Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Running SUPERAntiSpyware causes crash / Multiple Trojan Infections


  • This topic is locked This topic is locked
27 replies to this topic

#1 johnomally

johnomally

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:26 AM

Posted 12 August 2009 - 03:33 PM

Hi

Eight days ago my wife's laptop crashed after running starting a SUPERAntiSpyware scan. Since the crash when I run SUPERAntiSpyware and download updates I get an error message saying THotkey cannot run Powrprof.dll. My firewall, Sunbelt Kerio Personal Firewall also says it cannot connect to service and although the WiFi appears to be connected you cannot connect to anything. Then the blue screen appears and begins a physical memory dump before restarting the laptop. On restarting everything appears to be normal until you run SUPERAntiSpyware again. On one occasion SUPERAntiSpywre also brought up a message saying my home page had been changed before it crashed. Removing and re-installing the program has no effect. I have run several other Anti Virus/Spyware/Malware/Root Kit scans since which have removed some infections but the problem with loading SUPERAntiSpyware remains. A-Squared Free deleted Gen.Trojan!IK in a System Volume Information\_restore file A0059192.exe but it appeared again when running A-Squared in safe mode and deleted it again and hasn't detected it since. Malwarebytes Anti-Malware found one infected file and two infected Registry Data items:
C:\WINDOWS\meta4.exe (Trojan.Agent) -> Quarantined and deleted successfully and two infected Registry Data items:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Subsequent scans haven't detected anything. Dr Web Cure It found 1 infected file:
>C:\WINDOWS\system32\vbwFunctionsVB6.dll infected with Trojan.Siggen.2468 - deleted
Subsequent scans haven't found anything. Panda Anti-Rootkit and Trend Microsystems Rootkit Buster did not detect anything, nor has Avira AntiVir. I can run and update SUPERAntiSpyware in safe mode but it has not detected anything except tracking cookies. I have cleaned the Temporary Files with CCleaner several times and disabled and reenabled System Restore to try and get rid of anything hiding there. Other than the problem with SUPERAntiSpyware the laptop seems to run normally with no popups or suspicious changes and not particularly slower than normal. Not sure if the system is still infected or what else I can do. Hope you can help.

Many thanks, Matt

DDS (Ver_09-07-30.01) - NTFSx86
Run by Matthew at 20:28:33.12 on 12/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.895.278 [GMT 1:00]

AV: ThreatFire *On-access scanning enabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Sunbelt Kerio Personal Firewall *enabled* {E659E0EE-10E6-49B7-8696-60F38D0EB174}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\DLA\DLACTRLW.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Matthew\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [TPSMain] TPSMain.exe
mRun: [TPSODDCtl] TPSODDCtl.exe
mRun: [TFNF5] TFNF5.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [TOSDCR] TOSDCR.EXE
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [DiskeeperSystray] "c:\program files\executive software\diskeeper\DkIcon.exe"
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ATICCC] c:\program files\ati technologies\ati.ace\cli.exe runtime -Delay
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn111\wpn111.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\startf~1.lnk - c:\windows\system32\net.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\notharmful\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\notharmful\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matthew\applic~1\mozilla\firefox\profiles\ilylf7yu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2007-10-18 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2007-10-18 46864]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2004-12-27 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2006-6-22 6144]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-5 11608]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2006-7-18 284184]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2006-7-18 91672]
R1 SASDIFSV;SASDIFSV;c:\program files\notharmful\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\notharmful\SASKUTIL.SYS [2009-8-5 74480]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-8-6 719392]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-5 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-5 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-4 55656]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2006-6-22 14336]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2006-11-24 17149]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2007-10-18 33552]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-6-22 35968]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S3 SASENUM;SASENUM;c:\program files\notharmful\SASENUM.SYS [2009-8-5 7408]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2006-11-24 362944]

=============== Created Last 30 ================

2009-08-11 16:59 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-08-11 16:55 <DIR> --d----- c:\windows\ERUNT
2009-08-11 16:49 <DIR> --d----- C:\SDFix
2009-08-10 21:49 153,104 a------- c:\windows\system32\drivers\tmcomm.sys
2009-08-10 21:49 <DIR> --d----- c:\documents and settings\matthew\log
2009-08-10 07:38 <DIR> --d----- c:\documents and settings\matthew\DoctorWeb
2009-08-10 03:05 <DIR> --d----- c:\program files\NotHarmful
2009-08-10 02:03 1,482 a------- C:\installer.reg
2009-08-10 00:01 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-09 22:29 <DIR> --d----- c:\program files\common files\xing shared
2009-08-09 22:19 <DIR> --d----- c:\program files\common files\DivX Shared
2009-08-09 22:12 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-09 22:12 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-09 21:17 <DIR> --d----- c:\program files\Secunia
2009-08-09 20:58 <DIR> --dsh--- c:\documents and settings\matthew\IECompatCache
2009-08-09 20:57 <DIR> --dsh--- c:\documents and settings\matthew\PrivacIE
2009-08-09 20:54 <DIR> --dsh--- c:\documents and settings\matthew\IETldCache
2009-08-09 20:43 <DIR> --d----- c:\windows\ie8updates
2009-08-09 20:39 <DIR> -cd-h--- c:\windows\ie8
2009-08-09 20:35 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-08-09 20:35 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-08-09 20:33 101,376 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-08-09 19:49 268 a---h--- C:\sqmdata02.sqm
2009-08-09 19:49 244 a---h--- C:\sqmnoopt02.sqm
2009-08-09 19:44 268 a---h--- C:\sqmdata01.sqm
2009-08-09 19:44 244 a---h--- C:\sqmnoopt01.sqm
2009-08-09 12:16 <DIR> --d----- c:\docume~1\matthew\applic~1\Uniblue
2009-08-09 10:38 244 a---h--- C:\sqmnoopt00.sqm
2009-08-09 10:38 232 a---h--- C:\sqmdata00.sqm
2009-08-08 23:28 <DIR> --d----- c:\docume~1\matthew\applic~1\Malwarebytes
2009-08-08 23:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 23:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-08 23:27 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 23:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-08 20:48 11,904 a------- c:\windows\system32\drivers\hitmanpro35.sys
2009-08-08 20:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Hitman Pro
2009-08-08 20:48 <DIR> --d----- c:\program files\Hitman Pro 3.5
2009-08-07 21:22 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-07 21:22 <DIR> --d----- c:\docume~1\matthew\applic~1\SUPERAntiSpyware.com
2009-08-06 23:53 <DIR> --d----- c:\program files\a-squared Free
2009-08-05 23:22 <DIR> --d----- c:\documents and settings\Matthew
2009-08-05 03:56 <DIR> --d----- c:\program files\Avira
2009-08-05 03:43 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-08-05 02:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira(3)
2009-08-05 02:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-08-04 18:52 55,656 a------- c:\windows\system32\drivers\avgntflt.sys

==================== Find3M ====================

2009-08-11 22:00 1,408,694 a------- c:\windows\system32\drivers\fwdrv.err
2009-07-03 18:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-29 17:12 827,392 a------- c:\windows\system32\wininet(2)(2).dll
2009-06-29 17:12 1,159,680 a------- c:\windows\system32\urlmon(2)(2).dll
2009-06-29 17:12 105,984 a------- c:\windows\system32\url(2)(2).dll
2009-06-29 17:12 268,288 a------- c:\windows\system32\iertutil(2)(2).dll
2009-06-19 21:37 46,864 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-06-19 21:37 33,552 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-06-19 21:37 51,984 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-06-17 13:20 12,648 a------- c:\windows\system32\drivers\psi_mf.sys
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll

============= FINISH: 20:31:27.21 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:26 AM

Posted 23 August 2009 - 06:32 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#3 johnomally

johnomally
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:26 AM

Posted 24 August 2009 - 04:58 PM

DDS (Ver_09-07-30.01) - NTFSx86
Run by Matthew at 22:47:49.89 on 24/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.895.329 [GMT 1:00]

AV: ThreatFire *On-access scanning enabled* (Outdated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Sunbelt Kerio Personal Firewall *enabled* {E659E0EE-10E6-49B7-8696-60F38D0EB174}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\DLA\DLACTRLW.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Matthew\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [TPSMain] TPSMain.exe
mRun: [TPSODDCtl] TPSODDCtl.exe
mRun: [TFNF5] TFNF5.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [TOSDCR] TOSDCR.EXE
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [DiskeeperSystray] "c:\program files\executive software\diskeeper\DkIcon.exe"
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ATICCC] c:\program files\ati technologies\ati.ace\cli.exe runtime -Delay
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn111\wpn111.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\startf~1.lnk - c:\windows\system32\net.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\notharmful\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\notharmful\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matthew\applic~1\mozilla\firefox\profiles\ilylf7yu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2007-10-18 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2007-10-18 46864]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2004-12-27 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2006-6-22 6144]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-5 11608]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2006-7-18 284184]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2006-7-18 91672]
R1 SASDIFSV;SASDIFSV;c:\program files\notharmful\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\notharmful\SASKUTIL.SYS [2009-8-5 74480]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-8-6 719392]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-5 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-5 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-4 55656]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2006-6-22 14336]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2007-10-18 33552]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2006-11-24 17149]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-6-22 35968]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S3 SASENUM;SASENUM;c:\program files\notharmful\SASENUM.SYS [2009-8-5 7408]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2006-11-24 362944]

=============== Created Last 30 ================

2009-08-12 21:12 <DIR> --d----- c:\documents and settings\matthew\Pavark
2009-08-12 20:23 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 20:23 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-11 16:59 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-08-11 16:55 <DIR> --d----- c:\windows\ERUNT
2009-08-11 16:49 <DIR> --d----- C:\SDFix
2009-08-10 21:49 153,104 a------- c:\windows\system32\drivers\tmcomm.sys
2009-08-10 21:49 <DIR> --d----- c:\documents and settings\matthew\log
2009-08-10 07:38 <DIR> --d----- c:\documents and settings\matthew\DoctorWeb
2009-08-10 03:05 <DIR> --d----- c:\program files\NotHarmful
2009-08-10 02:03 1,482 a------- C:\installer.reg
2009-08-10 00:01 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-09 22:29 <DIR> --d----- c:\program files\common files\xing shared
2009-08-09 22:19 <DIR> --d----- c:\program files\common files\DivX Shared
2009-08-09 22:12 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-09 22:12 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-09 21:17 <DIR> --d----- c:\program files\Secunia
2009-08-09 20:58 <DIR> --dsh--- c:\documents and settings\matthew\IECompatCache
2009-08-09 20:57 <DIR> --dsh--- c:\documents and settings\matthew\PrivacIE
2009-08-09 20:54 <DIR> --dsh--- c:\documents and settings\matthew\IETldCache
2009-08-09 20:43 <DIR> --d----- c:\windows\ie8updates
2009-08-09 20:39 <DIR> -cd-h--- c:\windows\ie8
2009-08-09 20:35 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-08-09 20:35 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-08-09 20:33 101,376 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-08-09 19:49 268 a---h--- C:\sqmdata02.sqm
2009-08-09 19:49 244 a---h--- C:\sqmnoopt02.sqm
2009-08-09 19:44 268 a---h--- C:\sqmdata01.sqm
2009-08-09 19:44 244 a---h--- C:\sqmnoopt01.sqm
2009-08-09 12:16 <DIR> --d----- c:\docume~1\matthew\applic~1\Uniblue
2009-08-09 10:38 244 a---h--- C:\sqmnoopt00.sqm
2009-08-09 10:38 232 a---h--- C:\sqmdata00.sqm
2009-08-08 23:28 <DIR> --d----- c:\docume~1\matthew\applic~1\Malwarebytes
2009-08-08 23:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 23:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-08 23:27 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 23:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-08 20:48 11,904 a------- c:\windows\system32\drivers\hitmanpro35.sys
2009-08-08 20:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Hitman Pro
2009-08-08 20:48 <DIR> --d----- c:\program files\Hitman Pro 3.5
2009-08-07 21:22 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-07 21:22 <DIR> --d----- c:\docume~1\matthew\applic~1\SUPERAntiSpyware.com
2009-08-06 23:53 <DIR> --d----- c:\program files\a-squared Free
2009-08-05 23:22 <DIR> --d----- c:\documents and settings\Matthew
2009-08-05 10:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-08-05 03:56 <DIR> --d----- c:\program files\Avira
2009-08-05 03:43 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-08-05 02:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira(3)
2009-08-05 02:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-08-04 18:52 55,656 a------- c:\windows\system32\drivers\avgntflt.sys

==================== Find3M ====================

2009-08-11 22:00 1,408,694 a------- c:\windows\system32\drivers\fwdrv.err
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 18:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-29 17:12 827,392 a------- c:\windows\system32\wininet(2)(2).dll
2009-06-29 17:12 1,159,680 a------- c:\windows\system32\urlmon(2)(2).dll
2009-06-29 17:12 105,984 a------- c:\windows\system32\url(2)(2).dll
2009-06-29 17:12 268,288 a------- c:\windows\system32\iertutil(2)(2).dll
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 13:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 15:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 07:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll

============= FINISH: 22:50:56.37 ===============

Attached Files



#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:26 AM

Posted 29 August 2009 - 05:21 PM

Hello johnomally :thumbup2: Welcome to the BC HijackThis Log and Analysis forum. Sorry about your wait, but I will be assisting you in cleaning up your system from here on out.


I ask that you refrain from running tools other than those we suggest while we are performing the clean-up. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond the your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.


I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and I would suggest you removing ThreatFire since it is showing as outdated anyway.


I need to get a little different look at your system so please perform the following:


We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Please do not post any logs as an attachment unless asked to do so.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 johnomally

johnomally
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:26 AM

Posted 30 August 2009 - 02:45 PM

Hi,

Thanks very much for your help. I've deinstalled Threatfire as instructed. Here are the results of the GMER scan:

GMER 1.0.15.15077 [pl7plz52.exe] - http://www.gmer.net
Rootkit scan 2009-08-30 20:40:30
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwClose [0xEDF9A110]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwCreateFile [0xEDF99920]
SSDT F7B9CB6E ZwCreateKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwCreateProcess [0xEDF98F20]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwCreateProcessEx [0xEDF98D90]
SSDT F7B9CB64 ZwCreateThread
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwDeleteFile [0xEDF9A190]
SSDT F7B9CB73 ZwDeleteKey
SSDT F7B9CB7D ZwDeleteValueKey
SSDT \SystemRoot\system32\drivers\khips.sys (Sunbelt Kerio Host Intrusion Prevention Driver/Sunbelt Software) ZwLoadDriver [0xEDDB19A0]
SSDT F7B9CB82 ZwLoadKey
SSDT \SystemRoot\system32\drivers\khips.sys (Sunbelt Kerio Host Intrusion Prevention Driver/Sunbelt Software) ZwMapViewOfSection [0xEDDB1B30]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwOpenFile [0xEDF99BF0]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwOpenKey [0xEDF96140]
SSDT F7B9CB50 ZwOpenProcess
SSDT F7B9CB55 ZwOpenThread
SSDT F7B9CB8C ZwReplaceKey
SSDT F7B9CB87 ZwRestoreKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwResumeThread [0xEDF99510]
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwSetInformationFile [0xEDF99F00]
SSDT F7B9CB78 ZwSetValueKey
SSDT F7B9CB5F ZwTerminateProcess
SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwWriteFile [0xEDF99E50]

---- Kernel code sections - GMER 1.0.15 ----

PAGENDSM NDIS.sys!NdisMIndicateStatus F73E89EF 6 Bytes JMP EDF8DED0 \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[200] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000301A8
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[200] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00030090
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[200] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00030694
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[200] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000302C0
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[200] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00030234
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[200] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00030004
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[200] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0003011C
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[200] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000304F0
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[200] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0003057C
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[200] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000303D8
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[200] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0003034C
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[200] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00030464
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[200] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00030608
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[200] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000307AC
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[200] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00030720
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[200] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000308C4
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[200] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00030838
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[200] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00030950
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[200] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 00030F54
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[200] WININET.dll!InternetConnectW 3D94F862 5 Bytes JMP 00030FE0
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[200] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00030D24
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[200] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00030DB0
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[200] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00030E3C
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[200] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00030EC8
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[540] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[540] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[540] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[540] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[540] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[540] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[540] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[540] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[540] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[540] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[540] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[540] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[540] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[540] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[540] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[540] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001308C4
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[540] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00130838
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[540] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00130950
.text C:\WINDOWS\system32\ThpSrv.exe[544] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\ThpSrv.exe[544] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\ThpSrv.exe[544] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\ThpSrv.exe[544] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\ThpSrv.exe[544] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\ThpSrv.exe[544] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\ThpSrv.exe[544] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\ThpSrv.exe[544] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\ThpSrv.exe[544] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\ThpSrv.exe[544] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\ThpSrv.exe[544] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\ThpSrv.exe[544] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\ThpSrv.exe[544] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\ThpSrv.exe[544] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\ThpSrv.exe[544] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\TPSMain.exe[604] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\TPSMain.exe[604] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\TPSMain.exe[604] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\TPSMain.exe[604] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\TPSMain.exe[604] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\TPSMain.exe[604] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\TPSMain.exe[604] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\TPSMain.exe[604] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\TPSMain.exe[604] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\TPSMain.exe[604] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\TPSMain.exe[604] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\TPSMain.exe[604] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\TPSMain.exe[604] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\TPSMain.exe[604] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\TPSMain.exe[604] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\TFNF5.exe[648] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\TFNF5.exe[648] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\TFNF5.exe[648] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\TFNF5.exe[648] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\TFNF5.exe[648] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\TFNF5.exe[648] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\TFNF5.exe[648] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\TFNF5.exe[648] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\TFNF5.exe[648] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\TFNF5.exe[648] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\TFNF5.exe[648] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\TFNF5.exe[648] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\TFNF5.exe[648] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\TFNF5.exe[648] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\TFNF5.exe[648] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\Program Files\TOSHIBA\TouchED\TouchED.Exe[684] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\TOSHIBA\TouchED\TouchED.Exe[684] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\TOSHIBA\TouchED\TouchED.Exe[684] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\TOSHIBA\TouchED\TouchED.Exe[684] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\TOSHIBA\TouchED\TouchED.Exe[684] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\TOSHIBA\TouchED\TouchED.Exe[684] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\TOSHIBA\TouchED\TouchED.Exe[684] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\TOSHIBA\TouchED\TouchED.Exe[684] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\TOSHIBA\TouchED\TouchED.Exe[684] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\TOSHIBA\TouchED\TouchED.Exe[684] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\TOSHIBA\TouchED\TouchED.Exe[684] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\TOSHIBA\TouchED\TouchED.Exe[684] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\TOSHIBA\TouchED\TouchED.Exe[684] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\TOSHIBA\TouchED\TouchED.Exe[684] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\TOSHIBA\TouchED\TouchED.Exe[684] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\csrss.exe[688] KERNEL32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001601A8
.text C:\WINDOWS\system32\csrss.exe[688] KERNEL32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00160090
.text C:\WINDOWS\system32\csrss.exe[688] KERNEL32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00160694
.text C:\WINDOWS\system32\csrss.exe[688] KERNEL32.dll!CreateProcessW 7C802336 5 Bytes JMP 001602C0
.text C:\WINDOWS\system32\csrss.exe[688] KERNEL32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00160234
.text C:\WINDOWS\system32\csrss.exe[688] KERNEL32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00160004
.text C:\WINDOWS\system32\csrss.exe[688] KERNEL32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0016011C
.text C:\WINDOWS\system32\csrss.exe[688] KERNEL32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001604F0
.text C:\WINDOWS\system32\csrss.exe[688] KERNEL32.dll!CreateThread 7C8106D7 5 Bytes JMP 0016057C
.text C:\WINDOWS\system32\csrss.exe[688] KERNEL32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001603D8
.text C:\WINDOWS\system32\csrss.exe[688] KERNEL32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0016034C
.text C:\WINDOWS\system32\csrss.exe[688] KERNEL32.dll!WinExec 7C86250D 5 Bytes JMP 00160464
.text C:\WINDOWS\system32\csrss.exe[688] KERNEL32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00160608
.text C:\WINDOWS\system32\csrss.exe[688] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001607AC
.text C:\WINDOWS\system32\csrss.exe[688] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00160720
.text C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe[692] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe[692] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe[692] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe[692] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe[692] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe[692] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe[692] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe[692] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe[692] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe[692] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe[692] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe[692] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe[692] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe[692] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe[692] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000701A8
.text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070090
.text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00070694
.text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000702C0
.text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070234
.text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00070004
.text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0007011C
.text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000704F0
.text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0007057C
.text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000703D8
.text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0007034C
.text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070464
.text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00070608
.text C:\WINDOWS\system32\winlogon.exe[716] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000707AC
.text C:\WINDOWS\system32\winlogon.exe[716] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00070720
.text C:\WINDOWS\system32\winlogon.exe[716] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000708C4
.text C:\WINDOWS\system32\winlogon.exe[716] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00070838
.text C:\WINDOWS\system32\winlogon.exe[716] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00070950
.text C:\WINDOWS\system32\winlogon.exe[716] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 00070F54
.text C:\WINDOWS\system32\winlogon.exe[716] WININET.dll!InternetConnectW 3D94F862 5 Bytes JMP 00070FE0
.text C:\WINDOWS\system32\winlogon.exe[716] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00070D24
.text C:\WINDOWS\system32\winlogon.exe[716] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00070DB0
.text C:\WINDOWS\system32\winlogon.exe[716] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00070E3C
.text C:\WINDOWS\system32\winlogon.exe[716] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00070EC8
.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\services.exe[760] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\services.exe[760] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\lsass.exe[772] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\lsass.exe[772] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\lsass.exe[772] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\lsass.exe[772] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\lsass.exe[772] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\Ati2evxx.exe[944] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\Ati2evxx.exe[944] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\Ati2evxx.exe[944] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\Ati2evxx.exe[944] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\Ati2evxx.exe[944] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\Ati2evxx.exe[944] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\Ati2evxx.exe[944] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\Ati2evxx.exe[944] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\Ati2evxx.exe[944] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\Ati2evxx.exe[944] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\Ati2evxx.exe[944] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\Ati2evxx.exe[944] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\Ati2evxx.exe[944] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\Ati2evxx.exe[944] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\Ati2evxx.exe[944] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[956] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[956] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[956] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[956] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[956] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\00THotkey.exe[968] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\00THotkey.exe[968] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\00THotkey.exe[968] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\00THotkey.exe[968] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\00THotkey.exe[968] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\00THotkey.exe[968] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\00THotkey.exe[968] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\00THotkey.exe[968] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\00THotkey.exe[968] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\00THotkey.exe[968] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\00THotkey.exe[968] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\00THotkey.exe[968] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\00THotkey.exe[968] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\00THotkey.exe[968] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\00THotkey.exe[968] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\DLA\DLACTRLW.EXE[1024] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\DLA\DLACTRLW.EXE[1024] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\DLA\DLACTRLW.EXE[1024] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\DLA\DLACTRLW.EXE[1024] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\DLA\DLACTRLW.EXE[1024] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\DLA\DLACTRLW.EXE[1024] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\DLA\DLACTRLW.EXE[1024] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\DLA\DLACTRLW.EXE[1024] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\DLA\DLACTRLW.EXE[1024] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\DLA\DLACTRLW.EXE[1024] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\DLA\DLACTRLW.EXE[1024] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\DLA\DLACTRLW.EXE[1024] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\DLA\DLACTRLW.EXE[1024] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\DLA\DLACTRLW.EXE[1024] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\DLA\DLACTRLW.EXE[1024] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1044] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1044] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1044] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1044] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1044] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00080950
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\svchost.exe[1084] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\svchost.exe[1084] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\svchost.exe[1084] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\svchost.exe[1084] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\svchost.exe[1084] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00080950
.text C:\WINDOWS\System32\svchost.exe[1084] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 00080F54
.text C:\WINDOWS\System32\svchost.exe[1084] WININET.dll!InternetConnectW 3D94F862 5 Bytes JMP 00080FE0
.text C:\WINDOWS\System32\svchost.exe[1084] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00080D24
.text C:\WINDOWS\System32\svchost.exe[1084] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00080DB0
.text C:\WINDOWS\System32\svchost.exe[1084] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00080E3C
.text C:\WINDOWS\System32\svchost.exe[1084] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00080EC8
.text C:\Documents and Settings\Matthew\Desktop\pl7plz52.exe[1108] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Documents and Settings\Matthew\Desktop\pl7plz52.exe[1108] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Documents and Settings\Matthew\Desktop\pl7plz52.exe[1108] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Documents and Settings\Matthew\Desktop\pl7plz52.exe[1108] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Documents and Settings\Matthew\Desktop\pl7plz52.exe[1108] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Documents and Settings\Matthew\Desktop\pl7plz52.exe[1108] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Documents and Settings\Matthew\Desktop\pl7plz52.exe[1108] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Documents and Settings\Matthew\Desktop\pl7plz52.exe[1108] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Documents and Settings\Matthew\Desktop\pl7plz52.exe[1108] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Documents and Settings\Matthew\Desktop\pl7plz52.exe[1108] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Documents and Settings\Matthew\Desktop\pl7plz52.exe[1108] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Documents and Settings\Matthew\Desktop\pl7plz52.exe[1108] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Documents and Settings\Matthew\Desktop\pl7plz52.exe[1108] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Documents and Settings\Matthew\Desktop\pl7plz52.exe[1108] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Documents and Settings\Matthew\Desktop\pl7plz52.exe[1108] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1112] KERNEL32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1112] KERNEL32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1112] KERNEL32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1112] KERNEL32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1112] KERNEL32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1112] KERNEL32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1112] KERNEL32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1112] KERNEL32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1112] KERNEL32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1112] KERNEL32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1112] KERNEL32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1112] KERNEL32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1112] KERNEL32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1112] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1112] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1112] ws2_32.dll!socket 71AB4211 5 Bytes JMP 001308C4
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1112] ws2_32.dll!bind 71AB4480 5 Bytes JMP 00130838
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1112] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 00130950
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1112] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 00130F54
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1112] WININET.dll!InternetConnectW 3D94F862 5 Bytes JMP 00130FE0
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1112] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00130D24
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1112] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00130DB0
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1112] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00130E3C
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1112] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00130EC8
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1116] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1116] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1152] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1152] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1176] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1176] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1176] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1176] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1176] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1176] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1176] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1176] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1176] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1176] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1176] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1176] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1176] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1176] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1176] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1308] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1308] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1308] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1308] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1308] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00080950
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 00130F54
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] WININET.dll!InternetConnectW 3D94F862 5 Bytes JMP 00130FE0
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00130D24
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00130DB0
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00130E3C
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00130EC8
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] ws2_32.dll!socket 71AB4211 5 Bytes JMP 001308C4
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] ws2_32.dll!bind 71AB4480 5 Bytes JMP 00130838
.text C:\Program Files\Java\jre6\bin\jusched.exe[1336] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 00130950
.text C:\WINDOWS\system32\TPSBattM.exe[1364] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\TPSBattM.exe[1364] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\TPSBattM.exe[1364] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\TPSBattM.exe[1364] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\TPSBattM.exe[1364] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\TPSBattM.exe[1364] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\TPSBattM.exe[1364] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\TPSBattM.exe[1364] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\TPSBattM.exe[1364] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\TPSBattM.exe[1364] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\TPSBattM.exe[1364] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\TPSBattM.exe[1364] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\TPSBattM.exe[1364] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\TPSBattM.exe[1364] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\TPSBattM.exe[1364] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1428] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1428] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1428] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1428] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1428] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00080950
.text C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe[1472] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe[1472] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe[1472] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe[1472] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe[1472] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe[1472] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe[1472] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe[1472] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe[1472] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe[1472] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe[1472] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe[1472] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe[1472] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe[1472] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe[1472] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\ctfmon.exe[1508] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\ctfmon.exe[1508] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\ctfmon.exe[1508] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\ctfmon.exe[1508] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\ctfmon.exe[1508] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\ctfmon.exe[1508] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\ctfmon.exe[1508] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\ctfmon.exe[1508] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\ctfmon.exe[1508] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\ctfmon.exe[1508] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\ctfmon.exe[1508] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\ctfmon.exe[1508] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\ctfmon.exe[1508] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\ctfmon.exe[1508] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\ctfmon.exe[1508] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\Program Files\a-squared Free\a2service.exe[1540] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\a-squared Free\a2service.exe[1540] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\a-squared Free\a2service.exe[1540] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\a-squared Free\a2service.exe[1540] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\a-squared Free\a2service.exe[1540] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\a-squared Free\a2service.exe[1540] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\a-squared Free\a2service.exe[1540] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\a-squared Free\a2service.exe[1540] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\a-squared Free\a2service.exe[1540] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\a-squared Free\a2service.exe[1540] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\a-squared Free\a2service.exe[1540] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\a-squared Free\a2service.exe[1540] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\a-squared Free\a2service.exe[1540] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\a-squared Free\a2service.exe[1540] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\a-squared Free\a2service.exe[1540] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\Program Files\a-squared Free\a2service.exe[1540] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001308C4
.text C:\Program Files\a-squared Free\a2service.exe[1540] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00130838
.text C:\Program Files\a-squared Free\a2service.exe[1540] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00130950
.text C:\WINDOWS\system32\spoolsv.exe[1588] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\spoolsv.exe[1588] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\spoolsv.exe[1588] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\spoolsv.exe[1588] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\spoolsv.exe[1588] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\spoolsv.exe[1588] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\spoolsv.exe[1588] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\spoolsv.exe[1588] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\spoolsv.exe[1588] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\spoolsv.exe[1588] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\spoolsv.exe[1588] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\spoolsv.exe[1588] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\spoolsv.exe[1588] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\spoolsv.exe[1588] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\spoolsv.exe[1588] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\spoolsv.exe[1588] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\spoolsv.exe[1588] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\spoolsv.exe[1588] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00080950
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1644] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1644] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1644] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1644] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1644] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1644] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1644] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1644] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1644] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1644] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1644] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1644] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1644] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1644] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1644] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1644] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001308C4
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1644] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00130838
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1644] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00130950
.text C:\Program Files\NETGEAR\WPN111\wpn111.exe[1696] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\NETGEAR\WPN111\wpn111.exe[1696] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\NETGEAR\WPN111\wpn111.exe[1696] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\NETGEAR\WPN111\wpn111.exe[1696] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\NETGEAR\WPN111\wpn111.exe[1696] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\NETGEAR\WPN111\wpn111.exe[1696] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\NETGEAR\WPN111\wpn111.exe[1696] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\NETGEAR\WPN111\wpn111.exe[1696] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\NETGEAR\WPN111\wpn111.exe[1696] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\NETGEAR\WPN111\wpn111.exe[1696] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\NETGEAR\WPN111\wpn111.exe[1696] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\NETGEAR\WPN111\wpn111.exe[1696] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\NETGEAR\WPN111\wpn111.exe[1696] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\NETGEAR\WPN111\wpn111.exe[1696] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001308C4
.text C:\Program Files\NETGEAR\WPN111\wpn111.exe[1696] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00130838
.text C:\Program Files\NETGEAR\WPN111\wpn111.exe[1696] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00130950
.text C:\Program Files\NETGEAR\WPN111\wpn111.exe[1696] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\NETGEAR\WPN111\wpn111.exe[1696] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1808] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1808] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1808] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1808] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1808] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1808] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1808] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1808] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1808] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1808] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1808] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1808] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1808] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1808] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1808] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1808] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001308C4
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1808] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00130838
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1808] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00130950
.text C:\Program Files\Java\jre6\bin\jqs.exe[1844] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Java\jre6\bin\jqs.exe[1844] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Java\jre6\bin\jqs.exe[1844] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Java\jre6\bin\jqs.exe[1844] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Java\jre6\bin\jqs.exe[1844] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Java\jre6\bin\jqs.exe[1844] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\Java\jre6\bin\jqs.exe[1844] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1844] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\Java\jre6\bin\jqs.exe[1844] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1844] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\Java\jre6\bin\jqs.exe[1844] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1844] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\Java\jre6\bin\jqs.exe[1844] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\Java\jre6\bin\jqs.exe[1844] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001308C4
.text C:\Program Files\Java\jre6\bin\jqs.exe[1844] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00130838
.text C:\Program Files\Java\jre6\bin\jqs.exe[1844] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00130950
.text C:\Program Files\Java\jre6\bin\jqs.exe[1844] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\Java\jre6\bin\jqs.exe[1844] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\CTsvcCDA.exe[1872] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\CTsvcCDA.exe[1872] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\CTsvcCDA.exe[1872] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\CTsvcCDA.exe[1872] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\CTsvcCDA.exe[1872] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\CTsvcCDA.exe[1872] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\CTsvcCDA.exe[1872] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\CTsvcCDA.exe[1872] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\CTsvcCDA.exe[1872] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\CTsvcCDA.exe[1872] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\CTsvcCDA.exe[1872] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\CTsvcCDA.exe[1872] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\CTsvcCDA.exe[1872] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\CTsvcCDA.exe[1872] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\CTsvcCDA.exe[1872] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\Ati2evxx.exe[1876] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\Ati2evxx.exe[1876] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\Ati2evxx.exe[1876] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\Ati2evxx.exe[1876] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\Ati2evxx.exe[1876] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\Ati2evxx.exe[1876] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\Ati2evxx.exe[1876] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\Ati2evxx.exe[1876] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\Ati2evxx.exe[1876] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\Ati2evxx.exe[1876] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\Ati2evxx.exe[1876] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\Ati2evxx.exe[1876] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\Ati2evxx.exe[1876] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\Ati2evxx.exe[1876] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\Ati2evxx.exe[1876] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[1888] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[1888] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[1888] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[1888] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[1888] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[1888] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[1888] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[1888] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[1888] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[1888] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[1888] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[1888] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[1888] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[1888] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[1888] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[1888] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 00130F54
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[1888] WININET.dll!InternetConnectW 3D94F862 5 Bytes JMP 00130FE0
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[1888] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00130D24
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[1888] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00130DB0
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[1888] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00130E3C
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[1888] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00130EC8
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[1888] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001308C4
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[1888] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00130838
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[1888] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00130950
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1940] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1940] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1940] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 00080F54
.text C:\WINDOWS\system32\svchost.exe[1940] WININET.dll!InternetConnectW 3D94F862 5 Bytes JMP 00080FE0
.text C:\WINDOWS\system32\svchost.exe[1940] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00080D24
.text C:\WINDOWS\system32\svchost.exe[1940] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00080DB0
.text C:\WINDOWS\system32\svchost.exe[1940] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00080E3C
.text C:\WINDOWS\system32\svchost.exe[1940] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00080EC8
.text C:\WINDOWS\system32\svchost.exe[1940] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1940] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1940] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00080950
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1976] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1976] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1976] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1976] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1976] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1976] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1976] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1976] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1976] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1976] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1976] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1976] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1976] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1976] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1976] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1976] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001308C4
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1976] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00130838
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1976] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00130950
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\Explorer.EXE[2016] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\Explorer.EXE[2016] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\Explorer.EXE[2016] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 00080F54
.text C:\WINDOWS\Explorer.EXE[2016] WININET.dll!InternetConnectW 3D94F862 5 Bytes JMP 00080FE0
.text C:\WINDOWS\Explorer.EXE[2016] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00080D24
.text C:\WINDOWS\Explorer.EXE[2016] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00080DB0
.text C:\WINDOWS\Explorer.EXE[2016] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00080E3C
.text C:\WINDOWS\Explorer.EXE[2016] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00080EC8
.text C:\WINDOWS\Explorer.EXE[2016] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\Explorer.EXE[2016] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00080838
.text C:\WINDOWS\Explorer.EXE[2016] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2368] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2368] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2368] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2368] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2368] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2368] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2368] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2368] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2368] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2368] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2368] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2368] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2368] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2368] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2368] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2368] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2368] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2368] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00080950
.text C:\WINDOWS\System32\alg.exe[2472] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\alg.exe[2472] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\alg.exe[2472] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\alg.exe[2472] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\alg.exe[2472] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\alg.exe[2472] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\alg.exe[2472] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\alg.exe[2472] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\alg.exe[2472] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\alg.exe[2472] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\alg.exe[2472] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\alg.exe[2472] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\alg.exe[2472] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\alg.exe[2472] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\alg.exe[2472] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\alg.exe[2472] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\alg.exe[2472] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\alg.exe[2472] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00080950
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[2956] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[2956] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[2956] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[2956] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[2956] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[2956] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[2956] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[2956] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[2956] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[2956] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[2956] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[2956] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[2956] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[2956] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[2956] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[2956] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001308C4
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[2956] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00130838
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[2956] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00130950
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3224] KERNEL32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3224] KERNEL32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3224] KERNEL32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3224] KERNEL32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3224] KERNEL32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3224] KERNEL32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3224] KERNEL32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3224] KERNEL32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3224] KERNEL32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3224] KERNEL32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3224] KERNEL32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3224] KERNEL32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3224] KERNEL32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3224] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3224] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3224] ws2_32.dll!socket 71AB4211 5 Bytes JMP 001308C4
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3224] ws2_32.dll!bind 71AB4480 5 Bytes JMP 00130838
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3224] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 00130950
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3232] KERNEL32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3232] KERNEL32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3232] KERNEL32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3232] KERNEL32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3232] KERNEL32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3232] KERNEL32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3232] KERNEL32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3232] KERNEL32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3232] KERNEL32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3232] KERNEL32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3232] KERNEL32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3232] KERNEL32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3232] KERNEL32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3232] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3232] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3232] ws2_32.dll!socket 71AB4211 5 Bytes JMP 001308C4
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3232] ws2_32.dll!bind 71AB4480 5 Bytes JMP 00130838
.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3232] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 00130950
.text C:\WINDOWS\system32\wuauclt.exe[3544] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\wuauclt.exe[3544] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\wuauclt.exe[3544] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\wuauclt.exe[3544] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\wuauclt.exe[3544] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\wuauclt.exe[3544] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\wuauclt.exe[3544] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\wuauclt.exe[3544] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\wuauclt.exe[3544] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\wuauclt.exe[3544] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\wuauclt.exe[3544] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\wuauclt.exe[3544] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\wuauclt.exe[3544] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\wuauclt.exe[3544] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\wuauclt.exe[3544] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\wuauclt.exe[3544] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\wuauclt.exe[3544] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\wuauclt.exe[3544] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00080950

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [EDF8DCE0] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EDF8DD00] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [EDF8DD90] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisRegisterProtocol] [EDF8DD90] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisDeregisterProtocol] [EDF8DDC0] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisCloseAdapter] [EDF8DCE0] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisOpenAdapter] [EDF8DD00] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [EDF8DDC0] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [EDF8DD90] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [EDF8DD00] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [EDF8DCE0] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisDeregisterProtocol] [EDF8DDC0] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisCloseAdapter] [EDF8DCE0] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisOpenAdapter] [EDF8DD00] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisRegisterProtocol] [EDF8DD90] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [EDF8DD90] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [EDF8DDC0] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [EDF8DCE0] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [EDF8DD00] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\a-squared Free\a2service.exe[1540] @ C:\WINDOWS\system32\advapi32.dll [KERNEL32.dll!CreateThread] [00454890] C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
IAT C:\Program Files\a-squared Free\a2service.exe[1540] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [00454890] C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
IAT C:\Program Files\a-squared Free\a2service.exe[1540] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateThread] [00454890] C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
IAT C:\Program Files\a-squared Free\a2service.exe[1540] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateThread] [00454890] C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
IAT C:\Program Files\a-squared Free\a2service.exe[1540] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateThread] [00454890] C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
IAT C:\Program Files\a-squared Free\a2service.exe[1540] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [00454890] C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
IAT C:\Program Files\a-squared Free\a2service.exe[1540] @ C:\WINDOWS\system32\crypt32.dll [KERNEL32.dll!CreateThread] [00454890] C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
IAT C:\Program Files\a-squared Free\a2service.exe[1540] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [00454890] C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
IAT C:\Program Files\a-squared Free\a2service.exe[1540] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!CreateThread] [00454890] C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
IAT C:\Program Files\a-squared Free\a2service.exe[1540] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!CreateThread] [00454890] C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Udp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\RawIp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@DownloadExpirationTime 2009-08-30 17:32:59

---- EOF - GMER 1.0.15 ----

Cheers for looking into this, Matt

#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:26 AM

Posted 30 August 2009 - 06:17 PM

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#7 johnomally

johnomally
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:26 AM

Posted 01 September 2009 - 04:56 PM

Hi

I have downloaded combofix to my desktop and disabled Avira AntiVir. However, when I run combofix it says that ThreatFire is still running. I have doublechecked and it has definitely been deinstalled from the computer. I removed it via Add/Remove Programs on the Control Panel. I don't want to risk any damage to the computer. Is it safe to run combofix?

#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:26 AM

Posted 01 September 2009 - 05:47 PM

Probably just reading it out of WMI where it gets it's info. Go ahead and run it, shouldn't be a problem.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#9 johnomally

johnomally
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:26 AM

Posted 01 September 2009 - 06:24 PM

ComboFix 09-09-01.04 - Matthew 02/09/2009 0:08.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.895.571 [GMT 1:00]
Running from: c:\documents and settings\Matthew\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ThreatFire *On-access scanning enabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Sunbelt Kerio Personal Firewall *enabled* {E659E0EE-10E6-49B7-8696-60F38D0EB174}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\6bd4c.msp
c:\windows\Installer\6bd52.msp
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000009_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2009-08-01 to 2009-09-01 )))))))))))))))))))))))))))))))
.

2009-08-12 20:12 . 2009-08-12 20:12 -------- d-----w- c:\documents and settings\Matthew\Pavark
2009-08-12 19:23 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 16:46 . 2009-08-11 17:05 -------- d-----w- c:\documents and settings\Emma\DoctorWeb
2009-08-11 16:28 . 2009-08-11 16:28 -------- d-----w- c:\documents and settings\Emma\Application Data\Malwarebytes
2009-08-11 16:25 . 2009-08-11 16:25 -------- d-sh--w- c:\documents and settings\Emma\IETldCache
2009-08-11 15:59 . 2009-08-11 15:59 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-08-11 15:55 . 2009-08-11 15:56 -------- d-----w- c:\windows\ERUNT
2009-08-11 15:49 . 2009-08-11 16:14 -------- d-----w- C:\SDFix
2009-08-10 20:49 . 2009-08-10 20:49 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-10 20:49 . 2009-08-10 20:49 -------- d-----w- c:\documents and settings\Matthew\log
2009-08-10 06:38 . 2009-08-12 20:04 -------- d-----w- c:\documents and settings\Matthew\DoctorWeb
2009-08-10 02:06 . 2009-08-11 21:40 117760 ----a-w- c:\documents and settings\Matthew\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-10 02:05 . 2009-08-11 20:57 -------- d-----w- c:\program files\NotHarmful
2009-08-10 01:19 . 2009-08-10 01:19 -------- d-----w- c:\documents and settings\Matthew\Application Data\DivX
2009-08-10 01:03 . 2009-08-10 01:01 1482 ----a-w- C:\installer.reg
2009-08-09 23:01 . 2009-08-09 23:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-09 21:29 . 2009-08-09 21:29 -------- d-----w- c:\program files\Common Files\xing shared
2009-08-09 21:25 . 2009-08-09 21:25 390664 ----a-w- c:\documents and settings\Matthew\Application Data\Real\RealPlayer\setup\AU_setup.exe
2009-08-09 21:19 . 2009-08-09 21:19 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-09 21:15 . 2008-04-14 00:11 200704 ----a-w- c:\documents and settings\Emma\Application Data\Creative\Media Database\JetFileBackup\msadox.dll
2009-08-09 21:12 . 2009-08-09 21:11 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-09 21:11 . 2009-08-09 21:11 -------- d-----w- c:\program files\Java
2009-08-09 21:10 . 2009-08-09 21:10 152576 ----a-w- c:\documents and settings\Matthew\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-09 21:03 . 2009-08-09 21:03 -------- d-----w- c:\documents and settings\Matthew\Application Data\vlc
2009-08-09 20:48 . 2009-08-09 20:48 -------- d-----w- c:\documents and settings\Matthew\Local Settings\Application Data\Last.fm
2009-08-09 20:24 . 2009-08-09 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-09 20:24 . 2009-08-09 20:42 -------- d-----w- c:\program files\NOS
2009-08-09 20:17 . 2009-08-09 20:17 -------- d-----w- c:\program files\Secunia
2009-08-09 20:04 . 2009-08-09 20:04 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-09 19:58 . 2009-08-09 19:58 -------- d-sh--w- c:\documents and settings\Matthew\IECompatCache
2009-08-09 19:57 . 2009-08-09 19:57 -------- d-sh--w- c:\documents and settings\Matthew\PrivacIE
2009-08-09 19:54 . 2009-08-09 19:54 -------- d-sh--w- c:\documents and settings\Matthew\IETldCache
2009-08-09 19:43 . 2009-08-09 19:43 -------- d-----w- c:\windows\ie8updates
2009-08-09 19:39 . 2009-08-09 19:42 -------- dc-h--w- c:\windows\ie8
2009-08-09 19:35 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-09 19:35 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-09 19:33 . 2009-07-01 07:08 101376 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-09 11:16 . 2009-08-09 11:16 -------- d-----w- c:\documents and settings\Matthew\Application Data\Uniblue
2009-08-08 22:28 . 2009-08-08 22:28 -------- d-----w- c:\documents and settings\Matthew\Application Data\Malwarebytes
2009-08-08 22:27 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 22:27 . 2009-08-08 22:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 22:27 . 2009-08-08 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-08 22:27 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-08 19:48 . 2009-09-01 21:24 11904 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2009-08-08 19:48 . 2009-08-08 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2009-08-08 19:48 . 2009-08-08 19:48 -------- d-----w- c:\program files\Hitman Pro 3.5
2009-08-08 06:05 . 2009-08-08 06:26 -------- d-----w- c:\documents and settings\Emma\Pavark
2009-08-07 21:30 . 2009-08-07 21:31 117760 ----a-w- c:\documents and settings\Administrator.BARNEY.000\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-07 21:29 . 2009-08-07 21:29 -------- d-----w- c:\documents and settings\Administrator.BARNEY.000\Application Data\SUPERAntiSpyware.com
2009-08-07 20:55 . 2009-08-11 20:58 117760 ----a-w- c:\documents and settings\Emma\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-07 20:22 . 2009-08-09 18:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-07 20:22 . 2009-08-10 02:05 -------- d-----w- c:\documents and settings\Matthew\Application Data\SUPERAntiSpyware.com
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-05 02:56 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-08-05 02:56 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-08-05 02:56 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-08-05 02:56 . 2009-08-05 02:56 -------- d-----w- c:\program files\Avira
2009-08-05 02:43 . 2009-08-05 02:43 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-05 01:49 . 2009-08-05 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira(3)
2009-08-05 01:20 . 2009-08-05 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-08-04 17:52 . 2009-08-05 19:26 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-30 17:25 . 2007-10-18 22:34 -------- d-----w- c:\program files\ThreatFire
2009-08-30 17:22 . 2007-10-18 22:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-12 19:40 . 2009-08-06 22:53 -------- d-----w- c:\program files\a-squared Free
2009-08-11 21:00 . 2007-07-06 19:26 1408694 ----a-w- c:\windows\system32\drivers\fwdrv.err
2009-08-09 22:54 . 2008-01-20 15:09 -------- d-----w- c:\program files\CCleaner
2009-08-09 21:48 . 2007-10-18 21:45 -------- d-----w- c:\program files\SpywareBlaster
2009-08-09 21:29 . 2006-08-28 16:25 -------- d-----w- c:\program files\Common Files\Real
2009-08-09 21:20 . 2008-09-24 15:35 -------- d-----w- c:\program files\DivX
2009-08-09 21:17 . 2009-08-09 21:16 -------- d-----w- c:\documents and settings\Matthew\Application Data\Creative
2009-08-09 20:55 . 2007-03-28 12:54 -------- d-----w- c:\program files\Winamp
2009-08-09 20:52 . 2008-09-27 10:56 683801 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\UninstWMP\unins000.exe
2009-08-09 20:52 . 2008-09-27 10:56 683801 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\UninstWA\unins000.exe
2009-08-09 09:50 . 2008-03-18 08:50 -------- d-----w- c:\program files\Windows Live Toolbar
2009-08-05 22:24 . 2009-08-05 22:22 76856 ----a-w- c:\documents and settings\Matthew\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 22:23 . 2009-08-05 22:22 130 ----a-w- c:\documents and settings\Matthew\Local Settings\Application Data\fusioncache.dat
2009-08-05 20:52 . 2008-08-27 21:46 -------- d-----w- c:\documents and settings\Emma\Application Data\SUPERAntiSpyware.com
2009-08-05 09:01 . 2006-06-22 05:55 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 02:43 . 2008-03-04 17:23 -------- d-----w- c:\program files\Kontiki
2009-08-05 02:40 . 2007-10-02 16:36 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-05 02:20 . 2008-03-04 17:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-07-17 19:01 . 2006-06-22 05:55 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2006-06-22 05:56 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 15:50 . 2008-10-04 19:58 -------- d-----w- c:\documents and settings\Emma\Application Data\dvdcss
2009-07-03 17:09 . 2006-06-22 05:56 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-06-22 05:56 827392 ----a-w- c:\windows\system32\wininet(2)(2).dll
2009-06-29 16:12 . 2006-06-22 05:56 1159680 ----a-w- c:\windows\system32\urlmon(2)(2).dll
2009-06-29 16:12 . 2006-06-22 05:56 105984 ----a-w- c:\windows\system32\url(2)(2).dll
2009-06-29 16:12 . 2006-10-17 11:57 268288 ----a-w- c:\windows\system32\iertutil(2)(2).dll
2009-06-25 08:25 . 2006-06-22 05:56 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2006-06-22 05:55 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2006-06-22 05:55 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2006-06-22 05:55 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2006-06-22 05:55 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2006-06-22 05:55 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2006-06-22 05:55 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-17 12:20 . 2009-06-17 12:20 12648 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2009-06-16 14:36 . 2006-06-22 05:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-06-22 05:55 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2006-06-22 05:56 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2006-06-22 05:55 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2006-06-22 07:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2006-06-22 05:56 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2005-08-31 102400]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"DiskeeperSystray"="c:\program files\Executive Software\Diskeeper\DkIcon.exe" [2005-04-30 196696]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-05-18 253952]
"DLA"="c:\windows\system32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2009-08-28 4719864]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-09 149280]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2006-05-19 299008]
"TPSODDCtl"="TPSODDCtl.exe" - c:\windows\system32\TPSODDCtl.exe [2006-05-19 102400]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2006-04-11 622592]
"TOSDCR"="TOSDCR.EXE" - c:\windows\system32\TOSDCR.exe [2005-12-12 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2006-11-24 884838]
Start Firewall.lnk - c:\windows\system32\net.exe [2006-6-22 42496]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\NotHarmful\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\NotHarmful\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Emma^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\Emma\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [27/12/2004 23:31 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [22/06/2006 13:07 6144]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [18/07/2006 13:02 284184]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [18/07/2006 13:02 91672]
R1 SASDIFSV;SASDIFSV;c:\program files\NotHarmful\sasdifsv.sys [05/08/2009 16:06 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\NotHarmful\SASKUTIL.SYS [05/08/2009 16:06 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [05/08/2009 03:56 108289]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [22/06/2006 06:56 14336]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [24/11/2006 01:19 17149]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [22/06/2006 13:26 35968]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [17/06/2009 13:20 12648]
S3 SASENUM;SASENUM;c:\program files\NotHarmful\SASENUM.SYS [05/08/2009 16:06 7408]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [24/11/2006 01:19 362944]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\documents and settings\Matthew\Application Data\Mozilla\Firefox\Profiles\ilylf7yu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-02 00:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\program files\NotHarmful\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-09-01 0:19
ComboFix-quarantined-files.txt 2009-09-01 23:19

Pre-Run: 19,819,921,408 bytes free
Post-Run: 19,858,968,576 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /forceresetreg

238 --- E O F --- 2009-08-31 16:30

#10 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:26 AM

Posted 01 September 2009 - 07:00 PM

We need to get these AVs and FWs off you are not using. I know you said you took off ThreatFire and I don't know if you plan on reinstalling it, but if you do let's take off the Avira. Same with the two firewall we need to get one of the off of your system. These things can cause performance problems along with false positives being generated.


AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ThreatFire *On-access scanning enabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Sunbelt Kerio Personal Firewall *enabled* {E659E0EE-10E6-49B7-8696-60F38D0EB174}




Next please do this:

Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
c:\windows\system32\dllcache\msoe.dll
Click Submit.
Please post the results of this scan to this thread.



Alternate site if Jottis' doesn't work or is too busy

Go to http://www.virustotal.com/en/indexf.html
Copy the following line into the white textbox:
c:\windows\system32\dllcache\msoe.dll
Click Send.
Please post the results of this scan to this thread.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#11 johnomally

johnomally
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:26 AM

Posted 01 September 2009 - 07:17 PM

http://virusscan.jotti.org/en/scanresult/3...2b2ba5cafd669db

I don't plan on reinstalling ThreatFire but I don't really know what the best option is. I can't remember ever having a Norton product on this computer so not sure where that came from.

Edited by johnomally, 01 September 2009 - 07:22 PM.


#12 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:26 AM

Posted 01 September 2009 - 08:48 PM

The Norton may have came with the computer. Are you seeing any improvement in the running of the machine?
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#13 johnomally

johnomally
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:26 AM

Posted 02 September 2009 - 11:54 AM

Yes, it does seem to be running faster. I haven't tried loading SUPERAntiSpyware again which was causing the crashes.

#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:26 AM

Posted 02 September 2009 - 12:41 PM

Good, let's try a Kaspersky scan:


Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner
    page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#15 johnomally

johnomally
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:26 AM

Posted 02 September 2009 - 03:48 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, September 2, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, September 02, 2009 20:15:03
Records in database: 2740564
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 88487
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 02:00:12

No threats found. Scanned area is clean.

Selected area has been scanned.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users