great help!

Thanks
FRISC0

EDIT:
Here is my DDS Log:

Quote

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Jamie at 15:50:34.28 on 01/04/2011
Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_22
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2047.579 [GMT 1:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Hotspot Shield\bin\hsswd.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Jamie\Desktop\gmer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\explorer.exe
C:\Users\Jamie\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = local;*.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [UPnPRemoteEndpointInfo] regsvr32 /s /u "c:\users\jamie\appdata\local\upnpremoteendpointinfo\UPnPRemoteEndpointInfo.dll"
uRun: [zpka6oPoqDdX] control.exe "c:\users\jamie\appdata\local\io2trlckr3\zpka6oPoqDdX.cpl",0,1
uRun: [Hgugi] rundll32.exe "c:\users\jamie\appdata\local\esokonej.dll",Startup
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jamie\appdata\roaming\mozilla\firefox\profiles\wkfz9qgz.default\
FF - prefs.js: browser.startup.homepage - hxxp://Google.co.uk
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\users\jamie\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\users\jamie\appdata\roaming\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\jamie\appdata\roaming\facebook\npfbplugin_1_0_3.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-31 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-3-31 301528]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-3-31 19544]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-3-31 53592]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-3-31 42184]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-4-23 21504]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-8-24 1153368]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-10-16 369256]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
R3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-6-27 335872]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Camdrv30;Philips ToUcam XS;c:\windows\system32\drivers\camdrv30.sys [2001-8-17 171264]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-3-11 13224]
S3 RTLWUSB;802.11g USB2.0 WLAN Dongle;c:\windows\system32\drivers\RTL8187.sys [2008-6-27 335872]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [2009-3-11 90408]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [2009-3-11 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [2009-3-11 122024]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [2009-3-11 115368]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [2009-3-11 25768]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [2009-3-11 111784]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [2009-3-11 117544]
S3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-6-28 1310720]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-04-01 14:49:12 625664 ----a-w- c:\users\jamie\dds.scr
2011-03-31 18:31:01 -------- d-----w- c:\users\jamie\appdata\local\{418BCFCB-4472-48FB-A67C-F0A800FB5462}
2011-03-30 23:15:42 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-03-30 23:15:41 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-03-30 23:14:44 40648 ----a-w- c:\windows\avastSS.scr
2011-03-30 23:13:58 -------- d-----w- c:\program files\AVAST Software
2011-03-30 23:13:58 -------- d-----w- c:\progra~2\AVAST Software
2011-03-30 22:21:55 0 ----a-w- c:\users\jamie\appdata\local\Syowobe.bin
2011-03-30 22:21:52 -------- d-----w- c:\users\jamie\appdata\local\{5384F7E6-9104-4F09-B1F0-72A183ECAC0A}
2011-03-30 13:50:43 -------- d-----w- c:\users\jamie\appdata\local\{97808D4A-D5FA-43D3-95AE-A42CD7F07FA5}
2011-03-29 17:38:51 -------- d-----w- c:\users\jamie\appdata\local\{941FEAB4-FE37-4D6F-A2BC-0779E3F0E90F}
2011-03-28 16:47:50 -------- d-----w- c:\users\jamie\appdata\local\{1F0EAAFC-2B5D-4E5F-BE98-C9A5553370E1}
2011-03-27 20:30:00 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-03-27 20:29:59 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-03-27 20:29:59 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-03-27 20:29:59 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-03-27 20:29:59 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-03-27 20:29:59 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-03-27 20:29:59 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-03-27 20:29:59 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-03-27 20:28:40 376480 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-03-26 18:38:55 -------- d-----w- c:\users\jamie\appdata\local\{FDC4747C-C5DA-403A-AB87-821480F8CA5C}
2011-03-23 11:09:09 -------- d-----w- c:\users\jamie\appdata\local\{5F57A843-32D5-4857-9AFC-E5C3D0857C2C}
2011-03-23 10:15:06 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-23 10:15:05 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-23 10:15:05 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-22 10:27:03 -------- d-----w- c:\users\jamie\appdata\local\{6233DC08-021B-4F62-B82E-14BA0E0AD1AC}
2011-03-22 10:26:42 -------- d-----w- c:\users\jamie\appdata\local\{A7AD0566-CD0C-4C61-8161-0FE786F7206A}
2011-03-20 21:46:39 -------- d-----w- c:\users\jamie\appdata\local\{59CF0317-A669-4948-AD36-03953CC67D99}
2011-03-18 15:28:33 -------- d-----w- c:\users\jamie\appdata\local\{889EF7D4-E2B2-4210-98BC-562CF820C770}
2011-03-14 22:06:33 -------- d-----w- c:\program files\Free Audio Pack
2011-03-11 21:07:26 -------- d-----w- c:\users\jamie\appdata\local\{A83C51F8-9B6A-43AD-89EB-5F57B8DED0E5}
2011-03-10 10:36:22 -------- d-----w- c:\program files\iPod
2011-03-08 23:36:48 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-08 23:36:47 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-08 23:36:47 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-08 23:36:47 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-08 23:36:46 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-08 23:36:46 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-07 17:00:04 -------- d-----w- c:\users\jamie\appdata\local\{08DAB889-D2D1-4BD1-B7E8-1C7D8C1AAC19}
2011-03-04 20:55:33 -------- d-----w- c:\users\jamie\appdata\local\{800BF940-4B5B-4FD4-8807-9864DD0B7800}
2011-03-03 23:08:27 -------- d-----w- c:\users\jamie\appdata\local\{0DDE6C29-0DE7-453C-AC91-583B3E84CA49}
2011-03-03 21:46:41 -------- d-----w- c:\program files\iTunes
2011-03-03 21:42:43 -------- d-----w- c:\program files\Bonjour
2011-03-02 16:23:36 -------- d-----w- c:\users\jamie\appdata\local\{5B620FEB-1A5B-4689-8F9E-2CE2B8AFC230}
.
==================== Find3M ====================
.
2011-02-18 16:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-01-31 15:52:58 626688 ----a-w- c:\windows\system32\msvcr80.dll
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 15:53:14.92 ===============



and here is my GMER log:

Quote

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-01 16:31:38
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\0000006b SAMSUNG_ rev.CP10
Running: gmer.exe; Driver: C:\Users\Jamie\AppData\Local\Temp\ugloypod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8E2659CA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8E267EAC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8E267F04]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8E26801A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8E267E02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8E267F54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8E267E56]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8E267FC8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8E2659EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8E2657B8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8E265A12]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8E268412]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8E2664AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8E267EDC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8E267F2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8E268044]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8E267E2E]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA2FD7780]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8E267F94]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8E267E84]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8E267FF2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8E266370]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8E265A36]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8E265A5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8E265812]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8E26594E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8E26592A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8E265972]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA2FD7830]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA2FD78D0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8E265A7E]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA2FD7970]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8E98C8DE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 10D 82ABB890 4 Bytes [CA, 59, 26, 8E]
.text ntkrnlpa.exe!KeSetEvent + 1D1 82ABB954 8 Bytes [AC, 7E, 26, 8E, 04, 7F, 26, ...]
.text ntkrnlpa.exe!KeSetEvent + 1DD 82ABB960 4 Bytes [1A, 80, 26, 8E]
.text ntkrnlpa.exe!KeSetEvent + 1F5 82ABB978 4 Bytes [02, 7E, 26, 8E]
.text ntkrnlpa.exe!KeSetEvent + 215 82ABB998 8 Bytes [54, 7F, 26, 8E, 56, 7E, 26, ...]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82BE65C7 5 Bytes JMP 8E98829E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 82C3F4F3 5 Bytes JMP 8E989D38 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 82C48E18 4 Bytes CALL 8E266E3B \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 82C4CA8C 4 Bytes CALL 8E266E51 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82CA0DAE 7 Bytes JMP 8E98C8E2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE spsys.sys!?SPVersion@@3PADA + 1ABF 8149503F 110 Bytes [8B, FF, 55, 8B, EC, 8B, 45, ...]
PAGE spsys.sys!?SPVersion@@3PADA + 1B2F 814950AF 1 Byte [16]
PAGE spsys.sys!?SPVersion@@3PADA + 1B2F 814950AF 128 Bytes [16, 3B, C8, 75, E2, B0, 01, ...]
PAGE spsys.sys!?SPVersion@@3PADA + 1BB0 81495130 6 Bytes [0E, 83, 78, 14, 01, 75]
PAGE spsys.sys!?SPVersion@@3PADA + 1BB7 81495137 2298 Bytes [83, 78, 18, 37, 75, 02, B3, ...]
PAGE ...
? C:\Users\Jamie\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[268] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Program Files\Mozilla Firefox\firefox.exe[268] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Program Files\Mozilla Firefox\firefox.exe[268] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Program Files\Mozilla Firefox\firefox.exe[268] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Program Files\Mozilla Firefox\firefox.exe[268] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Program Files\Mozilla Firefox\firefox.exe[268] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Program Files\Mozilla Firefox\firefox.exe[268] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Program Files\Mozilla Firefox\firefox.exe[268] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Program Files\Mozilla Firefox\firefox.exe[268] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Program Files\Mozilla Firefox\firefox.exe[268] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Program Files\Mozilla Firefox\firefox.exe[268] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000800A8
.text C:\Program Files\Mozilla Firefox\firefox.exe[268] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000800E4
.text C:\Program Files\Mozilla Firefox\firefox.exe[268] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00080120
.text C:\Program Files\Mozilla Firefox\firefox.exe[268] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00080030
.text C:\Program Files\Mozilla Firefox\firefox.exe[268] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0008006C
.text C:\Windows\Explorer.EXE[424] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00090030
.text C:\Windows\Explorer.EXE[424] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0009006C
.text C:\Windows\Explorer.EXE[424] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 000B006C
.text C:\Windows\Explorer.EXE[424] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000B00A8
.text C:\Windows\Explorer.EXE[424] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000B01D4
.text C:\Windows\Explorer.EXE[424] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000B00E4
.text C:\Windows\Explorer.EXE[424] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 000B0120
.text C:\Windows\Explorer.EXE[424] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 000B015C
.text C:\Windows\Explorer.EXE[424] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 000B0198
.text C:\Windows\Explorer.EXE[424] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 000B0030
.text C:\Windows\Explorer.EXE[424] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000C00A8
.text C:\Windows\Explorer.EXE[424] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000C00E4
.text C:\Windows\Explorer.EXE[424] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 000C0120
.text C:\Windows\Explorer.EXE[424] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 000C0030
.text C:\Windows\Explorer.EXE[424] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 000C006C
.text C:\Windows\system32\taskeng.exe[460] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Windows\system32\taskeng.exe[460] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Windows\system32\taskeng.exe[460] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Windows\system32\taskeng.exe[460] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Windows\system32\taskeng.exe[460] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Windows\system32\taskeng.exe[460] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Windows\system32\taskeng.exe[460] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Windows\system32\taskeng.exe[460] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Windows\system32\taskeng.exe[460] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Windows\system32\taskeng.exe[460] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Windows\system32\taskeng.exe[460] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000800A8
.text C:\Windows\system32\taskeng.exe[460] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000800E4
.text C:\Windows\system32\taskeng.exe[460] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00080120
.text C:\Windows\system32\taskeng.exe[460] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00080030
.text C:\Windows\system32\taskeng.exe[460] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0008006C
.text C:\Windows\system32\Dwm.exe[604] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Windows\system32\Dwm.exe[604] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Windows\system32\Dwm.exe[604] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Windows\system32\Dwm.exe[604] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Windows\system32\Dwm.exe[604] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Windows\system32\Dwm.exe[604] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Windows\system32\Dwm.exe[604] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Windows\system32\Dwm.exe[604] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Windows\system32\Dwm.exe[604] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Windows\system32\Dwm.exe[604] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Windows\system32\Dwm.exe[604] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000800A8
.text C:\Windows\system32\Dwm.exe[604] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000800E4
.text C:\Windows\system32\Dwm.exe[604] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00080120
.text C:\Windows\system32\Dwm.exe[604] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00080030
.text C:\Windows\system32\Dwm.exe[604] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0008006C
.text C:\Windows\system32\wininit.exe[716] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00030030
.text C:\Windows\system32\wininit.exe[716] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0003006C
.text C:\Windows\system32\wininit.exe[716] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0005006C
.text C:\Windows\system32\wininit.exe[716] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000500A8
.text C:\Windows\system32\wininit.exe[716] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000501D4
.text C:\Windows\system32\wininit.exe[716] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000500E4
.text C:\Windows\system32\wininit.exe[716] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00050120
.text C:\Windows\system32\wininit.exe[716] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0005015C
.text C:\Windows\system32\wininit.exe[716] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00050198
.text C:\Windows\system32\wininit.exe[716] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00050030
.text C:\Windows\system32\wininit.exe[716] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000600A8
.text C:\Windows\system32\wininit.exe[716] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000600E4
.text C:\Windows\system32\wininit.exe[716] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00060120
.text C:\Windows\system32\wininit.exe[716] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00060030
.text C:\Windows\system32\wininit.exe[716] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0006006C
.text C:\Windows\system32\services.exe[760] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Windows\system32\services.exe[760] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Windows\system32\services.exe[760] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Windows\system32\services.exe[760] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Windows\system32\services.exe[760] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Windows\system32\services.exe[760] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Windows\system32\services.exe[760] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Windows\system32\services.exe[760] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Windows\system32\services.exe[760] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Windows\system32\services.exe[760] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Windows\system32\services.exe[760] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000800A8
.text C:\Windows\system32\services.exe[760] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000800E4
.text C:\Windows\system32\services.exe[760] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00080120
.text C:\Windows\system32\services.exe[760] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00080030
.text C:\Windows\system32\services.exe[760] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0008006C
.text C:\Windows\system32\lsass.exe[776] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Windows\system32\lsass.exe[776] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Windows\system32\lsass.exe[776] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0017006C
.text C:\Windows\system32\lsass.exe[776] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 001700A8
.text C:\Windows\system32\lsass.exe[776] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 001701D4
.text C:\Windows\system32\lsass.exe[776] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 001700E4
.text C:\Windows\system32\lsass.exe[776] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00170120
.text C:\Windows\system32\lsass.exe[776] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0017015C
.text C:\Windows\system32\lsass.exe[776] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00170198
.text C:\Windows\system32\lsass.exe[776] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00170030
.text C:\Windows\system32\lsass.exe[776] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 001800A8
.text C:\Windows\system32\lsass.exe[776] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 001800E4
.text C:\Windows\system32\lsass.exe[776] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00180120
.text C:\Windows\system32\lsass.exe[776] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00180030
.text C:\Windows\system32\lsass.exe[776] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0018006C
.text C:\Windows\system32\lsm.exe[784] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Windows\system32\lsm.exe[784] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Windows\system32\lsm.exe[784] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Windows\system32\lsm.exe[784] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Windows\system32\lsm.exe[784] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Windows\system32\lsm.exe[784] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Windows\system32\lsm.exe[784] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Windows\system32\lsm.exe[784] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Windows\system32\lsm.exe[784] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Windows\system32\lsm.exe[784] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Windows\system32\winlogon.exe[828] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00030030
.text C:\Windows\system32\winlogon.exe[828] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0003006C
.text C:\Windows\system32\winlogon.exe[828] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0005006C
.text C:\Windows\system32\winlogon.exe[828] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000500A8
.text C:\Windows\system32\winlogon.exe[828] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000501D4
.text C:\Windows\system32\winlogon.exe[828] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000500E4
.text C:\Windows\system32\winlogon.exe[828] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00050120
.text C:\Windows\system32\winlogon.exe[828] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0005015C
.text C:\Windows\system32\winlogon.exe[828] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00050198
.text C:\Windows\system32\winlogon.exe[828] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00050030
.text C:\Windows\system32\winlogon.exe[828] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000600A8
.text C:\Windows\system32\winlogon.exe[828] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000600E4
.text C:\Windows\system32\winlogon.exe[828] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00060120
.text C:\Windows\system32\winlogon.exe[828] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00060030
.text C:\Windows\system32\winlogon.exe[828] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0006006C
.text C:\Windows\System32\spoolsv.exe[868] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Windows\System32\spoolsv.exe[868] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Windows\System32\spoolsv.exe[868] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Windows\System32\spoolsv.exe[868] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Windows\System32\spoolsv.exe[868] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Windows\System32\spoolsv.exe[868] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Windows\System32\spoolsv.exe[868] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Windows\System32\spoolsv.exe[868] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Windows\System32\spoolsv.exe[868] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Windows\System32\spoolsv.exe[868] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Windows\System32\spoolsv.exe[868] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 002100A8
.text C:\Windows\System32\spoolsv.exe[868] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 002100E4
.text C:\Windows\System32\spoolsv.exe[868] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00210120
.text C:\Windows\System32\spoolsv.exe[868] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00210030
.text C:\Windows\System32\spoolsv.exe[868] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0021006C
.text C:\Windows\system32\svchost.exe[1004] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Windows\system32\svchost.exe[1004] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Windows\system32\svchost.exe[1004] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Windows\system32\nvvsvc.exe[1056] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00150030
.text C:\Windows\system32\nvvsvc.exe[1056] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0015006C
.text C:\Windows\system32\nvvsvc.exe[1056] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0017006C
.text C:\Windows\system32\nvvsvc.exe[1056] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 001700A8
.text C:\Windows\system32\nvvsvc.exe[1056] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 001701D4
.text C:\Windows\system32\nvvsvc.exe[1056] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 001700E4
.text C:\Windows\system32\nvvsvc.exe[1056] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00170120
.text C:\Windows\system32\nvvsvc.exe[1056] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0017015C
.text C:\Windows\system32\nvvsvc.exe[1056] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00170198
.text C:\Windows\system32\nvvsvc.exe[1056] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00170030
.text C:\Windows\system32\nvvsvc.exe[1056] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 001800A8
.text C:\Windows\system32\nvvsvc.exe[1056] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 001800E4
.text C:\Windows\system32\nvvsvc.exe[1056] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00180120
.text C:\Windows\system32\nvvsvc.exe[1056] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00180030
.text C:\Windows\system32\nvvsvc.exe[1056] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0018006C
.text C:\Windows\system32\svchost.exe[1088] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Windows\system32\svchost.exe[1088] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Windows\system32\svchost.exe[1088] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0008006C
.text C:\Windows\system32\svchost.exe[1088] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000800A8
.text C:\Windows\system32\svchost.exe[1088] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000801D4
.text C:\Windows\system32\svchost.exe[1088] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000800E4
.text C:\Windows\system32\svchost.exe[1088] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00080120
.text C:\Windows\system32\svchost.exe[1088] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0008015C
.text C:\Windows\system32\svchost.exe[1088] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00080198
.text C:\Windows\system32\svchost.exe[1088] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00080030
.text C:\Windows\system32\svchost.exe[1088] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 001500A8
.text C:\Windows\system32\svchost.exe[1088] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 001500E4
.text C:\Windows\system32\svchost.exe[1088] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00150120
.text C:\Windows\system32\svchost.exe[1088] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00150030
.text C:\Windows\system32\svchost.exe[1088] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0015006C
.text C:\Windows\system32\wbem\wmiprvse.exe[1140] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Windows\system32\wbem\wmiprvse.exe[1140] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Windows\system32\wbem\wmiprvse.exe[1140] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Windows\system32\wbem\wmiprvse.exe[1140] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Windows\system32\wbem\wmiprvse.exe[1140] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Windows\system32\wbem\wmiprvse.exe[1140] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Windows\system32\wbem\wmiprvse.exe[1140] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Windows\system32\wbem\wmiprvse.exe[1140] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Windows\system32\wbem\wmiprvse.exe[1140] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Windows\system32\wbem\wmiprvse.exe[1140] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Windows\system32\wbem\wmiprvse.exe[1140] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000800A8
.text C:\Windows\system32\wbem\wmiprvse.exe[1140] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000800E4
.text C:\Windows\system32\wbem\wmiprvse.exe[1140] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00080120
.text C:\Windows\system32\wbem\wmiprvse.exe[1140] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00080030
.text C:\Windows\system32\wbem\wmiprvse.exe[1140] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0008006C
.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Windows\system32\svchost.exe[1184] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000D00A8
.text C:\Windows\system32\svchost.exe[1184] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000D00E4
.text C:\Windows\system32\svchost.exe[1184] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 000D0120
.text C:\Windows\system32\svchost.exe[1184] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 000D0030
.text C:\Windows\system32\svchost.exe[1184] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 000D006C
.text C:\Windows\System32\svchost.exe[1220] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00090030
.text C:\Windows\System32\svchost.exe[1220] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0009006C
.text C:\Windows\System32\svchost.exe[1220] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 000B006C
.text C:\Windows\System32\svchost.exe[1220] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000B00A8
.text C:\Windows\System32\svchost.exe[1220] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000B01D4
.text C:\Windows\System32\svchost.exe[1220] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000B00E4
.text C:\Windows\System32\svchost.exe[1220] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 000B0120
.text C:\Windows\System32\svchost.exe[1220] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 000B015C
.text C:\Windows\System32\svchost.exe[1220] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 000B0198
.text C:\Windows\System32\svchost.exe[1220] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 000B0030
.text C:\Windows\System32\svchost.exe[1220] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 001200A8
.text C:\Windows\System32\svchost.exe[1220] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 001200E4
.text C:\Windows\System32\svchost.exe[1220] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00120120
.text C:\Windows\System32\svchost.exe[1220] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00120030
.text C:\Windows\System32\svchost.exe[1220] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0012006C
.text C:\Windows\System32\svchost.exe[1256] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Windows\System32\svchost.exe[1256] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Windows\System32\svchost.exe[1256] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Windows\System32\svchost.exe[1256] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Windows\System32\svchost.exe[1256] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Windows\System32\svchost.exe[1256] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Windows\System32\svchost.exe[1256] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Windows\System32\svchost.exe[1256] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Windows\System32\svchost.exe[1256] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Windows\System32\svchost.exe[1256] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Windows\System32\svchost.exe[1256] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 002000A8
.text C:\Windows\System32\svchost.exe[1256] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 002000E4
.text C:\Windows\System32\svchost.exe[1256] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00200120
.text C:\Windows\System32\svchost.exe[1256] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00200030
.text C:\Windows\System32\svchost.exe[1256] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0020006C
.text C:\Windows\system32\svchost.exe[1292] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Windows\system32\svchost.exe[1292] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Windows\system32\svchost.exe[1292] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Windows\system32\svchost.exe[1292] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Windows\system32\svchost.exe[1292] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Windows\system32\svchost.exe[1292] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Windows\system32\svchost.exe[1292] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Windows\system32\svchost.exe[1292] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Windows\system32\svchost.exe[1292] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Windows\system32\svchost.exe[1292] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Windows\system32\svchost.exe[1292] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000C00A8
.text C:\Windows\system32\svchost.exe[1292] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000C00E4
.text C:\Windows\system32\svchost.exe[1292] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 000C0120
.text C:\Windows\system32\svchost.exe[1292] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 000C0030
.text C:\Windows\system32\svchost.exe[1292] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 000C006C
.text C:\Windows\system32\taskeng.exe[1400] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Windows\system32\taskeng.exe[1400] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Windows\system32\taskeng.exe[1400] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Windows\system32\taskeng.exe[1400] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Windows\system32\taskeng.exe[1400] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Windows\system32\taskeng.exe[1400] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Windows\system32\taskeng.exe[1400] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Windows\system32\taskeng.exe[1400] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Windows\system32\taskeng.exe[1400] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Windows\system32\taskeng.exe[1400] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Windows\system32\taskeng.exe[1400] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000800A8
.text C:\Windows\system32\taskeng.exe[1400] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000800E4
.text C:\Windows\system32\taskeng.exe[1400] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00080120
.text C:\Windows\system32\taskeng.exe[1400] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00080030
.text C:\Windows\system32\taskeng.exe[1400] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0008006C
.text C:\Windows\system32\svchost.exe[1424] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Windows\system32\svchost.exe[1424] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Windows\system32\svchost.exe[1424] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Windows\system32\svchost.exe[1424] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Windows\system32\svchost.exe[1424] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Windows\system32\svchost.exe[1424] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Windows\system32\svchost.exe[1424] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Windows\system32\svchost.exe[1424] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Windows\system32\svchost.exe[1424] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Windows\system32\svchost.exe[1424] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Windows\system32\svchost.exe[1472] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Windows\system32\svchost.exe[1472] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Windows\system32\svchost.exe[1472] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 001B00A8
.text C:\Windows\system32\svchost.exe[1472] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 001B00E4
.text C:\Windows\system32\svchost.exe[1472] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 001B0120
.text C:\Windows\system32\svchost.exe[1472] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 001B0030
.text C:\Windows\system32\svchost.exe[1472] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 001B006C
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1572] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00150030
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1572] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0015006C
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1572] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0027006C
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1572] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 002700A8
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1572] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 002701D4
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1572] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 002700E4
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1572] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00270120
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1572] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0027015C
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1572] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00270198
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1572] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00270030
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1572] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 002800A8
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1572] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 002800E4
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1572] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00280120
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1572] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00280030
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1572] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0028006C
.text C:\Windows\system32\nvvsvc.exe[1596] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00150030
.text C:\Windows\system32\nvvsvc.exe[1596] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0015006C
.text C:\Windows\system32\nvvsvc.exe[1596] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0027006C
.text C:\Windows\system32\nvvsvc.exe[1596] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 002700A8
.text C:\Windows\system32\nvvsvc.exe[1596] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 002701D4
.text C:\Windows\system32\nvvsvc.exe[1596] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 002700E4
.text C:\Windows\system32\nvvsvc.exe[1596] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00270120
.text C:\Windows\system32\nvvsvc.exe[1596] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0027015C
.text C:\Windows\system32\nvvsvc.exe[1596] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00270198
.text C:\Windows\system32\nvvsvc.exe[1596] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00270030
.text C:\Windows\system32\nvvsvc.exe[1596] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 002800A8
.text C:\Windows\system32\nvvsvc.exe[1596] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 002800E4
.text C:\Windows\system32\nvvsvc.exe[1596] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00280120
.text C:\Windows\system32\nvvsvc.exe[1596] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00280030
.text C:\Windows\system32\nvvsvc.exe[1596] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0028006C
.text C:\Windows\system32\svchost.exe[1780] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Windows\system32\svchost.exe[1780] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Windows\system32\svchost.exe[1780] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Windows\system32\svchost.exe[1780] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Windows\system32\svchost.exe[1780] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Windows\system32\svchost.exe[1780] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Windows\system32\svchost.exe[1780] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Windows\system32\svchost.exe[1780] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Windows\system32\svchost.exe[1780] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Windows\system32\svchost.exe[1780] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Windows\system32\svchost.exe[1780] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000C00A8
.text C:\Windows\system32\svchost.exe[1780] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000C00E4
.text C:\Windows\system32\svchost.exe[1780] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 000C0120
.text C:\Windows\system32\svchost.exe[1780] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 000C0030
.text C:\Windows\system32\svchost.exe[1780] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 000C006C
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1960] kernel32.dll!SetUnhandledExceptionFilter 75D6A84F 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe[1980] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00150030
.text C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe[1980] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0015006C
.text C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe[1980] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0017006C
.text C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe[1980] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 001700A8
.text C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe[1980] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 001701D4
.text C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe[1980] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 001700E4
.text C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe[1980] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00170120
.text C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe[1980] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0017015C
.text C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe[1980] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00170198
.text C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe[1980] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00170030
.text C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe[1980] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 001800A8
.text C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe[1980] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 001800E4
.text C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe[1980] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00180120
.text C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe[1980] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00180030
.text C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe[1980] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0018006C
.text C:\Windows\system32\wbem\unsecapp.exe[2356] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Windows\system32\wbem\unsecapp.exe[2356] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Windows\system32\wbem\unsecapp.exe[2356] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Windows\system32\wbem\unsecapp.exe[2356] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Windows\system32\wbem\unsecapp.exe[2356] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Windows\system32\wbem\unsecapp.exe[2356] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Windows\system32\wbem\unsecapp.exe[2356] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Windows\system32\wbem\unsecapp.exe[2356] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Windows\system32\wbem\unsecapp.exe[2356] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Windows\system32\wbem\unsecapp.exe[2356] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Windows\system32\wbem\unsecapp.exe[2356] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000800A8
.text C:\Windows\system32\wbem\unsecapp.exe[2356] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000800E4
.text C:\Windows\system32\wbem\unsecapp.exe[2356] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00080120
.text C:\Windows\system32\wbem\unsecapp.exe[2356] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00080030
.text C:\Windows\system32\wbem\unsecapp.exe[2356] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0008006C
.text C:\Windows\SOUNDMAN.EXE[2380] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00140030
.text C:\Windows\SOUNDMAN.EXE[2380] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0014006C
.text C:\Windows\SOUNDMAN.EXE[2380] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0016006C
.text C:\Windows\SOUNDMAN.EXE[2380] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 001600A8
.text C:\Windows\SOUNDMAN.EXE[2380] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 001601D4
.text C:\Windows\SOUNDMAN.EXE[2380] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 001600E4
.text C:\Windows\SOUNDMAN.EXE[2380] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00160120
.text C:\Windows\SOUNDMAN.EXE[2380] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0016015C
.text C:\Windows\SOUNDMAN.EXE[2380] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00160198
.text C:\Windows\SOUNDMAN.EXE[2380] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00160030
.text C:\Windows\SOUNDMAN.EXE[2380] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 001700A8
.text C:\Windows\SOUNDMAN.EXE[2380] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 001700E4
.text C:\Windows\SOUNDMAN.EXE[2380] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00170120
.text C:\Windows\SOUNDMAN.EXE[2380] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00170030
.text C:\Windows\SOUNDMAN.EXE[2380] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0017006C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2400] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2400] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2400] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2400] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2400] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2400] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2400] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2400] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2400] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2400] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2400] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000800A8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2400] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000800E4
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2400] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00080120
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2400] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00080030
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2400] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0008006C
.text C:\Program Files\AVG\AVG10\avgwdsvc.exe[2440] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Program Files\AVG\AVG10\avgwdsvc.exe[2440] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Program Files\AVG\AVG10\avgwdsvc.exe[2440] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Program Files\AVG\AVG10\avgwdsvc.exe[2440] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Program Files\AVG\AVG10\avgwdsvc.exe[2440] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Program Files\AVG\AVG10\avgwdsvc.exe[2440] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Program Files\AVG\AVG10\avgwdsvc.exe[2440] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Program Files\AVG\AVG10\avgwdsvc.exe[2440] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Program Files\AVG\AVG10\avgwdsvc.exe[2440] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Program Files\AVG\AVG10\avgwdsvc.exe[2440] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Program Files\AVG\AVG10\avgwdsvc.exe[2440] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000800A8
.text C:\Program Files\AVG\AVG10\avgwdsvc.exe[2440] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000800E4
.text C:\Program Files\AVG\AVG10\avgwdsvc.exe[2440] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00080120
.text C:\Program Files\AVG\AVG10\avgwdsvc.exe[2440] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00080030
.text C:\Program Files\AVG\AVG10\avgwdsvc.exe[2440] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0008006C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2464] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Program Files\Bonjour\mDNSResponder.exe[2464] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2464] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2464] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Program Files\Bonjour\mDNSResponder.exe[2464] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Program Files\Bonjour\mDNSResponder.exe[2464] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Program Files\Bonjour\mDNSResponder.exe[2464] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Program Files\Bonjour\mDNSResponder.exe[2464] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2464] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Program Files\Bonjour\mDNSResponder.exe[2464] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Program Files\Bonjour\mDNSResponder.exe[2464] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000800A8
.text C:\Program Files\Bonjour\mDNSResponder.exe[2464] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000800E4
.text C:\Program Files\Bonjour\mDNSResponder.exe[2464] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00080120
.text C:\Program Files\Bonjour\mDNSResponder.exe[2464] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00080030
.text C:\Program Files\Bonjour\mDNSResponder.exe[2464] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0008006C
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[2500] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00240030
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[2500] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0024006C
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[2500] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0026006C
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[2500] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 002600A8
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[2500] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 002601D4
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[2500] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 002600E4
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[2500] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00260120
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[2500] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0026015C
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[2500] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00260198
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[2500] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00260030
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[2500] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 002700A8
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[2500] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 002700E4
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[2500] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00270120
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[2500] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00270030
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[2500] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0027006C
.text C:\Windows\system32\svchost.exe[2612] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Windows\system32\svchost.exe[2612] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Windows\system32\svchost.exe[2612] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Windows\system32\svchost.exe[2612] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Windows\system32\svchost.exe[2612] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Windows\system32\svchost.exe[2612] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Windows\system32\svchost.exe[2612] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Windows\system32\svchost.exe[2612] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Windows\system32\svchost.exe[2612] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Windows\system32\svchost.exe[2612] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Windows\system32\svchost.exe[2612] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 00C700A8
.text C:\Windows\system32\svchost.exe[2612] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 00C700E4
.text C:\Windows\system32\svchost.exe[2612] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00C70120
.text C:\Windows\system32\svchost.exe[2612] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00C70030
.text C:\Windows\system32\svchost.exe[2612] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 00C7006C
.text C:\Program Files\AVG\AVG10\avgtray.exe[2632] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Program Files\AVG\AVG10\avgtray.exe[2632] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Program Files\AVG\AVG10\avgtray.exe[2632] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Program Files\AVG\AVG10\avgtray.exe[2632] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Program Files\AVG\AVG10\avgtray.exe[2632] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Program Files\AVG\AVG10\avgtray.exe[2632] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Program Files\AVG\AVG10\avgtray.exe[2632] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Program Files\AVG\AVG10\avgtray.exe[2632] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Program Files\AVG\AVG10\avgtray.exe[2632] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Program Files\AVG\AVG10\avgtray.exe[2632] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Program Files\AVG\AVG10\avgtray.exe[2632] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000800A8
.text C:\Program Files\AVG\AVG10\avgtray.exe[2632] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000800E4
.text C:\Program Files\AVG\AVG10\avgtray.exe[2632] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00080120
.text C:\Program Files\AVG\AVG10\avgtray.exe[2632] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00080030
.text C:\Program Files\AVG\AVG10\avgtray.exe[2632] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0008006C
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2728] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00150030
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2728] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0015006C
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2728] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 001900A8
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2728] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 001900E4
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2728] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00190120
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2728] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00190030
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2728] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0019006C
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2728] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 001A006C
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2728] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 001A00A8
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2728] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 001A01D4
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2728] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 001A00E4
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2728] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 001A0120
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2728] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 001A015C
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2728] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 001A0198
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2728] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 001A0030
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[2784] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00150030
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[2784] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0015006C
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[2784] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0017006C
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[2784] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 001700A8
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[2784] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 001701D4
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[2784] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 001700E4
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[2784] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00170120
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[2784] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0017015C
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[2784] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00170198
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[2784] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00170030
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[2784] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 001800A8
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[2784] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 001800E4
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[2784] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00180120
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[2784] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00180030
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[2784] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0018006C
.text C:\Program Files\Windows Sidebar\sidebar.exe[2828] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Program Files\Windows Sidebar\sidebar.exe[2828] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Program Files\Windows Sidebar\sidebar.exe[2828] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0008006C
.text C:\Program Files\Windows Sidebar\sidebar.exe[2828] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000800A8
.text C:\Program Files\Windows Sidebar\sidebar.exe[2828] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000801D4
.text C:\Program Files\Windows Sidebar\sidebar.exe[2828] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000800E4
.text C:\Program Files\Windows Sidebar\sidebar.exe[2828] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00080120
.text C:\Program Files\Windows Sidebar\sidebar.exe[2828] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0008015C
.text C:\Program Files\Windows Sidebar\sidebar.exe[2828] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00080198
.text C:\Program Files\Windows Sidebar\sidebar.exe[2828] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00080030
.text C:\Program Files\Windows Sidebar\sidebar.exe[2828] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000900A8
.text C:\Program Files\Windows Sidebar\sidebar.exe[2828] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000900E4
.text C:\Program Files\Windows Sidebar\sidebar.exe[2828] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00090120
.text C:\Program Files\Windows Sidebar\sidebar.exe[2828] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00090030
.text C:\Program Files\Windows Sidebar\sidebar.exe[2828] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0009006C
.text C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe[2836] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00150030
.text C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe[2836] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0015006C
.text C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe[2836] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0017006C
.text C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe[2836] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 001700A8
.text C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe[2836] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 001701D4
.text C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe[2836] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 001700E4
.text C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe[2836] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00170120
.text C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe[2836] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0017015C
.text C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe[2836] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00170198
.text C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe[2836] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00170030
.text C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe[2836] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 001800A8
.text C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe[2836] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 001800E4
.text C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe[2836] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00180120
.text C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe[2836] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00180030
.text C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe[2836] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0018006C
.text C:\Program Files\Hotspot Shield\bin\hsswd.exe[2844] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Program Files\Hotspot Shield\bin\hsswd.exe[2844] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Program Files\Hotspot Shield\bin\hsswd.exe[2844] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Program Files\Hotspot Shield\bin\hsswd.exe[2844] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Program Files\Hotspot Shield\bin\hsswd.exe[2844] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Program Files\Hotspot Shield\bin\hsswd.exe[2844] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Program Files\Hotspot Shield\bin\hsswd.exe[2844] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Program Files\Hotspot Shield\bin\hsswd.exe[2844] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Program Files\Hotspot Shield\bin\hsswd.exe[2844] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Program Files\Hotspot Shield\bin\hsswd.exe[2844] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Program Files\Hotspot Shield\bin\hsswd.exe[2844] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000800A8
.text C:\Program Files\Hotspot Shield\bin\hsswd.exe[2844] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000800E4
.text C:\Program Files\Hotspot Shield\bin\hsswd.exe[2844] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00080120
.text C:\Program Files\Hotspot Shield\bin\hsswd.exe[2844] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00080030
.text C:\Program Files\Hotspot Shield\bin\hsswd.exe[2844] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0008006C
.text C:\mysql\bin\mysqld-nt.exe[2920] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00140030
.text C:\mysql\bin\mysqld-nt.exe[2920] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0014006C
.text C:\mysql\bin\mysqld-nt.exe[2920] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 001600A8
.text C:\mysql\bin\mysqld-nt.exe[2920] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 001600E4
.text C:\mysql\bin\mysqld-nt.exe[2920] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00160120
.text C:\mysql\bin\mysqld-nt.exe[2920] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00160030
.text C:\mysql\bin\mysqld-nt.exe[2920] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0016006C
.text C:\mysql\bin\mysqld-nt.exe[2920] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0017006C
.text C:\mysql\bin\mysqld-nt.exe[2920] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 001700A8
.text C:\mysql\bin\mysqld-nt.exe[2920] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 001701D4
.text C:\mysql\bin\mysqld-nt.exe[2920] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 001700E4
.text C:\mysql\bin\mysqld-nt.exe[2920] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00170120
.text C:\mysql\bin\mysqld-nt.exe[2920] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0017015C
.text C:\mysql\bin\mysqld-nt.exe[2920] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00170198
.text C:\mysql\bin\mysqld-nt.exe[2920] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00170030
.text C:\Program Files\iTunes\iTunesHelper.exe[2940] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Program Files\iTunes\iTunesHelper.exe[2940] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Program Files\iTunes\iTunesHelper.exe[2940] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Program Files\iTunes\iTunesHelper.exe[2940] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Program Files\iTunes\iTunesHelper.exe[2940] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Program Files\iTunes\iTunesHelper.exe[2940] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Program Files\iTunes\iTunesHelper.exe[2940] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Program Files\iTunes\iTunesHelper.exe[2940] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Program Files\iTunes\iTunesHelper.exe[2940] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Program Files\iTunes\iTunesHelper.exe[2940] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Program Files\iTunes\iTunesHelper.exe[2940] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000800A8
.text C:\Program Files\iTunes\iTunesHelper.exe[2940] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000800E4
.text C:\Program Files\iTunes\iTunesHelper.exe[2940] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00080120
.text C:\Program Files\iTunes\iTunesHelper.exe[2940] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00080030
.text C:\Program Files\iTunes\iTunesHelper.exe[2940] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0008006C
.text C:\Program Files\Windows Sidebar\sidebar.exe[3064] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Program Files\Windows Sidebar\sidebar.exe[3064] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Program Files\Windows Sidebar\sidebar.exe[3064] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0008006C
.text C:\Program Files\Windows Sidebar\sidebar.exe[3064] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000800A8
.text C:\Program Files\Windows Sidebar\sidebar.exe[3064] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000801D4
.text C:\Program Files\Windows Sidebar\sidebar.exe[3064] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000800E4
.text C:\Program Files\Windows Sidebar\sidebar.exe[3064] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00080120
.text C:\Program Files\Windows Sidebar\sidebar.exe[3064] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0008015C
.text C:\Program Files\Windows Sidebar\sidebar.exe[3064] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00080198
.text C:\Program Files\Windows Sidebar\sidebar.exe[3064] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00080030
.text C:\Program Files\Windows Sidebar\sidebar.exe[3064] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000900A8
.text C:\Program Files\Windows Sidebar\sidebar.exe[3064] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000900E4
.text C:\Program Files\Windows Sidebar\sidebar.exe[3064] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00090120
.text C:\Program Files\Windows Sidebar\sidebar.exe[3064] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00090030
.text C:\Program Files\Windows Sidebar\sidebar.exe[3064] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0009006C
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3084] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00150030
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3084] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0015006C
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3084] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0017006C
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3084] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 001700A8
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3084] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 001701D4
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3084] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 001700E4
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3084] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00170120
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3084] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0017015C
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3084] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00170198
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3084] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00170030
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3084] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 001800A8
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3084] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 001800E4
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3084] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00180120
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3084] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00180030
.text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[3084] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0018006C
.text C:\Program Files\iPod\bin\iPodService.exe[3112] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00150030
.text C:\Program Files\iPod\bin\iPodService.exe[3112] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0015006C
.text C:\Program Files\iPod\bin\iPodService.exe[3112] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0017006C
.text C:\Program Files\iPod\bin\iPodService.exe[3112] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 001700A8
.text C:\Program Files\iPod\bin\iPodService.exe[3112] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 001701D4
.text C:\Program Files\iPod\bin\iPodService.exe[3112] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 001700E4
.text C:\Program Files\iPod\bin\iPodService.exe[3112] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00170120
.text C:\Program Files\iPod\bin\iPodService.exe[3112] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0017015C
.text C:\Program Files\iPod\bin\iPodService.exe[3112] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00170198
.text C:\Program Files\iPod\bin\iPodService.exe[3112] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00170030
.text C:\Program Files\iPod\bin\iPodService.exe[3112] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 001800A8
.text C:\Program Files\iPod\bin\iPodService.exe[3112] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 001800E4
.text C:\Program Files\iPod\bin\iPodService.exe[3112] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00180120
.text C:\Program Files\iPod\bin\iPodService.exe[3112] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00180030
.text C:\Program Files\iPod\bin\iPodService.exe[3112] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0018006C
.text C:\Windows\system32\svchost.exe[3196] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Windows\system32\svchost.exe[3196] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Windows\system32\svchost.exe[3196] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Windows\system32\svchost.exe[3196] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Windows\system32\svchost.exe[3196] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Windows\system32\svchost.exe[3196] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Windows\system32\svchost.exe[3196] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Windows\system32\svchost.exe[3196] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Windows\system32\svchost.exe[3196] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Windows\system32\svchost.exe[3196] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Windows\System32\svchost.exe[3248] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Windows\System32\svchost.exe[3248] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Windows\System32\svchost.exe[3248] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Windows\System32\svchost.exe[3248] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Windows\System32\svchost.exe[3248] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Windows\System32\svchost.exe[3248] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Windows\System32\svchost.exe[3248] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Windows\System32\svchost.exe[3248] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Windows\System32\svchost.exe[3248] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Windows\System32\svchost.exe[3248] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3288] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3288] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3288] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0008006C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3288] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000800A8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3288] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000801D4
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3288] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000800E4
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3288] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00080120
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3288] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0008015C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3288] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00080198
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3288] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00080030
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3288] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000900A8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3288] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000900E4
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3288] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00090120
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3288] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00090030
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3288] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0009006C
.text C:\Windows\system32\SearchIndexer.exe[3416] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 000D0030
.text C:\Windows\system32\SearchIndexer.exe[3416] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 000D006C
.text C:\Windows\system32\SearchIndexer.exe[3416] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 000F006C
.text C:\Windows\system32\SearchIndexer.exe[3416] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000F00A8
.text C:\Windows\system32\SearchIndexer.exe[3416] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000F01D4
.text C:\Windows\system32\SearchIndexer.exe[3416] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000F00E4
.text C:\Windows\system32\SearchIndexer.exe[3416] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 000F0120
.text C:\Windows\system32\SearchIndexer.exe[3416] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 000F015C
.text C:\Windows\system32\SearchIndexer.exe[3416] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 000F0198
.text C:\Windows\system32\SearchIndexer.exe[3416] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 000F0030
.text C:\Windows\system32\SearchIndexer.exe[3416] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 001000A8
.text C:\Windows\system32\SearchIndexer.exe[3416] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 001000E4
.text C:\Windows\system32\SearchIndexer.exe[3416] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00100120
.text C:\Windows\system32\SearchIndexer.exe[3416] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00100030
.text C:\Windows\system32\SearchIndexer.exe[3416] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0010006C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3520] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00090030
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3520] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0009006C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3520] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 000B006C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3520] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000B00A8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3520] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000B01D4
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3520] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000B00E4
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3520] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 000B0120
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3520] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 000B015C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3520] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 000B0198
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3520] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 000B0030
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3520] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000C00A8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3520] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000C00E4
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3520] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 000C0120
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3520] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 000C0030
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3520] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 000C006C
.text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[3844] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00150030
.text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[3844] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0015006C
.text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[3844] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 001700A8
.text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[3844] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 001700E4
.text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[3844] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00170120
.text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[3844] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00170030
.text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[3844] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0017006C
.text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[3844] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0018006C
.text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[3844] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 001800A8
.text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[3844] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 001801D4
.text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[3844] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 001800E4
.text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[3844] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00180120
.text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[3844] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0018015C
.text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[3844] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00180198
.text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[3844] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00180030
.text C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe[4556] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00040030
.text C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe[4556] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0004006C
.text C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe[4556] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000D00A8
.text C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe[4556] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000D00E4
.text C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe[4556] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 000D0120
.text C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe[4556] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 000D0030
.text C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe[4556] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 000D006C
.text C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe[4556] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 000E006C
.text C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe[4556] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000E00A8
.text C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe[4556] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000E01D4
.text C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe[4556] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000E00E4
.text C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe[4556] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 000E0120
.text C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe[4556] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 000E015C
.text C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe[4556] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 000E0198
.text C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe[4556] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 000E0030
.text C:\Windows\system32\svchost.exe[4592] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Windows\system32\svchost.exe[4592] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Windows\system32\svchost.exe[4592] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Windows\system32\svchost.exe[4592] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Windows\system32\svchost.exe[4592] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Windows\system32\svchost.exe[4592] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Windows\system32\svchost.exe[4592] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Windows\system32\svchost.exe[4592] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Windows\system32\svchost.exe[4592] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Windows\system32\svchost.exe[4592] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Program Files\iTunes\iTunes.exe[4748] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Program Files\iTunes\iTunes.exe[4748] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Program Files\iTunes\iTunes.exe[4748] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Program Files\iTunes\iTunes.exe[4748] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Program Files\iTunes\iTunes.exe[4748] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Program Files\iTunes\iTunes.exe[4748] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Program Files\iTunes\iTunes.exe[4748] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Program Files\iTunes\iTunes.exe[4748] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Program Files\iTunes\iTunes.exe[4748] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Program Files\iTunes\iTunes.exe[4748] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Program Files\iTunes\iTunes.exe[4748] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 000800A8
.text C:\Program Files\iTunes\iTunes.exe[4748] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 000800E4
.text C:\Program Files\iTunes\iTunes.exe[4748] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00080120
.text C:\Program Files\iTunes\iTunes.exe[4748] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00080030
.text C:\Program Files\iTunes\iTunes.exe[4748] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0008006C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[5248] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00050030
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[5248] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0005006C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[5248] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0007006C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[5248] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 000700A8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[5248] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 000701D4
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[5248] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 000700E4
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[5248] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00070120
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[5248] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0007015C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[5248] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00070198
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[5248] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00070030
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[5248] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 001900A8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[5248] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 001900E4
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[5248] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00190120
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[5248] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00190030
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[5248] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0019006C
.text C:\Users\Jamie\Desktop\gmer.exe[5432] ntdll.dll!LdrLoadDll 77BC93A8 5 Bytes JMP 00150030
.text C:\Users\Jamie\Desktop\gmer.exe[5432] ntdll.dll!LdrUnloadDll 77BDB740 5 Bytes JMP 0015006C
.text C:\Users\Jamie\Desktop\gmer.exe[5432] ADVAPI32.dll!CreateServiceW 75FD9EB4 5 Bytes JMP 0026006C
.text C:\Users\Jamie\Desktop\gmer.exe[5432] ADVAPI32.dll!DeleteService 75FDA07E 5 Bytes JMP 002600A8
.text C:\Users\Jamie\Desktop\gmer.exe[5432] ADVAPI32.dll!SetServiceObjectSecurity 76016CD9 5 Bytes JMP 002601D4
.text C:\Users\Jamie\Desktop\gmer.exe[5432] ADVAPI32.dll!ChangeServiceConfigA 76016DD9 5 Bytes JMP 002600E4
.text C:\Users\Jamie\Desktop\gmer.exe[5432] ADVAPI32.dll!ChangeServiceConfigW 76016F81 5 Bytes JMP 00260120
.text C:\Users\Jamie\Desktop\gmer.exe[5432] ADVAPI32.dll!ChangeServiceConfig2A 76017099 5 Bytes JMP 0026015C
.text C:\Users\Jamie\Desktop\gmer.exe[5432] ADVAPI32.dll!ChangeServiceConfig2W 760171E1 5 Bytes JMP 00260198
.text C:\Users\Jamie\Desktop\gmer.exe[5432] ADVAPI32.dll!CreateServiceA 760172A1 5 Bytes JMP 00260030
.text C:\Users\Jamie\Desktop\gmer.exe[5432] USER32.dll!SetWindowsHookExA 75A06322 5 Bytes JMP 002700A8
.text C:\Users\Jamie\Desktop\gmer.exe[5432] USER32.dll!SetWindowsHookExW 75A087AD 5 Bytes JMP 002700E4
.text C:\Users\Jamie\Desktop\gmer.exe[5432] USER32.dll!UnhookWindowsHookEx 75A098DB 5 Bytes JMP 00270120
.text C:\Users\Jamie\Desktop\gmer.exe[5432] USER32.dll!SetWinEventHook 75A09F3A 5 Bytes JMP 00270030
.text C:\Users\Jamie\Desktop\gmer.exe[5432] USER32.dll!UnhookWinEvent 75A0C06F 5 Bytes JMP 0027006C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----

This post has been edited by FRISC0: 01 April 2011 - 10:34 AM

#2 User is offline   Conspire 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 155
  • Joined: 29-October 10
  • Gender:Male

Posted 03 April 2011 - 09:18 AM

Hello,

Apologize for the delay as the forum is extremely busy and short of volunteers.

Multiple AntiVirus Running

I see you have more than one Anti-Virus program installed, ( AVG 10 ) and ( Avast! ).

While this may seem like greater protection, it can cause problems including slowdowns, system hangs or even crashes. This can happen if both AntiVirus applications attempt to access the same file at the same time. This may cause the applications to interfere with each other, or cause the system to lock up. It can also be a drain on system resources, making a machine run slower than it should.

You are strongly advised to uninstall AVG because it has flagged one of the Combofix's component as dangerous. If you still have difficulty running CF, please refer at the beginning of CF speech for alternative solution.

Any antivirus program must be removed via add/remove program.
For any program that doesn't have an add/remove entry, you will have to do this:

Re-install the program -> Reboot -> Uninstall


AVG has a removal tool which should also be run if you choose to uninstall it

http://www.avg.com/download-tools

Choose the 32bit remover

Run it according to the instructions.

===================================================

Please read through these instructions to familarize yourself with what to expect when this tool runs


Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

    Regarding AVG - Due to recent changes in AVG and how it interacts with ComboFix, before running ComboFix, AVG must be uninstalled via Start>Control Panel>Add or Remove programs panel.

    If you have difficulty uninstalling AVG, download Opswat AppRemover for AVG. The download for the AVG uninstaller can be found here > http://www.appremover.com/appremover/avg/AppRemover.exe

    **********************************************

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Proud Graduate of the WTT Classroom
Member of ASAP and UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may Posted Image

#3 User is offline   FRISC0 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 130
  • Joined: 21-January 08
  • Gender:Male

Posted 03 April 2011 - 03:34 PM

Hey no worries I understand, thanks for you time to help me!

I have decided to keep AVG. I unistalled for the combofix and have now re-installed.
Here is my ComboFix log:

Quote

ComboFix 11-04-03.01 - Jamie 03/04/2011 21:18:11.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2047.917 [GMT 1:00]
Running from: c:\users\Jamie\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Jamie\AppData\Local\{5384F7E6-9104-4F09-B1F0-72A183ECAC0A}
c:\users\Jamie\AppData\Local\{5384F7E6-9104-4F09-B1F0-72A183ECAC0A}\chrome.manifest
c:\users\Jamie\AppData\Local\{5384F7E6-9104-4F09-B1F0-72A183ECAC0A}\chrome\content\_cfg.js
c:\users\Jamie\AppData\Local\{5384F7E6-9104-4F09-B1F0-72A183ECAC0A}\chrome\content\overlay.xul
c:\users\Jamie\AppData\Local\{5384F7E6-9104-4F09-B1F0-72A183ECAC0A}\install.rdf
c:\users\Jamie\AppData\Local\esokonej.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_WMPNetworkSvc
.
.
((((((((((((((((((((((((( Files Created from 2011-03-03 to 2011-04-03 )))))))))))))))))))))))))))))))
.
.
2011-04-03 20:24 . 2011-04-03 20:24 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-04-03 20:24 . 2011-04-03 20:24 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-04-03 20:24 . 2011-04-03 20:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-03 20:24 . 2011-04-03 20:24 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-04-01 17:00 . 2011-04-01 17:02 -------- d-----w- C:\.jagex_cache_32
2011-04-01 16:59 . 2011-04-01 16:59 -------- d-----w- c:\program files\Common Files\Java
2011-04-01 16:34 . 2011-04-01 16:34 -------- d-----w- c:\users\Jamie\AppData\Local\{F9E94D31-FD70-4046-9025-9331FF3EEEC7}
2011-03-31 18:31 . 2011-03-31 18:31 -------- d-----w- c:\users\Jamie\AppData\Local\{418BCFCB-4472-48FB-A67C-F0A800FB5462}
2011-03-30 23:13 . 2011-04-03 19:44 -------- d-----w- c:\programdata\AVAST Software
2011-03-30 23:13 . 2011-03-30 23:13 -------- d-----w- c:\program files\AVAST Software
2011-03-30 22:21 . 2011-04-02 23:00 0 ----a-w- c:\users\Jamie\AppData\Local\Syowobe.bin
2011-03-30 13:50 . 2011-03-30 13:51 -------- d-----w- c:\users\Jamie\AppData\Local\{97808D4A-D5FA-43D3-95AE-A42CD7F07FA5}
2011-03-29 17:38 . 2011-03-29 17:39 -------- d-----w- c:\users\Jamie\AppData\Local\{941FEAB4-FE37-4D6F-A2BC-0779E3F0E90F}
2011-03-28 16:47 . 2011-03-28 16:48 -------- d-----w- c:\users\Jamie\AppData\Local\{1F0EAAFC-2B5D-4E5F-BE98-C9A5553370E1}
2011-03-27 20:30 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-27 20:29 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-27 20:29 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-27 20:29 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-27 20:29 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-27 20:29 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-27 20:29 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-27 20:29 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-03-27 20:28 . 2011-03-27 20:28 376480 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-03-26 18:38 . 2011-03-26 18:39 -------- d-----w- c:\users\Jamie\AppData\Local\{FDC4747C-C5DA-403A-AB87-821480F8CA5C}
2011-03-23 11:16 . 2011-03-23 11:16 -------- d-----w- c:\program files\Common Files\Skype
2011-03-23 11:09 . 2011-03-23 11:09 -------- d-----w- c:\users\Jamie\AppData\Local\{5F57A843-32D5-4857-9AFC-E5C3D0857C2C}
2011-03-23 10:15 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-23 10:15 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-23 10:15 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-22 10:27 . 2011-03-22 10:27 -------- d-----w- c:\users\Jamie\AppData\Local\{6233DC08-021B-4F62-B82E-14BA0E0AD1AC}
2011-03-22 10:26 . 2011-03-22 10:27 -------- d-----w- c:\users\Jamie\AppData\Local\{A7AD0566-CD0C-4C61-8161-0FE786F7206A}
2011-03-20 21:46 . 2011-03-20 21:47 -------- d-----w- c:\users\Jamie\AppData\Local\{59CF0317-A669-4948-AD36-03953CC67D99}
2011-03-18 15:28 . 2011-03-18 15:28 -------- d-----w- c:\users\Jamie\AppData\Local\{889EF7D4-E2B2-4210-98BC-562CF820C770}
2011-03-14 22:06 . 2011-03-14 22:17 -------- d-----w- c:\program files\Free Audio Pack
2011-03-11 21:07 . 2011-03-11 21:07 -------- d-----w- c:\users\Jamie\AppData\Local\{A83C51F8-9B6A-43AD-89EB-5F57B8DED0E5}
2011-03-10 10:36 . 2011-03-10 10:36 -------- d-----w- c:\program files\iPod
2011-03-08 23:36 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-08 23:36 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-08 23:36 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-08 23:36 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-08 23:36 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-08 23:36 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-07 17:00 . 2011-03-07 17:00 -------- d-----w- c:\users\Jamie\AppData\Local\{08DAB889-D2D1-4BD1-B7E8-1C7D8C1AAC19}
2011-03-04 20:55 . 2011-03-04 20:55 -------- d-----w- c:\users\Jamie\AppData\Local\{800BF940-4B5B-4FD4-8807-9864DD0B7800}
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-17 20:33 . 2010-06-24 11:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-02-18 16:36 . 2011-02-18 16:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 16:36 . 2011-02-18 16:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-02 20:40 . 2010-05-07 09:31 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-31 15:52 . 2011-01-31 15:52 626688 ----a-w- c:\windows\system32\msvcr80.dll
2011-01-20 16:37 . 2011-02-09 15:31 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-02-09 15:31 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-02-09 15:31 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-02-09 15:31 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08 . 2011-02-09 15:31 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:08 . 2011-02-09 15:31 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:07 . 2011-02-09 15:31 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-02-09 15:31 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-02-09 15:31 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-02-09 15:31 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-02-09 15:31 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-02-09 15:31 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-02-09 15:31 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-02-09 15:31 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-02-09 15:31 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-02-09 15:31 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-02-09 15:31 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-02-09 15:31 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-02-09 15:31 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-02-09 15:31 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-02-09 15:31 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14 . 2011-02-09 15:31 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12 . 2011-02-09 15:31 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-02-09 15:31 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-02-09 15:31 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-08 08:47 . 2011-02-09 15:30 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28 . 2011-02-09 15:30 292352 ----a-w- c:\windows\system32\atmfd.dll
2011-03-18 17:53 . 2011-03-27 20:30 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"UPnPRemoteEndpointInfo"="c:\users\Jamie\AppData\Local\UPnPRemoteEndpointInfo\UPnPRemoteEndpointInfo.dll" [2011-01-22 20]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2009-04-14 604704]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 12:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gainward]
2007-11-27 14:40 2169352 ----a-w- c:\program files\XpertVision\TBPANEL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-04-23 11:55 133104 ----atw- c:\users\Jamie\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-16 23:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 15:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 13:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-12-24 14:43 396152 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 FXDrv32;FXDrv32;D:\FXDrv32.sys [x]
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2009-03-11 13224]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [x]
R3 RTLWUSB;802.11g USB2.0 WLAN Dongle;c:\windows\system32\DRIVERS\RTL8187.sys [2008-06-27 335872]
R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys [2008-06-04 90408]
R3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s1018mdfl.sys [2008-06-04 15016]
R3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s1018mdm.sys [2008-06-04 122024]
R3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s1018mgmt.sys [2008-06-04 115368]
R3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\DRIVERS\s1018nd5.sys [2008-06-04 25768]
R3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s1018obex.sys [2008-06-04 111784]
R3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\DRIVERS\s1018unic.sys [2008-06-04 117544]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [2010-10-15 326704]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-10-16 369256]
S3 Camdrv30;Philips ToUcam XS;c:\windows\system32\Drivers\camdrv30.sys [2001-08-17 171264]
S3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2008-06-27 335872]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1120449131-2099679387-1230050658-1000Core.job
- c:\users\Jamie\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-23 11:55]
.
2011-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1120449131-2099679387-1230050658-1000UA.job
- c:\users\Jamie\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-23 11:55]
.
2011-04-03 c:\windows\Tasks\User_Feed_Synchronization-{2BF8F888-5AC5-4B2A-907F-163B8026A570}.job
- c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = local;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Jamie\AppData\Roaming\Mozilla\Firefox\Profiles\wkfz9qgz.default\
FF - prefs.js: browser.startup.homepage - hxxp://Google.co.uk
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-zpka6oPoqDdX - c:\users\Jamie\AppData\Local\IO2trLCkr3\zpka6oPoqDdX.cpl
HKCU-Run-Hgugi - c:\users\Jamie\AppData\Local\esokonej.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-03 21:29
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\NVIDIA Corporation\Display\NvXDSync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
c:\mysql\bin\mysqld-nt.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\unsecapp.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-04-03 21:33:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-03 20:33
ComboFix2.txt 2010-08-19 09:05
.
Pre-Run: 111,762,137,088 bytes free
Post-Run: 111,404,863,488 bytes free
.
- - End Of File - - 365862DFA9B4829847E58250287AE530

This post has been edited by FRISC0: 03 April 2011 - 03:43 PM

#4 User is offline   Conspire 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 155
  • Joined: 29-October 10
  • Gender:Male

Posted 03 April 2011 - 09:52 PM

You're welcome :thumbup2:

How is it running for you now?

Follow these steps to display hidden files and folders.

  • Open Folder Options by clicking the Start button Posted Image, clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.
  • Click the View tab.
  • Under Advanced settings, click Show hidden files and folders
  • Click OK. (Remember to Hide files and folders once done)


Please go to one of the below sites to scan the following files:
Virus Total (Recommended)
jotti.org
VirScan


click on Browse, and upload the following file for analysis:
c:\users\Jamie\AppData\Local\Syowobe.bin

Then click Submit. Allow the file to be scanned, and then please copy and paste the results link(for Virus Total) here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.
Proud Graduate of the WTT Classroom
Member of ASAP and UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may Posted Image

#5 User is offline   FRISC0 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 130
  • Joined: 21-January 08
  • Gender:Male

Posted 04 April 2011 - 05:46 AM

Hey there, none of the websites will let me upload the file saying its got either 0 bytes, its missing or it just wont upload.

What shall I do? :( x

#6 User is offline   Conspire 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 155
  • Joined: 29-October 10
  • Gender:Male

Posted 04 April 2011 - 07:54 AM

Ok, never mind about that.

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

Note: If you are using Windows Vista/7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.


  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.

  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • Look for report in C:\Program Files\ESET\ESET Online Scanner\log.txt. Include the contents of this report in your next reply.
  • Select Uninstall application on close check box and push Posted Image

===================================================

Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here and save to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program. (Note to Vista users, please right-click and select Run as Administrator.)
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware

    • Launch Malwarebytes' Anti-Malware

  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply

Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.

===================================================

On your next reply please post :
ESET report
MBAM log
How is it running now?


Let me know if you have any problems in performing with the steps above or any questions you may have.

Good Day!
Proud Graduate of the WTT Classroom
Member of ASAP and UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may Posted Image

#7 User is offline   FRISC0 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 130
  • Joined: 21-January 08
  • Gender:Male

Posted 04 April 2011 - 01:43 PM

ESET LOG:

Quote

C:\Program Files\Hotspot Shield\bin\openvpnas.exe a variant of Win32/HotSpotShield application
C:\Qoobox\Quarantine\[4]-Submit_2010-08-24_16.27.16.zip a variant of Win32/Kryptik.GND trojan
C:\Qoobox\Quarantine\C\Users\Jamie\AppData\Roaming\shwebsvc8.dll.vir a variant of Win32/Kryptik.GND trojan
C:\Users\Jamie\AppData\Local\UPnPRemoteEndpointInfo\UPnPRemoteEndpointInfo.dll.del a variant of Win32/Sefnit.AD trojan
C:\Users\Jamie\AppData\Local\UPnPRemoteEndpointInfo\UPnPRemoteEndpointInfo_t.dll a variant of Win32/Sefnit.AY trojan
C:\Users\Jamie\Documents\Programmes\Trainers\TRALoader.exe probably a variant of Win32/Agent.KZLLNWP trojan
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\C00.php a variant of Java/TrojanDownloader.OpenStream.NAZ trojan


MBAM LOG:

Quote

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6268

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

04/04/2011 17:53:31
mbam-log-2011-04-04 (17-53-31).txt

Scan type: Quick scan
Objects scanned: 172800
Time elapsed: 8 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thankyou for all your help :) Google redirect seems to be gone. x

#8 User is offline   Conspire 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 155
  • Joined: 29-October 10
  • Gender:Male

Posted 04 April 2011 - 10:22 PM

We need to investigate a bit further with what ESET has discovered. At the moment I'm not at home so I won't be able to give you directions until the next few hours or so. Please bear with me, we're almost done! :thumbup2:

This post has been edited by Conspire: 04 April 2011 - 10:23 PM

Proud Graduate of the WTT Classroom
Member of ASAP and UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may Posted Image

#9 User is offline   Conspire 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 155
  • Joined: 29-October 10
  • Gender:Male

Posted 05 April 2011 - 01:11 AM

Follow these steps to display hidden files and folders.

  • Open Folder Options by clicking the Start button Posted Image, clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.
  • Click the View tab.
  • Under Advanced settings, click Show hidden files and folders
  • Click OK. (Remember to Hide files and folders once done)


Please go to one of the below sites to scan the following files:
Virus Total (Recommended)
jotti.org
VirScan


click on Browse, and upload the following file for analysis:

C:\Users\Jamie\AppData\Local\UPnPRemoteEndpointInfo\UPnPRemoteEndpointInfo.dll.del
C:\Users\Jamie\AppData\Local\UPnPRemoteEndpointInfo\UPnPRemoteEndpointInfo_t.dll

Then click Submit. Allow the file to be scanned, and then please copy and paste the results link(for Virus Total) here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.
Proud Graduate of the WTT Classroom
Member of ASAP and UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may Posted Image

#10 User is offline   FRISC0 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 130
  • Joined: 21-January 08
  • Gender:Male

Posted 05 April 2011 - 05:52 AM

Here is file 1:

Quote

File name: UPnPRemoteEndpointInfo.dll.del
Submission date: 2011-04-05 10:47:22 (UTC)
Current status: finished
Result: 28/ 42 (66.7%)
VT Community Posted Image
not reviewed
Safety score: - Compact Print results Antivirus Version Last Update Result AhnLab-V32011.04.05.012011.04.05Trojan/Win32.SefnitAntiVir7.11.5.1912011.04.05TR/BHO.GenAntiy-AVL2.0.3.72011.04.05Trojan/Win32.Sefnit.genAvast4.8.1351.02011.04.04Win32:Sefnit-AAvast55.0.677.02011.04.04Win32:Sefnit-AAVG10.0.0.11902011.04.05-BitDefender7.22011.04.05Gen:Variant.Kazy.7104CAT-QuickHeal11.002011.04.05-ClamAV0.97.0.02011.04.05-Commtouch5.2.11.52011.03.24-Comodo82272011.04.05TrojWare.Win32.Agent.~N14DrWeb5.0.2.033002011.04.05-Emsisoft5.1.0.52011.04.05Trojan.Win32.Sefnit!IKeSafe7.0.17.02011.04.05-eTrust-Vet36.1.82542011.04.05Win32/Sefnit.A!genericF-Prot4.6.2.1172011.04.04W32/Sefnit.D2.gen!EldoradoF-Secure9.0.16440.02011.04.05Gen:Variant.Kazy.7104Fortinet4.2.254.02011.04.05W32/Sefnit.JSO!trGData222011.04.05Gen:Variant.Kazy.7104IkarusT3.1.1.103.02011.04.05Trojan.Win32.SefnitJiangmin13.0.9002011.03.31Trojan/Generic.dkuyK7AntiVirus9.96.42902011.04.04TrojanKaspersky7.0.0.1252011.04.05Trojan.Win32.Sefnit.jsoMcAfee5.400.0.11582011.04.05Artemis!9DCB2E89CBE3McAfee-GW-Edition2010.1C2011.04.05Artemis!9DCB2E89CBE3Microsoft1.67022011.04.04Trojan:Win32/Sefnit.ENOD3260162011.04.05a variant of Win32/Sefnit.ADNorman6.07.072011.04.05W32/Suspicious_Gen2.JYLVBPanda10.0.3.52011.04.04Trj/CI.APCTools7.0.3.52011.04.04Trojan.GenPrevx3.02011.04.05-Rising23.51.05.052011.04.02-Sophos4.64.02011.04.05-SUPERAntiSpyware4.40.0.10062011.04.05-Symantec20101.3.2.892011.04.05Trojan.Gen.2TheHacker6.7.0.1.1672011.04.05-TrendMicro9.200.0.10122011.04.05TROJ_GEN.R21C2C8TrendMicro-HouseCall9.200.0.10122011.04.05TROJ_GEN.R21C2C8VBA323.12.14.32011.04.04-VIPRE89242011.04.05-ViRobot2011.4.5.43942011.04.05-VirusBuster13.6.287.02011.04.04Trojan.Sefnit!0CWPoUgBeic Additional information MD5 : 9dcb2e89cbe3406a191d2d664162d28d SHA1 : 87adc803178875b65434f1c522bd8969432e78e5 SHA256: b01c12998c61fd1f2d23271457aeba8d28f7ba4692d76edb7dbd068bc4e0e7b8 ssdeep: 3072:Y9DaFHMsWpteJlAzKbxTY1beZEg8LGT1:Y9DaFJJOzeYbe1 File size : 110592 bytes First seen: 2011-04-05 10:47:22 Last seen : 2011-04-05 10:47:22 TrID:
Win32 Executable MS Visual C++ (generic) (53.1%)
Windows Screen Saver (18.4%)
Win32 Executable Generic (12.0%)
Win32 Dynamic Link Library (generic) (10.6%)
Generic Win/DOS Executable (2.8%) sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x8600
timedatestamp....: 0x4B71DD19 (Tue Feb 09 22:09:29 2010)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x14D0E, 0x15000, 6.30, 12196982ddf63c661674e1ad0bac7dd8
.rdata, 0x16000, 0x1536, 0x2000, 4.15, d279758cabd5c4afff2b1c43e35bc2a9
.data, 0x18000, 0x1FC4, 0x2000, 4.59, b175c1a2f23bc875378620bd28d1025e
.reloc, 0x1A000, 0xCE8, 0x1000, 5.91, b208334b6d737ec521535f1cf43ea09c

[[ 2 import(s) ]]
KERNEL32.dll: DeleteFileA, QueueUserWorkItem, SetCurrentDirectoryA, GetBinaryTypeA, AreFileApisANSI, SetConsoleTextAttribute, GetStringTypeW, CreateToolhelp32Snapshot, LoadResource, lstrcatW, GetExitCodeThread, GetStartupInfoW, lstrcmpiW, DuplicateHandle, lstrcpyA, GetDiskFreeSpaceA, SetDefaultCommConfigW, GetProfileSectionA, GetDateFormatW, GetProfileIntW, DeleteTimerQueueEx, GetCommandLineA, RegisterWaitForSingleObjectEx, AddAtomW, WriteFileEx, IsBadReadPtr, GetStdHandle, GetConsoleMode, FindResourceW, GetThreadPriority, MapViewOfFileEx, ExitProcess, GetFileAttributesExA, PurgeComm, WinExec, SetLocalTime, FillConsoleOutputAttribute, GetDriveTypeW, GetProcessVersion, LocalLock, CreateEventW, CopyFileW, CreateEventA, GlobalFlags, lstrlenW, GetCompressedFileSizeW, WriteProfileStringA, FlushConsoleInputBuffer, GetTempPathW, SetEnvironmentVariableW, AllocConsole, GetSystemDefaultUILanguage, MoveFileW, FlushViewOfFile, GetCurrentDirectoryW, LocalAlloc, RtlUnwind, FindFirstChangeNotificationA, GetProfileStringW, LCMapStringA, FindAtomW, OpenMutexA, GetVolumeNameForVolumeMountPointW, SetVolumeMountPointW, EnterCriticalSection, GetSystemDirectoryA, OpenFileMappingW, CreateRemoteThread, GetTimeFormatA, CreateFileW, GetStringTypeExW, SetConsoleCursorPosition, ResumeThread, FindResourceExA, ResetEvent, SwitchToThread, WriteProcessMemory, lstrcmpA, VirtualFree, GetUserDefaultLCID, AddAtomA, GetThreadLocale, GetModuleHandleW, OpenSemaphoreW, FindNextVolumeW, EnumUILanguagesW, GlobalHandle, GlobalAddAtomW, SetConsoleWindowInfo, SetTimeZoneInformation, WriteConsoleW, SetSystemTime, VerLanguageNameW, GetVersion, ReadConsoleInputA, IsValidLocale, GetLocaleInfoA, RtlMoveMemory, CreateIoCompletionPort, DosDateTimeToFileTime, GetFileAttributesA, OpenJobObjectW, GetTimeZoneInformation, GetLogicalDriveStringsA, DeviceIoControl, HeapSetInformation, EnumSystemLocalesA, GetFileSize, SetLastError, OpenEventW, GetSystemWow64DirectoryW, GetStringTypeExA, GetModuleFileNameW, FindFirstFileA, GlobalMemoryStatusEx, RemoveDirectoryA, GetCurrentThread, GetComputerNameExW, FormatMessageW, GetProcessAffinityMask, IsProcessorFeaturePresent, SearchPathA, GetFileInformationByHandle, lstrcpynA, LocalReAlloc, CancelWaitableTimer, FindAtomA, WriteProfileStringW, HeapReAlloc, CreateMutexA, MapViewOfFile, GetTickCount, GetModuleHandleA, HeapAlloc, GetComputerNameA, UnmapViewOfFile, GetSystemTimeAsFileTime, Sleep, InitializeCriticalSection, CreateFileA, InterlockedExchange, LeaveCriticalSection, CopyFileA, VirtualQuery, CreateFileMappingA, WaitForSingleObject, GetLastError, GlobalAlloc, ReadFile, LocalFree, GetProcessHeap, GetProcAddress, ReleaseMutex, LoadLibraryA, MoveFileA, CreateProcessA, CloseHandle, HeapFree, GetSystemInfo, InterlockedDecrement
ADVAPI32.dll: RegSaveKeyExW, IsTokenRestricted, RegNotifyChangeKeyValue, RegFlushKey, SetEntriesInAclA, OpenServiceA, RegCreateKeyExW, MapGenericMask, UnlockServiceDatabase, GetAclInformation, RegisterServiceCtrlHandlerExA, RegSaveKeyW, OpenThreadToken, GetNumberOfEventLogRecords, ControlService, CreateProcessAsUserW, RegOpenKeyA, CloseEventLog, EnumServicesStatusA, CreateServiceA, SetEntriesInAclW, RegQueryValueExA, ConvertStringSecurityDescriptorToSecurityDescriptorA, RegOpenKeyExA, LookupAccountNameA, RegSetValueExA, RegCloseKey, GetSecurityDescriptorSacl, RegCreateKeyExA, RegConnectRegistryA

[[ 4 export(s) ]]
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer


& Here is file 2:

Quote

File name: UPnPRemoteEndpointInfo_t.dll
Submission date: 2011-04-05 10:49:45 (UTC)
Current status: finished
Result: 23/ 40 (57.5%)
VT Community Posted Image
not reviewed
Safety score: - Compact Print results Antivirus Version Last Update Result
Antivirus Version Last Update Result AhnLab-V32011.04.05.012011.04.05Trojan/Win32.GenAntiVir7.11.5.1912011.04.05TR/Spy.86016.136Antiy-AVL2.0.3.72011.04.05-Avast4.8.1351.02011.04.04Win32:MalOb-FHAvast55.0.677.02011.04.04Win32:MalOb-FHAVG10.0.0.11902011.04.05-BitDefender7.22011.04.05Gen:Variant.Kazy.11227CAT-QuickHeal11.002011.04.05Trojan.Agent.niClamAV0.97.0.02011.04.05-CommtouchNoneNone..-Comodo82272011.04.05UnclassifiedMalwareDrWeb5.0.2.033002011.04.05-eSafe7.0.17.02011.04.05-eTrust-Vet36.1.82542011.04.05-F-Prot4.6.2.1172011.04.04-F-Secure9.0.16440.02011.04.05Gen:Variant.Kazy.11227Fortinet4.2.254.02011.04.05-GData222011.04.05Gen:Variant.Kazy.11227IkarusT3.1.1.103.02011.04.05Trojan.Win32.SefnitJiangminNoneNone..-K7AntiVirus9.96.42902011.04.04-McAfee5.400.0.11582011.04.05Artemis!817621FAE67DMcAfee-GW-Edition2010.1C2011.04.05Artemis!817621FAE67DMicrosoft1.67022011.04.04Trojan:Win32/Sefnit.JNOD3260162011.04.05a variant of Win32/Sefnit.AYNorman6.07.072011.04.05W32/Suspicious_Gen2.GNEPAPanda10.0.3.52011.04.04Trj/CI.APCTools7.0.3.52011.04.04Trojan.GenPrevx3.02011.04.05-Rising23.51.05.052011.04.02Trojan.Win32.Generic.126F5AFCSophos4.64.02011.04.05-SUPERAntiSpyware4.40.0.10062011.04.05-Symantec20101.3.2.892011.04.05Trojan.GenTheHacker6.7.0.1.1672011.04.05-TrendMicro9.200.0.10122011.04.05TROJ_GEN.R47C2ARTrendMicro-HouseCall9.200.0.10122011.04.05TROJ_GEN.R47C2ARVBA323.12.14.32011.04.04-VIPRE89242011.04.05Trojan.Win32.Sefnit.al (v)ViRobot2011.4.5.43942011.04.05-VirusBuster13.6.287.02011.04.04Trojan.Sefnit!MX0/RQXyxT8 Additional information MD5 : 817621fae67d5453c6d111920cbeabc3 SHA1 : 06539a9d5a2ab55007f583ae70b5b2176b37ae3c SHA256: 0782afc6f02aacec0f1a1dba535489281fec247b910413dc1ffd4959f77cb65e ssdeep: 1536:lfWQD8Gk8U59D64gNOeUrDrmpWptgMtiHRYC1yk8IdTVTi:lDD0p64uOWpWptgOiHRYa8I
dTVTi File size : 86016 bytes First seen: 2011-01-07 15:04:12 Last seen : 2011-04-05 10:49:45 TrID:
Win32 Executable MS Visual C++ (generic) (51.4%)
Win 9x/ME Control Panel applet (21.1%)
Win32 Executable Generic (11.6%)
Win32 Dynamic Link Library (generic) (10.3%)
Generic Win/DOS Executable (2.7%) sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x15DA
timedatestamp....: 0x4CB12773 (Sun Oct 10 02:39:47 2010)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0xE389, 0xF000, 6.04, 6cdda1d3f12b0bff1e95825c03b2ee7f
.rdata, 0x10000, 0x10F1, 0x2000, 3.50, ac2c3dde8fd65a65ec117a41843d9fad
.data, 0x12000, 0x1778, 0x2000, 5.40, 2aba1129bd07748f8fb38640ab432200
.reloc, 0x14000, 0x8D8, 0x1000, 3.95, 3ac735f420661d59705c85ec7419e615

[[ 6 import(s) ]]
KERNEL32.dll: HeapSize, GetCurrentActCtx, GetProcessVersion, GetProfileSectionA, SetLocalTime, InitializeCriticalSection, ReleaseMutex, RemoveDirectoryA, SetCurrentDirectoryA, AddRefActCtx, GetCurrencyFormatA, CreateTimerQueue, VerLanguageNameW, MoveFileExA, SetVolumeLabelA, CancelWaitableTimer, OpenJobObjectW, CreateEventW, GetStartupInfoA, IsValidCodePage, GetNumberOfConsoleInputEvents, ResumeThread, GetConsoleMode, CreateHardLinkW, GetCurrentDirectoryW, GetStdHandle, BackupRead, CancelIo, WriteConsoleA, DeleteCriticalSection, GetDateFormatW, CreateWaitableTimerW, FindResourceW, GetCurrentDirectoryA, CreateIoCompletionPort, CreateWaitableTimerA, DeleteTimerQueue, EnumResourceLanguagesA, HeapValidate, RtlMoveMemory, RegisterWaitForSingleObjectEx, GetModuleFileNameW, LocalReAlloc, FreeEnvironmentStringsW, lstrcpynW, GetBinaryTypeA, EnumSystemLocalesA, FindVolumeMountPointClose, lstrcmpW, LocalLock, lstrcmpA, GetStringTypeA, SetFileApisToOEM, GlobalDeleteAtom, OpenEventW, InterlockedCompareExchange, HeapFree, CopyFileA, CloseHandle, CreateFileMappingA, UnmapViewOfFile, MapViewOfFile, GetSystemDirectoryA, InterlockedDecrement, CreateEventA, GetModuleFileNameA, GetSystemTimeAsFileTime, CreateFileA, GetLastError, WriteFile, Sleep, DeleteFileA, ExitProcess, HeapAlloc, InterlockedIncrement, SetLastError, CreateDirectoryA, GetSystemInfo, GetProcAddress, LocalUnlock, LoadLibraryA
ole32.dll: CoGetObjectContext, OleRegEnumVerbs, StgIsStorageILockBytes, CreateDataAdviseHolder, StringFromGUID2, CreateDataCache, CreateAntiMoniker, CoTaskMemRealloc, OleIsRunning, OleSaveToStream, CoInitialize, CoUninitialize, OleRun
OLEAUT32.dll: -, -, -
SHLWAPI.dll: StrChrW, StrChrIW, wnsprintfA, StrCatW, PathRemoveFileSpecA, PathIsDirectoryW, StrChrA, SHGetValueA, StrStrIW, SHStrDupW, wnsprintfW, UrlCanonicalizeW, SHAutoComplete
SHELL32.dll: ShellAboutA, SHGetFolderPathA, DragAcceptFiles, SHGetSpecialFolderPathA, SHGetDesktopFolder, SHGetInstanceExplorer, SHGetSettings
GDI32.dll: GetGraphicsMode, GetPixel, GetLayout, PtVisible, EndPath, GetObjectW, SetStretchBltMode, PolylineTo, ResetDCA, AddFontResourceA, GetTextExtentExPointW, GetNearestColor, CreateEllipticRgnIndirect, StrokePath, CloseFigure, GetPolyFillMode, CreateMetaFileA, PlayEnhMetaFileRecord, EnumFontFamiliesW, TextOutA, SetBkMode, StretchBlt, GetNearestPaletteIndex, StartDocW, AbortPath, CreateRectRgn, CreateEnhMetaFileA, UpdateColors, EnumFontsA, StrokeAndFillPath, GetBkColor, EnumFontFamiliesA, SetTextCharacterExtra, CreateBitmapIndirect, CreateEnhMetaFileW, CreateFontIndirectW

[[ 3 export(s) ]]
CPlApplet, DllRegisterServer, DllUnregisterServer
ExifTool:
file metadata
CodeSize: 61440
EntryPoint: 0x15da
FileSize: 84 kB
FileType: Win32 DLL
ImageVersion: 0.0
InitializedDataSize: 20480
LinkerVersion: 8.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
PEType: PE32
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2010:10:10 04:39:47+02:00
UninitializedDataSize: 0


Thanks for all your help again :) x

This post has been edited by FRISC0: 05 April 2011 - 05:56 AM

#11 User is offline   Conspire 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 155
  • Joined: 29-October 10
  • Gender:Male

Posted 05 April 2011 - 07:23 AM

You're welcome :)

One more step.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.

  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE


DDS::
uRun: [UPnPRemoteEndpointInfo] regsvr32 /s /u "c:\users\jamie\appdata\local\upnpremoteendpointinfo\UPnPRemoteEndpointInfo.dll"

File::
C:\Users\Jamie\AppData\Local\UPnPRemoteEndpointInfo\UPnPRemoteEndpointInfo.dll.del
C:\Users\Jamie\AppData\Local\UPnPRemoteEndpointInfo\UPnPRemoteEndpointInfo_t.dll

Folder::
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore



In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again.Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Posted Image
Proud Graduate of the WTT Classroom
Member of ASAP and UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may Posted Image

#12 User is offline   FRISC0 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 130
  • Joined: 21-January 08
  • Gender:Male

Posted 06 April 2011 - 06:06 AM

Everything seems to be running perfectly Thankyou so much for all your hard work! :)

Heres the last log:

Quote

ComboFix 11-04-05.02 - Jamie 06/04/2011 11:49:16.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2047.1041 [GMT 1:00]
Running from: c:\users\Jamie\Desktop\ComboFix.exe
Command switches used :: c:\users\Jamie\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Jamie\AppData\Local\UPnPRemoteEndpointInfo\UPnPRemoteEndpointInfo.dll.del"
"c:\users\Jamie\AppData\Local\UPnPRemoteEndpointInfo\UPnPRemoteEndpointInfo_t.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Jamie\AppData\Local\UPnPRemoteEndpointInfo\UPnPRemoteEndpointInfo.dll.del
c:\users\Jamie\AppData\Local\UPnPRemoteEndpointInfo\UPnPRemoteEndpointInfo_t.dll
c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore
c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\C00.php
.
.
((((((((((((((((((((((((( Files Created from 2011-03-06 to 2011-04-06 )))))))))))))))))))))))))))))))
.
.
2011-04-06 10:57 . 2011-04-06 10:57 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-04-06 10:57 . 2011-04-06 10:57 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-04-06 10:57 . 2011-04-06 10:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-06 10:57 . 2011-04-06 10:57 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-04-06 10:43 . 2011-03-23 09:11 6792528 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B30E872E-965F-4BA7-8983-5EB7C1208A8E}\mpengine.dll
2011-04-05 13:45 . 2011-04-05 13:45 -------- d-----w- c:\users\Jamie\AppData\Local\{7D4B31EA-4E9A-488B-8D03-6D7F4B21066A}
2011-04-04 16:44 . 2011-04-04 16:44 -------- d-----w- c:\users\Jamie\AppData\Roaming\Malwarebytes
2011-04-04 16:44 . 2011-04-04 16:44 -------- d-----w- c:\programdata\Malwarebytes
2011-04-04 16:44 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-04 16:43 . 2011-04-04 16:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-04 16:43 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-04 14:37 . 2011-04-04 14:37 -------- d-----w- c:\users\Jamie\AppData\Local\{11BC551F-CDC9-430E-9BC8-E924E44F670D}
2011-04-03 21:18 . 2011-04-03 21:18 -------- d-----w- c:\users\Jamie\AppData\Roaming\AVG10
2011-04-03 21:15 . 2011-04-06 10:22 -------- d-----w- c:\programdata\AVG10
2011-04-03 20:57 . 2011-04-03 20:57 4738880 ----a-w- c:\users\Jamie\avg_free_stb_all_2011_1204_cnet.exe
2011-04-03 20:45 . 2011-04-03 21:14 -------- d-----w- c:\programdata\MFAData
2011-04-01 17:00 . 2011-04-01 17:02 -------- d-----w- C:\.jagex_cache_32
2011-04-01 16:59 . 2011-04-01 16:59 -------- d-----w- c:\program files\Common Files\Java
2011-04-01 16:34 . 2011-04-01 16:34 -------- d-----w- c:\users\Jamie\AppData\Local\{F9E94D31-FD70-4046-9025-9331FF3EEEC7}
2011-03-31 18:31 . 2011-03-31 18:31 -------- d-----w- c:\users\Jamie\AppData\Local\{418BCFCB-4472-48FB-A67C-F0A800FB5462}
2011-03-30 23:13 . 2011-04-03 19:44 -------- d-----w- c:\programdata\AVAST Software
2011-03-30 23:13 . 2011-03-30 23:13 -------- d-----w- c:\program files\AVAST Software
2011-03-30 22:21 . 2011-04-02 23:00 0 ----a-w- c:\users\Jamie\AppData\Local\Syowobe.bin
2011-03-30 13:50 . 2011-03-30 13:51 -------- d-----w- c:\users\Jamie\AppData\Local\{97808D4A-D5FA-43D3-95AE-A42CD7F07FA5}
2011-03-29 17:38 . 2011-03-29 17:39 -------- d-----w- c:\users\Jamie\AppData\Local\{941FEAB4-FE37-4D6F-A2BC-0779E3F0E90F}
2011-03-28 16:47 . 2011-03-28 16:48 -------- d-----w- c:\users\Jamie\AppData\Local\{1F0EAAFC-2B5D-4E5F-BE98-C9A5553370E1}
2011-03-27 20:30 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-27 20:29 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-27 20:29 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-27 20:29 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-27 20:29 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-27 20:29 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-27 20:29 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-27 20:29 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-03-27 20:28 . 2011-03-27 20:28 376480 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-03-26 18:38 . 2011-03-26 18:39 -------- d-----w- c:\users\Jamie\AppData\Local\{FDC4747C-C5DA-403A-AB87-821480F8CA5C}
2011-03-23 11:16 . 2011-03-23 11:16 -------- d-----w- c:\program files\Common Files\Skype
2011-03-23 11:09 . 2011-03-23 11:09 -------- d-----w- c:\users\Jamie\AppData\Local\{5F57A843-32D5-4857-9AFC-E5C3D0857C2C}
2011-03-23 10:15 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-23 10:15 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-23 10:15 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-22 10:27 . 2011-03-22 10:27 -------- d-----w- c:\users\Jamie\AppData\Local\{6233DC08-021B-4F62-B82E-14BA0E0AD1AC}
2011-03-22 10:26 . 2011-03-22 10:27 -------- d-----w- c:\users\Jamie\AppData\Local\{A7AD0566-CD0C-4C61-8161-0FE786F7206A}
2011-03-20 21:46 . 2011-03-20 21:47 -------- d-----w- c:\users\Jamie\AppData\Local\{59CF0317-A669-4948-AD36-03953CC67D99}
2011-03-18 15:28 . 2011-03-18 15:28 -------- d-----w- c:\users\Jamie\AppData\Local\{889EF7D4-E2B2-4210-98BC-562CF820C770}
2011-03-14 22:06 . 2011-03-14 22:17 -------- d-----w- c:\program files\Free Audio Pack
2011-03-11 21:07 . 2011-03-11 21:07 -------- d-----w- c:\users\Jamie\AppData\Local\{A83C51F8-9B6A-43AD-89EB-5F57B8DED0E5}
2011-03-10 10:36 . 2011-03-10 10:36 -------- d-----w- c:\program files\iPod
2011-03-08 23:36 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-08 23:36 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-08 23:36 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-08 23:36 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-08 23:36 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-08 23:36 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-07 17:00 . 2011-03-07 17:00 -------- d-----w- c:\users\Jamie\AppData\Local\{08DAB889-D2D1-4BD1-B7E8-1C7D8C1AAC19}
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-17 20:33 . 2010-06-24 11:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-02-18 16:36 . 2011-02-18 16:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 16:36 . 2011-02-18 16:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-02 20:40 . 2010-05-07 09:31 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 17:11 . 2009-10-03 09:15 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-31 15:52 . 2011-01-31 15:52 626688 ----a-w- c:\windows\system32\msvcr80.dll
2011-01-20 16:37 . 2011-02-09 15:31 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-02-09 15:31 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-02-09 15:31 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-02-09 15:31 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08 . 2011-02-09 15:31 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:08 . 2011-02-09 15:31 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:07 . 2011-02-09 15:31 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-02-09 15:31 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-02-09 15:31 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-02-09 15:31 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-02-09 15:31 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-02-09 15:31 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-02-09 15:31 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-02-09 15:31 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-02-09 15:31 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-02-09 15:31 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-02-09 15:31 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-02-09 15:31 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-02-09 15:31 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-02-09 15:31 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-02-09 15:31 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14 . 2011-02-09 15:31 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12 . 2011-02-09 15:31 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-02-09 15:31 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-02-09 15:31 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-08 08:47 . 2011-02-09 15:30 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28 . 2011-02-09 15:30 292352 ----a-w- c:\windows\system32\atmfd.dll
2011-03-18 17:53 . 2011-03-27 20:30 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2009-04-14 604704]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 12:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gainward]
2007-11-27 14:40 2169352 ----a-w- c:\program files\XpertVision\TBPANEL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-04-23 11:55 133104 ----atw- c:\users\Jamie\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-16 23:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 15:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 13:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-12-24 14:43 396152 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 FXDrv32;FXDrv32;D:\FXDrv32.sys [x]
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2009-03-11 13224]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [x]
R3 RTLWUSB;802.11g USB2.0 WLAN Dongle;c:\windows\system32\DRIVERS\RTL8187.sys [2008-06-27 335872]
R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys [2008-06-04 90408]
R3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s1018mdfl.sys [2008-06-04 15016]
R3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s1018mdm.sys [2008-06-04 122024]
R3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s1018mgmt.sys [2008-06-04 115368]
R3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\DRIVERS\s1018nd5.sys [2008-06-04 25768]
R3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s1018obex.sys [2008-06-04 111784]
R3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\DRIVERS\s1018unic.sys [2008-06-04 117544]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [2010-10-15 326704]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-10-16 369256]
S3 Camdrv30;Philips ToUcam XS;c:\windows\system32\Drivers\camdrv30.sys [2001-08-17 171264]
S3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2008-06-27 335872]
S4 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]
S4 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - Avgldx86
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1120449131-2099679387-1230050658-1000Core.job
- c:\users\Jamie\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-23 11:55]
.
2011-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1120449131-2099679387-1230050658-1000UA.job
- c:\users\Jamie\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-23 11:55]
.
2011-04-06 c:\windows\Tasks\User_Feed_Synchronization-{2BF8F888-5AC5-4B2A-907F-163B8026A570}.job
- c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = local;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Jamie\AppData\Roaming\Mozilla\Firefox\Profiles\wkfz9qgz.default\
FF - prefs.js: browser.startup.homepage - hxxp://Google.co.uk
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-06 11:57
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\users\Jamie\AppData\Local\Temp\catchme.dll 53248 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-04-06 11:59:37
ComboFix-quarantined-files.txt 2011-04-06 10:59
ComboFix2.txt 2010-08-19 09:05
.
Pre-Run: 109,978,484,736 bytes free
Post-Run: 109,950,685,184 bytes free
.
- - End Of File - - AC465D91FF88165956A7C265778697AB

#13 User is offline   Conspire 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 155
  • Joined: 29-October 10
  • Gender:Male

Posted 06 April 2011 - 07:06 AM

Hello,

We're done! :thumbup2:

Follow these steps to uninstall Combofix
  • Click START then RUN
  • Now copy/paste the code into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.
Combofix /Uninstall

Posted Image

===================================================

I'm pleased to let you know that your log is clean!

Thank you for your patience, and performing all of the procedures requested. I would also like to take this opportunity to apologize for any delay that may have occurred.

--------------------------------------------------------------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.


Passwords
It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
Strong passwords: How to create and use them and consider a password keeper, to keep all your passwords safe.


SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well written articles:

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
WOT has an add-on available for both Firefox and IE.

  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites. See tutorial here

  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
    • Download Host.zip and Save it to your Desktop.
    • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
    • Follow the prompts and click 'Finish'.
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.

Follow this list and keep your antivirus program and antispyware programs updated and scan with them on a regular basis. By doing so, your potential for being infected again will reduce dramatically.

Hopefully this should take care of your problems! Good luck.

Do you have any questions or problems to ask? Please do not hesitate to do so.

**Please respond this one more time to ensure it is resolved and close this topic.
Proud Graduate of the WTT Classroom
Member of ASAP and UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may Posted Image

#14 User is offline   FRISC0 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 130
  • Joined: 21-January 08
  • Gender:Male

Posted 06 April 2011 - 02:14 PM

Thankyou so much you've been a brilliant help!

No delays at all was all outstanding! :)

Problem solved!

Thanks again!

#15 User is offline   Conspire 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 155
  • Joined: 29-October 10
  • Gender:Male

Posted 06 April 2011 - 11:05 PM

You're welcome :thumbup2:
Proud Graduate of the WTT Classroom
Member of ASAP and UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may Posted Image

Share this topic:


  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users