Hijack.Sound


32 replies to this topic

#1 Kanko
  • Members

Posted 02 March 2009 - 04:54 PM

Hi, I'm a returning user. I'm running on an HP Media Center Pavilion, Windows XP Professional SP3 computer, and I've been having trouble with something called Hijack.Sound which has kept reappearing in my scan results with Malwarebytes' Anti-Malware. I've updated Malwarebytes and have scanned and attempted a removal, but after a restart Hijack.Sound eventually just returns again. I find this an annoyance as it prevents some of my programs from properly starting up. I've done scans in both normal mode AND safe mode, yet none of these could remove Hijack.Sound. Honestly, even Spy Sweeper didn't find anything wrong when I scanned with that. On my computer I run Webroot's Spy Sweeper and the free editions of Malwarebytes and PC Tools' antispyware. I hope there's a fix to this. I'm running another quick scan with Malwarebytes right now.

EDIT1: I have completed my quick scan, clicked the remove button and restarted. I believe Hijack.Sound has come back again as in my previous scans. This time, however, after the restart I received an "explorer.exe application error", which highly worries me as well, as I thought these had stopped appearing a few days ago. I hope you can help with this too.

Edited by Kanko, 02 March 2009 - 05:31 PM.



#2 rigel
  • BC Advisor

Posted 02 March 2009 - 05:54 PM

Please rerun the update, rerun Malwarebytes in full mode, and post a fresh log. Thanks

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 Darkking711
  • Members

Posted 02 March 2009 - 07:17 PM

I'm not sure, but it's worth a try, as something similar happened to me. Log on to normal mode. Update MBAM. Before running a scan, disconnect your internet, then run a "full scan", remove it, then reboot and, still with the internet disabled, run the full scan one more time. If it's not there, then it's probably removed. Just to make sure, restart your computer after that scan, log in, "enable" the internet and run a "full scan" again. This virus might have been re-downloading itself, because the same thing happened to me. I would get a virus, remove it, and it would still be there after I ran scans.

#4 Kanko
  • Topic Starter
  • Members

Posted 02 March 2009 - 07:37 PM

Hi again, I've done as requested and have updated my MBAM again and ran a Full Scan. Here is my log; interestingly enough, it looks almost identical to a similar full scan I made 1 or 2 days ago in Windows safe mode. Apparently Hijack.Sound didn't seem to disappear from this scan as well. I'll be restarting my computer now. Here is my log from the scan just now:

Edit1: After the restart, I booted up and triggered the explorer.exe application error again, and to no avail, the same programs still won't start up, most likely due to Hijack.Sound, I believe. I stick to this idea because I had run a quick scan and removed Hijack.Sound a few days ago without a restart and my programs could start and run fine. Also, I found that the Trojan.Agent did reappear in this full scan as well; it appeared in a full scan earlier but never on quick scans.

Malwarebytes' Anti-Malware 1.34
Database version: 1814
Windows 5.1.2600 Service Pack 3

3/2/2009 7:34:20 PM
mbam-log-2009-03-02 (19-34-20).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 281405
Time elapsed: 1 hour(s), 37 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\HP_ADM~1\APPLIC~1\MACROM~1\Common\4b3fe0881.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\HP_ADM~1\APPLIC~1\MACROM~1\Common\4b3fe0881.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\HP_ADM~1\APPLIC~1\MACROM~1\Common\4b3fe0881.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\HP_ADM~1\APPLIC~1\MACROM~1\Common\4b3fe0881.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\HP_ADM~1\APPLIC~1\MACROM~1\Common\4b3fe0881.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\HP_ADM~1\APPLIC~1\MACROM~1\Common\4b3fe0881.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\HP_ADM~1\APPLIC~1\MACROM~1\Common\4b3fe0881.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\HP_ADM~1\APPLIC~1\MACROM~1\Common\4b3fe0881.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP3\A0000715.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Edited by Kanko, 02 March 2009 - 07:59 PM.


#5 rigel
  • BC Advisor

Posted 02 March 2009 - 08:43 PM

Let's try this...

Before running SDFix in safe mode, please disconnect from the internet.

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

After your restart, please rerun malwarebytes in Full mode.

Connect back to the internet and post both logs.


#6 extremeboy
  • Malware Response Team

Posted 02 March 2009 - 09:08 PM

Hello.

I just found the page regarding this infection. Worth a read if anyone is interested.

http://www.threatexpert.com/report.aspx?md...18646c99a562bec

Anyway, post the SDFix log and see if MBAM still picks it up. If so, we will try something else to reset those values back to default.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

#7 rigel
  • BC Advisor

Posted 02 March 2009 - 09:14 PM

Welcome aboard extremeboy!

Thanks for the reference.

Kanko, extremeboy is a member of our HJT team. Please follow his lead now, as we will both learn from this thread.


#8 Kanko
  • Topic Starter
  • Members

Posted 02 March 2009 - 10:28 PM

I am sorry for a late reply; however, I've been receiving an error with SDFix regarding an error in syntax or an incorrect volume, directory or something along those lines, if I can remember it vividly, while trying to finish the malware scan after the reboot. I'm trying to rerun SDFix from the start right now and editing my startup via msconfig, turning off my Spy Sweeper this time around (might have been a mistake to not try that first). I'll be sure to post the log and my MBAM log as soon as this works. Just asking right now, am I doing this correctly? I'm kind of worried I might be making a mistake in the SDFix part.

Edit 1 (10:45 EST): I continue to get the same error with SDFix on the second part after the reboot, which reads:

"The file name, directory name, or volume label syntax is incorrect."

Which is repeated for 3 lines in SDFix after the reboot, and it doesn't appear like SDFix is going to complete any time soon. I've made sure that I'm doing this in safe mode, where my live protection antispyware/virus program isn't running, on both start-ups before and after the reboot to run SDFix. I do not have a log at this time due to this error and the fact the second part is still running. I'm posting off a secondary computer as of right now with my infected computer still in the SDFix process.

Edit 2 (11:08 EST): It's been a while that I've let SDFix run, and I've come to the point where I believe it's not going to finish, as when I check my other computer's screen I still see the same 3 lines of error (stated above) and it doesn't appear to be showing a sign of finishing anytime soon. I would appreciate it if you both still continue to help me tomorrow, as I might have to turn in for the day very soon. I might try one more time to run SDFix before the day comes to a close. Good night.

Edit 3 (11:44): I have logs from SDFix only until the reboot, where it hangs after the errors with no sign of finishing. I've decided to leave it like this till tomorrow morning, when I'll just turn off the system and wait for the next reply in this thread tomorrow for further instruction. Thank you. If desired, I'll post the incomplete SDFix log tomorrow.

Edited by Kanko, 02 March 2009 - 11:45 PM.


#9 rigel
  • BC Advisor

Posted 03 March 2009 - 12:01 AM

Let's call it a night.

We can pick up with extremeboy tomorrow.


#10 extremeboy
  • Malware Response Team

Posted 03 March 2009 - 04:41 PM

Hello.

That was a tough night. Next time when you run into a problem like this, just stop the scan and let us know. We will usually have alternate instructions.

I just need to see something first. Please run the following batch script and back up your registry. I have seen this infection come with other nasty infections, and sometimes this included a backdoor infection. Please do the following:

Create and Run batch script
  • Please create and execute the following batch script.
  • Copy the following into a notepad (Start>Run>"notepad").
    @Echo off
    rem Dump the multimedia driver aliases (the key where the Hijack.Sound values live)
    Echo ------------------------HKLM\DRIVER32 Key ---------------------------- > C:\looking.txt
    reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32" >> C:\looking.txt
    
    rem Dump the machine-wide autostart entries
    Echo ----------------------- HKLM\RUN KEY ----------------------------------- >> C:\looking.txt
    reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" >> C:\looking.txt
    
    rem List the folder the hijacked aliases point into
    Echo ----------------------- DIR FOLDER -------------------------------------- >> C:\looking.txt
    Dir "%userprofile%\Application Data\Macromedia\Common" >> C:\looking.txt
    Notepad C:\looking.txt
    
    rem Self-delete has to be the last line; an Exit before it would stop it from ever running
    Del "%~f0"
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input peek.bat.
  • Hit OK.
When done properly, the file should have the .bat file icon.

Double click on peek.bat, and a black DOS window will appear and then Notepad will soon open. This is normal; please do not panic. Once it's complete, copy and paste the contents of Notepad in your next reply.

Note: If you closed notepad accidentally, it can also be found at C:\looking.txt

If the log is too big to post, attach it please.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also, do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important!: Please do not select the Show all checkbox during the scan.

Post/Attach both logs once they are complete.

With Regards,
Extremeboy
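The two registry checks in extremeboy's peek.bat are the crux of this thread. The Drivers32 key maps multimedia driver aliases to DLLs, and winmm.dll loads whatever DLL an alias such as wave1 or midi1 names into any process that initialises audio, which is why MBAM's log labels the eight values pointing at 4b3fe0881.dll as Hijack.Sound and why cleaning the file alone does not stop it from coming back while the registry values still name it. The script below is an added example, not part of this thread and not a BleepingComputer or Malwarebytes tool: it parses the kind of reg query output peek.bat writes to C:\looking.txt, flags Drivers32 values that look hijacked, and prints the reg add commands that put a flagged audio alias back to the "Good" value (wdmaud.drv) MBAM reported for those eight entries. The sample input is constructed from entries posted in this thread; the three heuristics (user-profile path, audio alias outside system32, generated-looking hex file name) are this example's own and go beyond the single case here; the function names are hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: a trimmed copy of the kind of "reg query" output that
# peek.bat writes to C:\looking.txt. The clean entries are standard XP multimedia
# drivers; wave1/midi1 mirror the hijacked values MBAM reported in this thread.
SAMPLE_REG_QUERY = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32
    midimapper    REG_SZ    midimap.dll
    wavemapper    REG_SZ    msacm32.drv
    msacm.iac2    REG_SZ    C:\WINDOWS\system32\iac25_32.ax
    wave    REG_SZ    wdmaud.drv
    midi    REG_SZ    wdmaud.drv
    mixer    REG_SZ    wdmaud.drv
    aux    REG_SZ    wdmaud.drv
    vidc.ffds    REG_SZ    C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
    wave1    REG_SZ    C:\DOCUME~1\HP_ADM~1\APPLIC~1\MACROM~1\Common\4b3fe0881.dll
    midi1    REG_SZ    C:\DOCUME~1\HP_ADM~1\APPLIC~1\MACROM~1\Common\4b3fe0881.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32\Terminal Server
"""

DRIVERS32_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"

# One "name  REG_TYPE  data" line as printed by reg.exe (tabs or spaces between columns).
ENTRY_RE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s+(?P<value>.*?)\s*$")
# wave/midi/mixer/aux with an optional instance number: the aliases winmm.dll
# resolves to user-mode audio driver DLLs and loads into processes that open audio.
AUDIO_ALIAS_RE = re.compile(r"^(wave|midi|mixer|aux)\d*$", re.IGNORECASE)
# Heuristic (this example's own): a driver DLL under a user profile is never a normal install.
PROFILE_DIR_RE = re.compile(
    r"\\(DOCUME~1|Documents and Settings|APPLIC~1|Application Data|Local Settings|Temp)\\",
    re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"^[A-Z]:\\WINDOWS\\system32\\", re.IGNORECASE)
# Heuristic (this example's own): a long all-hex file name such as 4b3fe0881.dll looks generated.
HEX_NAME_RE = re.compile(r"\\[0-9a-f]{8,}\.dll$", re.IGNORECASE)


def parse_reg_query(text: str) -> Dict[str, str]:
    """Return {value name: data} for every value line in reg query output."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and not m.group("name").upper().startswith("HKEY_"):
            values[m.group("name")] = m.group("value")
    return values


def suspicious_reasons(name: str, value: str) -> List[str]:
    """Why one Drivers32 value looks hijacked; an empty list means it looks normal."""
    reasons: List[str] = []
    if PROFILE_DIR_RE.search(value):
        reasons.append("driver DLL lives under a user profile directory")
    if AUDIO_ALIAS_RE.match(name) and "\\" in value and not SYSTEM_DIR_RE.match(value):
        reasons.append("audio alias points outside %SystemRoot%\\system32")
    if HEX_NAME_RE.search(value):
        reasons.append("generated-looking hex file name")
    return reasons


def find_hijacked_drivers32(text: str) -> List[Tuple[str, str, List[str]]]:
    """Parse reg query output and return (name, data, reasons) for each flagged value."""
    hits: List[Tuple[str, str, List[str]]] = []
    for name, value in parse_reg_query(text).items():
        reasons = suspicious_reasons(name, value)
        if reasons:
            hits.append((name, value, reasons))
    return hits


def reg_fix_commands(hits: List[Tuple[str, str, List[str]]], good: str = "wdmaud.drv") -> List[str]:
    """reg.exe commands that set each flagged audio alias back to the 'Good' value MBAM
    reported for them (wdmaud.drv). Any other flagged name gets a 'rem' line so a human
    reviews it instead of the script guessing. Run them from an administrative prompt."""
    cmds: List[str] = []
    for name, value, _reasons in hits:
        if AUDIO_ALIAS_RE.match(name):
            cmds.append(f'reg add "{DRIVERS32_KEY}" /v {name} /t REG_SZ /d {good} /f')
        else:
            cmds.append(f"rem review by hand: {name} = {value}")
    return cmds


if __name__ == "__main__":
    import sys
    # Pass a saved looking.txt as the first argument; otherwise the constructed sample is used.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_REG_QUERY
    hits = find_hijacked_drivers32(text)
    for name, value, reasons in hits:
        print(f"{name} -> {value}")
        for reason in reasons:
            print(f"    {reason}")
    print("\n".join(reg_fix_commands(hits)))
```

On the sample, wave1 and midi1 trip all three heuristics while the legitimate wdmaud.drv aliases, the system32 codec and the ffdshow codec under Program Files are left alone. Whether to restore wdmaud.drv as MBAM did or simply delete the extra numbered aliases is a judgement call; the example follows the MBAM log.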

#11 Kanko
  • Topic Starter
  • Members

Posted 03 March 2009 - 04:42 PM

Hi again, I'm back and ready for further instruction. Last night I left my computer on with SDFix running, and to no avail it did not finish. I started up my computer into normal mode just now, where SDFix ran automatically again. I decided to give it some time; however, I received the same error as the night before in safe mode, and it eventually, like last night, hung and didn't complete at all. I have a photo of the error on the desktop now, as I just got it from the normal mode boot. My programs still do not start up because of this problem. I will post anything I can offer if necessary.

Edit 1: Whoops, posted before me. I'll get started on the instructions above now.

Edited by Kanko, 03 March 2009 - 04:42 PM.


#12 extremeboy
  • Malware Response Team

Posted 03 March 2009 - 04:43 PM

Hello Kanko.

Seems our posts crossed. Follow the instructions above please, and post the logs once they are complete.

Thanks.

With Regards,
Extremeboy

#13 Kanko
  • Topic Starter
  • Members

Posted 03 March 2009 - 05:32 PM

As instructed, I ran both the .bat and GMER. I apologize greatly, as I couldn't find the way to insert attachments in this forum, so I have decided to simply copy and paste the logs here. Excuse my long post.
Here is my looking.txt log:
------------------------HKLM\DRIVER32 Key ----------------------------

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32
midimapper REG_SZ midimap.dll
msacm.imaadpcm REG_SZ imaadp32.acm
msacm.msadpcm REG_SZ msadp32.acm
msacm.msg711 REG_SZ msg711.acm
msacm.msgsm610 REG_SZ msgsm32.acm
msacm.trspch REG_SZ tssoft32.acm
vidc.cvid REG_SZ iccvid.dll
vidc.iv31 REG_SZ ir32_32.dll
vidc.iv32 REG_SZ ir32_32.dll
vidc.iv41 REG_SZ ir41_32.ax
VIDC.IYUV REG_SZ iyuv_32.dll
vidc.mrle REG_SZ msrle32.dll
vidc.msvc REG_SZ msvidc32.dll
VIDC.UYVY REG_SZ msyuv.dll
VIDC.YUY2 REG_SZ msyuv.dll
VIDC.YVU9 REG_SZ tsbyuv.dll
VIDC.YVYU REG_SZ msyuv.dll
wavemapper REG_SZ msacm32.drv
msacm.msg723 REG_SZ msg723.acm
vidc.M263 REG_SZ msh263.drv
vidc.M261 REG_SZ msh261.drv
msacm.msaudio1 REG_SZ msaud32.acm
msacm.sl_anet REG_SZ sl_anet.acm
msacm.iac2 REG_SZ C:\WINDOWS\system32\iac25_32.ax
vidc.iv50 REG_SZ ir50_32.dll
wave REG_SZ wdmaud.drv
midi REG_SZ wdmaud.drv
mixer REG_SZ wdmaud.drv
aux REG_SZ wdmaud.drv
MSVideo8 REG_SZ VfWWDM32.dll
vidc.LEAD REG_SZ LCODCCMP.DLL
vidc.divx REG_SZ divx.dll
vidc.xvid REG_SZ xvidvfw.dll
vidc.vp60 REG_SZ vp6vfw.dll
vidc.vp61 REG_SZ vp6vfw.dll
vidc.vp62 REG_SZ vp6vfw.dll
msacm.ac3acm REG_SZ AC3ACM.acm
msacm.at3 REG_SZ atrac3.acm
msacm.l3codec REG_SZ l3codecp.acm
vidc.ffds REG_SZ C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
msacm.divxa32 REG_SZ DivXa32.acm
msacm.l3acm REG_SZ L3codeca.acm
msacm.ac3filter REG_SZ ac3filter.acm
msacm.siren REG_SZ sirenacm.dll
msacm.lameacm REG_SZ LameACM.acm
wave1 REG_SZ C:\DOCUME~1\HP_ADM~1\APPLIC~1\MACROM~1\Common\4b3fe0881.dll
midi1 REG_SZ C:\DOCUME~1\HP_ADM~1\APPLIC~1\MACROM~1\Common\4b3fe0881.dll
mixer1 REG_SZ C:\DOCUME~1\HP_ADM~1\APPLIC~1\MACROM~1\Common\4b3fe0881.dll
aux1 REG_SZ C:\DOCUME~1\HP_ADM~1\APPLIC~1\MACROM~1\Common\4b3fe0881.dll
midi2 REG_SZ C:\DOCUME~1\HP_ADM~1\APPLIC~1\MACROM~1\Common\4b3fe0881.dll
wave2 REG_SZ C:\DOCUME~1\HP_ADM~1\APPLIC~1\MACROM~1\Common\4b3fe0881.dll
aux2 REG_SZ C:\DOCUME~1\HP_ADM~1\APPLIC~1\MACROM~1\Common\4b3fe0881.dll
mixer2 REG_SZ C:\DOCUME~1\HP_ADM~1\APPLIC~1\MACROM~1\Common\4b3fe0881.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32\Terminal Server
----------------------- HKLM\RUN KEY -----------------------------------

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TkBellExe REG_SZ "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SunJavaUpdateSched REG_SZ "C:\Program Files\Java\jre6\bin\jusched.exe"
RTHDCPL REG_SZ "C:\WINDOWS\RTHDCPL.EXE"
Reminder REG_SZ "C:\Windows\Creator\Remind_XP.exe"
PHIME2002ASync REG_SZ "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
PHIME2002A REG_SZ "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
PCTAVApp REG_SZ "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
PCDrProfiler REG_SZ
nwiz REG_SZ "nwiz.exe" /install
NvMediaCenter REG_SZ "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
NvCplDaemon REG_SZ "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
MSPY2002 REG_SZ "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
Kernel and Hardware Abstraction Layer REG_SZ "C:\WINDOWS\KHALMNPR.EXE"
IMJPMIG8.1 REG_SZ "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
IMEKRMIG6.1 REG_SZ "C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE"
IAAnotif REG_SZ "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
HPHUPD08 REG_SZ "c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
HPBootOp REG_SZ "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
HP Software Update REG_SZ "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
ehTray REG_SZ "C:\WINDOWS\ehome\ehtray.exe"
DISCover REG_SZ "C:\Program Files\DISC\DISCover.exe" nogui
SDFix REG_SZ "C:\SDFix\RunThis.bat" /second
SpySweeper REG_SZ "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
----------------------- DIR FOLDER --------------------------------------
Volume in drive C is HP_PAVILION
Volume Serial Number is D07A-DF6D

Directory of C:\Documents and Settings\HP_Administrator\Application Data\Macromedia\Common

02/28/2009 01:05 AM <DIR> .
02/28/2009 01:05 AM <DIR> ..
02/28/2009 09:17 AM 64,512 4b3fe0881.dll
1 File(s) 64,512 bytes
2 Dir(s) 93,911,404,544 bytes free

and Here is my Gmer.txt:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-03-03 17:18:14
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT 8AD1D990 ZwAllocateVirtualMemory
SSDT 8ADC74A0 ZwCreateKey
SSDT 8AD1DEB8 ZwCreateProcess
SSDT 8AD1DE40 ZwCreateProcessEx
SSDT 8AD1DC60 ZwCreateThread
SSDT 8AE0F450 ZwDeleteKey
SSDT 8AD1DF30 ZwDeleteValueKey
SSDT spej.sys ZwEnumerateKey [0xBA6C7CA2]
SSDT spej.sys ZwEnumerateValueKey [0xBA6C8030]
SSDT spej.sys ZwOpenKey [0xBA6AA0C0]
SSDT spej.sys ZwQueryKey [0xBA6C8108]
SSDT spej.sys ZwQueryValueKey [0xBA6C7F88]
SSDT 8AD1DA08 ZwQueueApcThread
SSDT 8AD1D8A0 ZwReadVirtualMemory
SSDT 8ADB90A8 ZwRenameKey
SSDT 8AD1DAF8 ZwSetContextThread
SSDT 8ADB3470 ZwSetInformationKey
SSDT 8AD1DD50 ZwSetInformationProcess
SSDT 8AD1DB70 ZwSetInformationThread
SSDT 8AD1DFA8 ZwSetValueKey
SSDT 8AD1DCD8 ZwSuspendProcess
SSDT 8AD1DA80 ZwSuspendThread
SSDT 8AD1DDC8 ZwTerminateProcess
SSDT 8AD1DBE8 ZwTerminateThread
SSDT 8AD1D918 ZwWriteVirtualMemory

INT 0x62 ? 8ADECBF8
INT 0x63 ? 8AE35BF8
INT 0x83 ? 8A359BF8
INT 0xA4 ? 8A359BF8
INT 0xB4 ? 8A359BF8

---- Kernel code sections - GMER 1.0.14 ----

? spej.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B81998AC 5 Bytes JMP 8A3591D8
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 B7EAB4D0 39 Bytes [ 20, FF, DE, 3E, D7, CC, DE, ... ]
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 28 B7EAB4F8 8 Bytes [ FA, FB, CF, 3C, E8, FC, A6, ... ]
? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[160] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 27, 84 ]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[160] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[160] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[160] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[200] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, E7, 84 ]
.text C:\Program Files\Java\jre6\bin\jqs.exe[200] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[200] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[200] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[244] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, EA, 83 ]
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[244] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[244] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[244] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[328] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 16, 84 ]
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[328] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[328] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[328] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\RUNDLL32.EXE[520] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 24, 84 ]
.text C:\WINDOWS\system32\RUNDLL32.EXE[520] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\RUNDLL32.EXE[520] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\RUNDLL32.EXE[520] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\RUNDLL32.EXE[520] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe[524] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 63, 88 ]
.text C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe[524] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe[524] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe[524] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\csrss.exe[732] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 34, 87 ]
.text C:\WINDOWS\system32\csrss.exe[732] KERNEL32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\csrss.exe[732] KERNEL32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\csrss.exe[732] KERNEL32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text D:\Nexon\Mabinogi\npkcmsvc.exe[736] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, BE, 83 ]
.text D:\Nexon\Mabinogi\npkcmsvc.exe[736] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text D:\Nexon\Mabinogi\npkcmsvc.exe[736] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text D:\Nexon\Mabinogi\npkcmsvc.exe[736] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\winlogon.exe[756] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, E9, 84 ]
.text C:\WINDOWS\system32\winlogon.exe[756] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\winlogon.exe[756] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, 8B, 02, 50, ... ]
.text C:\WINDOWS\system32\winlogon.exe[756] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\winlogon.exe[756] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\winlogon.exe[756] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, 8C, 02, 50 ]
.text C:\WINDOWS\system32\winlogon.exe[756] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, A5, 01, C3 ]
.text C:\WINDOWS\system32\winlogon.exe[756] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, FB, 01, 50, ... ]
.text C:\WINDOWS\system32\winlogon.exe[756] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes [ 58, 68, D1, A1, FB, 01, 50, ... ]
.text C:\WINDOWS\system32\winlogon.exe[756] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, FE, 01, 50, ... ]
.text C:\WINDOWS\system32\winlogon.exe[756] WS2_32.dll!send 71AB4C27 13 Bytes [ 58, 68, 27, 4C, D2, 01, 50, ... ]
.text C:\WINDOWS\system32\services.exe[800] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 7E, 84 ]
.text C:\WINDOWS\system32\services.exe[800] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\services.exe[800] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\services.exe[800] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\lsass.exe[812] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, E9, 84 ]
.text C:\WINDOWS\system32\lsass.exe[812] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\lsass.exe[812] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, A5, 00, 50, ... ]
.text C:\WINDOWS\system32\lsass.exe[812] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\lsass.exe[812] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\lsass.exe[812] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, A6, 00, 50 ]
.text C:\WINDOWS\system32\lsass.exe[812] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, 7C, 00, C3 ]
.text C:\WINDOWS\system32\lsass.exe[812] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, B6, 00, 50, ... ]
.text C:\WINDOWS\system32\lsass.exe[812] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes [ 58, 68, D1, A1, B6, 00, 50, ... ]
.text C:\WINDOWS\system32\lsass.exe[812] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, B9, 00, 50, ... ]
.text C:\WINDOWS\system32\lsass.exe[812] WS2_32.dll!send 71AB4C27 13 Bytes [ 58, 68, 27, 4C, 74, 00, 50, ... ]
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 1A, 86 ]
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateProcessW 7C802336 13 Bytes JMP A0685000
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, EB, 00, 50 ]
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, 88, 00, C3 ]
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, 02, 01, 50, ... ]
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes [ 58, 68, D1, A1, 02, 01, 50, ... ]
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, 05, 01, 50, ... ]
.text C:\WINDOWS\system32\svchost.exe[1000] WS2_32.dll!send 71AB4C27 13 Bytes [ 58, 68, 27, 4C, 6C, 00, 50, ... ]
.text C:\WINDOWS\system32\nvsvc32.exe[1036] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 19, 84 ]
.text C:\WINDOWS\system32\nvsvc32.exe[1036] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\nvsvc32.exe[1036] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, D9, 00, 50, ... ]
.text C:\WINDOWS\system32\nvsvc32.exe[1036] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\nvsvc32.exe[1036] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\nvsvc32.exe[1036] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, DA, 00, 50 ]
.text C:\WINDOWS\system32\nvsvc32.exe[1036] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, A4, 00, C3 ]
.text C:\WINDOWS\system32\nvsvc32.exe[1036] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes JMP 70685000
.text C:\WINDOWS\system32\nvsvc32.exe[1036] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes JMP 10685000
.text C:\WINDOWS\system32\nvsvc32.exe[1036] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, ED, 00, 50, ... ]
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 74, 84 ]
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, 09, 01, 50, ... ]
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, 0A, 01, 50 ]
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, 88, 00, C3 ]
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, 24, 01, 50, ... ]
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes [ 58, 68, D1, A1, 24, 01, 50, ... ]
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, 27, 01, 50, ... ]
.text C:\WINDOWS\system32\svchost.exe[1076] WS2_32.dll!send 71AB4C27 13 Bytes [ 58, 68, 27, 4C, F1, 00, 50, ... ]
.text C:\Program Files\DISC\DiscStreamHub.exe[1104] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 27, 84 ]
.text C:\Program Files\DISC\DiscStreamHub.exe[1104] KERNEL32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\DISC\DiscStreamHub.exe[1104] KERNEL32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\DISC\DiscStreamHub.exe[1104] KERNEL32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\DISC\DiscStreamHub.exe[1104] KERNEL32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe[1132] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, 7A, 01, 50, ... ]
.text C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe[1132] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, 7B, 01, 50 ]
.text C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe[1132] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, D8, 00, C3 ]
.text C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe[1132] WS2_32.dll!send 71AB4C27 13 Bytes [ 58, 68, 27, 4C, D5, 00, 50, ... ]
.text C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe[1132] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, 95, 01, 50, ... ]
.text C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe[1132] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes [ 58, 68, D1, A1, 95, 01, 50, ... ]
.text C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe[1132] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, 98, 01, 50, ... ]
.text C:\Program Files\DISC\DISCover.exe[1168] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 19, 85 ]
.text C:\Program Files\DISC\DISCover.exe[1168] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\DISC\DISCover.exe[1168] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, B6, 01, 50, ... ]
.text C:\Program Files\DISC\DISCover.exe[1168] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\DISC\DISCover.exe[1168] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\DISC\DISCover.exe[1168] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\DISC\DISCover.exe[1168] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, B7, 01, 50 ]
.text C:\Program Files\DISC\DISCover.exe[1168] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, 3D, 01, C3 ]
.text C:\Program Files\DISC\DISCover.exe[1168] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, AC, 01, 50, ... ]
.text C:\Program Files\DISC\DISCover.exe[1168] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes [ 58, 68, D1, A1, AC, 01, 50, ... ]
.text C:\Program Files\DISC\DISCover.exe[1168] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, AF, 01, 50, ... ]
.text C:\Program Files\DISC\DISCover.exe[1168] WININET.dll!HttpOpenRequestA 78064341 13 Bytes [ 58, 68, 41, 43, C7, 01, 50, ... ]
.text C:\Program Files\DISC\DISCover.exe[1168] WININET.dll!InternetConnectA 7806499A 13 Bytes [ 58, 68, 9A, 49, C7, 01, 50, ... ]
.text C:\Program Files\DISC\DISCover.exe[1168] WININET.dll!HttpOpenRequestW 78065D62 13 Bytes [ 58, 68, 62, 5D, C7, 01, 50, ... ]
.text C:\Program Files\DISC\DISCover.exe[1168] WININET.dll!InternetReadFile 7806ABB4 13 Bytes [ 58, 68, B4, AB, C7, 01, 50, ... ]
.text C:\Program Files\DISC\DISCover.exe[1168] WININET.dll!InternetQueryDataAvailable 7806ADF5 13 Bytes [ 58, 68, F5, AD, C7, 01, 50, ... ]
.text C:\Program Files\DISC\DISCover.exe[1168] WININET.dll!HttpSendRequestA 7806CD40 13 Bytes [ 58, 68, 40, CD, C7, 01, 50, ... ]
.text C:\Program Files\DISC\DISCover.exe[1168] WININET.dll!InternetWriteFile 78073645 13 Bytes [ 58, 68, 45, 36, C8, 01, 50, ... ]
.text C:\Program Files\DISC\DISCover.exe[1168] WININET.dll!CommitUrlCacheEntryA 7807FC0A 13 Bytes [ 58, 68, 0A, FC, C8, 01, 50, ... ]
.text C:\Program Files\DISC\DISCover.exe[1168] WININET.dll!HttpSendRequestW 78080825 13 Bytes [ 58, 68, 25, 08, C9, 01, 50, ... ]
.text C:\Program Files\DISC\DISCover.exe[1168] WININET.dll!InternetReadFileExW 78082AAA 13 Bytes [ 58, 68, AA, 2A, C9, 01, 50, ... ]
.text C:\Program Files\DISC\DISCover.exe[1168] WININET.dll!InternetReadFileExA 78082AE2 13 Bytes [ 58, 68, E2, 2A, C9, 01, 50, ... ]
.text C:\Program Files\DISC\DISCover.exe[1168] WININET.dll!CommitUrlCacheEntryW 78099910 13 Bytes [ 58, 68, 10, 99, CA, 01, 50, ... ]
.text C:\Program Files\DISC\DISCover.exe[1168] WININET.dll!InternetErrorDlg 780DC93B 13 Bytes [ 58, 68, 3B, C9, CE, 01, 50, ... ]
.text C:\Program Files\DISC\DISCover.exe[1168] WS2_32.dll!send 71AB4C27 13 Bytes [ 58, 68, 27, 4C, 9F, 01, 50, ... ]
.text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 72, 88 ]
.text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, E2, 00, 50, ... ]
.text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, E3, 00, 50 ]
.text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, 88, 00, C3 ]
.text C:\WINDOWS\System32\svchost.exe[1192] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, 02, 01, 50, ... ]
.text C:\WINDOWS\System32\svchost.exe[1192] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes [ 58, 68, D1, A1, 02, 01, 50, ... ]
.text C:\WINDOWS\System32\svchost.exe[1192] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, 05, 01, 50, ... ]
.text C:\WINDOWS\Explorer.EXE[1240] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, DB, 85 ]
.text C:\WINDOWS\Explorer.EXE[1240] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[1240] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, EE, 00, 50, ... ]
.text C:\WINDOWS\Explorer.EXE[1240] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[1240] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Explorer.EXE[1240] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, EF, 00, 50 ]
.text C:\WINDOWS\Explorer.EXE[1240] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, CD, 00, C3 ]
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 2A, 84 ]
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, B9, 00, 50, ... ]
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, BA, 00, 50 ]
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, 88, 00, C3 ]
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, D4, 00, 50, ... ]
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes [ 58, 68, D1, A1, D4, 00, 50, ... ]
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, D7, 00, 50, ... ]
.text C:\WINDOWS\system32\svchost.exe[1304] WS2_32.dll!send 71AB4C27 13 Bytes [ 58, 68, 27, 4C, A9, 00, 50, ... ]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[1332] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 26, 84 ]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[1332] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[1332] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[1332] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[1332] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe[1468] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 29, 84 ]
.text C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe[1468] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe[1468] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe[1468] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe[1468] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\conime.exe[1480] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 16, 84 ]
.text C:\WINDOWS\system32\conime.exe[1480] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\conime.exe[1480] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, D9, 00, 50, ... ]
.text C:\WINDOWS\system32\conime.exe[1480] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\conime.exe[1480] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\conime.exe[1480] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\conime.exe[1480] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, DA, 00, 50 ]
.text C:\WINDOWS\system32\conime.exe[1480] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, A0, 00, C3 ]
.text C:\WINDOWS\system32\conime.exe[1480] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, EE, 00, 50, ... ]
.text C:\WINDOWS\system32\conime.exe[1480] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes [ 58, 68, D1, A1, EE, 00, 50, ... ]
.text C:\WINDOWS\system32\conime.exe[1480] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, F1, 00, 50, ... ]
.text C:\WINDOWS\ehome\ehtray.exe[1496] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 35, 84 ]
.text C:\WINDOWS\ehome\ehtray.exe[1496] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\ehome\ehtray.exe[1496] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\ehome\ehtray.exe[1496] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\ehome\ehtray.exe[1496] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 0C, 84 ]
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, DE, 00, 50, ... ]
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, DF, 00, 50 ]
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, 88, 00, C3 ]
.text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, EF, 00, 50, ... ]
.text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes [ 58, 68, D1, A1, EF, 00, 50, ... ]
.text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, F2, 00, 50, ... ]
.text C:\WINDOWS\system32\svchost.exe[1520] WS2_32.dll!send 71AB4C27 13 Bytes [ 58, 68, 27, 4C, D0, 00, 50, ... ]
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1544] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 14, 84 ]
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1544] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1544] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1544] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1544] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 7C, 84 ]
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, 11, 01, 50, ... ]
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, 12, 01, 50 ]
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, 88, 00, C3 ]
.text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, 22, 01, 50, ... ]
.text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes [ 58, 68, D1, A1, 22, 01, 50, ... ]
.text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, 25, 01, 50, ... ]
.text C:\WINDOWS\system32\svchost.exe[1572] WS2_32.dll!send 71AB4C27 13 Bytes [ 58, 68, 27, 4C, FB, 00, 50, ... ]
.text C:\WINDOWS\system32\spoolsv.exe[1644] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 24, 85 ]
.text C:\WINDOWS\system32\spoolsv.exe[1644] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1644] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, D1, 00, 50, ... ]
.text C:\WINDOWS\system32\spoolsv.exe[1644] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\spoolsv.exe[1644] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1644] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, D2, 00, 50 ]
.text C:\WINDOWS\system32\spoolsv.exe[1644] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, A0, 00, C3 ]
.text C:\WINDOWS\system32\spoolsv.exe[1644] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, E2, 00, 50, ... ]
.text C:\WINDOWS\system32\spoolsv.exe[1644] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes [ 58, 68, D1, A1, E2, 00, 50, ... ]
.text C:\WINDOWS\system32\spoolsv.exe[1644] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, E5, 00, 50, ... ]
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[1732] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 22, 84 ]
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[1732] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[1732] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, A5, 01, 50, ... ]
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[1732] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[1732] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[1732] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[1732] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, A6, 01, 50 ]
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[1732] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, 56, 01, C3 ]
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[1732] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, A2, 02, 50, ... ]
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[1732] ADVAPI32.dll!CryptImportKey 77DEA1D1 4 Bytes [ 58, 68, D1, A1 ]
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[1732] ADVAPI32.dll!CryptImportKey + 5 77DEA1D6 8 Bytes [ 02, 50, 68, 10, 5D, 56, 01, ... ]
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[1732] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, A5, 02, 50, ... ]
.text C:\WINDOWS\system32\ctfmon.exe[1736] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 33, 84 ]
.text C:\WINDOWS\system32\ctfmon.exe[1736] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[1736] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, BD, 00, 50, ... ]
.text C:\WINDOWS\system32\ctfmon.exe[1736] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\ctfmon.exe[1736] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\ctfmon.exe[1736] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, BE, 00, 50 ]
.text C:\WINDOWS\system32\ctfmon.exe[1736] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, A7, 00, C3 ]
.text C:\WINDOWS\system32\ctfmon.exe[1736] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, CE, 00, 50, ... ]
.text C:\WINDOWS\system32\ctfmon.exe[1736] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes [ 58, 68, D1, A1, CE, 00, 50, ... ]
.text C:\WINDOWS\system32\ctfmon.exe[1736] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, D1, 00, 50, ... ]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1788] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 79, 84 ]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1788] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1788] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1788] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1820] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 8E, 84 ]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1820] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1820] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1820] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\eHome\ehRecvr.exe[1868] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, AF, 85 ]
.text C:\WINDOWS\eHome\ehRecvr.exe[1868] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\eHome\ehRecvr.exe[1868] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, DC, 00, 50, ... ]
.text C:\WINDOWS\eHome\ehRecvr.exe[1868] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\eHome\ehRecvr.exe[1868] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\eHome\ehRecvr.exe[1868] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, DD, 00, 50 ]
.text C:\WINDOWS\eHome\ehRecvr.exe[1868] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, A8, 00, C3 ]
.text C:\WINDOWS\eHome\ehRecvr.exe[1868] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, CE, 00, 50, ... ]
.text C:\WINDOWS\eHome\ehRecvr.exe[1868] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes [ 58, 68, D1, A1, CE, 00, 50, ... ]
.text C:\WINDOWS\eHome\ehRecvr.exe[1868] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, D1, 00, 50, ... ]
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[1920] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 21, 84 ]
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[1920] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[1920] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, 0B, 01, 50, ... ]
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[1920] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[1920] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[1920] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[1920] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, 0C, 01, 50 ]
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[1920] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, BC, 00, C3 ]
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[1920] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, 1C, 01, 50, ... ]
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[1920] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes [ 58, 68, D1, A1, 1C, 01, 50, ... ]
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[1920] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, 1F, 01, 50, ... ]
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 6D, 84 ]
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\eHome\ehmsas.exe[1992] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 14, 84 ]
.text C:\WINDOWS\eHome\ehmsas.exe[1992] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\eHome\ehmsas.exe[1992] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\eHome\ehmsas.exe[1992] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\eHome\ehmsas.exe[1992] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 8A, 84 ]
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, EB, 00, 50, ... ]
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] kernel32.dll!ExitProcess 7C81CAFA 4 Bytes [ 58, 68, FA, CA ]
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] kernel32.dll!ExitProcess + 5 7C81CAFF 2 Bytes [ 00, 50 ]
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, A1, 00, C3 ]
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] WS2_32.dll!send 71AB4C27 13 Bytes [ 58, 68, 27, 4C, E0, 00, 50, ... ]
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, 28, 01, 50, ... ]
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes [ 58, 68, D1, A1, 28, 01, 50, ... ]
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, 2B, 01, 50, ... ]
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] WININET.dll!HttpOpenRequestA 78064341 13 Bytes [ 58, 68, 41, 43, 1B, 01, 50, ... ]
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] WININET.dll!InternetConnectA 7806499A 13 Bytes [ 58, 68, 9A, 49, 1B, 01, 50, ... ]
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] WININET.dll!HttpOpenRequestW 78065D62 13 Bytes [ 58, 68, 62, 5D, 1B, 01, 50, ... ]
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] WININET.dll!InternetReadFile 7806ABB4 13 Bytes [ 58, 68, B4, AB, 1B, 01, 50, ... ]
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] WININET.dll!InternetQueryDataAvailable 7806ADF5 13 Bytes [ 58, 68, F5, AD, 1B, 01, 50, ... ]
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] WININET.dll!HttpSendRequestA 7806CD40 13 Bytes [ 58, 68, 40, CD, 1B, 01, 50, ... ]
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] WININET.dll!InternetWriteFile 78073645 13 Bytes [ 58, 68, 45, 36, 1C, 01, 50, ... ]
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] WININET.dll!CommitUrlCacheEntryA 7807FC0A 13 Bytes [ 58, 68, 0A, FC, 1C, 01, 50, ... ]
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] WININET.dll!HttpSendRequestW 78080825 13 Bytes [ 58, 68, 25, 08, 1D, 01, 50, ... ]
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] WININET.dll!InternetReadFileExW 78082AAA 13 Bytes [ 58, 68, AA, 2A, 1D, 01, 50, ... ]
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] WININET.dll!InternetReadFileExA 78082AE2 13 Bytes [ 58, 68, E2, 2A, 1D, 01, 50, ... ]
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] WININET.dll!CommitUrlCacheEntryW 78099910 13 Bytes [ 58, 68, 10, 99, 1E, 01, 50, ... ]
.text C:\Program Files\PacketiX VPN Client English\vpnclient.exe[2156] WININET.dll!InternetErrorDlg 780DC93B 13 Bytes [ 58, 68, 3B, C9, 22, 01, 50, ... ]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe[2272] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 23, 84 ]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe[2272] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe[2272] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe[2272] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe[2272] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 21, 84 ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, 17, 01, 50, ... ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, 18, 01, 50 ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, C6, 00, C3 ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, 35, 01, 50, ... ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes [ 58, 68, D1, A1, 35, 01, 50, ... ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, 38, 01, 50, ... ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] WS2_32.dll!send 71AB4C27 13 Bytes [ 58, 68, 27, 4C, 09, 01, 50, ... ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] WININET.dll!HttpOpenRequestA 78064341 13 Bytes [ 58, 68, 41, 43, 28, 01, 50, ... ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] WININET.dll!InternetConnectA 7806499A 13 Bytes [ 58, 68, 9A, 49, 28, 01, 50, ... ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] WININET.dll!HttpOpenRequestW 78065D62 13 Bytes [ 58, 68, 62, 5D, 28, 01, 50, ... ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] WININET.dll!InternetReadFile 7806ABB4 13 Bytes [ 58, 68, B4, AB, 28, 01, 50, ... ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] WININET.dll!InternetQueryDataAvailable 7806ADF5 13 Bytes [ 58, 68, F5, AD, 28, 01, 50, ... ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] WININET.dll!HttpSendRequestA 7806CD40 13 Bytes [ 58, 68, 40, CD, 28, 01, 50, ... ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] WININET.dll!InternetWriteFile 78073645 13 Bytes [ 58, 68, 45, 36, 29, 01, 50, ... ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] WININET.dll!CommitUrlCacheEntryA 7807FC0A 13 Bytes [ 58, 68, 0A, FC, 29, 01, 50, ... ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] WININET.dll!HttpSendRequestW 78080825 13 Bytes [ 58, 68, 25, 08, 2A, 01, 50, ... ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] WININET.dll!InternetReadFileExW 78082AAA 13 Bytes [ 58, 68, AA, 2A, 2A, 01, 50, ... ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] WININET.dll!InternetReadFileExA 78082AE2 13 Bytes [ 58, 68, E2, 2A, 2A, 01, 50, ... ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] WININET.dll!CommitUrlCacheEntryW 78099910 13 Bytes [ 58, 68, 10, 99, 2B, 01, 50, ... ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2480] WININET.dll!InternetErrorDlg 780DC93B 13 Bytes [ 58, 68, 3B, C9, 2F, 01, 50, ... ]
.text C:\WINDOWS\system32\wscntfy.exe[2528] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 16, 84 ]
.text C:\WINDOWS\system32\wscntfy.exe[2528] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wscntfy.exe[2528] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\wscntfy.exe[2528] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wscntfy.exe[2528] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[2548] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 26, 84 ]
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[2548] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[2548] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[2548] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[2548] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\svchost.exe[2588] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, ED, 83 ]
.text C:\WINDOWS\System32\svchost.exe[2588] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\svchost.exe[2588] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, 51, 01, 50, ... ]
.text C:\WINDOWS\System32\svchost.exe[2588] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\System32\svchost.exe[2588] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[2588] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\svchost.exe[2588] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, 52, 01, 50 ]
.text C:\WINDOWS\System32\svchost.exe[2588] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, 88, 00, C3 ]
.text C:\WINDOWS\System32\svchost.exe[2588] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, 62, 01, 50, ... ]
.text C:\WINDOWS\System32\svchost.exe[2588] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes [ 58, 68, D1, A1, 62, 01, 50, ... ]
.text C:\WINDOWS\System32\svchost.exe[2588] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, 65, 01, 50, ... ]
.text C:\WINDOWS\System32\svchost.exe[2588] WS2_32.dll!send 71AB4C27 13 Bytes [ 58, 68, 27, 4C, 6F, 00, 50, ... ]
.text C:\WINDOWS\System32\alg.exe[2620] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, F5, 83 ]
.text C:\WINDOWS\System32\alg.exe[2620] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\alg.exe[2620] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, B9, 00, 50, ... ]
.text C:\WINDOWS\System32\alg.exe[2620] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\System32\alg.exe[2620] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\alg.exe[2620] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\alg.exe[2620] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, BA, 00, 50 ]
.text C:\WINDOWS\System32\alg.exe[2620] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, 80, 00, C3 ]
.text C:\WINDOWS\System32\alg.exe[2620] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, CA, 00, 50, ... ]
.text C:\WINDOWS\System32\alg.exe[2620] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes [ 58, 68, D1, A1, CA, 00, 50, ... ]
.text C:\WINDOWS\System32\alg.exe[2620] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, CD, 00, 50, ... ]
.text C:\WINDOWS\System32\alg.exe[2620] WS2_32.dll!send 71AB4C27 13 Bytes [ 58, 68, 27, 4C, 77, 00, 50, ... ]
.text C:\Documents and Settings\HP_Administrator\Desktop\gmer.exe[2772] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 2C, 84 ]
.text C:\Documents and Settings\HP_Administrator\Desktop\gmer.exe[2772] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Documents and Settings\HP_Administrator\Desktop\gmer.exe[2772] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Documents and Settings\HP_Administrator\Desktop\gmer.exe[2772] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Documents and Settings\HP_Administrator\Desktop\gmer.exe[2772] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe[2792] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, BE, 84 ]
.text C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe[2792] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe[2792] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe[2792] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe[2792] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2940] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 26, 84 ]
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2940] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2940] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2940] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2940] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Logitech\SetPoint\SetPoint.exe[2956] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 30, 84 ]
.text C:\Program Files\Logitech\SetPoint\SetPoint.exe[2956] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Logitech\SetPoint\SetPoint.exe[2956] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Logitech\SetPoint\SetPoint.exe[2956] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Logitech\SetPoint\SetPoint.exe[2956] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\SearchIndexer.exe[3096] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 31, 84 ]
.text C:\WINDOWS\system32\SearchIndexer.exe[3096] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\SearchIndexer.exe[3096] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\SearchIndexer.exe[3096] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\SearchIndexer.exe[3096] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 01121B19 C:\WINDOWS\system32\mssrch.dll (mssrch.lib/Microsoft Corporation)
.text C:\WINDOWS\system32\SearchIndexer.exe[3096] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe[3212] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 52, 84 ]
.text C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe[3212] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe[3212] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, 4B, 01, 50, ... ]
.text C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe[3212] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe[3212] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe[3212] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe[3212] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, 4C, 01, 50 ]
.text C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe[3212] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, B9, 00, C3 ]
.text C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe[3212] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, 87, 01, 50, ... ]
.text C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe[3212] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes [ 58, 68, D1, A1, 87, 01, 50, ... ]
.text C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe[3212] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, 8A, 01, 50, ... ]
.text C:\WINDOWS\ehome\mcrdsvc.exe[3300] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, F2, 83 ]
.text C:\WINDOWS\ehome\mcrdsvc.exe[3300] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\ehome\mcrdsvc.exe[3300] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\ehome\mcrdsvc.exe[3300] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\ehome\mcrdsvc.exe[3300] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3348] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 01, 84 ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3348] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3348] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, C9, 00, 50, ... ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3348] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3348] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3348] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3348] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, CA, 00, 50 ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3348] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, 8C, 00, C3 ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3348] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, E4, 00, 50, ... ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3348] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes [ 58, 68, D1, A1, E4, 00, 50, ... ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3348] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, E7, 00, 50, ... ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3348] WS2_32.dll!send 71AB4C27 13 Bytes [ 58, 68, 27, 4C, B7, 00, 50, ... ]
.text C:\HP\KBD\KBD.EXE[3352] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 11, 84 ]
.text C:\HP\KBD\KBD.EXE[3352] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\HP\KBD\KBD.EXE[3352] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, F2, 01, 50, ... ]
.text C:\HP\KBD\KBD.EXE[3352] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\HP\KBD\KBD.EXE[3352] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\HP\KBD\KBD.EXE[3352] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\HP\KBD\KBD.EXE[3352] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, F3, 01, 50 ]
.text C:\HP\KBD\KBD.EXE[3352] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, 09, 01, C3 ]
.text C:\HP\KBD\KBD.EXE[3352] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, 13, 02, 50, ... ]
.text C:\HP\KBD\KBD.EXE[3352] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes [ 58, 68, D1, A1, 13, 02, 50, ... ]
.text C:\HP\KBD\KBD.EXE[3352] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, 16, 02, 50, ... ]
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3716] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 23, 84 ]
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3716] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3716] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3716] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3716] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 38, 84 ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] kernel32.dll!CreateProcessW 7C802336 13 Bytes JMP A0685001
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, EB, 01, 50 ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, AF, 00, C3 ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, 08, 02, 50, ... ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes [ 58, 68, D1, A1, 08, 02, 50, ... ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, 0B, 02, 50, ... ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] WININET.dll!HttpOpenRequestA 78064341 13 Bytes [ 58, 68, 41, 43, FB, 01, 50, ... ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] WININET.dll!InternetConnectA 7806499A 13 Bytes [ 58, 68, 9A, 49, FB, 01, 50, ... ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] WININET.dll!HttpOpenRequestW 78065D62 13 Bytes [ 58, 68, 62, 5D, FB, 01, 50, ... ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] WININET.dll!InternetReadFile 7806ABB4 13 Bytes [ 58, 68, B4, AB, FB, 01, 50, ... ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] WININET.dll!InternetQueryDataAvailable 7806ADF5 13 Bytes [ 58, 68, F5, AD, FB, 01, 50, ... ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] WININET.dll!HttpSendRequestA 7806CD40 13 Bytes [ 58, 68, 40, CD, FB, 01, 50, ... ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] WININET.dll!InternetWriteFile 78073645 13 Bytes [ 58, 68, 45, 36, FC, 01, 50, ... ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] WININET.dll!CommitUrlCacheEntryA 7807FC0A 13 Bytes [ 58, 68, 0A, FC, FC, 01, 50, ... ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] WININET.dll!HttpSendRequestW 78080825 13 Bytes [ 58, 68, 25, 08, FD, 01, 50, ... ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] WININET.dll!InternetReadFileExW 78082AAA 13 Bytes [ 58, 68, AA, 2A, FD, 01, 50, ... ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] WININET.dll!InternetReadFileExA 78082AE2 13 Bytes [ 58, 68, E2, 2A, FD, 01, 50, ... ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] WININET.dll!CommitUrlCacheEntryW 78099910 13 Bytes [ 58, 68, 10, 99, FE, 01, 50, ... ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] WININET.dll!InternetErrorDlg 780DC93B 13 Bytes [ 58, 68, 3B, C9, 02, 02, 50, ... ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[3848] ws2_32.dll!send 71AB4C27 13 Bytes [ 58, 68, 27, 4C, DC, 01, 50, ... ]
.text C:\WINDOWS\RTHDCPL.EXE[3876] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 54, 85 ]
.text C:\WINDOWS\RTHDCPL.EXE[3876] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\RTHDCPL.EXE[3876] kernel32.dll!CreateProcessW 7C802336 13 Bytes [ 58, 68, 36, 23, E6, 01, 50, ... ]
.text C:\WINDOWS\RTHDCPL.EXE[3876] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\RTHDCPL.EXE[3876] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\RTHDCPL.EXE[3876] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\RTHDCPL.EXE[3876] kernel32.dll!ExitProcess 7C81CAFA 7 Bytes [ 58, 68, FA, CA, E7, 01, 50 ]
.text C:\WINDOWS\RTHDCPL.EXE[3876] kernel32.dll!ExitProcess + 8 7C81CB02 5 Bytes [ C0, 5C, AC, 01, C3 ]
.text C:\WINDOWS\RTHDCPL.EXE[3876] ADVAPI32.dll!CryptDeriveKey 77DE9FDD 13 Bytes [ 58, 68, DD, 9F, F7, 01, 50, ... ]
.text C:\WINDOWS\RTHDCPL.EXE[3876] ADVAPI32.dll!CryptImportKey 77DEA1D1 13 Bytes [ 58, 68, D1, A1, F7, 01, 50, ... ]
.text C:\WINDOWS\RTHDCPL.EXE[3876] ADVAPI32.dll!CryptGenKey 77E117D9 13 Bytes [ 58, 68, D9, 17, FA, 01, 50, ... ]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6AB046] spej.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6AB142] spej.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6AB0C4] spej.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6AB7CE] spej.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6AB6A4] spej.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6B6D7A] spej.sys
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 8AD1D6C8
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 8AD1D7C0
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 8AD1D7C0
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 8AD1D6C8
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 8AD1D6C8
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 8AD1D7C0
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 8AD1D7C0
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 8AD1D6C8
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 8AD1D7C0
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 8AD1D6C8
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 8AD1D7C0
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 8AD1D7C0
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 8AD1D6C8

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8AE331F8

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Ntfs \Ntfs AVHook.sys (PC Tools Filter Driver for Windows 2000/XP/PC Tools Research Pty Ltd.)

Device \FileSystem\Fastfat \FatCdrom 89C47500
Device \Driver\Tcpip \Device\Ip 8A0286D8
Device \Driver\Tcpip \Device\Ip 89C8AC00
Device \Driver\Tcpip \Device\Ip 89FFB710
Device \Driver\Tcpip \Device\Ip 8A115C00

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 ELkbd.sys (Intel Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 ELkbd.sys (Intel Corporation)

Device \Driver\usbuhci \Device\USBPDO-0 8A3421F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8ADED1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8ADED1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8ADED1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8ADED1F8
Device \Driver\usbuhci \Device\USBPDO-1 8A3421F8
Device \Driver\usbuhci \Device\USBPDO-2 8A3421F8
Device \Driver\usbuhci \Device\USBPDO-3 8A3421F8
Device \Driver\usbstor \Device\000000a0 8A14A2D8
Device \Driver\usbehci \Device\USBPDO-4 8A3481F8
Device \Driver\Tcpip \Device\Tcp 8A0286D8
Device \Driver\Tcpip \Device\Tcp 89C8AC00
Device \Driver\Tcpip \Device\Tcp 89FFB710
Device \Driver\Tcpip \Device\Tcp 8A115C00
Device \Driver\usbstor \Device\000000a1 8A14A2D8
Device \Driver\usbstor \Device\000000a2 8A14A2D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AE361F8
Device \Driver\usbstor \Device\000000a3 8A14A2D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8AE361F8
Device \Driver\Cdrom \Device\CdRom0 8A2991F8
Device \Driver\usbstor \Device\000000a4 8A14A2D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8AE361F8
Device \Driver\Cdrom \Device\CdRom1 8A2991F8
Device \Driver\Cdrom \Device\CdRom2 8A2991F8
Device \Driver\PCI_PNP4748 \Device\00000067 spej.sys
Device \Driver\Cdrom \Device\CdRom3 8A2991F8
Device \Driver\Tcpip \Device\Udp 8A0286D8
Device \Driver\Tcpip \Device\Udp 89C8AC00
Device \Driver\Tcpip \Device\Udp 89FFB710
Device \Driver\Tcpip \Device\Udp 8A115C00
Device \Driver\Tcpip \Device\RawIp 8A0286D8
Device \Driver\Tcpip \Device\RawIp 89C8AC00
Device \Driver\Tcpip \Device\RawIp 89FFB710
Device \Driver\Tcpip \Device\RawIp 8A115C00
Device \Driver\usbuhci \Device\USBFDO-0 8A3421F8
Device \Driver\usbuhci \Device\USBFDO-1 8A3421F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89C4F1F8
Device \Driver\Tcpip \Device\IPMULTICAST 8A0286D8
Device \Driver\Tcpip \Device\IPMULTICAST 89C8AC00
Device \Driver\Tcpip \Device\IPMULTICAST 89FFB710
Device \Driver\Tcpip \Device\IPMULTICAST 8A115C00
Device \Driver\usbuhci \Device\USBFDO-2 8A3421F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89C4F1F8
Device \Driver\usbuhci \Device\USBFDO-3 8A3421F8
Device \Driver\usbehci \Device\USBFDO-4 8A3481F8
Device \Driver\Ftdisk \Device\FtControl 8AE361F8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target1Lun0 8A2721F8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 8A2721F8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 8A2721F8
Device \FileSystem\Fastfat \Fat 89C47500

AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 89ABB1F8

---- Services - GMER 1.0.14 ----

Service system32\drivers\UACnporifid.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xF3 0xBD 0x1D 0xC4 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB1 0x78 0x3D 0x42 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE0 0x3D 0x2E 0xDA ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x06 0xE5 0x70 0xAA ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xB9 0x78 0xF8 0x16 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xF3 0xBD 0x1D 0xC4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB1 0x78 0x3D 0x42 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE0 0x3D 0x2E 0xDA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xC2 0x33 0xCF 0x53 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xB9 0x78 0xF8 0x16 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xF3 0xBD 0x1D 0xC4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB1 0x78 0x3D 0x42 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE0 0x3D 0x2E 0xDA ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9E 0xAF 0x64 0x23 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x78 0x2F 0xC4 0x71 ...
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACnporifid.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACnporifid.sys

---- EOF - GMER 1.0.14 ----

I'll await further instruction then.
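As an added example (not code from this thread, from GMER, or from any of the posters), a small Python triage of the `Reg` lines in a GMER log like the one posted above: it groups entries by service and flags kernel drivers set to load at boot/system start, a driver file whose name does not match its service name, and module paths written through the `\\?\globalroot` device namespace instead of a normal drive path. The sample lines are copied from the posted log; the line-format assumptions are noted in the code.

```python
import re
from collections import defaultdict
# Constructed sample copied from the Reg lines of the GMER log posted above (added example, not the thread's own code).
GMER_SAMPLE = r"""
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACnporifid.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACnporifid.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACufjpbgdt.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
---- EOF - GMER 1.0.14 ----
"""
# Service key under any control set; group 1 is the service name.
SERVICE_KEY = re.compile(r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\Services\\([^\\]+)", re.I)

def parse_reg_line(line):
    """Split 'Reg <key>[@<value>] [<data>]' into (key, value, data); assumes no '@' in the key and no spaces in the value name."""
    if not line.startswith("Reg "):
        return None
    key, _, tail = line[4:].strip().partition("@")
    value, _, data = tail.partition(" ")
    return key, value or None, data.strip() or None

def triage_services(text):
    """Group Reg lines by service and return {service: [findings]} for drivers worth a closer look."""
    services = defaultdict(dict)
    for line in text.splitlines():
        parsed = parse_reg_line(line)
        m = SERVICE_KEY.match(parsed[0]) if parsed else None
        if not m:
            continue
        key, value, data = parsed
        if value and m.end() == len(key):                  # the service's own values (start, type, imagepath)
            services[m.group(1)][value.lower()] = data
        elif value and key.lower().endswith("\\modules"):  # per-module file list under <service>\modules
            services[m.group(1)].setdefault("modules", []).append(data)
    findings = {}
    for name, svc in services.items():
        notes = []
        if svc.get("type") == "1" and svc.get("start") in ("0", "1"):   # type 1 = kernel driver; start 0/1 = boot/system
            notes.append("kernel driver set to load at boot/system start")
        image_file = svc.get("imagepath", "").rsplit("\\", 1)[-1]
        if image_file and image_file.rsplit(".", 1)[0].lower() != name.rsplit(".", 1)[0].lower():
            notes.append(f"driver file {image_file} does not match service name")
        hidden = [p for p in svc.get("modules", []) if p.lower().startswith(r"\\?\globalroot")]
        if hidden:
            notes.append(f"{len(hidden)} module path(s) use the globalroot device namespace")
        if notes:
            findings[name] = notes
    return findings
```

The findings are triage hints for a reviewer, not verdicts: a legitimate driver can trip the name check, so each flagged service still needs its file checked.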

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:23 PM

Posted 03 March 2009 - 05:52 PM

Hello.

I apologize greatly as I couldn't find the way to insert attachments in this forum so I have decided to simply copy and paste the logs here. Excuse my long post.

No. I am sorry. I forgot that you cannot attach files in this forum. I apologize for any confusion. Sorry.

The rootkit infection is here again as always. Please be warned.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Tell me what you decide to do.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#15 Kanko

Kanko
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:11:23 AM

Posted 03 March 2009 - 06:04 PM

I would like to attempt to clean this machine. The problem I face right now is most likely the fact that I have some files (music, photos, videos) that I would like to back up before a reformat, but I do not own an extra hard drive to back them up to as of right now, which is why I would very much like to clean this PC. I had once tried doing a repair install of XP, which utterly failed as I received an error where it wouldn't recognize my drive, so that was out of the question. I would like you to continue to help me, as I recall I have done little to no banking in the past few days of the infection. So I ask that you continue to assist me in the removal of the trojan. I think after the removal I will find myself a new hard drive to back up my files and begin preparing for a reformat.



