
Infected vista :(


  • This topic is locked
11 replies to this topic

#1 jonospoon

  • Members
  • 31 posts

Posted 18 April 2009 - 03:30 AM

Hey okes... I realise you guys are super busy with fixing people's computers... and although I can usually fix my own PC, this time it is different.
My PC runs almost fine, except it seems to lag a bit here and there, Windows Defender keeps coming up with "delete some or other file".. And I can't run ANY AV or malware removal programs...

I have tried running ComboFix; at first the .exe didn't respond at all, then when I renamed it combofxx.exe it opened but just hung.. Nothing happened for about 10 minutes. I can't open up my KAV, or Spybot S&D..

My internet connection seems to be unaffected, but when gaming it lags quite a lot.. This is not normal at all, as my PC is quite powerful, having a 9600GT and some other good stats.. Anyway, it would be greatly appreciated if you could help... :)


DDS log provided :thumbup2:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Jonathan (WORKING) at 10:09:58.36 on 2009-04-18
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.3070.1819 [GMT 2:00]

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\winupdates.exe
C:\Users\Jonathan (WORKING)\AppData\Roaming\pidle\pidle.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Users\Jonathan (WORKING)\AppData\Roaming\nettray.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Users\Jonathan (WORKING)\AppData\Roaming\svchost.exe"
C:\Users\Jonathan (WORKING)\AppData\Roaming\_a8c43f614d4babc1c97dcc802a3e9235\down\im000.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Jonathan (WORKING)\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.my-homepage.cn
uSearch Bar = hxxp://www.my-homepage.cn
mStart Page = hxxp://www.my-homepage.cn
mDefault_Page_URL = hxxp://www.my-homepage.cn
mDefault_Search_URL = hxxp://www.my-homepage.cn
mSearch Page = hxxp://www.my-homepage.cn
mSearch Bar = hxxp://www.my-homepage.cn
uInternet Settings,ProxyOverride = *.local
uCustomizeSearch = hxxp://www.my-homepage.cn
uSearchAssistant = hxxp://www.my-homepage.cn
mCustomizeSearch = hxxp://www.my-homepage.cn
mSearchAssistant = hxxp://www.my-homepage.cn
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Auslogics BoostSpeed 4] c:\program files\auslogics\auslogics boostspeed\boostspeed.exe
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [WinProx32_1] c:\users\jonathan (working)\appdata\roaming\psvrr.exe
uRun: [MS Windows Update] "c:\windows\system32\winupdates.exe"
uRun: [pidle] "c:\users\jonathan (working)\appdata\roaming\pidle\pidle.exe" 61A847B5BBF72813329D31466188719AB689201522886B092CBD44BD8689220221DD3257
uRun: [Windows Network Setup Manager] c:\users\jonathan (working)\appdata\roaming\nettray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [<NO NAME>]
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [WinProx32_1] c:\users\jonathan (working)\appdata\roaming\psvrr.exe
mRun: [Gregohaw] rundll32.exe "c:\windows\KBDapcle.dll",e
mRun: [*ctfmon32] "c:\users\jonathan (working)\appdata\roaming\svchost.exe"
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232653210437
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GR99D3~1.DLL
Notify: Antiwpa - antiwpa.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2008-7-9 20496]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-4-14 1153368]

=============== Created Last 30 ================

2009-04-18 09:19 <DIR> --d----- C:\ComboFxx
2009-04-18 09:19 338,944 a------- c:\windows\system32\CF9366.exe
2009-04-18 09:09 338,944 a------- c:\windows\system32\CF7622.exe
2009-04-18 09:09 338,944 a------- c:\windows\system32\CF7557.exe
2009-04-18 08:50 338,944 a------- c:\windows\system32\CF3814.exe
2009-04-18 08:34 30,720 a--shr-- c:\users\jonath~1\appdata\roaming\nettray.exe
2009-04-17 17:28 <DIR> --d----- c:\users\jonathan (working)\eee
2009-04-17 17:23 108,336 a------- c:\windows\system32\mswinsck.ocx
2009-04-17 17:23 167,936 a------- c:\windows\system32\winupdates.exe
2009-04-14 19:32 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-14 15:49 <DIR> --d----- c:\users\jonath~1\appdata\roaming\pidle
2009-04-14 15:49 465,874 a------- c:\users\jonath~1\appdata\roaming\psvrr.exe
2009-04-14 15:47 917,293 a------- c:\users\jonath~1\appdata\roaming\svchost.exe
2009-04-14 15:47 <DIR> --d----- c:\users\jonath~1\appdata\roaming\_a8c43f614d4babc1c97dcc802a3e9235
2009-04-14 15:29 171,136 a--shr-- C:\grldr
2009-04-14 15:28 32 a------- c:\users\jonath~1\appdata\roaming\__t.bin
2009-04-13 11:25 <DIR> --d----- c:\users\jonath~1\appdata\roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-04-09 14:02 0 a----r-- C:\logwmemory.bin
2009-04-09 07:48 <DIR> --d----- c:\program files\Microsoft Windows Vista Upgrade Advisor
2009-04-06 20:31 <DIR> --d----- c:\users\jonath~1\appdata\roaming\Microsoft Games
2009-04-06 18:13 <DIR> --d----- c:\program files\common files\Microsoft Games
2009-04-03 20:54 <DIR> --d----- c:\program files\VideoLAN
2009-04-01 10:08 <DIR> --ds---- c:\program files\HLSW
2009-04-01 10:08 <DIR> --d----- c:\users\jonath~1\appdata\roaming\HLSW
2009-03-31 20:59 <DIR> --d----- c:\program files\BitLocker
2009-03-31 20:45 233,888 a------- c:\windows\system32\DreamScene.dll
2009-03-31 20:41 711 a------- c:\windows\system32\CPSOKBTasks.xml
2009-03-31 20:41 1,171,848 a------- c:\windows\system32\SecureKeyBackupCPL.dll
2009-03-31 20:34 97,800 a------- c:\windows\system32\infocardapi.dll
2009-03-31 20:34 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-03-31 20:34 622,080 a------- c:\windows\system32\icardagt.exe
2009-03-31 20:34 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-03-31 20:34 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-03-31 20:34 11,264 a------- c:\windows\system32\icardres.dll
2009-03-31 20:34 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-03-31 20:34 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-03-31 20:27 96,760 a------- c:\windows\system32\dfshim.dll
2009-03-31 20:27 282,112 a------- c:\windows\system32\mscoree.dll
2009-03-31 20:26 41,984 a------- c:\windows\system32\netfxperf.dll
2009-03-31 20:26 158,720 a------- c:\windows\system32\mscorier.dll
2009-03-31 20:26 83,968 a------- c:\windows\system32\mscories.dll
2009-03-31 20:18 22,328 a------- c:\users\jonath~1\appdata\roaming\PnkBstrK.sys
2009-03-31 20:18 267 a------- c:\windows\game.ini
2009-03-31 19:36 <DIR> --dsh--- c:\windows\ftpcache
2009-03-31 15:26 827,392 a------- c:\windows\system32\wininet.dll
2009-03-31 15:26 1,383,424 a------- c:\windows\system32\mshtml.tlb
2009-03-31 15:05 12,240,896 a------- c:\windows\system32\NlsLexicons0007.dll
2009-03-31 15:05 2,644,480 a------- c:\windows\system32\NlsLexicons0009.dll
2009-03-31 15:05 801,280 a------- c:\windows\system32\NaturalLanguage6.dll
2009-03-31 15:02 988,216 a------- c:\windows\system32\winload.exe
2009-03-31 15:02 927,288 a------- c:\windows\system32\winresume.exe
2009-03-31 15:02 615,992 a------- c:\windows\system32\ci.dll
2009-03-31 15:02 19,000 a------- c:\windows\system32\kd1394.dll
2009-03-31 15:02 378,368 a------- c:\windows\system32\srcore.dll
2009-03-31 15:02 338,432 a------- c:\windows\system32\rstrui.exe
2009-03-31 15:02 46,592 a------- c:\windows\system32\setbcdlocale.dll
2009-03-31 15:02 40,960 a------- c:\windows\system32\srclient.dll
2009-03-31 15:02 14,848 a------- c:\windows\system32\srdelayed.exe
2009-03-31 15:02 6,656 a------- c:\windows\system32\kbd106n.dll
2009-03-31 14:46 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-03-31 14:46 891,448 a------- c:\windows\system32\drivers\tcpip.sys
2009-03-31 14:46 72,192 a------- c:\windows\system32\drivers\pacer.sys
2009-03-31 14:46 15,360 a------- c:\windows\system32\pacerprf.dll
2009-03-31 14:45 430,080 a------- c:\windows\system32\vbscript.dll
2009-03-31 14:45 180,224 a------- c:\windows\system32\scrobj.dll
2009-03-31 14:45 155,648 a------- c:\windows\system32\wscript.exe
2009-03-31 14:45 155,648 a------- c:\windows\system32\cscript.exe
2009-03-31 14:45 135,168 a------- c:\windows\system32\wshom.ocx
2009-03-31 14:45 90,112 a------- c:\windows\system32\wshext.dll
2009-03-31 14:45 172,032 a------- c:\windows\system32\scrrun.dll
2009-03-31 14:44 625,152 a------- c:\windows\system32\drivers\dxgkrnl.sys
2009-03-31 14:44 565,248 a------- c:\windows\system32\emdmgmt.dll
2009-03-31 14:44 148,480 a------- c:\windows\system32\drivers\nwifi.sys
2009-03-31 14:44 45,056 a------- c:\windows\system32\dataclen.dll
2009-03-31 14:44 36,864 a------- c:\windows\system32\cdd.dll
2009-03-31 14:44 885,248 a------- c:\windows\system32\RacEngn.dll
2009-03-31 14:44 9,127 a------- c:\windows\system32\RacUR.xml
2009-03-31 14:44 153 a------- c:\windows\system32\RacUREx.xml
2009-03-31 14:44 147,456 a------- c:\windows\system32\Faultrep.dll
2009-03-31 14:44 125,952 a------- c:\windows\system32\wersvc.dll
2009-03-31 14:43 468,992 a------- c:\windows\system32\newdev.dll
2009-03-31 14:43 74,752 a------- c:\windows\system32\newdev.exe
2009-03-31 14:43 269,312 a------- c:\windows\system32\es.dll
2009-03-31 12:02 189,072 a------- c:\windows\system32\PnkBstrB.xtr
2009-03-30 15:50 <DIR> --d----- c:\programdata\Ubisoft
2009-03-30 10:14 <DIR> --d----- c:\windows\system32\RTCOM
2009-03-30 10:11 1,773,568 a------- c:\windows\system32\WavesLib.dll
2009-03-30 10:11 1,847,296 a------- c:\windows\SkyTel.exe
2009-03-30 10:11 135,168 a------- c:\windows\system32\SRSWOW.dll
2009-03-30 10:11 1,216,512 a------- c:\windows\RtlUpd.exe
2009-03-30 10:11 185,776 a------- c:\windows\system32\SRSTSHD.dll
2009-03-30 10:11 167,936 a------- c:\windows\system32\SRSHP360.dll
2009-03-30 10:11 694,272 a------- c:\windows\system32\RtkPgExt.dll
2009-03-30 10:11 285,216 a------- c:\windows\system32\RtkApoApi.dll
2009-03-30 10:11 6,111,232 a------- c:\windows\RtHDVCpl.exe
2009-03-30 10:11 2,098,904 a------- c:\windows\system32\drivers\RTKVHDA.sys
2009-03-30 10:11 532,480 a------- c:\windows\system32\RTSndMgr.cpl
2009-03-30 10:10 1,929,216 a------- c:\windows\system32\MaxxAudioEQ.dll
2009-03-30 10:10 155,648 a------- c:\windows\system32\MaxxAudioAPO20.dll
2009-03-30 10:10 126,976 a------- c:\windows\system32\MaxxAudioAPO.dll
2009-03-30 10:10 140,288 a------- c:\windows\system32\FMAPO.dll
2009-03-30 10:10 <DIR> --d----- c:\program files\Realtek
2009-03-30 10:10 520,192 -----r-- c:\windows\RtlExUpd.dll
2009-03-29 10:07 101,287 a------- c:\windows\system32\drivers\klin.dat
2009-03-29 10:07 89,601 a------- c:\windows\system32\drivers\klick.dat
2009-03-29 10:06 17,515,040 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-29 10:06 1,105,952 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-03-29 10:06 144,204 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-29 10:06 10,100 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-03-29 10:06 <DIR> --d----- c:\program files\Kaspersky Lab
2009-03-28 12:08 <DIR> --d----- c:\windows\pss
2009-03-28 12:02 <DIR> --d----- C:\Documents and Settings
2009-03-28 11:35 <DIR> --d----- c:\program files\CCleaner
2009-03-27 16:16 <DIR> --d----- c:\programdata\FLEXnet
2009-03-27 16:03 <DIR> --d----- c:\program files\common files\Control Panels
2009-03-27 16:00 <DIR> --d----- c:\programdata\ALM
2009-03-27 16:00 <DIR> --d----- c:\progra~2\ALM
2009-03-27 15:27 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-03-27 14:07 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-03-27 14:07 1,695,744 a------- c:\windows\system32\gameux.dll
2009-03-27 14:07 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-03-27 14:05 428,544 a------- c:\windows\system32\EncDec.dll
2009-03-27 14:05 293,376 a------- c:\windows\system32\psisdecd.dll
2009-03-27 14:05 217,088 a------- c:\windows\system32\psisrndr.ax
2009-03-27 14:05 80,896 a------- c:\windows\system32\MSNP.ax
2009-03-27 14:05 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-03-27 14:05 57,856 a------- c:\windows\system32\MSDvbNP.ax
2009-03-27 13:41 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-03-27 13:34 <DIR> --d----- c:\windows\NV12321296.TMP
2009-03-27 13:26 <DIR> --d----- c:\windows\NV32083212.TMP
2009-03-27 13:08 <DIR> --d----- C:\PerfLogs
2009-03-27 12:52 152,576 a------- c:\windows\system32\SPWizUI.dll
2009-03-27 12:52 47,560 a------- c:\windows\system32\SPReview.exe
2009-03-27 12:37 193,024 a------- c:\windows\system32\recdisc.exe
2009-03-27 12:37 6,656 a------- c:\windows\system32\sdspres.dll
2009-03-27 12:37 599,552 a------- c:\windows\system32\vsp1cln.exe
2009-03-27 12:35 2,061,824 a------- c:\windows\system32\mstscax.dll
2009-03-27 12:34 1,381,376 a------- c:\windows\system32\Query.dll
2009-03-27 12:33 882,176 a------- c:\windows\system32\IMJP10.IME
2009-03-27 12:29 44,032 a------- c:\windows\system32\cbsra.exe
2009-03-27 12:27 196,608 a------- c:\windows\SPInstall.etl
2009-03-27 12:24 <DIR> --d----- c:\programdata\NVIDIA
2009-03-27 11:09 61,440 a------- c:\windows\system32\winipsec.dll
2009-03-27 11:09 28,672 a------- c:\windows\system32\FwRemoteSvr.dll
2009-03-27 11:09 361,984 a------- c:\windows\system32\IPSECSVC.DLL
2009-03-27 11:09 272,896 a------- c:\windows\system32\polstore.dll
2009-03-27 11:09 1,820 a------- c:\windows\system32\rasctrnm.h
2009-03-27 11:08 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2009-03-27 11:08 160,768 a------- c:\windows\system32\PortableDeviceTypes.dll
2009-03-27 11:08 94,720 a------- c:\windows\system32\PortableDeviceClassExtension.dll
2009-03-27 11:05 296,960 a------- c:\windows\system32\gdi32.dll
2009-03-27 11:05 212,480 a------- c:\windows\system32\drivers\mrxsmb10.sys
2009-03-27 11:04 303,616 a------- c:\windows\system32\wmpeffects.dll
2009-03-27 11:04 1,191,936 a------- c:\windows\system32\msxml3.dll
2009-03-27 11:04 2,048 a------- c:\windows\system32\msxml3r.dll
2009-03-27 11:02 2,048 a------- c:\windows\system32\tzres.dll
2009-03-27 11:01 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-27 11:01 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-27 11:01 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-27 11:01 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-27 10:59 2,927,104 a------- c:\windows\explorer.exe
2009-03-27 10:56 425,472 a------- c:\windows\system32\PhotoMetadataHandler.dll
2009-03-27 10:56 712,704 a------- c:\windows\system32\WindowsCodecs.dll
2009-03-27 10:56 347,136 a------- c:\windows\system32\WindowsCodecsExt.dll
2009-03-27 10:56 443,392 a------- c:\windows\system32\win32spl.dll
2009-03-27 10:56 37,888 a------- c:\windows\system32\printcom.dll
2009-03-27 10:55 113,664 a------- c:\windows\system32\drivers\rmcast.sys
2009-03-27 10:55 14,848 a------- c:\windows\system32\wshrm.dll
2009-03-27 10:55 678,408 a------- c:\windows\system32\gpprefcl.dll
2009-03-27 10:54 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-03-27 10:54 268,288 a------- c:\windows\system32\schannel.dll
2009-03-27 10:54 2,868,736 a------- c:\windows\system32\mf.dll
2009-03-27 10:54 98,816 a------- c:\windows\system32\mfps.dll
2009-03-27 10:54 53,248 a------- c:\windows\system32\rrinstaller.exe
2009-03-27 10:54 24,576 a------- c:\windows\system32\mfpmp.exe
2009-03-27 10:54 2,048 a------- c:\windows\system32\mferror.dll
2009-03-27 10:54 996,352 a------- c:\windows\system32\WMNetMgr.dll
2009-03-27 10:54 94,720 a------- c:\windows\system32\logagent.exe
2009-03-27 10:53 738,304 a------- c:\windows\system32\inetcomm.dll
2009-03-27 10:53 84,480 a------- c:\windows\system32\INETRES.dll
2009-03-27 10:52 1,645,568 a------- c:\windows\system32\connect.dll
2009-03-27 10:52 1,314,816 a------- c:\windows\system32\quartz.dll
2009-03-27 10:52 2,033,152 a------- c:\windows\system32\win32k.sys
2009-03-27 10:50 3,601,464 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-27 10:50 3,549,240 a------- c:\windows\system32\ntoskrnl.exe
2009-03-27 10:50 1,334,272 a------- c:\windows\system32\msxml6.dll
2009-03-27 10:50 2,048 a------- c:\windows\system32\msxml6r.dll
2009-03-27 10:45 110,624 a------- c:\windows\system32\drivers\nvstor32.sys
2009-03-27 10:44 1,040,544 a------- c:\windows\system32\drivers\nvmfdx32.sys
2009-03-27 10:44 203,264 a------- c:\windows\system32\fdco1ins.dll
2009-03-27 10:44 203,264 a------- c:\windows\system32\fdco1.dll
2009-03-27 10:39 319,456 a------- c:\windows\DIFxAPI.dll
2009-03-27 10:39 339,968 a------- c:\windows\system32\SRSTSXT.dll
2009-03-27 10:39 2,172,416 a------- c:\windows\system32\RtkAPO.dll
2009-03-27 10:39 31,232 a------- c:\windows\system32\RtkCoInst.dll
2009-03-27 04:43 <DIR> --d----- c:\windows\Panther
2009-03-27 04:42 353,280 a------- c:\windows\system32\idecoiins.dll
2009-03-27 04:42 353,280 a------- c:\windows\system32\idecoi.dll
2009-03-27 04:42 102,400 a------- c:\windows\system32\drivers\nvgts.sys
2009-03-27 04:42 24,592 a------- c:\windows\system32\drivers\klim5.sys
2009-03-27 04:42 862 a------- c:\windows\system32\termcap
2009-03-26 22:18 1,524,736 a------- c:\windows\system32\wucltux.dll
2009-03-26 22:18 83,456 a------- c:\windows\system32\wudriver.dll
2009-03-26 22:18 162,064 a------- c:\windows\system32\wuwebv.dll
2009-03-26 22:18 51,200 a------- c:\windows\system32\wuapp.exe
2009-03-26 19:21 408 a--shr-- C:\Boot.ini.saved
2009-03-26 19:19 22,216 a------- c:\windows\system32\emptyregdb.dat
2009-03-26 18:52 <DIR> --d----- c:\users\Jonathan (WORKING)
2009-03-26 18:49 54,016 a----r-- c:\windows\system32\drivers\NVENETFD.sys
2009-03-26 18:48 943,872 a----r-- c:\windows\system32\drivers\nvnrm.sys
2009-03-26 18:48 35,328 a----r-- c:\windows\system32\nvconrm.dll
2009-03-26 18:48 22,016 a----r-- c:\windows\system32\drivers\nvnetbus.sys
2009-03-26 18:48 9,216 a----r-- c:\windows\system32\bdco1ins.dll
2009-03-26 18:48 9,216 a----r-- c:\windows\system32\bdco1.dll
2009-03-26 18:47 4,032 a---h--- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2009-03-26 18:47 4,032 a---h--- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2009-03-26 18:25 8,192 a--s-r-- C:\BOOTSECT.BAK
2009-03-26 18:25 333,203 a--shr-- C:\bootmgr
2009-03-26 18:25 <DIR> --dsh--- C:\Boot
2009-03-26 13:40 <DIR> --d----- c:\programdata\Microsoft Corporation
2009-03-26 13:31 1,887 a------- c:\windows\diagwrn.xml
2009-03-26 13:31 1,887 a------- c:\windows\diagerr.xml

==================== Find3M ====================

2009-04-08 22:12 139,280 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-04-08 22:12 202,000 a------- c:\windows\system32\PnkBstrB.exe
2009-04-01 10:32 86,016 a------- c:\windows\inf\infstrng.dat
2009-04-01 10:32 51,200 a------- c:\windows\inf\infpub.dat
2009-04-01 10:31 86,016 a------- c:\windows\inf\infstor.dat
2009-03-31 20:40 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-03-31 18:35 665,600 a------- c:\windows\inf\drvindex.dat
2009-03-29 17:38 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-03-27 15:15 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-03-27 13:16 174 a--sh--- c:\program files\desktop.ini
2009-03-27 13:02 101,888 a------- c:\windows\system32\ifxcardm.dll
2009-03-27 13:02 82,432 a------- c:\windows\system32\axaltocm.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-05 17:42 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-02-21 16:34 389,120 a------- c:\windows\system32\CF23265.exe
2009-02-21 16:30 389,120 a------- c:\windows\system32\CF22383.exe
2009-02-21 16:28 389,120 a------- c:\windows\system32\CF21968.exe
2009-02-21 08:25 691,592 a------- c:\windows\system32\OGACheckControl.DLL
2009-02-16 23:17 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-02-11 16:20 389,120 a------- c:\windows\system32\CF17034.exe
2009-02-11 16:16 389,120 a------- c:\windows\system32\CF16368.exe
2009-01-19 19:37 81,984 a------- c:\windows\system32\bdod.bin
2006-11-02 14:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 14:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 14:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 14:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 11:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 11:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 11:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 11:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2004-10-01 15:00 61,440 a------- c:\program files\Uninstall_CDS.exe

============= FINISH: 10:13:41.73 ===============

Thank you so much for your help... Thanks in advance
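The Run entries, the process list and the "Created Last 30" list in the DDS log above are the parts a responder actually reads. As an added example (not part of the original post, and not code from DDS, ComboFix or any other tool named in this thread), the Python script below parses those three sections and flags entries that share the habits visible in this log: executables persisted from the user's AppData profile, Windows binary names (svchost.exe, ctfmon.exe) running outside %SystemRoot%\system32, autorun and process targets that also appear in the recently created file list, and dropped files carrying hidden/system attributes. The name set, the "user-writable" prefixes and the SAMPLE_LOG excerpt (trimmed from the log in this post) are assumptions of this example, not DDS conventions.

```python
"""Flag suspicious autoruns and processes in a DDS log.
Added example for this thread; not code from DDS, ComboFix or any tool named
in the post. Name set, directory prefixes and SAMPLE_LOG are my assumptions."""
import re

# Assumptions: names that on a healthy Vista box only run from %SystemRoot%\system32,
# and directory fragments that an unprivileged user can write to.
SYSTEM_ONLY = {"svchost.exe", "ctfmon.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
USER_WRITABLE = ("\\appdata\\", "\\users\\", "\\programdata\\", "\\temp\\")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
RUN_RE = re.compile(r"^([um])Run: \[([^\]]*)\]\s*(.*)$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?:<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.*)$")

def split_sections(text):
    """Group non-empty lines under the '=== Title ===' header that precedes them."""
    sections, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^=+\s*(.*?)\s*=+$", line)
        if header:
            current = sections.setdefault(header.group(1).lower(), [])
        elif current is not None and line.strip():
            current.append(line.rstrip())
    return sections

def run_target(cmd):
    """File a Run value or process line loads: quoted path, else the first
    .exe/.dll/.scr/.cpl token; for rundll32, the DLL named in its first argument."""
    cmd = cmd.strip()
    m = re.match(r'"([^"]+)"', cmd) or re.match(r"(.*?\.(?:exe|dll|scr|cpl))", cmd, re.I)
    if not m:
        return ""
    exe, rest = m.group(1), cmd[m.end():]
    if exe.lower().endswith("rundll32.exe"):
        dll = re.match(r'\s*"?([^",]+)', rest)
        if dll:
            return dll.group(1).strip()
    return exe

def path_key(path):
    """(parent dir, file name), lower-cased, so 8.3 names like jonath~1 in the
    created-files list still match the long paths used in Run entries."""
    parts = path.lower().split("\\")
    return (parts[-2] if len(parts) > 1 else ""), parts[-1]

def assess_path(path):
    """Static red flags for a single executable path."""
    low = path.lower()
    name = path_key(low)[1]
    reasons = []
    if any(d in low for d in USER_WRITABLE):
        reasons.append("runs from a user-writable location")
    if name in SYSTEM_ONLY and not any(d in low for d in SYSTEM_DIRS):
        reasons.append(f"{name} outside %SystemRoot%\\system32")
    return reasons

def flags(target, created):
    """assess_path plus a cross-reference against the 'Created Last 30' map."""
    reasons = assess_path(target)
    attrs = created.get(path_key(target))
    if attrs is not None:
        reasons.append("created within the last 30 days")
        if "h" in attrs or "s" in attrs:  # DDS attribute string, e.g. a--shr--
            reasons.append(f"hidden/system attributes on dropped file ({attrs})")
    return reasons

def triage(log_text):
    """Return (label, target, reasons) for each suspicious autorun and process."""
    sections = split_sections(log_text)
    created = {}  # (parent dir, file name) -> attribute string
    for line in sections.get("created last 30", []):
        m = CREATED_RE.match(line)
        if m and "<DIR>" not in line:
            created[path_key(m.group(3))] = m.group(2)
    findings = []
    for line in sections.get("pseudo hjt report", []):
        m = RUN_RE.match(line)
        target = run_target(m.group(3)) if m else ""
        if target and (reasons := flags(target, created)):
            findings.append((f"{m.group(1)}Run:{m.group(2)}", target, reasons))
    for line in sections.get("running processes", []):
        target = run_target(line)
        if target and (reasons := flags(target, created)):
            findings.append(("process", target, reasons))
    return findings

# Constructed excerpt, trimmed from the log posted above; not a complete DDS log.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\winupdates.exe
C:\Users\Jonathan (WORKING)\AppData\Roaming\pidle\pidle.exe
"C:\Users\Jonathan (WORKING)\AppData\Roaming\svchost.exe"
============== Pseudo HJT Report ===============
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MS Windows Update] "c:\windows\system32\winupdates.exe"
uRun: [Windows Network Setup Manager] c:\users\jonathan (working)\appdata\roaming\nettray.exe
mRun: [<NO NAME>]
mRun: [Gregohaw] rundll32.exe "c:\windows\KBDapcle.dll",e
mRun: [*ctfmon32] "c:\users\jonathan (working)\appdata\roaming\svchost.exe"
=============== Created Last 30 ================
2009-04-18 09:19 <DIR> --d----- C:\ComboFxx
2009-04-18 08:34 30,720 a--shr-- c:\users\jonath~1\appdata\roaming\nettray.exe
2009-04-17 17:23 167,936 a------- c:\windows\system32\winupdates.exe
2009-04-14 15:47 917,293 a------- c:\users\jonath~1\appdata\roaming\svchost.exe
"""

if __name__ == "__main__":
    for label, target, reasons in triage(SAMPLE_LOG):
        print(f"{label}: {target}  [{'; '.join(reasons)}]")
```

On the excerpt this reports [MS Windows Update], [Windows Network Setup Manager], [*ctfmon32] and the three processes started from AppData or dropped in the last 30 days, while the genuine ctfmon.exe under system32 passes. The [Gregohaw] rundll32 entry is not caught, because c:\windows\KBDapcle.dll sits under %SystemRoot% and does not appear in the created-files excerpt; that gap is the reason the recent-file cross-reference and a known-good list carry more weight than path heuristics on their own.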


#2 jonospoon

  • Topic Starter

  • Members
  • 31 posts

Posted 27 April 2009 - 09:44 AM

Ummmm... I know it says that you mustn't bump your post or whatever... But it's been 9 days since I first posted... Sorry if I seem rude or whatever, but the popups and crap are just getting worse... Every time I open Opera a new popup comes... Something about RegCure... A search engine pops up, and every time you search "virus" or "antivirus" all the links just go straight to RegCure...
I feel as if my PC is not the same anymore... Also yesterday my power supply blew... A 500 watt just blowing is not something that usually just happens.....
I bought a new 470 watt....
My PC has started to become very slow, and sometimes not responding at all...
My desktop has not been hijacked, nor has anything else, except opening almost all of my programs is almost impossible...
They all just "stop responding"... Therefore no gaming :thumbup2:

I still need your help, as running an antivirus program or even ComboFix is futile... All attempts to fix my PC have not worked... This is very alarming for me, as I can fix all of my friends' PCs with ease........

I believe that you have the expertise to help me as you have before (when I was ignorant).
It seems that Vista is a completely different ball game compared to XP in fixing viruses....

Thank you in advance...
Jonospoon

#3 extremeboy


  • Malware Response Team
  • 12,975 posts

Posted 03 May 2009 - 12:51 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
If you still require assistance post a new set of DDS Logs and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log please refer to this page and in step #6 there are instructions on downloading and running DDS. If you have any problems just let me know in your next reply or simply post a Hijackthis log.

Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#4 jonospoon

jonospoon
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Local time:03:33 PM

Posted 03 May 2009 - 01:20 PM

YAY!! A reply :thumbup2:
Thank goodness.. Like hell I still need your help :) :step4:

I can't run ANY antivirus software at all. No combofix, no Spybot, Mbam.. Half of my games also do not work. This is very disturbing. Also Internet Explorer does not work, and when it does it is EXTREMELY slow... I use Opera rather. Cannot update windows (vista). Luckily iTunes still works... Bitdefender still works but is useless anyway.. Have done multiple scans and it has found nothing. Also some new popup on taskbar saying "would you like to install windows radio and TV"... Obviously I didn't open it... Anyway your help would be VERY much appreciated. HJT had some problem while running... Said that another program was running, but nothing was. I checked in the processes and a process was taking a huge amount of my CPU power. Closed it

Here is new DDS log as required


DDS (Ver_09-03-16.01) - NTFSx86
Run by Jonathan (WORKING) at 20:13:47.61 on 2009-05-03
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.my-homepage.cn/
uSearch Bar = hxxp://www.my-homepage.cn/
mStart Page = hxxp://www.my-homepage.cn/
mDefault_Page_URL = hxxp://www.my-homepage.cn/
mDefault_Search_URL = hxxp://www.my-homepage.cn/
mSearch Page = hxxp://www.my-homepage.cn/
mSearch Bar = hxxp://www.my-homepage.cn/
uInternet Settings,ProxyOverride = *.local
uCustomizeSearch = hxxp://www.my-homepage.cn/
uSearchAssistant = hxxp://www.my-homepage.cn/
mCustomizeSearch = hxxp://www.my-homepage.cn/
mSearchAssistant = hxxp://www.my-homepage.cn/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Auslogics BoostSpeed 4] c:\program files\auslogics\auslogics boostspeed\boostspeed.exe
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [WinProx32_1] c:\users\jonathan (working)\appdata\roaming\psvrr.exe
uRun: [MS Windows Update] "c:\windows\system32\winupdates.exe"
uRun: [pidle] "c:\users\jonathan (working)\appdata\roaming\pidle\pidle.exe" 61A847B5BBF72813329D31466188719AB689201522886B092CBD44BD8689220221DD3257
uRun: [Windows Network Setup Manager] c:\users\jonathan (working)\appdata\roaming\sectray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [<NO NAME>]
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [WinProx32_1] c:\users\jonathan (working)\appdata\roaming\psvrr.exe
mRun: [Gregohaw] rundll32.exe "c:\windows\KBDapcle.dll",e
mRun: [*ctfmon32] "c:\users\jonathan (working)\appdata\roaming\svchost.exe"
mRun: [svchost.exe] "c:\windows\system32\3361\SVCHOST.exe"
mRun: [svchost.exe] "c:\windows\system32\3361\SVCHOST.exe"
mRunOnce: [svchost.exe] "c:\windows\system32\3361\SVCHOST.exe"
dRun: [svc] c:\program files\thunmail\testabd.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232653210437
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GR99D3~1.DLL
Notify: Antiwpa - antiwpa.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\thunmail\testabd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-05-03 15:56 <DIR> --d----- c:\program files\Trend Micro
2009-04-28 21:39 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-04-28 17:03 20,016 -------- c:\windows\system32\drivers\pxhelp20.sys
2009-04-28 17:03 1,233,920 a------- c:\windows\system32\msxml4.dll
2009-04-28 17:03 82,432 a------- c:\windows\system32\msxml4r.dll
2009-04-25 15:49 230,912 a------- c:\windows\system32\tpsaxyd.exe
2009-04-23 19:18 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-23 19:18 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 19:18 <DIR> --d----- c:\programdata\Malwarebytes
2009-04-23 19:18 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-23 19:18 <DIR> --d----- c:\progra~2\Malwarebytes
2009-04-23 18:30 <DIR> --dshr-- c:\program files\ThunMail
2009-04-22 08:23 231,424 a------- c:\windows\system32\w.exe
2009-04-22 08:23 36,864 a------- c:\windows\system32\dpcxool64.sys
2009-04-22 08:23 8 a------- c:\windows\system32\comsa32.sys
2009-04-22 08:23 <DIR> --d----- c:\windows\system32\3361
2009-04-22 08:23 <DIR> --d----- c:\windows\dhcp
2009-04-19 14:55 46,080 a--shr-- c:\users\jonath~1\appdata\roaming\sectray.exe
2009-04-18 18:06 <DIR> --d----- C:\ComboFxx(0)
2009-04-18 11:38 <DIR> --d----- C:\ComboFxx
2009-04-18 11:38 338,944 a------- c:\windows\system32\CF3954.exe
2009-04-18 09:19 338,944 a------- c:\windows\system32\CF9366.exe
2009-04-18 09:09 338,944 a------- c:\windows\system32\CF7622.exe
2009-04-18 09:09 338,944 a------- c:\windows\system32\CF7557.exe
2009-04-18 08:50 338,944 a------- c:\windows\system32\CF3814.exe
2009-04-18 08:34 50,688 a--shr-- c:\users\jonath~1\appdata\roaming\nettray.exe
2009-04-17 17:23 108,336 a------- c:\windows\system32\mswinsck.ocx
2009-04-17 17:23 188,416 a------- c:\windows\system32\winupdates.exe
2009-04-14 19:32 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-14 15:49 <DIR> --d----- c:\users\jonath~1\appdata\roaming\pidle
2009-04-14 15:49 465,874 a------- c:\users\jonath~1\appdata\roaming\psvrr.exe
2009-04-14 15:47 917,293 a------- c:\users\jonath~1\appdata\roaming\svchost.exe
2009-04-14 15:47 <DIR> --d----- c:\users\jonath~1\appdata\roaming\_a8c43f614d4babc1c97dcc802a3e9235
2009-04-14 15:29 171,136 a--shr-- C:\grldr
2009-04-14 15:28 32 a------- c:\users\jonath~1\appdata\roaming\__t.bin
2009-04-13 11:25 <DIR> --d----- c:\users\jonath~1\appdata\roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-04-09 14:02 0 a----r-- C:\logwmemory.bin
2009-04-09 07:48 <DIR> --d----- c:\program files\Microsoft Windows Vista Upgrade Advisor
2009-04-06 20:31 <DIR> --d----- c:\users\jonath~1\appdata\roaming\Microsoft Games
2009-04-06 18:13 <DIR> --d----- c:\program files\common files\Microsoft Games
2009-04-03 20:54 <DIR> --d----- c:\program files\VideoLAN

==================== Find3M ====================

2009-04-30 20:58 17,515,040 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-30 20:58 1,105,952 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-04-30 20:58 144,204 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-30 20:58 10,100 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-04-08 22:12 139,280 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-04-08 22:12 202,000 a------- c:\windows\system32\PnkBstrB.exe
2009-04-01 10:32 86,016 a------- c:\windows\inf\infstrng.dat
2009-04-01 10:32 51,200 a------- c:\windows\inf\infpub.dat
2009-04-01 10:31 86,016 a------- c:\windows\inf\infstor.dat
2009-03-31 20:40 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-03-31 20:18 22,328 a------- c:\users\jonath~1\appdata\roaming\PnkBstrK.sys
2009-03-31 18:35 665,600 a------- c:\windows\inf\drvindex.dat
2009-03-30 10:11 319,456 a------- c:\windows\DIFxAPI.dll
2009-03-29 17:38 101,287 a------- c:\windows\system32\drivers\klin.dat
2009-03-29 17:38 89,601 a------- c:\windows\system32\drivers\klick.dat
2009-03-29 17:38 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-03-27 15:15 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-03-27 13:41 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-03-27 13:16 174 a--sh--- c:\program files\desktop.ini
2009-03-27 13:02 101,888 a------- c:\windows\system32\ifxcardm.dll
2009-03-27 13:02 82,432 a------- c:\windows\system32\axaltocm.dll
2009-03-27 12:27 152,576 a------- c:\windows\system32\SPWizUI.dll
2009-03-27 12:27 47,560 a------- c:\windows\system32\SPReview.exe
2009-03-27 11:09 61,440 a------- c:\windows\system32\winipsec.dll
2009-03-27 11:09 28,672 a------- c:\windows\system32\FwRemoteSvr.dll
2009-03-27 11:09 361,984 a------- c:\windows\system32\IPSECSVC.DLL
2009-03-27 11:09 272,896 a------- c:\windows\system32\polstore.dll
2009-03-27 11:08 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2009-03-27 11:08 160,768 a------- c:\windows\system32\PortableDeviceTypes.dll
2009-03-27 11:08 94,720 a------- c:\windows\system32\PortableDeviceClassExtension.dll
2009-03-27 11:05 296,960 a------- c:\windows\system32\gdi32.dll
2009-03-27 11:05 212,480 a------- c:\windows\system32\drivers\mrxsmb10.sys
2009-03-27 11:04 303,616 a------- c:\windows\system32\wmpeffects.dll
2009-03-27 11:04 1,191,936 a------- c:\windows\system32\msxml3.dll
2009-03-27 11:04 2,048 a------- c:\windows\system32\msxml3r.dll
2009-03-27 11:02 2,048 a------- c:\windows\system32\tzres.dll
2009-03-27 11:01 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-27 11:01 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-27 11:01 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-27 10:59 2,927,104 a------- c:\windows\explorer.exe
2009-03-27 10:56 425,472 a------- c:\windows\system32\PhotoMetadataHandler.dll
2009-03-27 10:56 712,704 a------- c:\windows\system32\WindowsCodecs.dll
2009-03-27 10:56 347,136 a------- c:\windows\system32\WindowsCodecsExt.dll
2009-03-27 10:56 443,392 a------- c:\windows\system32\win32spl.dll
2009-03-27 10:56 37,888 a------- c:\windows\system32\printcom.dll
2009-03-27 10:55 113,664 a------- c:\windows\system32\drivers\rmcast.sys
2009-03-27 10:55 14,848 a------- c:\windows\system32\wshrm.dll
2009-03-27 10:55 678,408 a------- c:\windows\system32\gpprefcl.dll
2009-03-27 10:54 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-03-27 10:54 268,288 a------- c:\windows\system32\schannel.dll
2009-03-27 10:54 2,868,736 a------- c:\windows\system32\mf.dll
2009-03-27 10:54 98,816 a------- c:\windows\system32\mfps.dll
2009-03-27 10:54 73,216 a------- c:\windows\system32\rrinstaller.exe
2009-03-27 10:54 44,544 a------- c:\windows\system32\mfpmp.exe
2009-03-27 10:54 2,048 a------- c:\windows\system32\mferror.dll
2009-03-27 10:54 996,352 a------- c:\windows\system32\WMNetMgr.dll
2009-03-27 10:54 114,688 a------- c:\windows\system32\logagent.exe
2009-03-27 10:53 738,304 a------- c:\windows\system32\inetcomm.dll
2009-03-27 10:53 84,480 a------- c:\windows\system32\INETRES.dll
2009-03-27 10:52 1,645,568 a------- c:\windows\system32\connect.dll
2009-03-27 10:52 1,314,816 a------- c:\windows\system32\quartz.dll
2009-03-27 10:52 2,033,152 a------- c:\windows\system32\win32k.sys
2009-03-27 10:50 3,601,464 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-27 10:50 3,549,240 a------- c:\windows\system32\ntoskrnl.exe
2009-03-27 10:50 1,334,272 a------- c:\windows\system32\msxml6.dll
2009-03-27 10:50 2,048 a------- c:\windows\system32\msxml6r.dll
2009-03-26 22:18 1,524,736 a------- c:\windows\system32\wucltux.dll
2009-03-26 22:18 83,456 a------- c:\windows\system32\wudriver.dll
2009-03-26 22:18 162,064 a------- c:\windows\system32\wuwebv.dll
2009-03-26 22:18 51,200 a------- c:\windows\system32\wuapp.exe
2009-03-26 19:19 22,216 a------- c:\windows\system32\emptyregdb.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-05 17:42 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-02-21 16:34 409,088 a------- c:\windows\system32\CF23265.exe
2009-02-21 16:30 409,088 a------- c:\windows\system32\CF22383.exe
2009-02-21 16:28 409,088 a------- c:\windows\system32\CF21968.exe
2009-02-21 08:25 691,592 a------- c:\windows\system32\OGACheckControl.DLL
2009-02-16 23:17 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-02-11 16:20 409,088 a------- c:\windows\system32\CF17034.exe
2009-02-11 16:16 409,088 a------- c:\windows\system32\CF16368.exe
2006-11-02 14:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 14:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 14:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 14:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 11:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 11:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 11:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 11:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2004-10-01 15:00 61,440 a------- c:\program files\Uninstall_CDS.exe
2004-08-17 20:00 74,752 ---sh--- c:\windows\system32\RfmothC.dll

============= FINISH: 20:16:29.28 ===============

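As an added example (not from this thread, and not part of the DDS tool), here is a small Python triage pass over the autorun lines of a DDS pseudo-HJT report like the one posted above. The sample lines are excerpted from that report; the rules (a core Windows binary name running from anywhere but system32 itself, autoruns from the user profile, rundll32 hosting a DLL from an odd folder, EnableLUA = 0, every AppInit_DLLs module, and several IE start/search keys pointing at one URL) are my own heuristics for a first look, not anything DDS itself reports.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: a dozen lines excerpted from the DDS "Pseudo HJT Report" above.
SAMPLE = r"""
uStart Page = hxxp://www.my-homepage.cn/
mSearch Bar = hxxp://www.my-homepage.cn/
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Windows Network Setup Manager] c:\users\jonathan (working)\appdata\roaming\sectray.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
mRun: [*ctfmon32] "c:\users\jonathan (working)\appdata\roaming\svchost.exe"
mRun: [svchost.exe] "c:\windows\system32\3361\SVCHOST.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Gregohaw] rundll32.exe "c:\windows\KBDapcle.dll",e
dRun: [svc] c:\program files\thunmail\testabd.exe
mPolicies-system: EnableLUA = 0 (0x0)
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\thunmail\testabd.dll
"""

# Core Windows binary names that malware likes to borrow; the real ones live directly
# in %SystemRoot%\system32, never in a subfolder of it or in a user profile.
SYSTEM_NAMES = {"svchost.exe", "ctfmon.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                "explorer.exe", "services.exe", "smss.exe", "wininit.exe"}
SYSTEM32 = r"c:\windows\system32"

RUN_RE = re.compile(r"^([umd]Run(?:Once)?): \[([^\]]*)\]\s*(.*)$", re.I)
LUA_RE = re.compile(r"^mPolicies-system: EnableLUA = (\d+)", re.I)
PAGE_RE = re.compile(r"^[um](?:Start Page|Search Bar|Search Page|Default_Page_URL|"
                     r"Default_Search_URL|CustomizeSearch|SearchAssistant) = (\S+)", re.I)
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(.*)$", re.I)


@dataclass
class Finding:
    line: str    # the report line that triggered the finding
    reason: str  # why it deserves a look


def first_path(command: str) -> str:
    """Executable or DLL path at the start of an autorun command. DDS quotes paths
    inconsistently, so fall back to everything up to the first .exe/.dll."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll))", command, re.I)
    return m.group(1) if m else command


def launched_module(command: str) -> str:
    """rundll32 only hosts code: the module that actually runs is its first argument."""
    exe = first_path(command)
    if exe.lower().endswith("rundll32.exe"):
        rest = command[command.lower().find(exe.lower()) + len(exe):].lstrip(' "')
        return first_path(rest.split(",")[0])
    return exe


def check_run_entry(line: str, command: str) -> list[Finding]:
    path = launched_module(command).lower()
    folder, _, base = path.rpartition("\\")
    out = []
    if base in SYSTEM_NAMES and folder != SYSTEM32:
        out.append(Finding(line, f"system binary name masquerade outside system32: {path}"))
    if "\\users\\" in path or "\\appdata\\" in path:
        out.append(Finding(line, f"autorun from user profile: {path}"))
    if base.endswith(".dll") and not folder.startswith(SYSTEM32) and "program files" not in folder:
        out.append(Finding(line, f"rundll32 loads DLL from unusual location: {path}"))
    return out


def triage(report: str) -> list[Finding]:
    """Scan a DDS pseudo-HJT report and return the lines worth a human's attention."""
    findings: list[Finding] = []
    page_hits: dict[str, list[str]] = {}
    for raw in report.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            findings += check_run_entry(line, m.group(3))
        elif m := LUA_RE.match(line):
            if m.group(1) == "0":
                findings.append(Finding(line, "UAC disabled (EnableLUA = 0)"))
        elif m := PAGE_RE.match(line):
            page_hits.setdefault(m.group(1).lower(), []).append(line)
        elif m := APPINIT_RE.match(line):
            for dll in filter(None, re.split(r"[\s,]+", m.group(1))):
                findings.append(Finding(line, f"AppInit_DLLs injects into every GUI process: {dll}"))
    for url, lines in page_hits.items():
        if len(lines) >= 2:  # several IE start/search keys on one URL is the hijack pattern
            findings.append(Finding(lines[0], f"{len(lines)} browser start/search settings point to {url}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.reason}\n    <- {f.line}")
```

The Kaspersky AppInit_DLLs entries are legitimate; the point of listing every module there is that the one from a folder created days earlier (thunmail) only stands out once the whole set is in front of you.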

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:09:33 AM

Posted 03 May 2009 - 01:30 PM

Yikes! :thumbup2:

Your computer is extremely infected. One of them is a backdoor, let me know if you wish to continue to disinfect the machine or format and start over.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

With Regards,
Extremeboy

#6 jonospoon

jonospoon
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Local time:03:33 PM

Posted 04 May 2009 - 10:28 AM

ok... Well I am 15, and I don't do any banking... So I rate we can clean it ey... Would be nice to use my PC again :step1: Ya.. I just wanna play my games again :thumbup2: :) :step4: So PLEASE help me to fix it... And I would like to gain experience on what I already know on how to fix computers. Can fix my friends' computers as well.. :step5:

Edited by jonospoon, 04 May 2009 - 10:48 AM.


#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:09:33 AM

Posted 04 May 2009 - 03:23 PM

Hello.

Follow the steps below then.

Download and Run ComboFix (Rename Before Saving)


Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


Refer to the page below for further instructions on running ComboFix. This includes installing the Recovery Console. Note that you do not need your Windows XP disk to install it. Refer to this page if you are unsure how.

Double click on Combo-Fix.exe & follow the prompts.

When finished, it will open a report for you. Post back with it. It is at C:\ComboFix.txt.

Do not mouseclick the ComboFix window while it's running. That may cause it to stall.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
    Alternate Download Site 2
    Alternate Download Site 3
  • Unzip/extract the file to its own folder. Right-Click and select Extract All...
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Click Next. It will now start extracting.
  • Once it is done, check (tick) the Show extracted files box and click Finish
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Right click on gmer.exe and select Run as administrator to run it. It will start running a scan.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.
  • When it's done scanning, you may receive another notice. Click OK if prompted.
  • Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
If you receive no notice, click on the Scan button near the bottom.

  • It will start scanning again like before.
  • When it is done, Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running

With Regards,
Extremeboy

#8 jonospoon

jonospoon
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Local time:03:33 PM

Posted 05 May 2009 - 10:34 AM

Cannot run Combofix... Even after I have renamed it as suggested.. Here is the GMER report



GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-05 17:30:28
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

INT 0x52 ? 84A5FBF8
INT 0x62 ? 84A60BF8
INT 0x63 ? 87466BF8
INT 0x72 ? 84A60BF8
INT 0x82 ? 84A60BF8
INT 0x83 ? 84A5FBF8

Code 87898EE8 ZwEnumerateKey
Code 8885D398 ZwFlushInstructionCache
Code 8880134D IofCallDriver
Code 8885415E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 8284C169 5 Bytes JMP 88801352
.text ntoskrnl.exe!IofCompleteRequest 8284C1D6 5 Bytes JMP 88854163
? System32\Drivers\splv.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8AB8A46F 5 Bytes JMP 874661D8

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\Dwm.exe[584] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\Dwm.exe[584] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\Dwm.exe[584] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\Dwm.exe[584] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\Dwm.exe[584] ntdll.dll!NtEnumerateValueKey 77AB84C8 5 Bytes JMP 7FFA7DCC
.text C:\Windows\system32\Dwm.exe[584] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\Dwm.exe[584] ntdll.dll!NtQueryDirectoryFile 77AB89E8 5 Bytes JMP 7FFA7FD4
.text C:\Windows\system32\Dwm.exe[584] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\Dwm.exe[584] ntdll.dll!NtQuerySystemInformation 77AB8BC8 5 Bytes JMP 7FFA80D0
.text C:\Windows\system32\Dwm.exe[584] ntdll.dll!NtVdmControl 77AB9218 5 Bytes JMP 7FFA8054
.text C:\Windows\system32\Dwm.exe[584] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\system32\Dwm.exe[584] USER32.dll!GetWindowTextW 778EACC3 5 Bytes JMP 7FFA8688
.text C:\Windows\system32\Dwm.exe[584] USER32.dll!GetWindowTextA 778F0F7B 5 Bytes JMP 7FFA8554
.text C:\Windows\system32\Dwm.exe[584] WS2_32.dll!WSASend 76744496 5 Bytes CALL 7FFA8300
.text C:\Windows\system32\Dwm.exe[584] WS2_32.dll!send 7674659B 5 Bytes JMP 7FFA849C
.text C:\Windows\system32\Dwm.exe[584] WS2_32.dll!WSARecv 76748400 5 Bytes CALL 7FFA83FC
.text C:\Windows\Explorer.EXE[648] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\Explorer.EXE[648] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\Explorer.EXE[648] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\Explorer.EXE[648] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\Explorer.EXE[648] ntdll.dll!NtEnumerateValueKey 77AB84C8 5 Bytes JMP 7FFA7DCC
.text C:\Windows\Explorer.EXE[648] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\Explorer.EXE[648] ntdll.dll!NtQueryDirectoryFile 77AB89E8 5 Bytes JMP 7FFA7FD4
.text C:\Windows\Explorer.EXE[648] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\Explorer.EXE[648] ntdll.dll!NtQuerySystemInformation 77AB8BC8 5 Bytes JMP 7FFA80D0
.text C:\Windows\Explorer.EXE[648] ntdll.dll!NtVdmControl 77AB9218 5 Bytes JMP 7FFA8054
.text C:\Windows\Explorer.EXE[648] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\Explorer.EXE[648] USER32.dll!GetWindowTextW 778EACC3 5 Bytes JMP 7FFA8688
.text C:\Windows\Explorer.EXE[648] USER32.dll!GetWindowTextA 778F0F7B 5 Bytes JMP 7FFA8554
.text C:\Windows\Explorer.EXE[648] WS2_32.dll!WSASend 76744496 5 Bytes CALL 7FFA8300
.text C:\Windows\Explorer.EXE[648] WS2_32.dll!send 7674659B 5 Bytes JMP 7FFA849C
.text C:\Windows\Explorer.EXE[648] WS2_32.dll!WSARecv 76748400 5 Bytes CALL 7FFA83FC
.text C:\Windows\system32\wininit.exe[684] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\wininit.exe[684] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\wininit.exe[684] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\wininit.exe[684] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\wininit.exe[684] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\wininit.exe[684] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\wininit.exe[684] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\system32\csrss.exe[692] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\csrss.exe[692] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\csrss.exe[692] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\csrss.exe[692] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\csrss.exe[692] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\csrss.exe[692] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\csrss.exe[692] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\system32\services.exe[728] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\services.exe[728] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\services.exe[728] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\services.exe[728] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\services.exe[728] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\services.exe[728] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\services.exe[728] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\system32\lsass.exe[740] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\lsass.exe[740] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\lsass.exe[740] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\lsass.exe[740] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\lsass.exe[740] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\lsass.exe[740] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\lsass.exe[740] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\system32\winlogon.exe[828] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\winlogon.exe[828] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\winlogon.exe[828] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\winlogon.exe[828] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\winlogon.exe[828] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\winlogon.exe[828] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\winlogon.exe[828] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\system32\svchost.exe[932] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\svchost.exe[932] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\svchost.exe[932] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\svchost.exe[932] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\svchost.exe[932] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\svchost.exe[932] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\svchost.exe[932] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\system32\nvvsvc.exe[992] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\nvvsvc.exe[992] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\nvvsvc.exe[992] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\nvvsvc.exe[992] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\nvvsvc.exe[992] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\nvvsvc.exe[992] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\nvvsvc.exe[992] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\system32\svchost.exe[1020] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\svchost.exe[1020] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\svchost.exe[1020] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\svchost.exe[1020] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\svchost.exe[1020] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\svchost.exe[1020] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\svchost.exe[1020] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\System32\svchost.exe[1056] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\System32\svchost.exe[1056] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\System32\svchost.exe[1056] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\System32\svchost.exe[1056] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\System32\svchost.exe[1056] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\System32\svchost.exe[1056] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\System32\svchost.exe[1056] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\System32\svchost.exe[1256] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\System32\svchost.exe[1256] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\System32\svchost.exe[1256] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\System32\svchost.exe[1256] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\System32\svchost.exe[1256] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\System32\svchost.exe[1256] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\System32\svchost.exe[1256] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\system32\svchost.exe[1300] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\svchost.exe[1300] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\svchost.exe[1300] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\svchost.exe[1300] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\svchost.exe[1300] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\svchost.exe[1300] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\svchost.exe[1300] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\system32\svchost.exe[1392] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\svchost.exe[1392] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\svchost.exe[1392] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\svchost.exe[1392] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\svchost.exe[1392] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\svchost.exe[1392] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\svchost.exe[1392] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\system32\SLsvc.exe[1448] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\SLsvc.exe[1448] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\SLsvc.exe[1448] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\SLsvc.exe[1448] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\SLsvc.exe[1448] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\SLsvc.exe[1448] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\SLsvc.exe[1448] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\system32\rundll32.exe[1500] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\rundll32.exe[1500] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\rundll32.exe[1500] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\rundll32.exe[1500] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\rundll32.exe[1500] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\rundll32.exe[1500] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\rundll32.exe[1500] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\system32\taskeng.exe[1516] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\taskeng.exe[1516] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\taskeng.exe[1516] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\taskeng.exe[1516] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\taskeng.exe[1516] ntdll.dll!NtEnumerateValueKey 77AB84C8 5 Bytes JMP 7FFA7DCC
.text C:\Windows\system32\taskeng.exe[1516] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\taskeng.exe[1516] ntdll.dll!NtQueryDirectoryFile 77AB89E8 5 Bytes JMP 7FFA7FD4
.text C:\Windows\system32\taskeng.exe[1516] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\taskeng.exe[1516] ntdll.dll!NtQuerySystemInformation 77AB8BC8 5 Bytes JMP 7FFA80D0
.text C:\Windows\system32\taskeng.exe[1516] ntdll.dll!NtVdmControl 77AB9218 5 Bytes JMP 7FFA8054
.text C:\Windows\system32\taskeng.exe[1516] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\system32\taskeng.exe[1516] USER32.dll!GetWindowTextW 778EACC3 5 Bytes JMP 7FFA8688
.text C:\Windows\system32\taskeng.exe[1516] USER32.dll!GetWindowTextA 778F0F7B 5 Bytes JMP 7FFA8554
.text C:\Windows\system32\taskeng.exe[1516] WS2_32.dll!WSASend 76744496 5 Bytes CALL 7FFA8300
.text C:\Windows\system32\taskeng.exe[1516] WS2_32.dll!send 7674659B 5 Bytes JMP 7FFA849C
.text C:\Windows\system32\taskeng.exe[1516] WS2_32.dll!WSARecv 76748400 5 Bytes CALL 7FFA83FC
.text C:\Windows\system32\svchost.exe[1524] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\svchost.exe[1524] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\svchost.exe[1524] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\svchost.exe[1524] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\svchost.exe[1524] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\svchost.exe[1524] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\svchost.exe[1524] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\System32\spoolsv.exe[1860] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\System32\spoolsv.exe[1860] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\System32\spoolsv.exe[1860] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\System32\spoolsv.exe[1860] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\System32\spoolsv.exe[1860] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\System32\spoolsv.exe[1860] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\System32\spoolsv.exe[1860] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\system32\svchost.exe[1908] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\svchost.exe[1908] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\svchost.exe[1908] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\svchost.exe[1908] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\svchost.exe[1908] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\svchost.exe[1908] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\svchost.exe[1908] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\system32\taskeng.exe[2032] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\taskeng.exe[2032] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\taskeng.exe[2032] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\taskeng.exe[2032] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\taskeng.exe[2032] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\taskeng.exe[2032] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\taskeng.exe[2032] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2240] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2240] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2240] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2240] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2240] ntdll.dll!NtEnumerateValueKey 77AB84C8 5 Bytes JMP 7FFA7DCC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2240] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2240] ntdll.dll!NtQueryDirectoryFile 77AB89E8 5 Bytes JMP 7FFA7FD4
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2240] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2240] ntdll.dll!NtQuerySystemInformation 77AB8BC8 5 Bytes JMP 7FFA80D0
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2240] ntdll.dll!NtVdmControl 77AB9218 5 Bytes JMP 7FFA8054
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2240] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2240] USER32.dll!GetWindowTextW 778EACC3 5 Bytes JMP 7FFA8688
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2240] USER32.dll!GetWindowTextA 778F0F7B 5 Bytes JMP 7FFA8554
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2240] WS2_32.dll!WSASend 76744496 5 Bytes CALL 7FFA8300
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2240] WS2_32.dll!send 7674659B 5 Bytes JMP 7FFA849C
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2240] WS2_32.dll!WSARecv 76748400 5 Bytes CALL 7FFA83FC
.text C:\Windows\ehome\ehmsas.exe[2300] ntdll.dll!LdrLoadDll 77A87933 5 Bytes JMP 7FFA7D40
.text C:\Windows\ehome\ehmsas.exe[2300] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\ehome\ehmsas.exe[2300] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\ehome\ehmsas.exe[2300] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\ehome\ehmsas.exe[2300] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\ehome\ehmsas.exe[2300] ntdll.dll!NtEnumerateValueKey 77AB84C8 5 Bytes JMP 7FFA7DCC
.text C:\Windows\ehome\ehmsas.exe[2300] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\ehome\ehmsas.exe[2300] ntdll.dll!NtQueryDirectoryFile 77AB89E8 5 Bytes JMP 7FFA7FD4
.text C:\Windows\ehome\ehmsas.exe[2300] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\ehome\ehmsas.exe[2300] ntdll.dll!NtQuerySystemInformation 77AB8BC8 5 Bytes JMP 7FFA80D0
.text C:\Windows\ehome\ehmsas.exe[2300] ntdll.dll!NtVdmControl 77AB9218 5 Bytes JMP 7FFA8054
.text C:\Windows\ehome\ehmsas.exe[2300] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Program Files\Bonjour\mDNSResponder.exe[2320] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Program Files\Bonjour\mDNSResponder.exe[2320] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Program Files\Bonjour\mDNSResponder.exe[2320] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Program Files\Bonjour\mDNSResponder.exe[2320] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Program Files\Bonjour\mDNSResponder.exe[2320] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Program Files\Bonjour\mDNSResponder.exe[2320] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Program Files\Bonjour\mDNSResponder.exe[2320] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\system32\svchost.exe[2332] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\svchost.exe[2332] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\svchost.exe[2332] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\svchost.exe[2332] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\svchost.exe[2332] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\svchost.exe[2332] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\svchost.exe[2332] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Program Files\Java\jre6\bin\jqs.exe[2428] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Program Files\Java\jre6\bin\jqs.exe[2428] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Program Files\Java\jre6\bin\jqs.exe[2428] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Program Files\Java\jre6\bin\jqs.exe[2428] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Program Files\Java\jre6\bin\jqs.exe[2428] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Program Files\Java\jre6\bin\jqs.exe[2428] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Program Files\Java\jre6\bin\jqs.exe[2428] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\System32\svchost.exe[2464] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\System32\svchost.exe[2464] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\System32\svchost.exe[2464] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\System32\svchost.exe[2464] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\System32\svchost.exe[2464] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\System32\svchost.exe[2464] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\System32\svchost.exe[2464] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[2608] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[2608] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[2608] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[2608] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[2608] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[2608] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[2608] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\system32\svchost.exe[2732] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\svchost.exe[2732] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\svchost.exe[2732] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\svchost.exe[2732] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\svchost.exe[2732] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\svchost.exe[2732] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\svchost.exe[2732] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\system32\conime.exe[2816] ntdll.dll!LdrLoadDll 77A87933 5 Bytes JMP 7FFA7D40
.text C:\Windows\system32\conime.exe[2816] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\conime.exe[2816] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\conime.exe[2816] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\conime.exe[2816] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\conime.exe[2816] ntdll.dll!NtEnumerateValueKey 77AB84C8 5 Bytes JMP 7FFA7DCC
.text C:\Windows\system32\conime.exe[2816] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\conime.exe[2816] ntdll.dll!NtQueryDirectoryFile 77AB89E8 5 Bytes JMP 7FFA7FD4
.text C:\Windows\system32\conime.exe[2816] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\conime.exe[2816] ntdll.dll!NtQuerySystemInformation 77AB8BC8 5 Bytes JMP 7FFA80D0
.text C:\Windows\system32\conime.exe[2816] ntdll.dll!NtVdmControl 77AB9218 5 Bytes JMP 7FFA8054
.text C:\Windows\system32\conime.exe[2816] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\System32\svchost.exe[2860] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\System32\svchost.exe[2860] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\System32\svchost.exe[2860] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\System32\svchost.exe[2860] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\System32\svchost.exe[2860] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\System32\svchost.exe[2860] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\System32\svchost.exe[2860] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\system32\SearchIndexer.exe[2960] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\SearchIndexer.exe[2960] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\SearchIndexer.exe[2960] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\SearchIndexer.exe[2960] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\SearchIndexer.exe[2960] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\SearchIndexer.exe[2960] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\SearchIndexer.exe[2960] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Program Files\Windows Defender\MSASCui.exe[3000] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Program Files\Windows Defender\MSASCui.exe[3000] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Program Files\Windows Defender\MSASCui.exe[3000] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Program Files\Windows Defender\MSASCui.exe[3000] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Program Files\Windows Defender\MSASCui.exe[3000] ntdll.dll!NtEnumerateValueKey 77AB84C8 5 Bytes JMP 7FFA7DCC
.text C:\Program Files\Windows Defender\MSASCui.exe[3000] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Program Files\Windows Defender\MSASCui.exe[3000] ntdll.dll!NtQueryDirectoryFile 77AB89E8 5 Bytes JMP 7FFA7FD4
.text C:\Program Files\Windows Defender\MSASCui.exe[3000] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Program Files\Windows Defender\MSASCui.exe[3000] ntdll.dll!NtQuerySystemInformation 77AB8BC8 5 Bytes JMP 7FFA80D0
.text C:\Program Files\Windows Defender\MSASCui.exe[3000] ntdll.dll!NtVdmControl 77AB9218 5 Bytes JMP 7FFA8054
.text C:\Program Files\Windows Defender\MSASCui.exe[3000] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Program Files\Windows Defender\MSASCui.exe[3000] USER32.dll!GetWindowTextW 778EACC3 5 Bytes JMP 7FFA8688
.text C:\Program Files\Windows Defender\MSASCui.exe[3000] USER32.dll!GetWindowTextA 778F0F7B 5 Bytes JMP 7FFA8554
.text C:\Program Files\Windows Defender\MSASCui.exe[3000] ws2_32.dll!WSASend 76744496 5 Bytes CALL 7FFA8300
.text C:\Program Files\Windows Defender\MSASCui.exe[3000] ws2_32.dll!send 7674659B 5 Bytes JMP 7FFA849C
.text C:\Program Files\Windows Defender\MSASCui.exe[3000] ws2_32.dll!WSARecv 76748400 5 Bytes CALL 7FFA83FC
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3008] ntdll.dll!LdrLoadDll 77A87933 5 Bytes JMP 7FFA7D40
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3008] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3008] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3008] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3008] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3008] ntdll.dll!NtEnumerateValueKey 77AB84C8 5 Bytes JMP 7FFA7DCC
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3008] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3008] ntdll.dll!NtQueryDirectoryFile 77AB89E8 5 Bytes JMP 7FFA7FD4
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3008] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3008] ntdll.dll!NtQuerySystemInformation 77AB8BC8 5 Bytes JMP 7FFA80D0
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3008] ntdll.dll!NtVdmControl 77AB9218 5 Bytes JMP 7FFA8054
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3008] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\System32\rundll32.exe[3024] ntdll.dll!LdrLoadDll 77A87933 5 Bytes JMP 7FFA7D40
.text C:\Windows\System32\rundll32.exe[3024] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\System32\rundll32.exe[3024] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\System32\rundll32.exe[3024] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\System32\rundll32.exe[3024] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\System32\rundll32.exe[3024] ntdll.dll!NtEnumerateValueKey 77AB84C8 5 Bytes JMP 7FFA7DCC
.text C:\Windows\System32\rundll32.exe[3024] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\System32\rundll32.exe[3024] ntdll.dll!NtQueryDirectoryFile 77AB89E8 5 Bytes JMP 7FFA7FD4
.text C:\Windows\System32\rundll32.exe[3024] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\System32\rundll32.exe[3024] ntdll.dll!NtQuerySystemInformation 77AB8BC8 5 Bytes JMP 7FFA80D0
.text C:\Windows\System32\rundll32.exe[3024] ntdll.dll!NtVdmControl 77AB9218 5 Bytes JMP 7FFA8054
.text C:\Windows\System32\rundll32.exe[3024] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[3100] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[3100] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[3100] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[3100] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[3100] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[3100] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[3100] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\RtHDVCpl.exe[3204] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\RtHDVCpl.exe[3204] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\RtHDVCpl.exe[3204] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\RtHDVCpl.exe[3204] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\RtHDVCpl.exe[3204] ntdll.dll!NtEnumerateValueKey 77AB84C8 5 Bytes JMP 7FFA7DCC
.text C:\Windows\RtHDVCpl.exe[3204] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\RtHDVCpl.exe[3204] ntdll.dll!NtQueryDirectoryFile 77AB89E8 5 Bytes JMP 7FFA7FD4
.text C:\Windows\RtHDVCpl.exe[3204] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\RtHDVCpl.exe[3204] ntdll.dll!NtQuerySystemInformation 77AB8BC8 5 Bytes JMP 7FFA80D0
.text C:\Windows\RtHDVCpl.exe[3204] ntdll.dll!NtVdmControl 77AB9218 5 Bytes JMP 7FFA8054
.text C:\Windows\RtHDVCpl.exe[3204] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\RtHDVCpl.exe[3204] USER32.dll!GetWindowTextW 778EACC3 5 Bytes JMP 7FFA8688
.text C:\Windows\RtHDVCpl.exe[3204] USER32.dll!GetWindowTextA 778F0F7B 5 Bytes JMP 7FFA8554
.text C:\Windows\RtHDVCpl.exe[3204] WS2_32.dll!WSASend 76744496 5 Bytes CALL 7FFA8300
.text C:\Windows\RtHDVCpl.exe[3204] WS2_32.dll!send 7674659B 5 Bytes JMP 7FFA849C
.text C:\Windows\RtHDVCpl.exe[3204] WS2_32.dll!WSARecv 76748400 5 Bytes CALL 7FFA83FC
.text C:\Program Files\iPod\bin\iPodService.exe[3224] ntdll.dll!LdrLoadDll 77A87933 5 Bytes JMP 7FFA7D40
.text C:\Program Files\iPod\bin\iPodService.exe[3224] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Program Files\iPod\bin\iPodService.exe[3224] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Program Files\iPod\bin\iPodService.exe[3224] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Program Files\iPod\bin\iPodService.exe[3224] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Program Files\iPod\bin\iPodService.exe[3224] ntdll.dll!NtEnumerateValueKey 77AB84C8 5 Bytes JMP 7FFA7DCC
.text C:\Program Files\iPod\bin\iPodService.exe[3224] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Program Files\iPod\bin\iPodService.exe[3224] ntdll.dll!NtQueryDirectoryFile 77AB89E8 5 Bytes JMP 7FFA7FD4
.text C:\Program Files\iPod\bin\iPodService.exe[3224] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Program Files\iPod\bin\iPodService.exe[3224] ntdll.dll!NtQuerySystemInformation 77AB8BC8 5 Bytes JMP 7FFA80D0
.text C:\Program Files\iPod\bin\iPodService.exe[3224] ntdll.dll!NtVdmControl 77AB9218 5 Bytes JMP 7FFA8054
.text C:\Program Files\iPod\bin\iPodService.exe[3224] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Program Files\Java\jre6\bin\jusched.exe[3252] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Program Files\Java\jre6\bin\jusched.exe[3252] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Program Files\Java\jre6\bin\jusched.exe[3252] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Program Files\Java\jre6\bin\jusched.exe[3252] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Program Files\Java\jre6\bin\jusched.exe[3252] ntdll.dll!NtEnumerateValueKey 77AB84C8 5 Bytes JMP 7FFA7DCC
.text C:\Program Files\Java\jre6\bin\jusched.exe[3252] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Program Files\Java\jre6\bin\jusched.exe[3252] ntdll.dll!NtQueryDirectoryFile 77AB89E8 5 Bytes JMP 7FFA7FD4
.text C:\Program Files\Java\jre6\bin\jusched.exe[3252] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Program Files\Java\jre6\bin\jusched.exe[3252] ntdll.dll!NtQuerySystemInformation 77AB8BC8 5 Bytes JMP 7FFA80D0
.text C:\Program Files\Java\jre6\bin\jusched.exe[3252] ntdll.dll!NtVdmControl 77AB9218 5 Bytes JMP 7FFA8054
.text C:\Program Files\Java\jre6\bin\jusched.exe[3252] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Program Files\Java\jre6\bin\jusched.exe[3252] USER32.dll!GetWindowTextW 778EACC3 5 Bytes JMP 7FFA8688
.text C:\Program Files\Java\jre6\bin\jusched.exe[3252] USER32.dll!GetWindowTextA 778F0F7B 5 Bytes JMP 7FFA8554
.text C:\Program Files\Java\jre6\bin\jusched.exe[3252] ws2_32.dll!WSASend 76744496 5 Bytes CALL 7FFA8300
.text C:\Program Files\Java\jre6\bin\jusched.exe[3252] ws2_32.dll!send 7674659B 5 Bytes JMP 7FFA849C
.text C:\Program Files\Java\jre6\bin\jusched.exe[3252] ws2_32.dll!WSARecv 76748400 5 Bytes CALL 7FFA83FC
.text C:\Windows\System32\rundll32.exe[3272] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\System32\rundll32.exe[3272] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\System32\rundll32.exe[3272] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\System32\rundll32.exe[3272] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\System32\rundll32.exe[3272] ntdll.dll!NtEnumerateValueKey 77AB84C8 5 Bytes JMP 7FFA7DCC
.text C:\Windows\System32\rundll32.exe[3272] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\System32\rundll32.exe[3272] ntdll.dll!NtQueryDirectoryFile 77AB89E8 5 Bytes JMP 7FFA7FD4
.text C:\Windows\System32\rundll32.exe[3272] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\System32\rundll32.exe[3272] ntdll.dll!NtQuerySystemInformation 77AB8BC8 5 Bytes JMP 7FFA80D0
.text C:\Windows\System32\rundll32.exe[3272] ntdll.dll!NtVdmControl 77AB9218 5 Bytes JMP 7FFA8054
.text C:\Windows\System32\rundll32.exe[3272] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\System32\rundll32.exe[3272] USER32.dll!GetWindowTextW 778EACC3 5 Bytes JMP 7FFA8688
.text C:\Windows\System32\rundll32.exe[3272] USER32.dll!GetWindowTextA 778F0F7B 5 Bytes JMP 7FFA8554
.text C:\Windows\System32\rundll32.exe[3272] WS2_32.dll!WSASend 76744496 5 Bytes CALL 7FFA8300
.text C:\Windows\System32\rundll32.exe[3272] WS2_32.dll!send 7674659B 5 Bytes JMP 7FFA849C
.text C:\Windows\System32\rundll32.exe[3272] WS2_32.dll!WSARecv 76748400 5 Bytes CALL 7FFA83FC
.text C:\Windows\System32\VT100.EXE[3376] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\System32\VT100.EXE[3376] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\System32\VT100.EXE[3376] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\System32\VT100.EXE[3376] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\System32\VT100.EXE[3376] ntdll.dll!NtEnumerateValueKey 77AB84C8 5 Bytes JMP 7FFA7DCC
.text C:\Windows\System32\VT100.EXE[3376] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\System32\VT100.EXE[3376] ntdll.dll!NtQueryDirectoryFile 77AB89E8 5 Bytes JMP 7FFA7FD4
.text C:\Windows\System32\VT100.EXE[3376] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\System32\VT100.EXE[3376] ntdll.dll!NtQuerySystemInformation 77AB8BC8 5 Bytes JMP 7FFA80D0
.text C:\Windows\System32\VT100.EXE[3376] ntdll.dll!NtVdmControl 77AB9218 5 Bytes JMP 7FFA8054
.text C:\Windows\System32\VT100.EXE[3376] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\System32\VT100.EXE[3376] USER32.dll!GetWindowTextW 778EACC3 5 Bytes JMP 7FFA8688
.text C:\Windows\System32\VT100.EXE[3376] USER32.dll!GetWindowTextA 778F0F7B 5 Bytes JMP 7FFA8554
.text C:\Windows\System32\VT100.EXE[3376] WS2_32.dll!WSASend 76744496 5 Bytes CALL 7FFA8300
.text C:\Windows\System32\VT100.EXE[3376] WS2_32.dll!send 7674659B 5 Bytes JMP 7FFA849C
.text C:\Windows\System32\VT100.EXE[3376] WS2_32.dll!WSARecv 76748400 5 Bytes CALL 7FFA83FC
.text C:\Windows\system32\WUDFHost.exe[3480] ntdll.dll!LdrLoadDll 77A87933 5 Bytes JMP 7FFA7D40
.text C:\Windows\system32\WUDFHost.exe[3480] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\WUDFHost.exe[3480] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\WUDFHost.exe[3480] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\WUDFHost.exe[3480] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\WUDFHost.exe[3480] ntdll.dll!NtEnumerateValueKey 77AB84C8 5 Bytes JMP 7FFA7DCC
.text C:\Windows\system32\WUDFHost.exe[3480] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\WUDFHost.exe[3480] ntdll.dll!NtQueryDirectoryFile 77AB89E8 5 Bytes JMP 7FFA7FD4
.text C:\Windows\system32\WUDFHost.exe[3480] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\WUDFHost.exe[3480] ntdll.dll!NtQuerySystemInformation 77AB8BC8 5 Bytes JMP 7FFA80D0
.text C:\Windows\system32\WUDFHost.exe[3480] ntdll.dll!NtVdmControl 77AB9218 5 Bytes JMP 7FFA8054
.text C:\Windows\system32\WUDFHost.exe[3480] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe[3596] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe[3596] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe[3596] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe[3596] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe[3596] ntdll.dll!NtEnumerateValueKey 77AB84C8 5 Bytes JMP 7FFA7DCC
.text C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe[3596] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe[3596] ntdll.dll!NtQueryDirectoryFile 77AB89E8 5 Bytes JMP 7FFA7FD4
.text C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe[3596] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe[3596] ntdll.dll!NtQuerySystemInformation 77AB8BC8 5 Bytes JMP 7FFA80D0
.text C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe[3596] ntdll.dll!NtVdmControl 77AB9218 5 Bytes JMP 7FFA8054
.text C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe[3596] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe[3596] kernel32.dll!CreateThread + 1A 779C46E2 4 Bytes CALL 59839FC5 C:\Program Files\Auslogics\Auslogics BoostSpeed\madExcept_.bpl
.text C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe[3596] user32.dll!GetWindowTextW 778EACC3 5 Bytes JMP 7FFA8688
.text C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe[3596] user32.dll!GetWindowTextA 778F0F7B 5 Bytes JMP 7FFA8554
.text C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe[3596] WS2_32.dll!WSASend 76744496 5 Bytes CALL 7FFA8300
.text C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe[3596] WS2_32.dll!send 7674659B 5 Bytes JMP 7FFA849C
.text C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe[3596] WS2_32.dll!WSARecv 76748400 5 Bytes CALL 7FFA83FC
.text C:\Windows\ehome\ehtray.exe[3676] ntdll.dll!LdrLoadDll 77A87933 5 Bytes JMP 7FFA7D40
.text C:\Windows\ehome\ehtray.exe[3676] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\ehome\ehtray.exe[3676] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\ehome\ehtray.exe[3676] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\ehome\ehtray.exe[3676] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\ehome\ehtray.exe[3676] ntdll.dll!NtEnumerateValueKey 77AB84C8 5 Bytes JMP 7FFA7DCC
.text C:\Windows\ehome\ehtray.exe[3676] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\ehome\ehtray.exe[3676] ntdll.dll!NtQueryDirectoryFile 77AB89E8 5 Bytes JMP 7FFA7FD4
.text C:\Windows\ehome\ehtray.exe[3676] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\ehome\ehtray.exe[3676] ntdll.dll!NtQuerySystemInformation 77AB8BC8 5 Bytes JMP 7FFA80D0
.text C:\Windows\ehome\ehtray.exe[3676] ntdll.dll!NtVdmControl 77AB9218 5 Bytes JMP 7FFA8054
.text C:\Windows\ehome\ehtray.exe[3676] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3688] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3688] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3688] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3688] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3688] ntdll.dll!NtEnumerateValueKey 77AB84C8 5 Bytes JMP 7FFA7DCC
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3688] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3688] ntdll.dll!NtQueryDirectoryFile 77AB89E8 5 Bytes JMP 7FFA7FD4
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3688] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3688] ntdll.dll!NtQuerySystemInformation 77AB8BC8 5 Bytes JMP 7FFA80D0
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3688] ntdll.dll!NtVdmControl 77AB9218 5 Bytes JMP 7FFA8054
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3688] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3688] USER32.dll!GetWindowTextW 778EACC3 5 Bytes JMP 7FFA8688
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3688] USER32.dll!GetWindowTextA 778F0F7B 5 Bytes JMP 7FFA8554
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3688] WS2_32.dll!WSASend 76744496 5 Bytes CALL 7FFA8300
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3688] WS2_32.dll!send 7674659B 5 Bytes JMP 7FFA849C
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3688] WS2_32.dll!WSARecv 76748400 5 Bytes CALL 7FFA83FC
.text C:\Windows\system32\SearchProtocolHost.exe[4224] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\SearchProtocolHost.exe[4224] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\SearchProtocolHost.exe[4224] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\SearchProtocolHost.exe[4224] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\SearchProtocolHost.exe[4224] ntdll.dll!NtEnumerateValueKey 77AB84C8 5 Bytes JMP 7FFA7DCC
.text C:\Windows\system32\SearchProtocolHost.exe[4224] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\SearchProtocolHost.exe[4224] ntdll.dll!NtQueryDirectoryFile 77AB89E8 5 Bytes JMP 7FFA7FD4
.text C:\Windows\system32\SearchProtocolHost.exe[4224] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\SearchProtocolHost.exe[4224] ntdll.dll!NtQuerySystemInformation 77AB8BC8 5 Bytes JMP 7FFA80D0
.text C:\Windows\system32\SearchProtocolHost.exe[4224] ntdll.dll!NtVdmControl 77AB9218 5 Bytes JMP 7FFA8054
.text C:\Windows\system32\SearchProtocolHost.exe[4224] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\system32\SearchProtocolHost.exe[4224] USER32.dll!GetWindowTextW 778EACC3 5 Bytes JMP 7FFA8688
.text C:\Windows\system32\SearchProtocolHost.exe[4224] USER32.dll!GetWindowTextA 778F0F7B 5 Bytes JMP 7FFA8554
.text C:\Windows\system32\SearchProtocolHost.exe[4224] WS2_32.dll!WSASend 76744496 5 Bytes CALL 7FFA8300
.text C:\Windows\system32\SearchProtocolHost.exe[4224] WS2_32.dll!send 7674659B 5 Bytes JMP 7FFA849C
.text C:\Windows\system32\SearchProtocolHost.exe[4224] WS2_32.dll!WSARecv 76748400 5 Bytes CALL 7FFA83FC
.text C:\Windows\system32\SearchFilterHost.exe[4256] ntdll.dll!LdrLoadDll 77A87933 5 Bytes JMP 7FFA7D40
.text C:\Windows\system32\SearchFilterHost.exe[4256] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\SearchFilterHost.exe[4256] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\SearchFilterHost.exe[4256] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\SearchFilterHost.exe[4256] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\SearchFilterHost.exe[4256] ntdll.dll!NtEnumerateValueKey 77AB84C8 5 Bytes JMP 7FFA7DCC
.text C:\Windows\system32\SearchFilterHost.exe[4256] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\SearchFilterHost.exe[4256] ntdll.dll!NtQueryDirectoryFile 77AB89E8 5 Bytes JMP 7FFA7FD4
.text C:\Windows\system32\SearchFilterHost.exe[4256] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\SearchFilterHost.exe[4256] ntdll.dll!NtQuerySystemInformation 77AB8BC8 5 Bytes JMP 7FFA80D0
.text C:\Windows\system32\SearchFilterHost.exe[4256] ntdll.dll!NtVdmControl 77AB9218 5 Bytes JMP 7FFA8054
.text C:\Windows\system32\SearchFilterHost.exe[4256] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Users\Jonathan (WORKING)\Desktop\gmer.exe[4364] ntdll.dll!LdrLoadDll 77A87933 5 Bytes JMP 7FFA7D40
.text C:\Users\Jonathan (WORKING)\Desktop\gmer.exe[4364] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Users\Jonathan (WORKING)\Desktop\gmer.exe[4364] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Users\Jonathan (WORKING)\Desktop\gmer.exe[4364] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Users\Jonathan (WORKING)\Desktop\gmer.exe[4364] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Users\Jonathan (WORKING)\Desktop\gmer.exe[4364] ntdll.dll!NtEnumerateValueKey 77AB84C8 5 Bytes JMP 7FFA7DCC
.text C:\Users\Jonathan (WORKING)\Desktop\gmer.exe[4364] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Users\Jonathan (WORKING)\Desktop\gmer.exe[4364] ntdll.dll!NtQueryDirectoryFile 77AB89E8 5 Bytes JMP 7FFA7FD4
.text C:\Users\Jonathan (WORKING)\Desktop\gmer.exe[4364] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Users\Jonathan (WORKING)\Desktop\gmer.exe[4364] ntdll.dll!NtQuerySystemInformation 77AB8BC8 5 Bytes JMP 7FFA80D0
.text C:\Users\Jonathan (WORKING)\Desktop\gmer.exe[4364] ntdll.dll!NtVdmControl 77AB9218 5 Bytes JMP 7FFA8054
.text C:\Users\Jonathan (WORKING)\Desktop\gmer.exe[4364] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\System32\mobsync.exe[5312] ntdll.dll!LdrLoadDll 77A87933 5 Bytes JMP 7FFA7D40
.text C:\Windows\System32\mobsync.exe[5312] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\System32\mobsync.exe[5312] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\System32\mobsync.exe[5312] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\System32\mobsync.exe[5312] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\System32\mobsync.exe[5312] ntdll.dll!NtEnumerateValueKey 77AB84C8 5 Bytes JMP 7FFA7DCC
.text C:\Windows\System32\mobsync.exe[5312] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\System32\mobsync.exe[5312] ntdll.dll!NtQueryDirectoryFile 77AB89E8 5 Bytes JMP 7FFA7FD4
.text C:\Windows\System32\mobsync.exe[5312] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\System32\mobsync.exe[5312] ntdll.dll!NtQuerySystemInformation 77AB8BC8 5 Bytes JMP 7FFA80D0
.text C:\Windows\System32\mobsync.exe[5312] ntdll.dll!NtVdmControl 77AB9218 5 Bytes JMP 7FFA8054
.text C:\Windows\System32\mobsync.exe[5312] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741
.text C:\Windows\system32\taskeng.exe[6108] ntdll.dll!LdrLoadDll 77A87933 5 Bytes JMP 7FFA7D40
.text C:\Windows\system32\taskeng.exe[6108] ntdll.dll!NtCreateFile 77AB8008 5 Bytes CALL 7FFA4698
.text C:\Windows\system32\taskeng.exe[6108] ntdll.dll!NtCreateProcess 77AB80C8 5 Bytes CALL 7FFA4727
.text C:\Windows\system32\taskeng.exe[6108] ntdll.dll!NtCreateProcessEx 77AB80D8 5 Bytes CALL 7FFA4734
.text C:\Windows\system32\taskeng.exe[6108] ntdll.dll!NtDeviceIoControlFile 77AB8438 5 Bytes CALL 7FFA49B8
.text C:\Windows\system32\taskeng.exe[6108] ntdll.dll!NtEnumerateValueKey 77AB84C8 5 Bytes JMP 7FFA7DCC
.text C:\Windows\system32\taskeng.exe[6108] ntdll.dll!NtOpenFile 77AB87E8 5 Bytes CALL 7FFA471D
.text C:\Windows\system32\taskeng.exe[6108] ntdll.dll!NtQueryDirectoryFile 77AB89E8 5 Bytes JMP 7FFA7FD4
.text C:\Windows\system32\taskeng.exe[6108] ntdll.dll!NtQueryInformationProcess 77AB8A88 5 Bytes CALL 7FFA4775
.text C:\Windows\system32\taskeng.exe[6108] ntdll.dll!NtQuerySystemInformation 77AB8BC8 5 Bytes JMP 7FFA80D0
.text C:\Windows\system32\taskeng.exe[6108] ntdll.dll!NtVdmControl 77AB9218 5 Bytes JMP 7FFA8054
.text C:\Windows\system32\taskeng.exe[6108] ntdll.dll!NtCreateUserProcess 77AB9438 5 Bytes CALL 7FFA4741

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 84A5E4A8
IAT \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [83260C4C] \SystemRoot\System32\Drivers\splv.sys
IAT \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [83260CA0] \SystemRoot\System32\Drivers\splv.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [832306D2] \SystemRoot\System32\Drivers\splv.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [83230040] \SystemRoot\System32\Drivers\splv.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [832307FC] \SystemRoot\System32\Drivers\splv.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [832300BE] \SystemRoot\System32\Drivers\splv.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8323013C] \SystemRoot\System32\Drivers\splv.sys
IAT \SystemRoot\system32\drivers\ataport.SYS[ntoskrnl.exe!DbgBreakPoint] 84A602D8
IAT \SystemRoot\system32\DRIVERS\storport.sys[ntoskrnl.exe!DbgBreakPoint] 84A5F2D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [83240048] \SystemRoot\System32\Drivers\splv.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 874662D8

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe[3596] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [5983A11C] C:\Program Files\Auslogics\Auslogics BoostSpeed\madExcept_.bpl
IAT C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe[3596] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!QueueUserWorkItem] [5983A11C] C:\Program Files\Auslogics\Auslogics BoostSpeed\madExcept_.bpl

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85C231F8
Device \FileSystem\fastfat \FatCdrom 893DB1F8
Device \Driver\volmgr \Device\VolMgrControl 85C1E1F8
Device \Driver\usbohci \Device\USBPDO-0 874F21F8
Device \Driver\usbehci \Device\USBPDO-1 875A81F8
Device \Driver\USBSTOR \Device\00000061 872D2500
Device \Driver\PCI_PNP7596 \Device\00000048 splv.sys

AttachedDevice \Driver\tdx \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\USBSTOR \Device\00000062 872D2500
Device \Driver\nvstor32 \Device\00000056 85C221F8
Device \Driver\sptd \Device\1043711346 splv.sys
Device \Driver\volmgr \Device\HarddiskVolume1 85C1E1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume2 85C1E1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume3 85C1E1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\atapi \Device\Ide\IdePort0 85C201F8
Device \Driver\atapi \Device\Ide\IdePort1 85C201F8
Device \Driver\atapi \Device\Ide\IdePort2 85C201F8
Device \Driver\atapi \Device\Ide\IdePort3 85C201F8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-3 85C201F8
Device \Driver\netbt \Device\NetBt_Wins_Export 888F3500
Device \Driver\netbt \Device\NetBT_Tcpip_{3D8EBC08-12DA-4E69-B9AE-76FDABE0F76F} 888F3500
Device \Driver\Smb \Device\NetbiosSmb 888EF1F8
Device \Driver\nvstor32 \Device\RaidPort0 85C221F8

AttachedDevice \Driver\tdx \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\nvstor32 \Device\RaidPort1 85C221F8
Device \Driver\iScsiPrt \Device\RaidPort2 876081F8
Device \Driver\usbohci \Device\USBFDO-0 874F21F8
Device \Driver\usbehci \Device\USBFDO-1 875A81F8
Device \Driver\a5a5gguq \Device\Scsi\a5a5gguq1Port7Path0Target1Lun0 875981F8
Device \Driver\a5a5gguq \Device\Scsi\a5a5gguq1Port7Path0Target0Lun0 875981F8
Device \Driver\a5a5gguq \Device\Scsi\a5a5gguq1Port7Path0Target2Lun0 875981F8
Device \Driver\a5a5gguq \Device\Scsi\a5a5gguq1 875981F8
Device \FileSystem\fastfat \Fat 893DB1F8

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\cdfs \Cdfs 891D51F8

---- Processes - GMER 1.0.15 ----

Process C:\Windows\System32\VT100.EXE (*** hidden *** ) 3376
Library C:\Windows\System32\VT100.EXE (*** hidden *** ) @ C:\Windows\System32\VT100.EXE [3376] 0x00400000

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\ovfsthxbiinuqyc.sys (*** hidden *** ) [SYSTEM] ovfsthxtxybooif <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif@imagepath \systemroot\system32\drivers\ovfsthxbiinuqyc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif@inst 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif\main@ver icv140409
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif\main@cid 01
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif\main@bid 144571987-789336058-1343024091-1417001333
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif\main@aid 303410
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif\main@sid 52
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif\main@feed 0x22 0x64 0x78 0x36 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif\main@cmddelay 28801
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif\main@logoffset 253607
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif\main\ff
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif\main\ff@extension \\?\C:\Program Files\Mozilla Firefox\extensions\{7C4531C5-5475-48A2-873A-AAE66B17F4CF}
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif\main\ff@version 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif\main\injector@iexplore.exe ovfsthxwi.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif\main\injector@explorer.exe ovfsthxff.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif\modules@ovfsthx.sys \systemroot\system32\drivers\ovfsthxbiinuqyc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif\modules@ovfsthx.dll \systemroot\system32\ovfsthxxpumyerm.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif\modules@ovfsthxlog.dat \systemroot\system32\ovfsthxksgwwvxp.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif\modules@ovfsthxwi.dll \systemroot\system32\ovfsthxkxbpnfvu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif\modules@ovfsthxff.dll \systemroot\system32\ovfsthxsaqjviwm.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxtxybooif\modules@ovfsthx.dat \systemroot\system32\ovfsthxykqieidc.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x52 0x45 0x44 0xD1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x23 0x93 0x3D 0xB3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x94 0x43 0x85 0xAD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xB5 0xAF 0xF4 0x53 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x6F 0xC7 0x27 0x8B ...
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif@start 1
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif@type 1
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif@group file system
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif@imagepath \systemroot\system32\drivers\ovfsthxbiinuqyc.sys
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif@inst 0
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif\main
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif\main@ver icv140409
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif\main@cid 01
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif\main@bid 144571987-789336058-1343024091-1417001333
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif\main@aid 303410
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif\main@sid 52
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif\main@feed 0x22 0x64 0x78 0x36 ...
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif\main@cmddelay 28801
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif\main@logoffset 250318
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif\main\delete
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif\main\ff
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif\main\ff@extension \\?\C:\Program Files\Mozilla Firefox\extensions\{7C4531C5-5475-48A2-873A-AAE66B17F4CF}
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif\main\ff@version 1
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif\main\injector
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif\main\injector@iexplore.exe ovfsthxwi.dll
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif\main\injector@explorer.exe ovfsthxff.dll
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif\main\tasks
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif\modules
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif\modules@ovfsthx.sys \systemroot\system32\drivers\ovfsthxbiinuqyc.sys
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif\modules@ovfsthx.dll \systemroot\system32\ovfsthxxpumyerm.dll
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif\modules@ovfsthxlog.dat \systemroot\system32\ovfsthxksgwwvxp.dat
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif\modules@ovfsthxwi.dll \systemroot\system32\ovfsthxkxbpnfvu.dll
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif\modules@ovfsthxff.dll \systemroot\system32\ovfsthxsaqjviwm.dll
Reg HKLM\SYSTEM\ControlSet009\Services\ovfsthxtxybooif\modules@ovfsthx.dat \systemroot\system32\ovfsthxykqieidc.dat
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x52 0x45 0x44 0xD1 ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x23 0x93 0x3D 0xB3 ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x94 0x43 0x85 0xAD ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xB5 0xAF 0xF4 0x53 ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x6F 0xC7 0x27 0x8B ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@VT100 Emulator C:\Windows\System32\VT100.EXE
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@LogName C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy1855.gthr
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@LogNumber 1856
Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0x12 0x75 0x04 0x82 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{c707ef67-95a7-4d05-9f6b-f9e175697110}@MData 0x73 0xD5 0xCF 0xB8 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{c707ef67-95a7-4d05-9f6b-f9e175697110}@Model 84
Reg HKLM\SOFTWARE\Classes\CLSID\{c707ef67-95a7-4d05-9f6b-f9e175697110}@Therad 1

---- Files - GMER 1.0.15 ----

File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS16F77.log 131072 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS16F78.log 131072 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS16F79.log 0 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS16F7A.log 0 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS16F7B.log 0 bytes
File C:\Users\Jonathan (WORKING)\AppData\Local\Temp\msdone.DLL 1055 bytes
File C:\Users\Jonathan (WORKING)\AppData\Local\Temp\mspnd.DLL 0 bytes
File C:\Users\Jonathan (WORKING)\AppData\Local\Temp\mmsg32.DLL 1021 bytes
File C:\Users\Jonathan (WORKING)\AppData\Local\Temp\ms2chk.DLL 0 bytes
File C:\Windows\System32\ovfsthxksgwwvxp.dat 253705 bytes
File C:\Windows\System32\ovfsthxkxbpnfvu.dll 18432 bytes executable
File C:\Windows\System32\ovfsthxsaqjviwm.dll 18432 bytes executable
File C:\Windows\System32\ovfsthxxpumyerm.dll 60928 bytes executable
File C:\Windows\System32\ovfsthxykqieidc.dat 43 bytes
File C:\Windows\System32\drivers\ovfsthxbiinuqyc.sys 83456 bytes executable <-- ROOTKIT !!!
File C:\Windows\System32\mmsg32.DLL 2399 bytes
File C:\Windows\System32\ms2chk.DLL 0 bytes
File C:\Windows\System32\msdone.DLL 898 bytes
File C:\Windows\System32\mspnd.DLL 0 bytes
File C:\Windows\System32\VT100.EXE 132096 bytes
File C:\Windows\winsxs\x86_microsoft-windows-capturewizard_31bf3856ad364e35_6.0.6001.18000_none_6caf21de31abd9cf\CaptureWizard.exe (size mismatch) 2964480/2944512 bytes executable
File C:\Windows\winsxs\x86_microsoft-windows-icm-ui_31bf3856ad364e35_6.0.6000.16386_none_3821f56ea3e455ca\colorcpl.exe (size mismatch) 104960/84992 bytes executable
File C:\Windows\winsxs\x86_windowssearchengine_31bf3856ad364e35_7.0.6001.16503_none_3b8c27e8ba3dd3dd\SearchFilterHost.exe (size mismatch) 107520/87552 bytes executable
File C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.18000_none_adf3c981d68ad9ed\setup_wm.exe (size mismatch) 1438720/1418752 bytes executable

---- EOF - GMER 1.0.15 ----


This is going to be quite difficult to eradicate... :thumbup2:

#9 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:09:33 AM

Posted 05 May 2009 - 03:35 PM

Hello.

Quote: "Cannot run Combofix... Even after I have renamed it as suggested... here is the GMER report"

I believe you re-named it BEFORE saving it on your desktop?

Let's try the following. Please delete the Combofix.exe you currently have and re-download it like last time; this time, when saving it, rename it to CFIX.exe and save it to your desktop.

Do NOT RUN it yet. Please do the following. It would be best if you print or save the instructions below in Notepad or something so you can reference them later on.
  • Save all documents or windows that are open, because when running ComboFix you won't have an internet connection and everything will be closed.
  • Click on your Start Menu, then Run. In the Run box type:
    "%userprofile%\desktop\CFIX.exe" /killall
  • ComboFix will now run.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it is running, because it may cause it to stall.

Let me know how it goes.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 jonospoon
  • Topic Starter
  • Members
  • 31 posts
  • Gender:Male
  • Local time:03:33 PM

Posted 06 May 2009 - 11:53 AM

Attempted the new way of running ComboFix... Renamed it, ran the Run command...
This time it turned out that It IS NOT SAFE TO CONTINUE!!!!!! hahahaha, it said that the contents of the package could have been compromised. Might have a patching virus.
Like the worst thing is I don't have a flippen clue how I got this virus. Didn't download anything sketchy... nothing of the sort. It just started... Oh well... I guess we've got to try something else.

#11 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:09:33 AM

Posted 07 May 2009 - 02:59 PM

Hello.

After seeing the GMER log, it's fairly obvious what infection you have now. Not only do you have the rootkit, you have a file infector infection known as Virut. This one is also hidden, and some of your backed-up Windows Vista files are infected. You HAVE to format and start over. You can back up any data files but no executables. If you have a recovery partition you can use that to format as well, since most computers now have one. Let me know if you need help with that.

Virut File Infector Warning

Your system is infected with a polymorphic file infector called Virut, which also has IRC bot functionality. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr) and also web pages (.html and .htm). However, the problem is that the virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files, so those files are corrupted beyond repair. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.

For these reasons, you really can't truly fix Virut. You will need to format and reinstall the operating system on this machine. As of now, security experts suggest that a clean reformat is the only way to clean the infection and it is the only way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, pictures etc.) only. DO NOT back up any executable files (software) or screensavers (*.scr) or any web pages (*.html or *.htm). It attempts to infect any accessed .exe, .scr or .html/.htm file by appending itself to the executable.

Also, try to avoid backing up compressed files (zip/cab/rar) that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

More information on Virut can be found over here and here

With Regards,
Extremeboy
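The backup advice in the post above (copy only data files, skip .exe/.scr/.html/.htm, and do not trust archives that carry executables inside them) is the kind of rule that is easy to state and easy to get wrong by hand across a whole user profile. The script below is an added example, not a BleepingComputer tool and not part of the original thread: it walks a source tree, refuses every file type the post names, opens .zip archives to check their members, and copies only what passes. The sample directory it builds is constructed test data, and the copy/skip split is a hypothetical policy drawn from the post's wording, extended to treat nested archives and unreadable archives as unsafe.

```python
"""Backup triage for a Virut-style file infector (added example).

Copies only data files, skips anything the post above says Virut appends
itself to (.exe, .scr, .html, .htm), and refuses zip archives containing
such files. Sample data and policy are constructed for illustration.
"""
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

# Extensions Virut is described as infecting (from the post above).
INFECTABLE = {".exe", ".scr", ".html", ".htm"}
# Only .zip is inspected (standard library); cab/rar are skipped outright.
ARCHIVES_INSPECTED = {".zip"}
ARCHIVES_SKIPPED = {".cab", ".rar"}


def risky_members(zip_path: Path) -> list:
    """Names of zip members that are infectable or are archives themselves.

    Nested archives are not expanded; they are reported as risky, since the
    post says Virut reaches .exe files inside compressed files.
    """
    try:
        with zipfile.ZipFile(zip_path) as zf:
            return [n for n in zf.namelist()
                    if Path(n).suffix.lower()
                    in INFECTABLE | ARCHIVES_INSPECTED | ARCHIVES_SKIPPED]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]  # corrupt: treat as unsafe, not copy


def classify(path: Path) -> tuple:
    """Return ('copy', reason) or ('skip', reason) for one file."""
    ext = path.suffix.lower()
    if ext in INFECTABLE:
        return "skip", f"{ext} can carry Virut code"
    if ext in ARCHIVES_SKIPPED:
        return "skip", f"{ext} archive cannot be inspected here"
    if ext in ARCHIVES_INSPECTED:
        bad = risky_members(path)
        if bad:
            return "skip", "archive contains " + ", ".join(bad)
        return "copy", "archive holds only data files"
    return "copy", "data file"


def plan_backup(src: Path) -> dict:
    """Walk src and sort every regular file into copy/skip lists."""
    plan = {"copy": [], "skip": []}
    for root, _dirs, files in os.walk(src):
        for name in files:
            p = Path(root) / name
            verdict, reason = classify(p)
            plan[verdict].append((p.relative_to(src).as_posix(), reason))
    return plan


def run_backup(src: Path, dst: Path) -> dict:
    """Copy only the 'copy' entries into dst, preserving the layout."""
    plan = plan_backup(src)
    for rel, _reason in plan["copy"]:
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src / rel, target)
    return plan


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: documents, executables and two archives."""
    (root / "docs").mkdir(parents=True)
    (root / "docs" / "thesis.docx").write_bytes(b"PK..docx")
    (root / "docs" / "notes.txt").write_text("keep me")
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (root / "game.exe").write_bytes(b"MZ")
    (root / "saver.scr").write_bytes(b"MZ")
    (root / "page.html").write_text("<html></html>")
    with zipfile.ZipFile(root / "clean.zip", "w") as zf:
        zf.writestr("report.pdf", b"%PDF")
    with zipfile.ZipFile(root / "tools.zip", "w") as zf:
        zf.writestr("readme.txt", "tools")
        zf.writestr("bin/setup.exe", b"MZ")


def demo() -> dict:
    """Build the sample tree in a temp dir, run the backup, return the plan."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "src", Path(tmp) / "backup"
        build_sample_tree(src)
        plan = run_backup(src, dst)
        # Nothing infectable may reach the backup target.
        for p in dst.rglob("*"):
            assert p.suffix.lower() not in INFECTABLE
        return plan


if __name__ == "__main__":
    for verdict, entries in demo().items():
        for rel, reason in entries:
            print(f"{verdict:4}  {rel:18}  {reason}")
```

On the constructed tree, the documents, the photo and clean.zip are copied; game.exe, saver.scr, page.html and tools.zip (because of bin/setup.exe) are refused. Note that this only enforces the file-type rule from the post; it does not scan file contents, so a data file with a misleading extension still passes, which is why the rebuilt machine should scan the restored backup with an up-to-date AV before trusting it.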

#12 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:09:33 AM

Posted 09 May 2009 - 02:36 PM

Hello.

As the resolution of this issue requires a reformat, and there have been no further questions or comments posted regarding this, the topic will now be closed.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy