
Think I May Be Infected


  • This topic is locked
14 replies to this topic

#1 beedle

beedle

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:21 PM

Posted 23 May 2008 - 06:40 AM

Hello to the HJT team. I followed a link to this site from a Google search and I've really been impressed at how efficient and professional the advice is.
Now to my problem:
I've been experiencing lots of strange problems recently: lots of slowdown, random crashes, virus scans freezing. All quite frustrating, and, having not been able to find the source of the problem on my own, I decided to seek help.
Currently running AVG8, up to date, Spyware Doctor free edition, Spybot S&D and ZoneAlarm firewall.
Latest scan with AVG showed a large number of adware, trojans and hijackers in ActiveX registry entries; however, they come back even after fixing them and do not register as a threat to AVG. Trojans found include:
Trojan.Zapchast, Trojan.vb.aft, hijacker.morwilsearch, trojan.CWSMeup, hijacker.generic etc.
So far I've only been able to complete a scan using AVG when completely disconnected from the internet. I've also tried scanning with Kaspersky Online Scanner, but, like AVG, this hangs partway through and I'm unable to pause/cancel.
Here is the DSS/HJT log, extra log attached:

Deckard's System Scanner v20071014.68
Run by Matt on 2008-05-23 12:23:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
14: 2008-05-23 11:24:09 UTC - RP335 - Deckard's System Scanner Restore Point
13: 2008-05-23 01:07:00 UTC - RP334 - Software Distribution Service 3.0
12: 2008-05-22 18:43:00 UTC - RP333 - System Checkpoint
11: 2008-05-21 17:46:38 UTC - RP332 - Spyware Doctor: Cleaning Threats
10: 2008-05-21 01:08:25 UTC - RP331 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-05-14 02:00:19 UTC - RP322 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 2.78 GiB (less than 15%) free.


-- HijackThis (run as Matt.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:33, on 23/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\a-squared free\a2service.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgscanx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Matt\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Matt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9252 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.5.3.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.5.3.0>

S3 DNINDIS5 (DNINDIS5 NDIS Protocol Driver) - c:\windows\system32\dnindis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 a2free (a-squared Free Service) - "c:\program files\a-squared free\a2service.exe" <Not Verified; Emsi Software GmbH; a-squared>
R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>

S3 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_E0001458&REV_10\4&3B1D9AB8&0&5840
Manufacturer: Realtek
Name: Realtek RTL8139 Family PCI Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_E0001458&REV_10\4&3B1D9AB8&0&5840
Service: rtl8139


-- Scheduled Tasks -------------------------------------------------------------

2008-05-23 02:07:18 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-05-17 08:11:07 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-05-16 21:46:15 406 --a------ C:\WINDOWS\Tasks\Norton Security Scan.job


-- Files created between 2008-04-23 and 2008-05-23 -----------------------------

2008-05-16 21:34:08 0 d--h----- C:\$AVG8.VAULT$
2008-05-13 19:24:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-13 19:24:24 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-10 11:00:02 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-10 10:59:52 0 d-------- C:\Program Files\AVG
2008-05-10 10:51:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-10 10:28:25 0 d-------- C:\Documents and Settings\Matt\Application Data\AVGTOOLBAR
2008-05-02 11:42:33 221184 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-04-30 15:18:33 25088 --a------ C:\Documents and Settings\Matt\Desktop(5)
2008-04-30 15:18:04 25088 --a------ C:\Documents and Settings\Matt\Desktop(4)
2008-04-26 16:13:48 0 d-------- C:\Program Files\Eusing Free Registry Cleaner


-- Find3M Report ---------------------------------------------------------------

2008-05-23 12:06:55 0 d-------- C:\Documents and Settings\Matt\Application Data\Azureus
2008-05-23 10:47:06 0 d-------- C:\Program Files\Spyware Doctor
2008-05-21 17:26:21 0 d-------- C:\Documents and Settings\Matt\Application Data\dvdcss
2008-05-21 13:03:57 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-16 22:26:51 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-16 22:22:58 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-05-16 15:00:03 0 d-------- C:\Program Files\Norton Security Scan
2008-05-08 19:43:55 0 d-------- C:\Program Files\Motorola Phone Tools
2008-04-18 07:32:30 0 d-------- C:\Program Files\Azureus
2008-04-08 13:40:01 0 d-------- C:\Program Files\Avanquest update
2008-04-05 17:43:23 0 d-------- C:\Program Files\PowerISO
2008-03-15 16:40:22 205 --a------ C:\WINDOWS\system32\lsprst7.dll
2008-02-23 15:18:44 2549 --a------ C:\WINDOWS\unins000.dat
2008-02-23 15:17:32 691545 --a------ C:\WINDOWS\unins000.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
09/01/2008 18:39 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [09/01/2008 18:39 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [21/06/2006 06:42 C:\WINDOWS\soundman.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [23/11/2006 23:10]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [06/12/2006 06:55]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [18/10/2005 19:58]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [13/01/2006 00:40]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [06/10/2006 06:11]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 09:11]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/11/2007 19:14]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [22/10/2006 13:22]
"nwiz"="nwiz.exe" [22/10/2006 13:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [22/10/2006 13:22]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [27/10/2006 01:47]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [25/01/2008 11:08]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/02/2008 00:13]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [10/12/2007 15:53]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [18/03/2006 03:24]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [10/05/2008 10:59]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [13/03/2008 23:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [28/02/2006 13:00]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [18/09/2007 15:16]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 23:05:26]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [23/02/2008 15:32:25]
NETGEAR WG111T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111T\wlan111t.exe [20/03/2008 13:21:40]
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [25/12/2007 17:42:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11fe4223-e123-11dc-8641-000e2e4fc208}]
AutoRun\command- I:\setup.exe /autorun

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16006532-8536-11dc-b57e-000e2e4fc208}]
AutoRun\command- G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81007710-8278-11dc-8769-806d6172696f}]
AutoRun\command- D:\setup.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

7955 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-23 12:32:19 ------------



Thanks for any help you can provide- it will be very much appreciated.

Attached Files
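A helper reads a log like the one above by eye, section code by section code. As an added example (this is not code from the thread, from HijackThis or from Deckard's System Scanner), here is a small Python triage pass over HijackThis-format lines that pulls out the entries a reviewer would want to look at first: an IE start or search page that is not the stock Microsoft value, Run entries whose target has no full path, any AppInit_DLLs value, and services with no publisher information. The sample lines are copied from the log in this post; the rules themselves are assumptions chosen for illustration, and a flag means "look at this", not "malicious" (the daemonsearch start page is flagged only because it differs from the stock default, not because the script knows what it is).

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Microsoft's redirector; IE's stock Start/Search/Default pages all point here
# (the R1 lines in the log above show the stock values).
MS_DEFAULT_PREFIX = "http://go.microsoft.com/fwlink/"

# "O4 - HKLM\..\Run: [Name] command" -> code "O4", body "HKLM\..\Run: [Name] command"
HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# Pull the command out of a Run entry body; Global Startup lines have no "[Name]" and are skipped.
O4_COMMAND = re.compile(r"\[[^\]]+\] (?P<cmd>.+)$")


@dataclass
class Finding:
    code: str      # HJT section code, e.g. "O4"
    reason: str    # why a reviewer should look at this line
    line: str      # the original log line


def parse_hjt(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (section code, body, full line) for each HijackThis entry in text."""
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if m:
            yield m.group("code"), m.group("body"), line


def triage(text: str) -> List[Finding]:
    """Return the entries that deserve a closer look, in log order (rules are illustrative)."""
    findings: List[Finding] = []
    for code, body, line in parse_hjt(text):
        if code in ("R0", "R1"):
            # body looks like "HKCU\...\Main,Start Page = http://..."; an empty value is stock.
            _key, _sep, value = body.partition(" = ")
            value = value.strip()
            if value and not value.startswith(MS_DEFAULT_PREFIX):
                findings.append(Finding(code, "IE start/search page is not the stock default", line))
        elif code == "O4":
            m = O4_COMMAND.search(body)
            if m and "\\" not in m.group("cmd"):
                # A bare image name is resolved through the search path at logon,
                # so the file that actually runs cannot be read off the log line.
                findings.append(Finding(code, "autorun target has no full path", line))
        elif code == "O20":
            # AppInit_DLLs load into every process that links user32.dll; always worth confirming.
            findings.append(Finding(code, "AppInit_DLLs value loads into every GUI process", line))
        elif code == "O23" and "Unknown owner" in body:
            findings.append(Finding(code, "service binary carries no publisher information", line))
    return findings


# Constructed sample: a handful of lines copied from the HijackThis log in this post.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason}\n     {f.line}")
```

Run against the sample it reports five lines: the daemonsearch start page, the two path-less Run entries (SOUNDMAN.EXE and nwiz.exe), the AppInit_DLLs value and the RichVideo service. The same five are the ones a helper would verify by hand (what file actually sits on the path, which product installed the DLL) before deciding anything; the script only orders the work, it does not decide.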




#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:21 AM

Posted 23 May 2008 - 08:44 PM

Hello beedle,

Welcome to Bleeping Computer :)

The good news is I don't see anything malicious in your logs. :thumbsup: What I think is happening is AVG8 is clashing with your system. So let's have a test... go offline and disable or uninstall AVG8, reboot, and see what happens for a while. Stay offline of course. If that's the problem, then try one of these other excellent free AntiVirus Programs: Avira OR Avast. If it still does it, then please do this:

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply along with a fresh HijackThis log.


Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 beedle

beedle
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:21 PM

Posted 26 May 2008 - 10:33 AM

Hey, thanks for the help, and the speedy response.
I've now uninstalled AVG, had a bit of a cleanup deleting unneeded programs and cleaned the registry.
Then I tried scanning with MBAM, which came up clean, so I installed Avira AntiVir.
However, when I try scanning with AntiVir it still stalls, whether the scan is done while online or offline.
The first time I ran a scan it came up with a suspicious file which was quarantined, but then stalled at C:\System volume information\tracking.log.
I attempted to run a second scan after cancelling the first while offline, but it stalled at the same place.
I'm almost certain this is the same file which Kaspersky Online Scanner stalled at, but not AVG.
Attached is the report log for the first scan, where a suspicious file was found.
Thanks again for your help.

Attached Files



#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:21 AM

Posted 28 May 2008 - 12:19 PM

Hello,

This: C:\System volume information\tracking.log we can fix.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it (something you'll remember) and click Create. When the confirmation screen shows the restore point has been created, click Close.

Next go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up on the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan, click OK then choose Yes on the confirmation window.

Let's look deeper though, to be sure there aren't stragglers in the registry. I'm thinking they're all in your system restore.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#5 beedle

beedle
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:21 PM

Posted 28 May 2008 - 04:05 PM

ok, here's the combofix log:

ComboFix 08-05-27.4 - Matt 2008-05-28 19:15:24.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.270 [GMT 1:00]
Running from: C:\Documents and Settings\Matt\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\lsprst7.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
.

2008-05-28 16:05 . 2008-05-28 16:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-28 16:05 . 2008-05-28 16:05 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-28 11:12 . 2008-05-28 11:12 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-27 11:32 . 2008-05-27 11:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-05-27 11:25 . 2008-05-27 11:28 <DIR> d-------- C:\WINDOWS\nview
2008-05-27 11:25 . 2008-05-27 11:25 <DIR> d-------- C:\NVIDIA
2008-05-27 11:25 . 2005-06-15 17:20 176,128 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-05-27 11:25 . 2008-05-28 11:10 28,244 --a------ C:\WINDOWS\system32\nvapps.xml
2008-05-27 11:25 . 2005-06-15 17:20 14,757 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-05-27 11:01 . 2008-05-27 11:01 1,492 --a------ C:\ff8input.cfg
2008-05-27 10:33 . 2008-05-27 10:33 <DIR> d-------- C:\Program Files\Creative Labs
2008-05-27 10:33 . 1999-07-06 14:13 40,960 --a------ C:\WINDOWS\system32\eax.dll
2008-05-27 10:31 . 2008-05-27 10:33 <DIR> d-------- C:\Program Files\EidosNet
2008-05-26 12:30 . 2008-05-26 12:30 <DIR> d-------- C:\Program Files\Avira
2008-05-26 12:30 . 2008-05-26 12:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-25 17:47 . 2008-05-25 17:47 <DIR> d-------- C:\Documents and Settings\Matt\Application Data\Malwarebytes
2008-05-25 17:47 . 2008-05-25 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-25 17:43 . 2008-05-25 17:43 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-23 12:23 . 2008-05-23 12:23 <DIR> d-------- C:\Deckard
2008-05-13 19:24 . 2008-05-13 19:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-10 10:51 . 2008-05-26 12:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-10 10:28 . 2008-05-10 10:28 <DIR> d-------- C:\Documents and Settings\Matt\Application Data\AVGTOOLBAR
2008-05-02 11:42 . 2008-05-02 11:42 221,184 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-05-02 11:42 . 2008-05-02 11:42 81,920 --a------ C:\WINDOWS\system32\OpenAL32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 18:19 --------- d-----w C:\Documents and Settings\Matt\Application Data\Azureus
2008-05-28 18:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-05-28 18:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-27 19:12 6,494,240 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-27 19:12 59,300 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-27 18:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-27 08:19 --------- d-----w C:\Program Files\Spyware Doctor
2008-05-26 17:18 --------- d-----w C:\Documents and Settings\Matt\Application Data\dvdcss
2008-05-26 12:26 --------- d-----w C:\Documents and Settings\Matt\Application Data\AdobeUM
2008-05-26 11:10 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-26 10:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-26 10:48 --------- d-----w C:\Program Files\Soulseek-Test
2008-05-26 10:46 --------- d-----w C:\Program Files\MagicISO
2008-05-23 14:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-05-10 09:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-08 18:43 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-04-26 15:23 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2008-04-24 12:06 2,019,328 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-04-18 06:32 --------- d-----w C:\Program Files\Azureus
2008-04-08 12:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-04-08 12:44 92,064 ----a-w C:\Documents and Settings\Matt\mqdmmdm.sys
2008-04-08 12:44 9,232 ----a-w C:\Documents and Settings\Matt\mqdmmdfl.sys
2008-04-08 12:44 79,328 ----a-w C:\Documents and Settings\Matt\mqdmserd.sys
2008-04-08 12:44 66,656 ----a-w C:\Documents and Settings\Matt\mqdmbus.sys
2008-04-08 12:44 6,208 ----a-w C:\Documents and Settings\Matt\mqdmcmnt.sys
2008-04-08 12:44 5,936 ----a-w C:\Documents and Settings\Matt\mqdmwhnt.sys
2008-04-08 12:44 4,048 ----a-w C:\Documents and Settings\Matt\mqdmcr.sys
2008-04-08 12:44 25,600 ----a-w C:\Documents and Settings\Matt\usbsermptxp.sys
2008-04-08 12:44 22,768 ----a-w C:\Documents and Settings\Matt\usbsermpt.sys
2008-04-08 12:40 --------- d-----w C:\Program Files\Avanquest update
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-13 22:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-03-13 22:11 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-03-05 15:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 15:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 15:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 14:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 14:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 13:00 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 15:16 171464]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-06-21 06:42 577536 C:\WINDOWS\soundman.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 23:10 56928]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 06:55 54832]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 19:58 278528]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-13 00:40 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 09:11 132496]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-05 19:14 185896]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2008-01-25 11:08 1032376]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-06-15 17:20 6803456]
"nwiz"="nwiz.exe" [2005-06-15 17:20 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-06-15 17:20 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 13:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 20:48 434528]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-02-23 15:32:25 125624]
NETGEAR WG111T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111T\wlan111t.exe [2008-03-20 13:21:40 884840]
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [2007-12-25 17:42:59 1114112]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SPSSInc\\SPSS16\\spss.exe"=
"C:\\Program Files\\SPSSInc\\SPSS16\\spss.com"=

S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\WG11TND5.sys [2005-09-05 12:21]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 13:10]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-06-20 15:57]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 21:03]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-05-07 16:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11fe4223-e123-11dc-8641-000e2e4fc208}]
\Shell\AutoRun\command - I:\setup.exe /autorun

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81007710-8278-11dc-8769-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-17 07:11:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-28 10:29:27 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-05-25 16:10:40 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 19:19:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-28 19:21:48
ComboFix-quarantined-files.txt 2008-05-28 18:21:43

Pre-Run: 22,666,768,384 bytes free
Post-Run: 22,663,213,056 bytes free

162 --- E O F --- 2008-05-28 10:29:29



And the HijackThis log:
Deckard's System Scanner v20071014.68
Run by Matt on 2008-05-28 22:00:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 83% (more than 75%).


-- HijackThis (run as Matt.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:01:03, on 28/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\a-squared free\a2service.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Matt\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Matt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8355 bytes

-- Files created between 2008-04-28 and 2008-05-28 -----------------------------

2008-05-28 19:19:17 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-05-28 19:12:33 68096 --a------ C:\WINDOWS\zip.exe
2008-05-28 19:12:33 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-28 19:12:33 98816 --a------ C:\WINDOWS\sed.exe
2008-05-28 19:12:33 80412 --a------ C:\WINDOWS\grep.exe
2008-05-28 19:12:32 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-28 19:12:32 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-28 19:12:32 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-28 19:12:32 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-28 11:12:13 0 d-------- C:\WINDOWS\LastGood
2008-05-27 11:32:30 0 d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-05-27 11:25:57 0 d-------- C:\WINDOWS\nview
2008-05-27 11:25:04 0 d-------- C:\NVIDIA
2008-05-27 10:33:43 0 d-------- C:\Program Files\Creative Labs
2008-05-27 10:31:58 0 d-------- C:\Program Files\EidosNet
2008-05-26 12:30:46 0 d-------- C:\Program Files\Avira
2008-05-26 12:30:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-25 17:47:58 0 d-------- C:\Documents and Settings\Matt\Application Data\Malwarebytes
2008-05-25 17:47:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-25 17:43:16 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-13 19:24:24 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-10 10:51:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-10 10:28:25 0 d-------- C:\Documents and Settings\Matt\Application Data\AVGTOOLBAR
2008-05-02 11:42:33 221184 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-04-30 15:18:33 25088 --a------ C:\Documents and Settings\Matt\Desktop(5)
2008-04-30 15:18:04 25088 --a------ C:\Documents and Settings\Matt\Desktop(4)


-- Find3M Report ---------------------------------------------------------------

2008-05-28 22:01:21 0 d-------- C:\Documents and Settings\Matt\Application Data\Azureus
2008-05-27 09:19:47 0 d-------- C:\Program Files\Spyware Doctor
2008-05-26 18:18:57 0 d-------- C:\Documents and Settings\Matt\Application Data\dvdcss
2008-05-26 13:26:27 0 d-------- C:\Documents and Settings\Matt\Application Data\AdobeUM
2008-05-26 12:10:14 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-26 11:48:24 0 d-------- C:\Program Files\Soulseek-Test
2008-05-26 11:48:15 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-26 11:46:01 0 d-------- C:\Program Files\MagicISO
2008-05-26 11:45:02 0 d-------- C:\Program Files\Common Files
2008-05-23 15:00:00 0 d-------- C:\Program Files\Norton Security Scan
2008-05-16 22:22:58 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-05-08 19:43:55 0 d-------- C:\Program Files\Motorola Phone Tools
2008-04-26 16:23:07 0 d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-04-18 07:32:30 0 d-------- C:\Program Files\Azureus
2008-04-08 13:40:01 0 d-------- C:\Program Files\Avanquest update


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [21/06/2006 06:42 C:\WINDOWS\soundman.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [23/11/2006 23:10]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [06/12/2006 06:55]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [18/10/2005 19:58]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [13/01/2006 00:40]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 09:11]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/11/2007 19:14]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [27/10/2006 01:47]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [25/01/2008 11:08]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/02/2008 00:13]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [13/03/2008 23:11]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [12/02/2008 10:06]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [15/06/2005 17:20]
"nwiz"="nwiz.exe" [15/06/2005 17:20 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [15/06/2005 17:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [28/02/2006 13:00]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [18/09/2007 15:16]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [30/03/2006 17:45]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 23:05:26]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [23/02/2008 15:32:25]
NETGEAR WG111T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111T\wlan111t.exe [20/03/2008 13:21:40]
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [25/12/2007 17:42:59]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11fe4223-e123-11dc-8641-000e2e4fc208}]
AutoRun\command- I:\setup.exe /autorun

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81007710-8278-11dc-8769-806d6172696f}]
AutoRun\command- D:\setup.exe

*Newly Created Service* - CATCHME



-- End of Deckard's System Scanner: finished at 2008-05-28 22:02:49 ------------

Thank you again for all your help
matt

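The "Reg Loading Points" dump above is the part of the ComboFix/DSS log worth reading closely: it records the Run keys, the fact that Windows Firewall's standard profile is off (`EnableFirewall = 0`) while ZoneAlarm has told Security Center to stop monitoring it (`DisableMonitoring = 1`), and two MountPoints2 AutoRun commands pointing at `setup.exe` on drives D: and I:. The script below is an added example, not code from the original post, from ComboFix or from DSS; `SAMPLE` is a constructed subset of the dump posted above, and the checks it applies (Run values with no directory in the command, empty Run values, firewall state cross-checked against Security Center monitoring, AutoRun commands per volume, and the `806d6172696f` suffix used to recognise optical drives) are this example's own heuristics, not the forum helper's method.

```python
"""
Triage of the "Reg Loading Points" section of a ComboFix/DSS log.

Added example: this is not code from the original post, from ComboFix or
from DSS. SAMPLE is a constructed subset of the registry dump posted in
the thread. The checks (unqualified Run commands, empty Run values,
Windows Firewall state versus Security Center monitoring, AutoRun
commands under MountPoints2) and the "806d6172696f" optical-drive tag
are this example's own assumptions, not the forum helper's method.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-06-21 06:42 577536 C:\WINDOWS\soundman.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 23:10 56928]
"NWEReboot"="" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"nwiz"="nwiz.exe" [2005-06-15 17:20 1519616 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11fe4223-e123-11dc-8641-000e2e4fc208}]
\Shell\AutoRun\command - I:\setup.exe /autorun

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81007710-8278-11dc-8769-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<data>.*)$')
RUN_RE = re.compile(r'^"(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s*-\s*(?P<cmd>.+)$")
# MountPoints2 GUIDs for CD/DVD drives end in the ASCII bytes of "mario";
# treated here as an assumption rather than a documented guarantee.
OPTICAL_SUFFIX = "806d6172696f"


@dataclass
class Finding:
    severity: str  # "review" needs a human decision, "info" is context
    key: str
    detail: str


def parse_dump(text: str) -> Dict[str, List[str]]:
    """Group the non-blank lines of the dump under their [section] header."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def _values(lines: List[str]) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for line in lines:
        m = VALUE_RE.match(line)
        if m:
            out[m.group("name")] = m.group("data").strip()
    return out


def _run_entries(lines: List[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (value name, command, ComboFix metadata) for each Run entry."""
    for name, data in _values(lines).items():
        m = RUN_RE.match(data)
        if m:
            yield name, m.group("cmd"), m.group("meta")


def triage(text: str) -> List[Finding]:
    findings: List[Finding] = []
    monitoring_off: List[str] = []   # products that told Security Center to stop watching them
    firewall_off = False

    for key, lines in parse_dump(text).items():
        lkey = key.lower()
        if lkey.endswith("\\currentversion\\run"):
            for name, cmd, meta in _run_entries(lines):
                if cmd == "":
                    findings.append(Finding("review", key, f"{name}: empty Run value"))
                elif "\\" not in cmd:
                    # No directory: Windows resolves the name through the search path,
                    # so a same-named file earlier in that path would run instead.
                    resolved = meta.split()[-1] if meta.split() else "?"
                    findings.append(Finding("review", key,
                        f'{name}: unqualified command "{cmd}" resolved to {resolved}'))
        elif "\\security center\\monitoring\\" in lkey:
            if _values(lines).get("DisableMonitoring", "").endswith("1"):
                monitoring_off.append(key.rsplit("\\", 1)[-1])
        elif lkey.endswith("\\firewallpolicy\\standardprofile"):
            firewall_off = _values(lines).get("EnableFirewall", "").startswith("0")
        elif "\\mountpoints2\\{" in lkey:
            for line in lines:
                m = AUTORUN_RE.match(line)
                if m:
                    guid = lkey.rsplit("{", 1)[-1].rstrip("}")
                    kind = "optical drive" if guid.endswith(OPTICAL_SUFFIX) else "volume"
                    findings.append(Finding("review", key,
                        f"AutoRun command on {kind}: {m.group('cmd')}"))

    if firewall_off and monitoring_off:
        findings.append(Finding("info", "firewallpolicy\\standardprofile",
            "Windows Firewall is off; expected while " + ", ".join(monitoring_off)
            + " is the registered firewall, re-check once it is uninstalled"))
    elif firewall_off:
        findings.append(Finding("review", "firewallpolicy\\standardprofile",
            "Windows Firewall is off and no third-party firewall is registered with Security Center"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.severity}] {f.key}\n    {f.detail}")
```

On this dump the script flags `SoundMan` and `nwiz` because their Run values carry a bare file name rather than a full path, `NWEReboot` because its value is empty, both AutoRun commands for a human to look at, and reports the disabled Windows Firewall as expected only for as long as ZoneAlarm remains the registered firewall. If ZoneAlarm is later removed, rerunning the check would turn that last item into a "review" finding.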
#6 teacup61 (Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 28 May 2008 - 04:26 PM

Hi Matt,

You're welcome. :thumbsup:

......but then stalled at C:\System volume information\tracking.log.

Did that take care of the problem?

Did you set this entry yourself? R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/uk/
If not, then please include it in the HijackThis fixes below. :)

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

In your reply, please post a new HijackThis log. Please also let me know how your computer is running. :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#7 beedle (Topic Starter, Members, 7 posts)

Posted 29 May 2008 - 05:24 AM

Right, removed all those registry entries and restarted.
HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:53, on 29/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\a-squared free\a2service.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7932 bytes


Tried another antivirus scan after all this and it's still stalling at tracking.log. Damn.
Thanks
matt

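The reply above asked for specific HijackThis entries to be fixed and for a fresh log afterwards, and the 28 May and 29 May logs in this thread are the "before" and "after" of that step. The script below is an added example, not code from the original post or from HijackThis; `BEFORE` and `AFTER` are constructed subsets of those two logs, and `FIX_LIST` holds the entries the helper asked to have fixed. It compares the two scans line-for-line and reports which entries and running processes disappeared or appeared, and which requested fixes are still present. Exact-line matching of entries is this example's own choice; HijackThis itself does no such comparison.

```python
"""
Before/after comparison of two HijackThis logs.

Added example, not code from the original post or from HijackThis. BEFORE
and AFTER are constructed subsets of the 28 May and 29 May logs in the
thread, and FIX_LIST is the list of entries the helper asked to have fixed.
Line-exact matching of entries is this example's own choice.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

ENTRY_RE = re.compile(r"^[A-Z]\d{1,2} - ")      # R0, O2, O4, O23 ...
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")         # path lines under "Running processes:"

BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:01:03, on 28/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:53, on 29/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# The entries the helper asked to have fixed (copied from the reply above).
FIX_LIST = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/uk/",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
]


@dataclass
class HjtLog:
    scan: str                 # value of the "Scan saved at ..." line
    platform: str
    processes: Set[str]       # lower-cased paths from "Running processes:"
    entries: Set[str]         # R0/O2/O4/O23... lines exactly as logged


def parse_hjt(text: str) -> HjtLog:
    log = HjtLog(scan="", platform="", processes=set(), entries=set())
    in_processes = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            in_processes = False              # a blank line closes the process block
            continue
        if line == "Running processes:":
            in_processes = True
        elif in_processes and PROCESS_RE.match(line):
            log.processes.add(line.lower())   # NTFS paths compare case-insensitively
        elif ENTRY_RE.match(line):
            log.entries.add(line)
        elif line.startswith("Scan saved at "):
            log.scan = line[len("Scan saved at "):]
        elif line.startswith("Platform: "):
            log.platform = line[len("Platform: "):]
    return log


def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Entries and processes that disappeared or appeared between two scans."""
    b, a = parse_hjt(before), parse_hjt(after)
    return {
        "entries_removed": sorted(b.entries - a.entries),
        "entries_added": sorted(a.entries - b.entries),
        "processes_gone": sorted(b.processes - a.processes),
        "processes_new": sorted(a.processes - b.processes),
    }


def unfixed(log: str, fixes: List[str]) -> List[str]:
    """Requested fixes that are still present in the given log."""
    present = parse_hjt(log).entries
    return [f for f in fixes if f.rstrip() in present]


if __name__ == "__main__":
    for label, lines in diff_logs(BEFORE, AFTER).items():
        print(label)
        for line in lines:
            print("   ", line)
    print("still present after fix:", unfixed(AFTER, FIX_LIST))
```

Run against the two logs, every entry on the fix list is gone in the later scan and nothing new appeared in the numbered entries; the only process-level changes are Azureus and Notepad no longer running and the Avira on-demand scanner (`avscan.exe`) now present. A non-empty `unfixed()` result after a reboot is the usual sign that something re-created the entry.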
#8 teacup61 (Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 29 May 2008 - 09:54 AM

Hi,

Uninstall Zone Alarm and tell me what happens. :thumbsup:

tea

#9 beedle (Topic Starter, Members, 7 posts)

Posted 29 May 2008 - 12:59 PM

Uninstalled ZoneAlarm, but no change with the antivirus. Also having a strange problem with Disk Defragmenter: thought I'd defrag C: while doing all this, but it stalls at 24% each time (on different files though).
Also, what free firewalls do you recommend? Thought I'd try a different one to ZoneAlarm.
Thanks

#10 teacup61 (Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 29 May 2008 - 01:32 PM

Hello,

You're welcome. :)

Some good free firewalls are Kerio or Outpost. I use Comodo on my own system and really like it. http://comodo.com

The problem you're having is a common one, and it seems there are very few ways to totally eliminate it. :thumbsup: You can try to delete it in safe mode, but it may well come back upon reboot.

Let me know,
tea

#11 beedle (Topic Starter, Members, 7 posts)

Posted 31 May 2008 - 05:58 PM

Tried an antivirus scan in safe mode, which ran fine but came up clean. Spyware Doctor and Spybot also came up clean.
I've been reading up on the internet and have read that it could be a rootkit, so downloaded RootkitRevealer and ran a scan, results of which are:

HKU\.DEFAULT\Control Panel\International 28/05/2008 19:21 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 28/05/2008 19:21 0 bytes Security mismatch.
HKU\S-1-5-21-682003330-796845957-839522115-1004\Control Panel\International 28/05/2008 19:21 0 bytes Security mismatch.
HKU\S-1-5-21-682003330-796845957-839522115-1004\Control Panel\International\Geo 28/05/2008 19:21 0 bytes Security mismatch.
HKU\S-1-5-21-682003330-796845957-839522115-1004\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY* 11/11/2007 13:33 0 bytes Key name contains embedded nulls (*)
HKU\S-1-5-18\Control Panel\International 28/05/2008 19:21 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 28/05/2008 19:21 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 25/10/2007 06:47 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 25/10/2007 06:47 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 31/05/2008 22:50 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\PCTools\Spyware Doctor\AUXSVCSTAT 31/05/2008 22:51 22 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 11/11/2007 12:50 0 bytes Access is denied.



Others have had success by disabling System Restore and deleting the System Restore folder, although I'm not really sure how to do this, or whether it would mess up my system even more.
Thanks

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:21 AM

Posted 31 May 2008 - 06:06 PM

Hello,

Others have had success by disabling system restore and deleting the system restore folder

No, we won't go there... but we can clear all the Restore Points and start fresh. :thumbsup:

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point, then click Next. Name it (something you'll remember) and click Create. When the confirmation screen shows the restore point has been created, click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window. This will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

I don't really like that program for rootkits... let's have a better look:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start GMER.exe.
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Thanks,
tea

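Added example, not code from this thread or from either tool: a small Python triage helper for the two kinds of output exchanged above, the RootkitRevealer discrepancies beedle posted in #11 and the GMER log teacup asks for in #12. It parses both formats and, for GMER, separates hooks attributed to a named module (the COMODO driver and guard32.dll, and sptd.sys, which the log itself names) from entries the scanner could not attribute: an SSDT hook owned by a bare address, a JMP to an address with no module behind it, or a driver file that could not be read. The regular expressions are my reading of the two formats as pasted in this thread, the sample lines are copied from the output posted here, and nothing in it decides whether an entry is malicious; the unattributed list is simply where a helper starts reading.

```python
import re
from collections import Counter

# RootkitRevealer discrepancy line:
#   <registry key or file path> <dd/mm/yyyy> <HH:MM> <size> bytes <description>
# The path may contain spaces, so the timestamp is the delimiter.
RKR_LINE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d+) bytes (?P<desc>.+?)\s*$"
)
# GMER SSDT hook: "SSDT <owner> [(<description>)] <ZwFunction> [<address>]".
# <owner> is a driver name or path when GMER attributed the hook, and a bare
# 8-digit hexadecimal address when it could not.
SSDT_LINE = re.compile(
    r"^SSDT (?P<owner>\S+)(?: \((?P<desc>[^)]*)\))? (?P<func>Zw\w+)"
    r"(?: \[(?P<addr>0x[0-9A-Fa-f]+)\])?$"
)
# GMER user-mode inline hook:
#   ".text <process>[<pid>] <dll>!<export>[ + <off>] <addr> <n> Bytes <patch>"
# where <patch> is "JMP <target> [<module>]" or a list of raw bytes.
USER_LINE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<dll>[\w.]+)!(?P<export>\w+)"
    r"(?: \+ \w+)? [0-9A-Fa-f]{8} (?P<n>\d+) Bytes (?P<patch>.+)$"
)
JMP_PATCH = re.compile(r"^JMP (?P<target>[0-9A-Fa-f]+)(?: (?P<module>.+))?$")
# GMER driver it could not read: "? <path> <error message> [!]"
UNREAD_LINE = re.compile(r"^\? (?P<path>.+?\.[Ss][Yy][Ss]) (?P<error>.+?)\s*!?$")

def parse_rkr(text):
    """One dict per RootkitRevealer discrepancy line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        if m := RKR_LINE.match(line.strip()):
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entries.append(entry)
    return entries

def summarize_rkr(entries):
    """Count discrepancies by the description RootkitRevealer attached to them."""
    return Counter(e["desc"] for e in entries)

def parse_gmer(text):
    """Classify pasted GMER lines into SSDT hooks, user-mode hooks and drivers the
    scanner could not read; section headers and unrecognised lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_LINE.match(line):
            # a bare address means GMER found no module owning the hook
            attributed = re.fullmatch(r"[0-9A-Fa-f]{8}", m["owner"]) is None
            entries.append({"kind": "ssdt", "func": m["func"],
                            "owner": m["owner"], "attributed": attributed})
        elif m := USER_LINE.match(line):
            # raw byte patches and JMPs with no module name are unattributed
            jmp = JMP_PATCH.match(m["patch"])
            module = jmp["module"] if jmp else None
            entries.append({"kind": "user", "proc": m["proc"], "pid": int(m["pid"]),
                            "func": f'{m["dll"]}!{m["export"]}',
                            "owner": module, "attributed": module is not None})
        elif m := UNREAD_LINE.match(line):
            entries.append({"kind": "unreadable", "path": m["path"], "error": m["error"],
                            "owner": None, "attributed": False})
    return entries

def triage_gmer(entries):
    """Return (hooks per attributed module, entries GMER could not attribute).
    The second list is the part a helper reads first; it is a to-do list, not a verdict."""
    by_owner = Counter(e["owner"] for e in entries if e["attributed"])
    unattributed = [e for e in entries if not e["attributed"]]
    return by_owner, unattributed

# Sample input: lines copied from the scanner output posted in this thread.
SAMPLE_RKR = r"""
HKU\.DEFAULT\Control Panel\International 28/05/2008 19:21 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 28/05/2008 19:21 0 bytes Security mismatch.
HKU\S-1-5-21-682003330-796845957-839522115-1004\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY* 11/11/2007 13:33 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 31/05/2008 22:50 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 11/11/2007 12:50 0 bytes Access is denied.
"""
SAMPLE_GMER = r"""
---- System - GMER 1.0.14 ----
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateFile [0xEFFDB8A0]
SSDT sptd.sys ZwEnumerateKey [0xF772AFB2]
SSDT F18A329C ZwCreateThread
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? System32\Drivers\a4oj4ukt.SYS The system cannot find the file specified. !
.text C:\WINDOWS\Explorer.EXE[584] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[584] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Explorer.EXE[584] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
"""

if __name__ == "__main__":
    for desc, n in summarize_rkr(parse_rkr(SAMPLE_RKR)).items():
        print(f"RootkitRevealer: {n} x {desc}")
    by_owner, todo = triage_gmer(parse_gmer(SAMPLE_GMER))
    for owner, n in by_owner.items():
        print(f"GMER: {n} hook(s) owned by {owner}")
    for e in todo:
        print("GMER: look closer ->", e)
```

Run it as a script to print the summary of the sample lines, or import it and call parse_gmer and triage_gmer on a log pasted from a reply. The "owner" counts make the bulk of a log like the one below readable at a glance (dozens of guard32.dll hooks collapse to one line), while the unattributed list keeps the handful of entries that the scanner itself could not explain.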
#13 beedle

beedle
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:21 PM

Posted 01 June 2008 - 01:14 PM

Strangely enough it's now working after clearing the old restore points, despite it not working after the last time I did it. Whether or not this will last remains to be seen.
Here are the results of the GMER scan, just in case there is something there.


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-06-01 15:25:51
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xEFFDBC8C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwConnectPort [0xEFFDB3C4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateFile [0xEFFDB8A0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateKey [0xEFFDC43C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreatePort [0xEFFDB080]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0xF0008794]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0xF0008F1E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateSection [0xEFFDD084]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xEFFDBE72]
SSDT F18A329C ZwCreateThread
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDeleteKey [0xEFFDC0B8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDeleteValueKey [0xEFFDC268]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDuplicateObject [0xEFFDAB02]
SSDT sptd.sys ZwEnumerateKey [0xF772AFB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF772B340]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwLoadDriver [0xEFFDCD24]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenFile [0xEFFDBAB0]
SSDT sptd.sys ZwOpenKey [0xF77250B0]
SSDT F18A3288 ZwOpenProcess
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenSection [0xEFFDB744]
SSDT F18A328D ZwOpenThread
SSDT sptd.sys ZwQueryKey [0xF772B418]
SSDT sptd.sys ZwQueryValueKey [0xF772B298]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwRenameKey [0xEFFDC7F2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xEFFDB196]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSecureConnectPort [0xEFFDCAE6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSetSystemInformation [0xEFFDCEC4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSetValueKey [0xEFFDC602]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwShutdownSystem [0xEFFDB5D2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSystemDebugControl [0xEFFDB638]
SSDT F18A3297 ZwTerminateProcess
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwTerminateThread [0xEFFDAE18]
SSDT F18A3292 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ 80, B0, FD, EF, 94, 87, 00, ... ]
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F6F4A62C 5 Bytes JMP 86545770
? System32\Drivers\a4oj4ukt.SYS The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\Explorer.EXE[584] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[584] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Explorer.EXE[584] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\Explorer.EXE[584] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Explorer.EXE[584] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\Explorer.EXE[584] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Explorer.EXE[584] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\Explorer.EXE[584] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[584] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\Explorer.EXE[584] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[584] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[584] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[584] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\Explorer.EXE[584] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[584] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[584] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[584] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[584] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\csrss.exe[588] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[588] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\csrss.exe[588] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[588] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\csrss.exe[588] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[588] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\winlogon.exe[612] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[612] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[612] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[612] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[612] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[612] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[612] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[612] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\winlogon.exe[612] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[612] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[612] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[612] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[612] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[612] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[612] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\winlogon.exe[612] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[612] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[660] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[660] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[660] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\services.exe[660] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[660] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\services.exe[660] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[660] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\services.exe[660] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[660] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\services.exe[660] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[660] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[660] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[660] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[660] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[660] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[660] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\services.exe[660] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[660] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[672] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[672] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\lsass.exe[672] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\lsass.exe[672] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\lsass.exe[672] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\lsass.exe[672] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\lsass.exe[672] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\lsass.exe[672] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[672] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\lsass.exe[672] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[672] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[672] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[672] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[672] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[672] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[672] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\lsass.exe[672] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[672] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[816] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[816] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[816] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[816] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[816] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[816] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[816] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[816] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[816] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[816] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[816] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[816] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[816] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[816] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[816] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[816] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[816] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[880] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[880] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[880] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[880] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[880] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[880] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[880] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[880] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[880] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[880] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[964] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[964] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Windows Defender\MsMpEng.exe[964] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\Program Files\Windows Defender\MsMpEng.exe[964] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Windows Defender\MsMpEng.exe[964] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Windows Defender\MsMpEng.exe[964] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Windows Defender\MsMpEng.exe[964] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Windows Defender\MsMpEng.exe[964] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[964] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Windows Defender\MsMpEng.exe[964] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[964] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[964] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[964] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[964] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[964] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[964] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Windows Defender\MsMpEng.exe[964] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[964] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\svchost.exe[1020] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1020] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1020] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1020] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1020] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1020] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1020] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\System32\svchost.exe[1020] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1020] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1072] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1072] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1072] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1072] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1072] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1072] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1072] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1072] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1072] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1072] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1072] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1072] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1072] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1072] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1072] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1072] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1072] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1072] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1072] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1104] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1104] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1104] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1104] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1104] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1104] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1104] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[1104] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1104] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1132] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1132] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1132] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ 8B, 96, C3, 83 ]
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1132] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1132] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1132] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1132] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1132] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1132] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1132] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1132] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1132] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1164] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1164] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1164] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1164] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1164] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1164] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1164] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[1164] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1164] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iTunes\iTunes.exe[1192] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iTunes\iTunes.exe[1192] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iTunes\iTunes.exe[1192] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\Program Files\iTunes\iTunes.exe[1192] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iTunes\iTunes.exe[1192] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\Program Files\iTunes\iTunes.exe[1192] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iTunes\iTunes.exe[1192] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\Program Files\iTunes\iTunes.exe[1192] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iTunes\iTunes.exe[1192] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\iTunes\iTunes.exe[1192] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Program Files\iTunes\iTunes.exe[1192] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iTunes\iTunes.exe[1192] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iTunes\iTunes.exe[1192] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iTunes\iTunes.exe[1192] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\Program Files\iTunes\iTunes.exe[1192] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iTunes\iTunes.exe[1192] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iTunes\iTunes.exe[1192] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iTunes\iTunes.exe[1192] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iTunes\iTunes.exe[1192] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1232] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1232] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[1232] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1232] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[1232] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1232] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[1232] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1232] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1232] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\spoolsv.exe[1232] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1232] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1232] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1232] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\spoolsv.exe[1232] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1232] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1232] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1232] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1232] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text c:\program files\a-squared free\a2service.exe[1376] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text c:\program files\a-squared free\a2service.exe[1376] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text c:\program files\a-squared free\a2service.exe[1376] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text c:\program files\a-squared free\a2service.exe[1376] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text c:\program files\a-squared free\a2service.exe[1376] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text c:\program files\a-squared free\a2service.exe[1376] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text c:\program files\a-squared free\a2service.exe[1376] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text c:\program files\a-squared free\a2service.exe[1376] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text c:\program files\a-squared free\a2service.exe[1376] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text c:\program files\a-squared free\a2service.exe[1376] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text c:\program files\a-squared free\a2service.exe[1376] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text c:\program files\a-squared free\a2service.exe[1376] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text c:\program files\a-squared free\a2service.exe[1376] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text c:\program files\a-squared free\a2service.exe[1376] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text c:\program files\a-squared free\a2service.exe[1376] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text c:\program files\a-squared free\a2service.exe[1376] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text c:\program files\a-squared free\a2service.exe[1376] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text c:\program files\a-squared free\a2service.exe[1376] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1432] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1432] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1432] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1432] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1432] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1432] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1432] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1432] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1432] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1432] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1432] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1504] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1504] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1504] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1504] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1504] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1504] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1504] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1504] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1504] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1504] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1504] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1504] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1504] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1504] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1504] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1504] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1504] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1504] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Kontiki\KService.exe[1696] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Kontiki\KService.exe[1696] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Kontiki\KService.exe[1696] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\Program Files\Kontiki\KService.exe[1696] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Kontiki\KService.exe[1696] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Kontiki\KService.exe[1696] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Kontiki\KService.exe[1696] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Kontiki\KService.exe[1696] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Kontiki\KService.exe[1696] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Kontiki\KService.exe[1696] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Kontiki\KService.exe[1696] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Kontiki\KService.exe[1696] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Kontiki\KService.exe[1696] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Kontiki\KService.exe[1696] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Kontiki\KService.exe[1696] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Kontiki\KService.exe[1696] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Kontiki\KService.exe[1696] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Kontiki\KService.exe[1696] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\nvsvc32.exe[1756] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\nvsvc32.exe[1756] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\nvsvc32.exe[1756] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\nvsvc32.exe[1756] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\nvsvc32.exe[1756] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\nvsvc32.exe[1756] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\nvsvc32.exe[1756] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1828] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1828] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1828] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1828] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1828] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1828] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1828] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1828] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1828] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1828] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1828] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1828] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1828] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1828] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1828] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1828] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1828] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1828] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1884] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1884] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1884] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1884] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1884] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1884] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1884] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1884] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1884] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1884] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1884] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1884] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1884] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1884] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1884] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1884] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1884] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1884] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1920] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1920] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1920] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ 5F, 98, C3, 83 ]
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1920] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1920] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1920] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1920] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1920] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1920] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1920] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1920] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1920] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2248] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2248] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2248] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2248] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2248] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2248] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2248] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2248] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2248] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2248] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2248] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2248] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2248] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2248] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2248] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2248] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2248] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2248] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2248] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2304] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2304] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2304] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2304] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2304] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2304] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2304] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2304] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2304] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2304] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2304] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2304] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2304] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2304] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2304] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2304] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2304] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2304] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[2420] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[2420] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2420] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2420] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2420] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2420] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2420] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2420] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[2420] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2420] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[2420] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[2420] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[2420] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[2420] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[2420] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[2420] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2420] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[2420] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2568] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2568] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2568] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2568] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2568] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2568] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2568] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2568] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2568] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2568] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2568] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2568] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2568] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2568] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2568] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2568] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2568] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2568] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[2612] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[2612] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[2612] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[2612] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[2612] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[2612] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[2612] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[2612] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[2612] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[2612] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[2612] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[2612] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[2612] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[2612] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[2612] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[2612] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[2612] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[2612] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[2744] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[2744] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[2744] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[2744] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[2744] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[2744] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[2744] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[2744] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2780] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2780] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2780] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2780] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2780] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2780] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2780] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2780] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2780] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2780] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2780] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2780] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2780] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2780] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2780] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2780] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2780] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2780] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2780] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Kontiki\KHost.exe[2928] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Kontiki\KHost.exe[2928] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Kontiki\KHost.exe[2928] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\Program Files\Kontiki\KHost.exe[2928] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Kontiki\KHost.exe[2928] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Kontiki\KHost.exe[2928] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Kontiki\KHost.exe[2928] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Kontiki\KHost.exe[2928] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Kontiki\KHost.exe[2928] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Kontiki\KHost.exe[2928] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Program Files\Kontiki\KHost.exe[2928] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Kontiki\KHost.exe[2928] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Kontiki\KHost.exe[2928] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Kontiki\KHost.exe[2928] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Kontiki\KHost.exe[2928] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Kontiki\KHost.exe[2928] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Kontiki\KHost.exe[2928] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Kontiki\KHost.exe[2928] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Kontiki\KHost.exe[2928] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\RUNDLL32.EXE[3016] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\RUNDLL32.EXE[3016] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\RUNDLL32.EXE[3016] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\RUNDLL32.EXE[3016] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\RUNDLL32.EXE[3016] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\RUNDLL32.EXE[3016] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\RUNDLL32.EXE[3016] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\RUNDLL32.EXE[3016] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\RUNDLL32.EXE[3016] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\RUNDLL32.EXE[3016] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\WINDOWS\system32\RUNDLL32.EXE[3016] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\RUNDLL32.EXE[3016] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\RUNDLL32.EXE[3016] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\RUNDLL32.EXE[3016] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\RUNDLL32.EXE[3016] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\RUNDLL32.EXE[3016] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\RUNDLL32.EXE[3016] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\RUNDLL32.EXE[3016] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\RUNDLL32.EXE[3016] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[3028] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Program Files\iPod\bin\iPodService.exe[3044] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iPod\bin\iPodService.exe[3044] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iPod\bin\iPodService.exe[3044] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\Program Files\iPod\bin\iPodService.exe[3044] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iPod\bin\iPodService.exe[3044] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\Program Files\iPod\bin\iPodService.exe[3044] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iPod\bin\iPodService.exe[3044] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\Program Files\iPod\bin\iPodService.exe[3044] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iPod\bin\iPodService.exe[3044] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\iPod\bin\iPodService.exe[3044] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Program Files\iPod\bin\iPodService.exe[3044] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iPod\bin\iPodService.exe[3044] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iPod\bin\iPodService.exe[3044] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iPod\bin\iPodService.exe[3044] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\Program Files\iPod\bin\iPodService.exe[3044] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iPod\bin\iPodService.exe[3044] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iPod\bin\iPodService.exe[3044] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iPod\bin\iPodService.exe[3044] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\iPod\bin\iPodService.exe[3044] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3124] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3124] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\ctfmon.exe[3124] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[3124] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\ctfmon.exe[3124] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[3124] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\ctfmon.exe[3124] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[3124] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3124] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\ctfmon.exe[3124] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\WINDOWS\system32\ctfmon.exe[3124] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3124] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3124] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3124] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3124] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3124] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3124] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\ctfmon.exe[3124] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3124] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\DAEMON Tools\daemon.exe[3180] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 00375060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\DAEMON Tools\daemon.exe[3180] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\DAEMON Tools\daemon.exe[3180] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\Program Files\DAEMON Tools\daemon.exe[3180] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\DAEMON Tools\daemon.exe[3180] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\Program Files\DAEMON Tools\daemon.exe[3180] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\DAEMON Tools\daemon.exe[3180] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\Program Files\DAEMON Tools\daemon.exe[3180] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00374F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\DAEMON Tools\daemon.exe[3180] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\DAEMON Tools\daemon.exe[3180] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Program Files\DAEMON Tools\daemon.exe[3180] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 00371860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\DAEMON Tools\daemon.exe[3180] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 00371230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\DAEMON Tools\daemon.exe[3180] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 003713C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\DAEMON Tools\daemon.exe[3180] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 45, 88 ]
.text C:\Program Files\DAEMON Tools\daemon.exe[3180] USER32.dll!EndTask 7E459E75 5 Bytes JMP 00374C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\DAEMON Tools\daemon.exe[3180] USER32.dll!mouse_event 7E466515 5 Bytes JMP 003716D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\DAEMON Tools\daemon.exe[3180] USER32.dll!keybd_event 7E466559 5 Bytes JMP 00371550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\DAEMON Tools\daemon.exe[3180] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 00374960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\DAEMON Tools\daemon.exe[3180] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 00374AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3436] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3436] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3436] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3436] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3436] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3436] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3436] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3436] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3436] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3436] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3436] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3436] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3436] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3436] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3436] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3436] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3436] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3436] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3436] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\NETGEAR\WG111T\wlan111t.exe[3504] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 00365060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\NETGEAR\WG111T\wlan111t.exe[3504] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\NETGEAR\WG111T\wlan111t.exe[3504] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\Program Files\NETGEAR\WG111T\wlan111t.exe[3504] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\NETGEAR\WG111T\wlan111t.exe[3504] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\Program Files\NETGEAR\WG111T\wlan111t.exe[3504] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\NETGEAR\WG111T\wlan111t.exe[3504] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\Program Files\NETGEAR\WG111T\wlan111t.exe[3504] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00364F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\NETGEAR\WG111T\wlan111t.exe[3504] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\NETGEAR\WG111T\wlan111t.exe[3504] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Program Files\NETGEAR\WG111T\wlan111t.exe[3504] USER32.dll!EndTask 7E459E75 5 Bytes JMP 00364C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\NETGEAR\WG111T\wlan111t.exe[3504] USER32.dll!mouse_event 7E466515 5 Bytes JMP 003616D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\NETGEAR\WG111T\wlan111t.exe[3504] USER32.dll!keybd_event 7E466559 5 Bytes JMP 00361550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\NETGEAR\WG111T\wlan111t.exe[3504] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 00361860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\NETGEAR\WG111T\wlan111t.exe[3504] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 00361230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\NETGEAR\WG111T\wlan111t.exe[3504] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 003613C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\NETGEAR\WG111T\wlan111t.exe[3504] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 44, 88 ]
.text C:\Program Files\NETGEAR\WG111T\wlan111t.exe[3504] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 00364960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\NETGEAR\WG111T\wlan111t.exe[3504] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 00364AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[3544] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[3544] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\System32\alg.exe[3544] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\System32\alg.exe[3544] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\System32\alg.exe[3544] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\System32\alg.exe[3544] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\System32\alg.exe[3544] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\System32\alg.exe[3544] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[3544] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\alg.exe[3544] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\WINDOWS\System32\alg.exe[3544] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[3544] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[3544] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[3544] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[3544] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[3544] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[3544] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\System32\alg.exe[3544] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[3544] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\RALINK\Common\RaUI.exe[3548] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 00375060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\RALINK\Common\RaUI.exe[3548] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\RALINK\Common\RaUI.exe[3548] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\Program Files\RALINK\Common\RaUI.exe[3548] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\RALINK\Common\RaUI.exe[3548] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\Program Files\RALINK\Common\RaUI.exe[3548] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\RALINK\Common\RaUI.exe[3548] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\Program Files\RALINK\Common\RaUI.exe[3548] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00374F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\RALINK\Common\RaUI.exe[3548] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\RALINK\Common\RaUI.exe[3548] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Program Files\RALINK\Common\RaUI.exe[3548] USER32.dll!EndTask 7E459E75 5 Bytes JMP 00374C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\RALINK\Common\RaUI.exe[3548] USER32.dll!mouse_event 7E466515 5 Bytes JMP 003716D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\RALINK\Common\RaUI.exe[3548] USER32.dll!keybd_event 7E466559 5 Bytes JMP 00371550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\RALINK\Common\RaUI.exe[3548] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 00371860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\RALINK\Common\RaUI.exe[3548] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 00371230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\RALINK\Common\RaUI.exe[3548] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 003713C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\RALINK\Common\RaUI.exe[3548] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 45, 88 ]
.text C:\Program Files\RALINK\Common\RaUI.exe[3548] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 00374960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\RALINK\Common\RaUI.exe[3548] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 00374AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Matt\Desktop\gmer\gmer.exe[3568] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\Matt\Desktop\gmer\gmer.exe[3568] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\Documents and Settings\Matt\Desktop\gmer\gmer.exe[3568] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\Matt\Desktop\gmer\gmer.exe[3568] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\Documents and Settings\Matt\Desktop\gmer\gmer.exe[3568] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\Matt\Desktop\gmer\gmer.exe[3568] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\Documents and Settings\Matt\Desktop\gmer\gmer.exe[3568] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Matt\Desktop\gmer\gmer.exe[3568] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Documents and Settings\Matt\Desktop\gmer\gmer.exe[3568] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Documents and Settings\Matt\Desktop\gmer\gmer.exe[3568] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Matt\Desktop\gmer\gmer.exe[3568] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Matt\Desktop\gmer\gmer.exe[3568] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Matt\Desktop\gmer\gmer.exe[3568] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 0E, 98 ]
.text C:\Documents and Settings\Matt\Desktop\gmer\gmer.exe[3568] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Matt\Desktop\gmer\gmer.exe[3568] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Matt\Desktop\gmer\gmer.exe[3568] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Matt\Desktop\gmer\gmer.exe[3568] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Matt\Desktop\gmer\gmer.exe[3568] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3824] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 003C5060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3824] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3824] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 05, 5F ]
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3824] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3824] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3824] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3824] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3824] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 003C4F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3824] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3824] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3824] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 003C1860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3824] GDI32.dll!CreateDCA 77F1B249 5 Bytes JMP 003C1230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3824] GDI32.dll!CreateDCW 77F1BE89 2 Bytes JMP 003C13C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3824] GDI32.dll!CreateDCW + 3 77F1BE8C 2 Bytes [ 4A, 88 ]
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3824] USER32.dll!EndTask 7E459E75 5 Bytes JMP 003C4C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3824] USER32.dll!mouse_event 7E466515 5 Bytes JMP 003C16D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3824] USER32.dll!keybd_event 7E466559 5 Bytes JMP 003C1550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3824] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 003C4960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3824] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 003C4AD0 C:\WINDOWS\system32\guard32.dll

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F773C06C] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F773C018] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F775E9AE] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F773C06C] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7725AD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7725C1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F7725B9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F7726748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F772661E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F773B29A] sptd.sys
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F75AF710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F75AF770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F75AF990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F75AF950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F75AF950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F75AF770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F75AF710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F75AF990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F75AF990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F75AF950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F75AF770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F75AF710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F75AF950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F75AF710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F75AF770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F75AF990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F75AF710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F75AF770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F75AF950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F75AF990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F75AF950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F75AF770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F75AF710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 867651E8
Device \FileSystem\Udfs \UdfsCdRom 86459790
Device \FileSystem\Udfs \UdfsDisk 86459790

AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)

Device \Driver\usbohci \Device\USBPDO-0 86544790
Device \Driver\usbohci \Device\USBPDO-1 86544790
Device \Driver\usbehci \Device\USBPDO-2 86536790

AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)

Device \Driver\PCI_NTPNP0486 \Device\00000049 sptd.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 867671E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 867671E8
Device \Driver\Cdrom \Device\CdRom0 86541790
Device \Driver\Ftdisk \Device\HarddiskVolume3 867671E8
Device \Driver\Cdrom \Device\CdRom1 86541790
Device \Driver\NetBT \Device\NetBT_Tcpip_{71FA4BBE-F784-4F04-B32E-E0088EA5DC89} 86455790
Device \Driver\Cdrom \Device\CdRom2 86541790
Device \Driver\Cdrom \Device\CdRom3 86541790
Device \Driver\NetBT \Device\NetBt_Wins_Export 86455790
Device \Driver\NetBT \Device\NetbiosSmb 86455790

AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)

Device \Driver\usbohci \Device\USBFDO-0 86544790
Device \Driver\usbohci \Device\USBFDO-1 86544790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86453790
Device \Driver\usbehci \Device\USBFDO-2 86536790
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86453790
Device \Driver\Ftdisk \Device\FtControl 867671E8
Device \Driver\a4oj4ukt \Device\Scsi\a4oj4ukt1Port1Path0Target0Lun0 864883F8
Device \Driver\a4oj4ukt \Device\Scsi\a4oj4ukt1Port1Path0Target2Lun0 864883F8
Device \Driver\a4oj4ukt \Device\Scsi\a4oj4ukt1 864883F8
Device \Driver\a4oj4ukt \Device\Scsi\a4oj4ukt1Port1Path0Target1Lun0 864883F8
Device \FileSystem\Cdfs \Cdfs 854D8790

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -1747002677
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -139549406
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x6A 0xE1 0x55 0x4B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0B 0x10 0x49 0xE5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x7E 0x1E 0xAB 0xB3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFA 0x81 0x40 0x3E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x75 0x5A 0x1A 0x9B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x7E 0x10 0x86 0xA0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x48 0x80 0x37 0xFA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x6A 0xE1 0x55 0x4B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0B 0x10 0x49 0xE5 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x7E 0x1E 0xAB 0xB3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFA 0x81 0x40 0x3E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x75 0x5A 0x1A 0x9B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x7E 0x10 0x86 0xA0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x48 0x80 0x37 0xFA ...

---- EOF - GMER 1.0.14 ----

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:21 AM

Posted 01 June 2008 - 01:57 PM

Hello there,

That's great! :thumbsup: Nothing screamed rootkit from Gmer. So it's all right now? Your last log looked good too. You can delete all the tools we used to get this far. Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Let me know. :)

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:21 AM

Posted 15 June 2008 - 03:02 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.