I believe I have a keylogger...


  • This topic is locked
11 replies to this topic

#1 Arsenic181

  • Members
  • 5 posts

Posted 03 February 2009 - 09:51 PM

I was browsing the official World of Warcraft forums back in November or December or something and I clicked a link that someone told me was a keylogger. At the time I thought my virus protection program had gotten rid of it, but in the beginning of December my WoW account was stolen and then retrieved, and then was stolen again before the end of the month... So I took the steps required to retrieve it again and he tried to steal it again within an hour of being given back to me. So basically, I'm pretty damn sure I have a keylogger and this persistent S-O-B is annoying the crap out of me. I just downloaded a keyscrambler so he won't be able to read anything I type into Firefox, but that's really only a partial solution. Anyway, I just want to get rid of the damn thing. Any help would be GREATLY appreciated.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Nick at 21:22:09.75 on Tue 02/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2027 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\ehome\ehRec.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\My Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CurseClient] c:\program files\curse\CurseClient.exe -silent
uRun: [P2kAutostart]
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [IDTSysTrayApp] sttray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [UltraMon] "c:\program files\ultramon\UltraMon.exe" /auto
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\nick\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: Antiwpa - wpa.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: MCPClient - c:\program files\common files\stardock\mcpstub.dll
Notify: wvUoPHbx - wvUoPHbx.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - c:\program files\common files\stardock\MCPCore.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\xxywVmml

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-10-27 40840]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-17 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-17 26824]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-10-27 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-10-27 81288]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 213640]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-2-2 353680]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-17 231704]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-10-24 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-10-24 144704]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-10-27 356920]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-10-27 1079176]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2006-9-24 11776]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2009-2-3 113896]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-10-24 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-10-24 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-10-24 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-10-24 40552]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [2006-9-24 3584]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-10-24 34216]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-12-3 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-12-3 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-12-3 42112]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-12-3 23680]

=============== Created Last 30 ================

2009-02-03 21:09 <DIR> --d----- c:\program files\Trend Micro
2009-02-03 14:25 113,896 a------- c:\windows\system32\drivers\keyscrambler.sys
2009-02-03 14:25 <DIR> --d----- c:\program files\KeyScrambler
2009-02-03 00:18 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-03 00:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-02 16:14 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-02-02 16:11 1,221,008 a------- c:\windows\system32\zpeng25.dll
2009-02-02 16:11 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-02-02 16:11 <DIR> --d----- c:\program files\Zone Labs
2009-02-02 16:11 348,371 a------- c:\windows\system32\vsconfig.xml
2009-02-02 16:10 <DIR> --d----- c:\windows\Internet Logs
2009-02-01 21:20 <DIR> --d----- c:\windows\pss
2009-01-28 13:18 <DIR> --d----- c:\program files\FLAC
2009-01-26 19:55 <DIR> --d----- c:\program files\MP3Gain
2009-01-26 16:49 <DIR> --d----- c:\docume~1\nick\applic~1\SorensonMedia
2009-01-26 16:46 <DIR> --d----- c:\program files\Sorenson Media
2009-01-26 15:46 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motport_01005.Wdf
2009-01-26 15:46 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-01-26 15:45 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2009-01-26 15:45 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2009-01-26 15:35 <DIR> --d----- c:\program files\Motorola
2009-01-22 20:25 <DIR> --d----- C:\mywebsite
2009-01-22 00:55 <DIR> --d----- c:\program files\common files\Control Panels
2009-01-22 00:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ALM
2009-01-21 21:09 2,463,976 a------- c:\windows\system32\NPSWF32.dll
2009-01-21 21:09 190,696 a------- c:\windows\system32\NPSWF32_FlashUtil.exe
2009-01-21 20:47 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-01-17 18:59 13,646 a------- c:\windows\system32\wpa.bak
2009-01-17 04:00 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-17 03:20 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-17 03:20 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-17 03:20 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-17 03:20 <DIR> --d----- c:\program files\AVG
2009-01-17 03:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-16 19:36 76,924 a------- c:\windows\War3Unin.dat
2009-01-16 19:36 139,264 a------- c:\windows\War3Unin.exe
2009-01-16 19:36 2,829 a------- c:\windows\War3Unin.pif
2009-01-09 20:25 <DIR> --d----- c:\windows\system32\LogFiles

==================== Find3M ====================

2009-01-09 12:03 213,640 a------- c:\windows\system32\drivers\mfehidk.sys
2009-01-09 12:03 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-01-09 12:03 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-01-09 12:03 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-01-09 12:03 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-10 01:27 71,098 a------- c:\windows\hpqins01.dat
2008-12-09 22:45 112,923 a------- c:\windows\hpoins07.dat
2008-11-21 16:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 16:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 16:47 129,784 -------- c:\windows\system32\pxafs.dll
2008-11-21 16:47 120,056 -------- c:\windows\system32\pxcpyi64.exe
2008-11-21 16:47 118,520 -------- c:\windows\system32\pxinsi64.exe
2008-11-21 16:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 16:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 16:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 16:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll

============= FINISH: 21:23:51.03 ===============
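Two lines in the Pseudo HJT Report above are the ones a malware-removal helper reads first: the `LSA: Authentication Packages` entry and the `Notify:` (Winlogon Notify) DLLs, because both are loaded at boot without any user action. The following Python is an added example, not part of the thread or of the DDS tool: it parses those lines from an excerpt of the posted log and flags entries that deviate from a stock Windows XP baseline. The `msv1_0` baseline and the "bare DLL name not referenced elsewhere in the log" heuristic are the example's own assumptions; its output is a review list, not a verdict.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Two persistence locations a malware-removal helper reads first:
  * LSA 'Authentication Packages': anything beyond the Windows XP default
    msv1_0 is loaded into lsass.exe at boot and sees logon credentials.
  * Winlogon 'Notify' DLLs: a bare file name (no directory) is resolved via
    the system search path; one that no other line of the log accounts for
    deserves a manual look.
Findings mean "verify this", not "this is malware".
"""
import re
from dataclasses import dataclass

# Default LSA authentication package on Windows XP (assumption: stock install).
LSA_BASELINE = {"msv1_0"}

# Excerpt of the report posted in the thread (lines copied from the log above).
SAMPLE_LOG = """\
============== Pseudo HJT Report ===============

Notify: Antiwpa - wpa.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\\program files\\common files\\logishrd\\bluetooth\\LBTWlgn.dll
Notify: MCPClient - c:\\program files\\common files\\stardock\\mcpstub.dll
Notify: wvUoPHbx - wvUoPHbx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\\windows\\system32\\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\xxywVmml

=============== Created Last 30 ================

2009-01-17 18:59 13,646 a------- c:\\windows\\system32\\wpa.bak
2009-01-17 03:20 10,520 a------- c:\\windows\\system32\\avgrsstx.dll
"""

NOTIFY_RE = re.compile(r"^Notify:\s+(?P<name>\S+)\s+-\s+(?P<dll>.+?)\s*$")
LSA_RE = re.compile(r"^LSA:\s+Authentication Packages\s*=\s*(?P<pkgs>.+?)\s*$")


@dataclass(frozen=True)
class Finding:
    kind: str    # "lsa" or "notify"
    value: str   # the package or DLL that was flagged
    reason: str


def lsa_findings(lines):
    """Flag LSA authentication packages outside LSA_BASELINE.

    DDS separates packages with spaces; a package may be a bare name or a
    full path (assumption: paths in this field contain no spaces).
    """
    out = []
    for line in lines:
        m = LSA_RE.match(line)
        if not m:
            continue
        for pkg in m.group("pkgs").split():
            base = pkg.rsplit("\\", 1)[-1].lower()
            if base not in LSA_BASELINE:
                out.append(Finding("lsa", pkg,
                                   "non-default LSA authentication package"))
    return out


def notify_findings(lines):
    """Flag bare-name Winlogon Notify DLLs that no other log line mentions."""
    out = []
    for i, line in enumerate(lines):
        m = NOTIFY_RE.match(line)
        if not m:
            continue
        dll = m.group("dll")
        if "\\" in dll:
            continue          # full path given; check vendor/signature separately
        needle = dll.lower()
        referenced = any(needle in other.lower()
                         for j, other in enumerate(lines) if j != i)
        if not referenced:
            out.append(Finding("notify", dll,
                               "Winlogon Notify DLL loaded by bare name, "
                               "not listed anywhere else in the log"))
    return out


def triage(report_text):
    """Return all findings for one DDS log, LSA first, then Notify."""
    lines = report_text.splitlines()
    return lsa_findings(lines) + notify_findings(lines)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.value}: {f.reason}")
```

On the excerpt above the helper reports the non-default LSA package and the two bare-name Notify DLLs that nothing else in the log accounts for, while `avgrsstx.dll` passes because the Created Last 30 section lists it.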


#2 KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 17 February 2009 - 10:20 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 Arsenic181
  • Topic Starter

  • Members
  • 5 posts

Posted 17 February 2009 - 01:56 PM

My situation has not changed. I believe I still have the keylogger, but I've been crafty about putting in passwords... so nothing bad has really happened since my last post. But here's the DDS file:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Nick at 13:52:26.29 on Tue 02/17/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.1748 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\My Downloads\dds(2).scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CurseClient] c:\program files\curse\CurseClient.exe -silent
uRun: [P2kAutostart]
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [IDTSysTrayApp] sttray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [UltraMon] "c:\program files\ultramon\UltraMon.exe" /auto
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\nick\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: Antiwpa - wpa.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: MCPClient - c:\program files\common files\stardock\mcpstub.dll
Notify: wvUoPHbx - wvUoPHbx.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - c:\program files\common files\stardock\MCPCore.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\xxywVmml

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-10-27 40840]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-17 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-17 27656]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-10-27 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-10-27 81288]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 213640]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-2-2 353680]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-17 298264]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-10-24 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-10-24 144704]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-10-27 356920]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-10-27 1079176]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2006-9-24 11776]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2009-2-3 113896]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-10-24 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-10-24 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-10-24 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-10-24 34216]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-10-24 40552]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [2006-9-24 3584]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-12-3 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-12-3 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-12-3 42112]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-12-3 23680]

=============== Created Last 30 ================

2009-02-09 14:16 <DIR> --d----- c:\program files\RivaTuner v2.22
2009-02-03 21:09 <DIR> --d----- c:\program files\Trend Micro
2009-02-03 14:25 113,896 a------- c:\windows\system32\drivers\keyscrambler.sys
2009-02-03 14:25 <DIR> --d----- c:\program files\KeyScrambler
2009-02-03 00:18 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-03 00:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-02 16:14 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-02-02 16:11 1,221,008 a------- c:\windows\system32\zpeng25.dll
2009-02-02 16:11 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-02-02 16:11 <DIR> --d----- c:\program files\Zone Labs
2009-02-02 16:11 348,371 a------- c:\windows\system32\vsconfig.xml
2009-02-02 16:10 <DIR> --d----- c:\windows\Internet Logs
2009-02-01 21:20 <DIR> --d----- c:\windows\pss
2009-01-28 13:18 <DIR> --d----- c:\program files\FLAC
2009-01-26 19:55 <DIR> --d----- c:\program files\MP3Gain
2009-01-26 16:49 <DIR> --d----- c:\docume~1\nick\applic~1\SorensonMedia
2009-01-26 16:46 <DIR> --d----- c:\program files\Sorenson Media
2009-01-26 15:46 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motport_01005.Wdf
2009-01-26 15:46 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-01-26 15:45 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2009-01-26 15:45 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2009-01-26 15:35 <DIR> --d----- c:\program files\Motorola
2009-01-22 20:25 <DIR> --d----- C:\mywebsite
2009-01-22 00:55 <DIR> --d----- c:\program files\common files\Control Panels
2009-01-22 00:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ALM
2009-01-21 21:09 2,463,976 a------- c:\windows\system32\NPSWF32.dll
2009-01-21 21:09 190,696 a------- c:\windows\system32\NPSWF32_FlashUtil.exe
2009-01-21 20:47 <DIR> --d----- c:\program files\common files\Macrovision Shared

==================== Find3M ====================

2009-02-04 13:24 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-04 13:24 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-16 22:27 76,924 a------- c:\windows\War3Unin.dat
2009-01-16 20:00 139,264 a------- c:\windows\War3Unin.exe
2009-01-16 20:00 2,829 a------- c:\windows\War3Unin.pif
2009-01-09 12:03 213,640 a------- c:\windows\system32\drivers\mfehidk.sys
2009-01-09 12:03 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-01-09 12:03 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-01-09 12:03 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-01-09 12:03 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-10 01:27 71,098 a------- c:\windows\hpqins01.dat
2008-12-09 22:45 112,923 a------- c:\windows\hpoins07.dat
2008-11-21 16:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 16:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 16:47 129,784 -------- c:\windows\system32\pxafs.dll
2008-11-21 16:47 120,056 -------- c:\windows\system32\pxcpyi64.exe
2008-11-21 16:47 118,520 -------- c:\windows\system32\pxinsi64.exe
2008-11-21 16:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 16:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 16:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 16:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll

============= FINISH: 13:53:58.32 ===============

#4 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:03:54 AM

Posted 17 February 2009 - 02:04 PM

Hang on. A Tech is coming.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#5 Arsenic181

Arsenic181
  • Topic Starter

  • Members
  • 5 posts
  • Local time:02:54 AM

Posted 17 February 2009 - 02:06 PM

Thanks a bunch!

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:03:54 AM

Posted 17 February 2009 - 08:31 PM

Hello.

My name is Extremeboy (or EB for short), and I will be helping you with your log.

I see a few signs of vundo in your machine. There may not be any keyloggers but we will check for that.

Perform the following actions please.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important: Please do not select the Show all checkbox during the scan.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
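The helper's remark about signs of Vundo points at two lines in the DDS log posted above: a Winlogon Notify entry (`Notify: wvUoPHbx - wvUoPHbx.dll`) and an extra LSA authentication package (`LSA: Authentication Packages = msv1_0 c:\windows\system32\xxywVmml`). Both are persistence points that load a DLL into winlogon/lsass at logon, and both carry the random-looking eight-letter names that family was known for. The script below is an added example, not part of this thread and not code from DDS, MBAM or GMER, showing how a log reader can pick those entries out automatically. The sample lines are constructed to mirror the thread's log, and `EXPECTED_LSA_PACKAGES` assumes a default XP install with no third-party logon product.

```python
import re
from dataclasses import dataclass

# Added example (not from this thread or from DDS/MBAM/GMER): a small triage
# pass over the "Pseudo HJT" section of a DDS log that flags the two
# persistence points a Vundo-style infection typically abuses: a Winlogon
# Notify DLL and an extra LSA authentication package, both with random-looking
# eight-letter names and no vendor path.

# Constructed sample input. The entries mirror the Notify:/LSA: lines in the
# thread's DDS log so the heuristics can be checked against realistic data.
SAMPLE_LOG = r"""
Notify: Antiwpa - wpa.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: MCPClient - c:\program files\common files\stardock\mcpstub.dll
Notify: wvUoPHbx - wvUoPHbx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\xxywVmml
"""

# msv1_0 is the only authentication package on a default XP install; anything
# else listed needs an explanation. Assumption: no third-party logon products.
EXPECTED_LSA_PACKAGES = {"msv1_0"}

EIGHT_LETTERS = re.compile(r"^[A-Za-z]{8}$")


@dataclass
class Finding:
    kind: str      # which persistence point
    name: str      # module name without extension
    target: str    # the raw value from the log
    reason: str    # why it was flagged


def file_stem(path: str) -> str:
    """Last component of a Windows path, without its extension."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def looks_random(stem: str) -> bool:
    """Eight letters of mixed case, e.g. wvUoPHbx: the naming pattern the
    Vundo family used for its Notify and LSA components. A heuristic, so it
    is a reason to look closer, never a verdict on its own."""
    return bool(EIGHT_LETTERS.match(stem)) and not stem.islower() and not stem.isupper()


def triage(log_text: str) -> list:
    """Return the Notify:/LSA: entries worth a closer look, in log order."""
    findings = []
    for line in log_text.splitlines():
        if line.startswith("Notify: "):
            _label, _, target = line[len("Notify: "):].partition(" - ")
            stem = file_stem(target)
            # A bare file name is resolved from system32 at logon; together with
            # a random-looking name that is the classic pattern. Either trait
            # alone also matches legitimate entries (wpa.dll, avgrsstx.dll), so
            # both are required to keep the noise down.
            if "\\" not in target and looks_random(stem):
                findings.append(Finding("Winlogon Notify", stem, target,
                                        "random-looking name, no path"))
        elif line.startswith("LSA: Authentication Packages = "):
            for pkg in line.split("=", 1)[1].split():
                stem = file_stem(pkg)
                if stem not in EXPECTED_LSA_PACKAGES:
                    findings.append(Finding("LSA authentication package", stem, pkg,
                                            "not a default package"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.name}: {f.target} ({f.reason})")
```

Run against the sample it reports exactly the two entries named above. A flagged entry is a lead for the helper to confirm, which is why the next step in the thread is a full scan and a rootkit check rather than deleting files by hand: a component registered this way is loaded before the user's desktop and may be protected by a driver that a plain file deletion would not remove.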

#7 Arsenic181

Arsenic181
  • Topic Starter

  • Members
  • 5 posts
  • Local time:02:54 AM

Posted 19 February 2009 - 01:17 AM

Here's the DDS file contents:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Nick at 13:52:26.29 on Tue 02/17/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.1748 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\My Downloads\dds(2).scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CurseClient] c:\program files\curse\CurseClient.exe -silent
uRun: [P2kAutostart]
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [IDTSysTrayApp] sttray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [UltraMon] "c:\program files\ultramon\UltraMon.exe" /auto
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\nick\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: Antiwpa - wpa.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: MCPClient - c:\program files\common files\stardock\mcpstub.dll
Notify: wvUoPHbx - wvUoPHbx.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - c:\program files\common files\stardock\MCPCore.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\xxywVmml

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-10-27 40840]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-17 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-17 27656]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-10-27 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-10-27 81288]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 213640]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-2-2 353680]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-17 298264]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-10-24 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-10-24 144704]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-10-27 356920]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-10-27 1079176]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2006-9-24 11776]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2009-2-3 113896]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-10-24 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-10-24 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-10-24 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-10-24 34216]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-10-24 40552]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [2006-9-24 3584]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-12-3 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-12-3 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-12-3 42112]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-12-3 23680]

=============== Created Last 30 ================

2009-02-09 14:16 <DIR> --d----- c:\program files\RivaTuner v2.22
2009-02-03 21:09 <DIR> --d----- c:\program files\Trend Micro
2009-02-03 14:25 113,896 a------- c:\windows\system32\drivers\keyscrambler.sys
2009-02-03 14:25 <DIR> --d----- c:\program files\KeyScrambler
2009-02-03 00:18 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-03 00:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-02 16:14 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-02-02 16:11 1,221,008 a------- c:\windows\system32\zpeng25.dll
2009-02-02 16:11 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-02-02 16:11 <DIR> --d----- c:\program files\Zone Labs
2009-02-02 16:11 348,371 a------- c:\windows\system32\vsconfig.xml
2009-02-02 16:10 <DIR> --d----- c:\windows\Internet Logs
2009-02-01 21:20 <DIR> --d----- c:\windows\pss
2009-01-28 13:18 <DIR> --d----- c:\program files\FLAC
2009-01-26 19:55 <DIR> --d----- c:\program files\MP3Gain
2009-01-26 16:49 <DIR> --d----- c:\docume~1\nick\applic~1\SorensonMedia
2009-01-26 16:46 <DIR> --d----- c:\program files\Sorenson Media
2009-01-26 15:46 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motport_01005.Wdf
2009-01-26 15:46 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-01-26 15:45 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2009-01-26 15:45 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2009-01-26 15:35 <DIR> --d----- c:\program files\Motorola
2009-01-22 20:25 <DIR> --d----- C:\mywebsite
2009-01-22 00:55 <DIR> --d----- c:\program files\common files\Control Panels
2009-01-22 00:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ALM
2009-01-21 21:09 2,463,976 a------- c:\windows\system32\NPSWF32.dll
2009-01-21 21:09 190,696 a------- c:\windows\system32\NPSWF32_FlashUtil.exe
2009-01-21 20:47 <DIR> --d----- c:\program files\common files\Macrovision Shared

==================== Find3M ====================

2009-02-04 13:24 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-04 13:24 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-16 22:27 76,924 a------- c:\windows\War3Unin.dat
2009-01-16 20:00 139,264 a------- c:\windows\War3Unin.exe
2009-01-16 20:00 2,829 a------- c:\windows\War3Unin.pif
2009-01-09 12:03 213,640 a------- c:\windows\system32\drivers\mfehidk.sys
2009-01-09 12:03 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-01-09 12:03 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-01-09 12:03 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-01-09 12:03 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-10 01:27 71,098 a------- c:\windows\hpqins01.dat
2008-12-09 22:45 112,923 a------- c:\windows\hpoins07.dat
2008-11-21 16:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 16:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 16:47 129,784 -------- c:\windows\system32\pxafs.dll
2008-11-21 16:47 120,056 -------- c:\windows\system32\pxcpyi64.exe
2008-11-21 16:47 118,520 -------- c:\windows\system32\pxinsi64.exe
2008-11-21 16:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 16:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 16:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 16:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll

============= FINISH: 13:53:58.32 ===============


And here's the GMER file contents:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-19 01:12:44
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB6FD38D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB6FD06E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xB6FDD490]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB6FD3E90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xB6FDAC80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xB6FDAE90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xB6FDED50]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xB6FD3F80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB6FD0C70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xB6FDDD10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xB6FDDAC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xB6FDA600]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xB6FDE230]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB6FDE2B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB6FD0AD0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xB6FDC4F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xB6FDC2B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB6FDE970]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xB6FDE3D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xB6FD34F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xB6FDE7C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xB6FD3AA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB6FD0EA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xB6FDD800]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xB6FDB580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xB6FDB400]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0xB715C384]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB6E9A56C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB6E9A556]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB6E9A488]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB6E9A598]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB6E9A4B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB6E9A45C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB6E9A5D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB6E9A540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB6E9A52A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB6E9A434]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB6E9A420]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB6E9A582]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB6E9A49E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB6E9A472]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C7C 80504518 12 Bytes [ 90, 3E, FD, B6, 80, AC, FD, ... ]
.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B6E9A476 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP B6E9A48C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP B6E9A4A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP B6E9A460 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP B6E9A424 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP B6E9A438 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219CA 7 Bytes JMP B6E9A52E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622042 7 Bytes JMP B6E9A586 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228E0 7 Bytes JMP B6E9A544 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FD2 7 Bytes JMP B6E9A570 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062423C 7 Bytes JMP B6E9A55A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B64 5 Bytes JMP B6E9A4B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624E8A 7 Bytes JMP B6E9A5D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625958 5 Bytes JMP B6E9A59C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? srescan.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[192] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[192] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[192] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[192] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[192] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[192] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[192] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 16, 86 ]
.text c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe[340] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe[340] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe[340] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe[340] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe[340] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe[340] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe[340] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 2B, 86 ]
.text C:\Program Files\Google\Gmail Notifier\gnotify.exe[376] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Google\Gmail Notifier\gnotify.exe[376] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\Program Files\Google\Gmail Notifier\gnotify.exe[376] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Google\Gmail Notifier\gnotify.exe[376] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Google\Gmail Notifier\gnotify.exe[376] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Google\Gmail Notifier\gnotify.exe[376] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Google\Gmail Notifier\gnotify.exe[376] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 43, 84 ]
.text C:\Program Files\Google\Gmail Notifier\gnotify.exe[376] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[496] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[496] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[496] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[496] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[496] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[496] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[496] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 25, 86 ]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[496] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[496] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\csrss.exe[516] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[516] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\csrss.exe[516] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[516] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\csrss.exe[516] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[516] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\csrss.exe[516] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 9E, 84 ]
.text C:\WINDOWS\system32\winlogon.exe[540] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[540] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[540] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[540] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[540] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[540] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[540] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 48, 84 ]
.text C:\WINDOWS\system32\services.exe[584] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[584] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\services.exe[584] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[584] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\services.exe[584] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[584] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01140FEF
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01140F70
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01140F81
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0114005B
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 8B, 84 ]
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0114004A
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01140F9E
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01140F38
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01140F55
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01140F0C
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01140F1D
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 011400CA
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01140025
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01140FD4
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01140080
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01140014
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01140FC3
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 0114009B
.text C:\WINDOWS\system32\services.exe[584] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01130047
.text C:\WINDOWS\system32\services.exe[584] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01130FC0
.text C:\WINDOWS\system32\services.exe[584] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0113002C
.text C:\WINDOWS\system32\services.exe[584] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01130011
.text C:\WINDOWS\system32\services.exe[584] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0113007D
.text C:\WINDOWS\system32\services.exe[584] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01130000
.text C:\WINDOWS\system32\services.exe[584] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 01130FD1
.text C:\WINDOWS\system32\services.exe[584] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 33, 89 ]
.text C:\WINDOWS\system32\services.exe[584] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01130058
.text C:\WINDOWS\system32\services.exe[584] WS2_32.dll!socket 71AB4211 5 Bytes JMP 010D0FE5
.text C:\WINDOWS\system32\lsass.exe[596] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\lsass.exe[596] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\lsass.exe[596] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\lsass.exe[596] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\lsass.exe[596] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\lsass.exe[596] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E3000A
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E30F79
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E30F8A
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E3006E
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 85, 83 ]
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E30FA5
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E30051
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E300A6
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E30095
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E30F0D
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E30F32
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E30EFC
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E30FCA
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E3001B
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E30F68
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E30036
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E30FE5
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E30F43
.text C:\WINDOWS\system32\lsass.exe[596] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E20039
.text C:\WINDOWS\system32\lsass.exe[596] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E20080
.text C:\WINDOWS\system32\lsass.exe[596] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E20FDE
.text C:\WINDOWS\system32\lsass.exe[596] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E20014
.text C:\WINDOWS\system32\lsass.exe[596] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E20FC3
.text C:\WINDOWS\system32\lsass.exe[596] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\lsass.exe[596] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00E2006F
.text C:\WINDOWS\system32\lsass.exe[596] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E2004A
.text C:\WINDOWS\system32\lsass.exe[596] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00070000
.text C:\Program Files\Stardock\ObjectDock\ObjectDock.exe[640] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Stardock\ObjectDock\ObjectDock.exe[640] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\Program Files\Stardock\ObjectDock\ObjectDock.exe[640] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Stardock\ObjectDock\ObjectDock.exe[640] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Stardock\ObjectDock\ObjectDock.exe[640] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Stardock\ObjectDock\ObjectDock.exe[640] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Stardock\ObjectDock\ObjectDock.exe[640] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 55, 84 ]
.text C:\Program Files\Stardock\ObjectDock\ObjectDock.exe[640] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\svchost.exe[772] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[772] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[772] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[772] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[772] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[772] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[772] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[772] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0F41
.text C:\WINDOWS\system32\svchost.exe[772] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0036
.text C:\WINDOWS\system32\svchost.exe[772] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD0F68
.text C:\WINDOWS\system32\svchost.exe[772] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 69, 84 ]
.text C:\WINDOWS\system32\svchost.exe[772] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0F83
.text C:\WINDOWS\system32\svchost.exe[772] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD000A
.text C:\WINDOWS\system32\svchost.exe[772] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD0F02
.text C:\WINDOWS\system32\svchost.exe[772] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD0F1F
.text C:\WINDOWS\system32\svchost.exe[772] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD009B
.text C:\WINDOWS\system32\svchost.exe[772] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD0080
.text C:\WINDOWS\system32\svchost.exe[772] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00BD00AC
.text C:\WINDOWS\system32\svchost.exe[772] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00BD0025
.text C:\WINDOWS\system32\svchost.exe[772] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\system32\svchost.exe[772] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00BD0F30
.text C:\WINDOWS\system32\svchost.exe[772] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00BD0F9E
.text C:\WINDOWS\system32\svchost.exe[772] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00BD0FAF
.text C:\WINDOWS\system32\svchost.exe[772] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00BD0065
.text C:\WINDOWS\system32\svchost.exe[772] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00BC0036
.text C:\WINDOWS\system32\svchost.exe[772] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00BC0087
.text C:\WINDOWS\system32\svchost.exe[772] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00BC0FE5
.text C:\WINDOWS\system32\svchost.exe[772] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00BC0011
.text C:\WINDOWS\system32\svchost.exe[772] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00BC0076
.text C:\WINDOWS\system32\svchost.exe[772] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[772] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00BC0065
.text C:\WINDOWS\system32\svchost.exe[772] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00BC0FD4
.text C:\WINDOWS\system32\svchost.exe[772] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BA0000
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[824] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[824] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[824] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[824] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[824] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[824] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[824] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, E8, 85 ]
.text C:\WINDOWS\system32\svchost.exe[836] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[836] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[836] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[836] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[836] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[836] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D90FE5
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D9005B
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D9004A
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D9002F
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 7B, 84 ]
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D90F72
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D90F94
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D90093
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D90076
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D90F29
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D90F3A
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D90F0E
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D90F83
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D90FD4
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D90F55
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D9000A
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D90FB9
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D900B8
.text C:\WINDOWS\system32\svchost.exe[836] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00D8002C
.text C:\WINDOWS\system32\svchost.exe[836] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00D80F9B
.text C:\WINDOWS\system32\svchost.exe[836] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00D80FD1
.text C:\WINDOWS\system32\svchost.exe[836] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00D80011
.text C:\WINDOWS\system32\svchost.exe[836] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00D80058
.text C:\WINDOWS\system32\svchost.exe[836] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\svchost.exe[836] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00D8003D
.text C:\WINDOWS\system32\svchost.exe[836] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00D80FC0
.text C:\WINDOWS\system32\svchost.exe[836] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\System32\svchost.exe[876] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\System32\svchost.exe[876] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\System32\svchost.exe[876] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\System32\svchost.exe[876] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\System32\svchost.exe[876] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\System32\svchost.exe[876] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02CF0000
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02CF00B3
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02CF00A2
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02CF0091
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, CE, 85 ]
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02CF0FD4
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02CF0FE5
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02CF00F3
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02CF0FA1
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02CF0F50
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02CF0F6B
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 02CF0F35
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02CF0076
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02CF0025
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02CF00D8
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02CF005B
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 02CF0040
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 02CF0F86
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02CD0FDE
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02CD0054
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02CD0025
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02CD0014
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02CD0F97
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02CD0FEF
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02CD0FB2
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ ED, 8A ]
.text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02CD0FC3
.text C:\WINDOWS\System32\svchost.exe[876] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0275000A
.text C:\WINDOWS\System32\svchost.exe[876] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 02CE0FEF
.text C:\WINDOWS\System32\svchost.exe[876] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 02CE0000
.text C:\WINDOWS\System32\svchost.exe[876] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 02CE0FD4
.text C:\WINDOWS\System32\svchost.exe[876] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 02CE0FB9
.text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007B0FEF
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007B0F68
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007B005D
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007B0F79
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 28, 84 ]
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007B0F8A
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007B002C
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007B0089
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007B0F41
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007B0F15
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007B00AE
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 007B00BF
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 007B0FA5
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 007B000A
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 007B0078
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 007B0FC0
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 007B001B
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 007B0F26
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 007A0036
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 007A0F83
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 007A0FDB
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 007A001B
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 007A0F9E
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 007A000A
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 007A0FAF
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 9A, 88 ]
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 007A0FCA
.text C:\WINDOWS\system32\svchost.exe[932] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00780FE5
.text C:\WINDOWS\system32\svchost.exe[2572] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 013E00AC
.text C:\WINDOWS\system32\svchost.exe[2572] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 013D0036
.text C:\WINDOWS\system32\svchost.exe[2572] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 013D0062
.text C:\WINDOWS\system32\svchost.exe[2572] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 013D0025
.text C:\WINDOWS\system32\svchost.exe[2572] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 013D0014
.text C:\WINDOWS\system32\svchost.exe[2572] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 013D0051
.text C:\WINDOWS\system32\svchost.exe[2572] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 013D0FEF
.text C:\WINDOWS\system32\svchost.exe[2572] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 013D0FB9
.text C:\WINDOWS\system32\svchost.exe[2572] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 5D, 89 ]
.text C:\WINDOWS\system32\svchost.exe[2572] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 013D0FCA
.text C:\WINDOWS\system32\svchost.exe[2572] WS2_32.dll!socket 71AB4211 5 Bytes JMP 013B0FEF
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2664] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2664] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2664] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2664] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2664] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2664] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2664] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 0B, 84 ]
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2664] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\AIM\aim.exe[2676] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\AIM\aim.exe[2676] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\Program Files\AIM\aim.exe[2676] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\AIM\aim.exe[2676] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\Program Files\AIM\aim.exe[2676] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\AIM\aim.exe[2676] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\Program Files\AIM\aim.exe[2676] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 41, 84 ]
.text C:\Program Files\AIM\aim.exe[2676] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2916] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2916] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2916] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2916] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2916] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2916] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2916] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 74, 84 ]
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[2916] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[2944] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[2944] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[2944] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[2944] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[2944] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[2944] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[2944] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 55, 84 ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[2944] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[2972] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[2972] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[2972] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[2972] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[2972] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[2972] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[2972] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, FE, 83 ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[2972] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\stsystra.exe[3060] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\stsystra.exe[3060] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\stsystra.exe[3060] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\stsystra.exe[3060] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\stsystra.exe[3060] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\stsystra.exe[3060] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\stsystra.exe[3060] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 1A, 84 ]
.text C:\WINDOWS\stsystra.exe[3060] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Skype\Phone\Skype.exe[3412] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Skype\Phone\Skype.exe[3412] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\Program Files\Skype\Phone\Skype.exe[3412] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Skype\Phone\Skype.exe[3412] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Skype\Phone\Skype.exe[3412] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Skype\Phone\Skype.exe[3412] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Skype\Phone\Skype.exe[3412] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, B6, 85 ]
.text C:\Program Files\Skype\Phone\Skype.exe[3412] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Curse\CurseClient.exe[3444] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Curse\CurseClient.exe[3444] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\Program Files\Curse\CurseClient.exe[3444] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Curse\CurseClient.exe[3444] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Curse\CurseClient.exe[3444] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Curse\CurseClient.exe[3444] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Curse\CurseClient.exe[3444] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 7B, 84 ]
.text C:\Program Files\Curse\CurseClient.exe[3444] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\System32\alg.exe[3608] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\System32\alg.exe[3608] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\System32\alg.exe[3608] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\System32\alg.exe[3608] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\System32\alg.exe[3608] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\System32\alg.exe[3608] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\System32\alg.exe[3608] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, ED, 83 ]
.text C:\WINDOWS\System32\alg.exe[3608] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\iPod\bin\iPodService.exe[3632] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iPod\bin\iPodService.exe[3632] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\Program Files\iPod\bin\iPodService.exe[3632] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iPod\bin\iPodService.exe[3632] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\Program Files\iPod\bin\iPodService.exe[3632] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iPod\bin\iPodService.exe[3632] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\Program Files\iPod\bin\iPodService.exe[3632] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 0A, 84 ]
.text C:\Program Files\iPod\bin\iPodService.exe[3632] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3652] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3652] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3652] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3652] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3652] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3652] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3652] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 73, 84 ]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3652] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3980] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3980] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3980] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3980] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3980] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3980] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3980] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 18, 84 ]
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3980] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\ehome\ehtray.exe[4024] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\ehome\ehtray.exe[4024] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\ehome\ehtray.exe[4024] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\ehome\ehtray.exe[4024] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\ehome\ehtray.exe[4024] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\ehome\ehtray.exe[4024] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\ehome\ehtray.exe[4024] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 28, 84 ]
.text C:\WINDOWS\ehome\ehtray.exe[4024] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\RUNDLL32.EXE[4088] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\RUNDLL32.EXE[4088] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\RUNDLL32.EXE[4088] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\RUNDLL32.EXE[4088] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\RUNDLL32.EXE[4088] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\RUNDLL32.EXE[4088] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\RUNDLL32.EXE[4088] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 3E, 84 ]
.text C:\WINDOWS\system32\RUNDLL32.EXE[4088] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[4124] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[4124] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[4124] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[4124] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[4124] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[4124] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[4124] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 42, 84 ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[4124] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Documents and Settings\Nick\Desktop\gmer.exe[5384] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\Nick\Desktop\gmer.exe[5384] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 05, 5F ]
.text C:\Documents and Settings\Nick\Desktop\gmer.exe[5384] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\Nick\Desktop\gmer.exe[5384] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 0B, 5F ]
.text C:\Documents and Settings\Nick\Desktop\gmer.exe[5384] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\Nick\Desktop\gmer.exe[5384] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 0E, 5F ]
.text C:\Documents and Settings\Nick\Desktop\gmer.exe[5384] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, BB, 83 ]
.text C:\Documents and Settings\Nick\Desktop\gmer.exe[5384] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B6FD8410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B6FD8220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B6FD8B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B6FD6780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B6FD6780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B6FD8410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B6FD8220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B6FD8B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B6FD8410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B6FD6780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B6FD8B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B6FD8220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B6FD8B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B6FD8220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B6FD8410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B6FD6780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B6FD8410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B6FD8220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B6FD8B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B6FD8410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B6FD6780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B6FD8B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B6FD8220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.14 ----
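The GMER user-mode section above lists the same ntdll/kernel32 patches in every process, plus a handful of process-specific JMP hooks in two svchost instances. The script below is an added triage aid, not part of the original post and not GMER code: it parses those `.text` lines, groups them by hooked export and separates exports patched in every scanned process (the footprint a system-wide hooking product leaves) from exports patched in only some processes. The `SYSTEM_DLL_LOW` boundary and the function names are my own assumptions for 32-bit Windows XP.

```python
"""Triage helper for GMER user-mode inline-hook lines (added example).

Parses lines of the form
    .text <process>[<pid>] <module>!<export>[ + off] <addr> <n> Bytes <patch>
groups them by hooked export and flags which ones to look at first.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<export>[\w.]+![A-Za-z0-9_]+(?:\s\+\s[0-9A-Fa-f]+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+(?P<patch>.+?)\s*$"
)

# Assumption: on 32-bit XP the system DLLs seen in this log (ntdll, kernel32,
# ADVAPI32, WS2_32) are mapped at 0x71xxxxxx-0x7Fxxxxxx.  A JMP landing below
# this is trampoline code in privately allocated memory.  Security products
# and malware both allocate such trampolines, so the flag means "correlate
# with the module list", not "malicious".
SYSTEM_DLL_LOW = 0x70000000

# Constructed subset of the hook lines from the log above.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[2572] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[2572] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 013E0FE5
.text C:\WINDOWS\system32\svchost.exe[2572] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, EB, 84 ]
.text C:\WINDOWS\system32\svchost.exe[2572] WS2_32.dll!socket 71AB4211 5 Bytes JMP 013B0FEF
.text C:\Program Files\AIM\aim.exe[2676] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\AIM\aim.exe[2676] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 41, 84 ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[4124] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[4124] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 42, 84 ]
"""


@dataclass(frozen=True)
class Hook:
    process: str
    pid: int
    export: str    # e.g. "ntdll.dll!NtCreateSection + 4"
    address: int   # patched address inside the module
    nbytes: int
    patch: str     # "JMP 013E0FE5", "CALL C89FEDB5" or "[ FF, 25, 1E ]"

    def jmp_target(self):
        """Destination of a JMP/CALL patch as int, None for raw byte patches."""
        m = re.match(r"(?:JMP|CALL)\s+([0-9A-Fa-f]{8})$", self.patch)
        return int(m.group(1), 16) if m else None


def parse_hooks(text):
    """Return a Hook for every line that matches the GMER .text format."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(Hook(m["proc"], int(m["pid"]), m["export"],
                              int(m["addr"], 16), int(m["nbytes"]), m["patch"]))
    return hooks


def triage(hooks):
    """Group hooks by export; return {export: {pids, patches, coverage, flags}}."""
    all_pids = {h.pid for h in hooks}
    by_export = defaultdict(list)
    for h in hooks:
        by_export[h.export].append(h)
    report = {}
    for export, hs in by_export.items():
        pids = sorted({h.pid for h in hs})
        coverage = len(pids) / len(all_pids)
        # Same export patched in every process: the uniform footprint of a
        # product that injects into all processes (ZoneAlarm/McAfee here).
        flags = ["all-processes"] if coverage == 1.0 else ["process-specific"]
        targets = [t for t in (h.jmp_target() for h in hs) if t is not None]
        if any(t < SYSTEM_DLL_LOW for t in targets):
            flags.append("jmp-to-private-memory")
        report[export] = {"pids": pids, "patches": sorted({h.patch for h in hs}),
                          "coverage": coverage, "flags": flags}
    return report


def process_specific(report):
    """Exports hooked in only some processes, lowest coverage first."""
    return sorted((e for e, r in report.items() if "process-specific" in r["flags"]),
                  key=lambda e: (report[e]["coverage"], e))


if __name__ == "__main__":
    rep = triage(parse_hooks(SAMPLE_LOG))
    for export in process_specific(rep):
        r = rep[export]
        print(f"{export}: pids={r['pids']} flags={r['flags']} patches={r['patches']}")
```

Run against the full log to get the same split: the ntdll patches and `LoadLibraryExW + C4` / `FreeLibrary + 15` show up in every process, while the kernel32/ADVAPI32/WS2_32 JMP hooks are confined to svchost PIDs 2548 and 2572 and are the entries to check against the module list.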

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:54 AM

Posted 19 February 2009 - 04:56 PM

Hello.

Where is the MBAM Scan??

Also, I am very disappointed that you are using an illegal software crack used to bypass copy protection for Windows, from what I have seen in the logs.

Cracks and Key Generators Warning

Your system is full of "cracks and keygens"; this means you have used cracks or key generators.

Some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, these sites are infested with a smörgåsbord of malware. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling Windows.


Merely visiting such sites without downloading ANYTHING is one of the worst things a user can do online. They are illegal. Cracked software is notorious for carrying malware/infections. How do you think these people make their money... they aren't really giving you this software out of the goodness of their hearts.

I would like to see the MBAM scan before proceeding. Also, if after we clean you up you get re-infected because you are bypassing Windows and/or using crack/keygen programs, I can not provide any support after that. Please reply back letting me know you understand.

With Regards,
extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 Arsenic181

Arsenic181
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:54 AM

Posted 19 February 2009 - 07:59 PM

First, I assure you that my copy of Windows is legal. As for other software, I will not comment.

Second, I apologize for not including the MBAM log file in my previous post, here it is:

Malwarebytes' Anti-Malware 1.34
Database version: 1772
Windows 5.1.2600 Service Pack 3

2/17/2009 10:28:45 PM
mbam-log-2009-02-17 (22-28-45).txt

Scan type: Quick Scan
Objects scanned: 63509
Time elapsed: 8 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e9349597-6e81-47f3-b05d-469763764fb7} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\RECYCLER\ADAPT_Installer.exe (Heuristics.Malware) -> Quarantined and deleted successfully.

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:54 AM

Posted 19 February 2009 - 08:10 PM

Hello.

No need to apologize. The vundos didn't get removed by MBAM. We will use Combofix to remove them.

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

Post back with:
-Combofix log
-What problems do you still have?


With Regards,
Extremeboy

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:54 AM

Posted 22 February 2009 - 10:44 AM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:54 AM

Posted 24 February 2009 - 05:14 PM

Hello.

Due to Lack of feedback, this topic is now Closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy

