
PC Antispyware 2010, most anti-virus programs not working.


32 replies to this topic

#1 JoshMac

Posted 27 August 2009 - 08:29 PM

I got the PC Antispyware virus a few days ago, as stated, no programs work, etc... I've tried Malwarebytes, DDS, HijackThis, and RSIT, all of which close out during the scanning processes. These are the logs I've gotten from my few successful attempts. Also, here's the link to the original topic: http://www.bleepingcomputer.com/forums/t/251767/infected-cant-fix/

Oh, also, after running an antivirus program, it dies during the scan, and then each subsequent time I try to open it, I get an error message saying Windows can't open the specified file. I can get around this by downloading the file again, though. Also, several completely unrelated programs were unable to open after I got the virus.

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/08/25 19:59
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 8
Status: Sector mismatch

Path: Volume C:\, Sector 53
Status: Sector mismatch

Path: Volume C:\, Sector 61
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Path: Volume D:\
Status: MBR Rootkit Detected!

Path: Volume D:\, Sector 1
Status: Sector mismatch

Path: Volume D:\, Sector 8
Status: Sector mismatch

Path: Volume D:\, Sector 53
Status: Sector mismatch

Path: Volume D:\, Sector 61
Status: Sector mismatch

Path: Volume D:\, Sector 62
Status: Sector mismatch


ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/08/26 07:03
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Stealth Objects
-------------------
Object: Hidden Module [Name: UAConwlmbjauc.dll]
Process: svchost.exe (PID: 456) Address: 0x00720000 Size: 77824

Object: Hidden Module [Name: UACelsixxcibt.dll]
Process: svchost.exe (PID: 456) Address: 0x00ad0000 Size: 73728

Object: Hidden Module [Name: UACelbksoaold.dll]
Process: svchost.exe (PID: 456) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAConwlmbjauc.dll]
Process: Explorer.exe (PID: 1232) Address: 0x10000000 Size: 77824

Object: Hidden Module [Name: UACelbksoaold.dll]
Process: Iexplore.exe (PID: 1260) Address: 0x10000000 Size: 217088

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8636b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8636b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8636b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8636b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8636b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8636b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8636b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8636b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8636b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8636b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8636b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8636b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8636b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8636b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8636b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8636b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8636b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8636b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8636b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8636b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8636b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8636b1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x85fd41f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x85fd41f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x85fd41f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x85fd41f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85fd41f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85fd41f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85fd41f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85fd41f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x85fd41f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85fd41f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x85fd41f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8636d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8636d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8636d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8636d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8636d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8636d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8636d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8636d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8636d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8636d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8636d1f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x85ff91f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x85ff91f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85ff91f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85ff91f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x85ff91f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85ff91f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x85ff91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x863d81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x863d81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x863d81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x863d81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x863d81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x863d81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x863d81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x863d81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x863d81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x863d81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x863d81f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x85ff71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x85ff71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85ff71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85ff71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x85ff71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85ff71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x85ff71f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ瑎獆, IRP_MJ_CREATE]
Process: System Address: 0x85f31500 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ瑎獆, IRP_MJ_CLOSE]
Process: System Address: 0x85f31500 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ瑎獆, IRP_MJ_READ]
Process: System Address: 0x85f31500 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ瑎獆, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85f31500 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ瑎獆, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85f31500 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ瑎獆, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85f31500 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ瑎獆, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85f31500 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ瑎獆, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85f31500 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ瑎獆, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85f31500 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ瑎獆, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85f31500 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ瑎獆, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85f31500 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ瑎獆, IRP_MJ_CLEANUP]
Process: System Address: 0x85f31500 Size: 121

Object: Hidden Code [Driver: CdfsЅఐ瑎獆, IRP_MJ_PNP]
Process: System Address: 0x85f31500 Size: 121

Edited by JoshMac, 27 August 2009 - 08:31 PM.
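The two RootRepeal reports above are the evidence the rest of the thread acts on: a boot sector that does not match what the disk returns ("MBR Rootkit Detected!"), DLLs hidden inside svchost.exe, Explorer.exe and Iexplore.exe, and every IRP major function of Ntfs, Cdrom, dmio, usbohci, Ftdisk and usbehci redirected to one address per driver. As an added example (not part of the original thread and not RootRepeal's own code), the following Python parser turns such a report into structured findings and groups the "Hidden Code" entries by driver, which makes the one-detour-per-dispatch-table layout visible at a glance. The function names `parse_rootrepeal`, `hooked_drivers` and `triage` are my own, and the embedded report is a constructed excerpt assembled from lines of the logs above.

```python
import re
from collections import defaultdict

# Constructed excerpt in RootRepeal's report layout, assembled from lines of the
# reports pasted above (shortened to a few entries per section).
SAMPLE_REPORT = r"""
ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/08/26 07:03
Program Version: Version 1.3.5.0
==================================================

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Stealth Objects
-------------------
Object: Hidden Module [Name: UAConwlmbjauc.dll]
Process: svchost.exe (PID: 456) Address: 0x00720000 Size: 77824

Object: Hidden Module [Name: UAConwlmbjauc.dll]
Process: Explorer.exe (PID: 1232) Address: 0x10000000 Size: 77824

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8636b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8636b1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x85fd41f8 Size: 121
"""

VOLUME_RE = re.compile(r"^Volume\s+(\S+?)(?:,\s*Sector\s+(\d+))?$")
MODULE_RE = re.compile(r"^Object: Hidden Module \[Name: (.+?)\]$")
MODPROC_RE = re.compile(r"^Process:\s*(\S+)\s*\(PID:\s*(\d+)\)\s*Address:\s*(0x[0-9A-Fa-f]+)")
CODE_RE = re.compile(r"^Object: Hidden Code \[Driver: (.+?), (IRP_MJ_\w+)\]$")
CODEPROC_RE = re.compile(r"^Process:\s*System\s+Address:\s*(0x[0-9A-Fa-f]+)")


def parse_rootrepeal(text):
    """Turn a RootRepeal report into structured findings.

    Every entry is a two-line pair (Path/Status or Object/Process), so each
    line is examined together with the line that follows it.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    findings = {
        "mbr_rootkit_volumes": [],  # volumes whose boot sector failed the check
        "sector_mismatches": [],    # (volume, sector) read back differently
        "hidden_modules": [],       # (dll name, host process, pid, base address)
        "irp_hooks": [],            # (driver, IRP major function, detour address)
    }
    for cur, nxt in zip(lines, lines[1:] + [""]):
        if cur.startswith("Path:") and nxt.startswith("Status:"):
            vol = VOLUME_RE.match(cur[len("Path:"):].strip())
            status = nxt[len("Status:"):].strip()
            if vol and "MBR Rootkit" in status:
                findings["mbr_rootkit_volumes"].append(vol.group(1))
            elif vol and vol.group(2) and "mismatch" in status.lower():
                findings["sector_mismatches"].append((vol.group(1), int(vol.group(2))))
        elif (m := MODULE_RE.match(cur)) and (p := MODPROC_RE.match(nxt)):
            findings["hidden_modules"].append(
                (m.group(1), p.group(1), int(p.group(2)), p.group(3).lower()))
        elif (m := CODE_RE.match(cur)) and (p := CODEPROC_RE.match(nxt)):
            findings["irp_hooks"].append((m.group(1), m.group(2), p.group(1).lower()))
    return findings


def hooked_drivers(findings):
    """Group IRP hooks by driver and flag the layout seen in the logs above:
    every hooked major function of a driver redirected to ONE address, i.e.
    the whole dispatch table points at a single detour stub."""
    grouped = defaultdict(lambda: {"irps": [], "addresses": set()})
    for driver, irp, addr in findings["irp_hooks"]:
        grouped[driver]["irps"].append(irp)
        grouped[driver]["addresses"].add(addr)
    return {driver: {"hook_count": len(v["irps"]),
                     "detours": sorted(v["addresses"]),
                     "single_detour": len(v["addresses"]) == 1}
            for driver, v in grouped.items()}


def triage(text):
    """Return (findings, one-line verdicts) for a pasted report."""
    findings = parse_rootrepeal(text)
    verdicts = []
    for vol in findings["mbr_rootkit_volumes"]:
        n = sum(1 for v, _ in findings["sector_mismatches"] if v == vol)
        verdicts.append(f"{vol}: MBR rootkit flagged, {n} boot-area sector(s) read back differently")
    hosts = defaultdict(set)
    for name, proc, _pid, _addr in findings["hidden_modules"]:
        hosts[name].add(proc)
    for name, procs in sorted(hosts.items()):
        verdicts.append(f"hidden module {name} injected into {', '.join(sorted(procs))}")
    for driver, info in sorted(hooked_drivers(findings).items()):
        layout = "single detour" if info["single_detour"] else "several detours"
        verdicts.append(f"{driver}: {info['hook_count']} IRP handler(s) hooked, "
                        f"{layout} at {', '.join(info['detours'])}")
    return findings, verdicts


if __name__ == "__main__":
    for line in triage(SAMPLE_REPORT)[1]:
        print(line)
```

Run against the full second report above, the grouping yields one detour address per driver for all six hooked drivers (Ntfs at 0x8636b1f8, Cdrom at 0x85fd41f8 and so on), each stub 121 bytes long; that is why SifuMike calls it a rootkit rather than a collection of unrelated hooks, and the later GMER log shows the same picture from the other side as inline JMP patches on IofCallDriver and IofCompleteRequest.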



#2 SifuMike
malware expert

Posted 10 September 2009 - 05:56 PM

Hello JoshMac,

Please tell me the antivirus you have on this computer.
  • Close/Disable all other programs, especially your security programs (anti-spyware, anti-virus, and firewall). Refer to this page if you are unsure how.
  • Physically disconnect your machine from the internet, as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator.
  • Click the Reports tab at the bottom.
  • Now press the Scan button.
  • A box will pop up; check only the box beside Drivers.
  • Now click OK.
  • Another box will open; check the boxes beside all the drives, e.g. C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop.
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.
Post those logs back in your next reply.

Edited by SifuMike, 10 September 2009 - 06:02 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 JoshMac

Posted 10 September 2009 - 10:16 PM

For currently installed Antivirus, I have Avira and Bitdefender. I downloaded Avira after I got the virus. I also relied on Malwarebytes, which, as I said, is currently inoperable.

I clicked the "Reports" tab in RootRepeal and scanned. I selected drivers, but didn't get the second box after that with the different drives. Instead, it simply scanned. I got this report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/10 21:09
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF12DD000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A6A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP4848
Image Path: \Driver\PCI_PNP4848
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE13D000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spkm.sys
Image Path: spkm.sys
Address: 0xF72EF000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF78B0000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF146A000 Size: 61440 File Visible: No Signed: -
Status: -

==EOF==

Also, when I try to open RootRepeal, it gives me an error saying "Could not read the boot sector. Try adjusting Disk Access Level in Options Dialog." Disk Access is already at its maximum. However, after closing that error message a few times, RootRepeal runs. However, when I try to scan in the "Files" tab, I get the message again.

This is the report from selecting "Files" after saying "scan" in "reports."

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/10 21:11
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 8
Status: Sector mismatch

Path: Volume C:\, Sector 53
Status: Sector mismatch

Path: Volume C:\, Sector 61
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Don't know if that helps any. Thanks for your time.

#4 JoshMac

Posted 10 September 2009 - 10:19 PM

I also just got this error message when attempting to simply scan everything.

21:17:21: Could not enumerate files in dir \'\\?\D:\*\' with the Windows API! Error code - 0x00000002
21:17:33: Could not read system registry! Please contact the author!

#5 SifuMike
malware expert

Posted 10 September 2009 - 10:23 PM

Hi JoshMac,

You have a nasty rootkit on this computer. :(


I (as well as Microsoft, McAfee and Symantec) recommend that you DO NOT have more than one anti-virus product installed and running on your computer at a time.

The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms".

It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection.

In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to Add/Remove Programs in the Control Panel and remove one of these: Avira Antivirus or Bitdefender Antivirus.

Let me know which one you uninstalled.

#6 JoshMac

Posted 10 September 2009 - 10:29 PM

Hmm.... I went to "Add or Remove Programs" in my control panel to remove Avira, but it didn't show up. I'd really rather keep Bitdefender as I had to pay for it, and it's been more reliable. What's another way to get rid of Avira? I went to its Start menu folder, but didn't have an uninstall option. In the meantime, both are disabled by the virus anyways, so I don't think I need to worry about them at the moment. Of course, you would know much better than I would.

#7 SifuMike
malware expert

Posted 10 September 2009 - 10:40 PM

What's another way to get rid of Avira?


Only way is to uninstall it. If it is not on the uninstall list, try reinstalling it and then uninstall it.

#8 JoshMac

Posted 10 September 2009 - 10:52 PM

Alright, it's gone. What next?

#9 SifuMike
malware expert

Posted 10 September 2009 - 11:08 PM

Hi JoshMac,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your BITDEFENDER Antivirus before running ComboFix, as it will prevent it from running.

To disable BITDEFENDER:
Double click on the system icon for BitDefender.
When the BitDefender window appears, click on the button at the top of the screen labeled Switch to advanced view.
Click on the Shield tab to switch to the Virus shield screen.
Uncheck the checkbox labeled Real-time protection is enabled.
When it asks how long you want to disable it, select Permanently.
BitDefender is now inactive.

To enable BitDefender, do the same steps except you should put a checkmark in the checkbox labeled Real-time protection is enabled.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

#10 JoshMac

Posted 11 September 2009 - 08:08 AM

Alright, sounds scary. Two questions though. One, when I clicked on BitDefender's icon, it brought up a window saying it's already unresponsive. It's been like this since I got infected; will that count as disabled? Because I don't even get the option to switch to advanced view. Also, in order for the virus to look like it's detecting something, invisible Internet Explorer processes pop up and play the audio for an advertisement. I can get rid of them only by ending the process. Will this interrupt ComboFix?

#11 SifuMike
malware expert

Posted 11 September 2009 - 10:18 AM

Hi JoshMac,

it brought up a window saying it's already unresponsive. It's been like this since I got infected; will that count as disabled?


No, that is not disabled.
If you can't disable BitDefender then uninstall it.
Just don't go surfing the internet with it disabled. Only go to the sites I tell you to.
You can reinstall BitDefender when we are done using ComboFix.

Also, in order for the virus to look like it's detecting something, invisible Internet Explorer processes pop up and play the audio for an advertisement. I can get rid of them only by ending the process. Will this interrupt ComboFix?

No.

#12 JoshMac

Posted 11 September 2009 - 05:57 PM

... I'm starting to think I may need to reformat my hard drive.... I downloaded ComboFix, saved it to my desktop and ran it. Nothing. I got the hourglass icon saying that something was happening, but the program never opened. However, it did open a process, but that was it.

#13 SifuMike
malware expert

Posted 11 September 2009 - 06:32 PM

Hi,

Be patient when running ComboFix! You have many viruses and rootkits on your computer.

Give it at least 25 minutes to run to completion.

Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.


It may be you did not disable your BitDefender antivirus program and it is stopping ComboFix from running.

Edited by SifuMike, 11 September 2009 - 08:52 PM.
typo


#14 JoshMac

Posted 16 September 2009 - 06:57 PM

Hello, been a while since I updated my saga.... Combofix didn't work, even with disabling Bitdefender. The program I had the most success with was Avast, as it did a boot-time scan, or something, I forget the terminology. Anyways, it found several infected files, including the beep.sys file, amongst others. I repaired what it found, but still have a Rootkit. I got a couple other Rootkit programs after each one failed midscan and subsequently nullified its .exe file. This is one of two logs. Sorry, the second one's really long, but I didn't know what was significant. I won't blame you if this is way too much to even go through, it makes my eyes hurt just looking for it. Can you recommend any Rootkit programs besides RootRepeal?

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit quick scan 2009-09-16 17:38:38
Windows 5.1.2600 Service Pack 3
Running: nw040khd.exe; Driver: C:\DOCUME~1\Joshua\LOCALS~1\Temp\uxldypob.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 08: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 53: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- System - GMER 1.0.15 ----

Code 85AB31B0 ZwEnumerateKey
Code 85AB3348 ZwFlushInstructionCache
Code 85AB30B6 IofCallDriver
Code 85AB2DD6 IofCompleteRequest
Code 85AB3545 ZwSaveKey
Code 85AB383D ZwSaveKeyEx

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 863D81F8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----



GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-16 17:46:17
Windows 5.1.2600 Service Pack 3
Running: nw040khd.exe; Driver: C:\DOCUME~1\Joshua\LOCALS~1\Temp\uxldypob.sys


---- System - GMER 1.0.15 ----

INT 0x62 ? 8636CBF8
INT 0x73 ? 8636CBF8
INT 0xB4 ? 85D28BF8
INT 0xB4 ? 85D28BF8
INT 0xB4 ? 85D28BF8
INT 0xB4 ? 85D28BF8

Code 85AB31B0 ZwEnumerateKey
Code 85AB3348 ZwFlushInstructionCache
Code 85AB30B6 IofCallDriver
Code 85AB2DD6 IofCompleteRequest
Code 85AB3545 ZwSaveKey
Code 85AB383D ZwSaveKeyEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 85AB30BB
.text ntkrnlpa.exe!IofCompleteRequest 804EE1C0 5 Bytes JMP 85AB2DDB
.text ntkrnlpa.exe!ZwSaveKey 804FEDD4 5 Bytes JMP 85AB354A
.text ntkrnlpa.exe!ZwSaveKeyEx 804FEDE8 5 Bytes JMP 85AB3842
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805ABEC4 5 Bytes JMP 85AB334C
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB70 5 Bytes JMP 85AB31B4
? spgm.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F5ECF8AC 5 Bytes JMP 85D281D8
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS The system cannot find the file specified. !
? C:\DOCUME~1\Joshua\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\Ati2evxx.exe[248] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01DF0001
.text C:\WINDOWS\system32\Ati2evxx.exe[248] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[248] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[248] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[248] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[248] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\WINDOWS\system32\Ati2evxx.exe[248] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[248] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\Explorer.exe[416] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01200001
.text C:\WINDOWS\Explorer.exe[416] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\WINDOWS\Explorer.exe[416] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\WINDOWS\Explorer.exe[416] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.exe[416] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\WINDOWS\Explorer.exe[416] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[552] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C80001
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[552] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[552] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[552] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[552] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[552] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\WINDOWS\system32\csrss.exe[756] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01310001
.text C:\WINDOWS\system32\csrss.exe[756] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\csrss.exe[756] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\winlogon.exe[784] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01460001
.text C:\WINDOWS\system32\winlogon.exe[784] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\winlogon.exe[784] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01A90001
.text C:\WINDOWS\system32\services.exe[844] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\services.exe[844] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EF0001
.text C:\WINDOWS\system32\lsass.exe[856] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\lsass.exe[856] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[1036] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 015D0001
.text C:\WINDOWS\system32\Ati2evxx.exe[1036] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[1036] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02DD0001
.text C:\WINDOWS\system32\svchost.exe[1060] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1060] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1060] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01B70001
.text C:\WINDOWS\system32\svchost.exe[1152] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1152] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1152] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1152] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1152] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1160] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 031F0001
.text C:\Program Files\Mozilla Firefox\firefox.exe[1160] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 010729A0 \\?\globalroot\systemroot\system32\UACelbksoaold.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1160] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 010727E0 \\?\globalroot\systemroot\system32\UACelbksoaold.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1160] WS2_32.dll!send 71AB4C27 5 Bytes JMP 010727C0 \\?\globalroot\systemroot\system32\UACelbksoaold.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1160] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1160] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1160] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1160] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1160] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1160] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1160] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1160] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1160] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1160] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[1240] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01160001
.text C:\Program Files\Java\jre6\bin\jusched.exe[1240] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[1240] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[1240] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[1240] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jusched.exe[1240] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\Java\jre6\bin\jusched.exe[1240] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[1240] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\RTHDCPL.EXE[1268] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02A50001
.text C:\WINDOWS\RTHDCPL.EXE[1268] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\WINDOWS\RTHDCPL.EXE[1268] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\RTHDCPL.EXE[1268] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\RTHDCPL.EXE[1268] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\RTHDCPL.EXE[1268] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\WINDOWS\RTHDCPL.EXE[1268] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\RTHDCPL.EXE[1268] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\HP\HP Software Update\HPwuSchd2.exe[1296] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01190001
.text C:\Program Files\HP\HP Software Update\HPwuSchd2.exe[1296] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\HP\HP Software Update\HPwuSchd2.exe[1296] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\HP\HP Software Update\HPwuSchd2.exe[1296] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\HP\HP Software Update\HPwuSchd2.exe[1296] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HP\HP Software Update\HPwuSchd2.exe[1296] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\HP\HP Software Update\HPwuSchd2.exe[1296] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\HP\HP Software Update\HPwuSchd2.exe[1296] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe[1308] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01020001
.text C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe[1308] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe[1308] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe[1308] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe[1308] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe[1308] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01CF0001
.text C:\WINDOWS\System32\svchost.exe[1328] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\svchost.exe[1328] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1328] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[1328] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1328] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CA0001
.text C:\WINDOWS\system32\svchost.exe[1364] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1364] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\ehome\ehtray.exe[1456] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01CD0001
.text C:\WINDOWS\ehome\ehtray.exe[1456] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\WINDOWS\ehome\ehtray.exe[1456] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\ehome\ehtray.exe[1456] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\ehome\ehtray.exe[1456] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\ehome\ehtray.exe[1456] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\WINDOWS\ehome\ehtray.exe[1456] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\ehome\ehtray.exe[1456] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe[1472] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02080001
.text C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe[1472] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe[1472] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe[1472] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe[1472] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe[1472] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe[1472] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe[1472] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E70001
.text C:\WINDOWS\system32\svchost.exe[1544] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1544] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1544] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1544] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1544] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[1560] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 016C0001
.text C:\Program Files\iTunes\iTunesHelper.exe[1560] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[1560] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[1560] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[1560] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[1560] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[1560] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[1560] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\iTunes\iTunesHelper.exe[1560] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[1560] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[1560] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[1596] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01BA0001
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[1596] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[1596] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[1596] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[1596] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[1596] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[1596] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[1596] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe[1652] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01CD0001
.text C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe[1652] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe[1652] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe[1652] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe[1652] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe[1652] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FE0001
.text C:\WINDOWS\system32\svchost.exe[1688] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1688] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1772] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02790001
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1772] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1772] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1772] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F1B0F5A
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1772] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1772] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1772] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1772] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [19, 5F]
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1772] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1772] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1772] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F1E0F5A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1800] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01FF0001
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1800] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1800] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1800] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1800] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1800] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1800] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1800] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[1832] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FF0001
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[1832] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[1832] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[1832] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[1832] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[1832] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[1832] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[1832] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1936] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 010E0001
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1936] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1936] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1988] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 03D10001
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1988] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1988] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1988] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1988] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1988] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\WINDOWS\system32\spoolsv.exe[2240] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01970001
.text C:\WINDOWS\system32\spoolsv.exe[2240] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\WINDOWS\system32\spoolsv.exe[2240] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\WINDOWS\system32\spoolsv.exe[2240] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\spoolsv.exe[2240] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\WINDOWS\system32\spoolsv.exe[2240] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2436] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F50001
.text C:\Program Files\iPod\bin\iPodService.exe[2436] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2436] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[2628] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F70001
.text C:\WINDOWS\system32\svchost.exe[2628] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[2628] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\SearchIndexer.exe[2760] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 0BF40001
.text C:\WINDOWS\system32\SearchIndexer.exe[2760] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\SearchIndexer.exe[2760] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\SearchIndexer.exe[2760] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2932] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01A00001
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2932] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2932] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2932] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2932] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2932] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\arservice.exe[2952] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FC0001
.text C:\WINDOWS\arservice.exe[2952] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\arservice.exe[2952] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3024] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E70001
.text C:\Program Files\Internet Explorer\Iexplore.exe[3024] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[3024] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[3024] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3024] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3024] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[3024] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3024] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E351F8F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3024] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351F10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3024] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E351F54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3024] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351E9C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3024] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351ED6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3024] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E351FCA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3024] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3024] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E35218C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3024] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100129A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[3024] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100127E0
.text C:\Program Files\Internet Explorer\Iexplore.exe[3024] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100127C0
.text C:\Program Files\Internet Explorer\Iexplore.exe[3024] WS2_32.dll!recv 71AB676F 5 Bytes JMP 100127A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[3024] WININET.dll!HttpAddRequestHeadersA 3D93FB4D 5 Bytes JMP 0117000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3024] WININET.dll!HttpAddRequestHeadersW 3D9AD155 3 Bytes JMP 0126000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3024] WININET.dll!HttpAddRequestHeadersW + 4 3D9AD159 1 Byte [C3]
.text C:\WINDOWS\ehome\mcrdsvc.exe[3040] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01360001
.text C:\WINDOWS\ehome\mcrdsvc.exe[3040] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\ehome\mcrdsvc.exe[3040] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\WINDOWS\ehome\mcrdsvc.exe[3040] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\ehome\mcrdsvc.exe[3040] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\WINDOWS\ehome\mcrdsvc.exe[3040] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\AskBarDis\bar\bin\AskService.exe[3120] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EA0001
.text C:\Program Files\AskBarDis\bar\bin\AskService.exe[3120] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\AskBarDis\bar\bin\AskService.exe[3120] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\AskBarDis\bar\bin\AskService.exe[3120] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\AskBarDis\bar\bin\AskService.exe[3120] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\AskBarDis\bar\bin\AskService.exe[3120] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text c:\windows\system\hpsysdrv.exe[3148] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01060001
.text c:\windows\system\hpsysdrv.exe[3148] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text c:\windows\system\hpsysdrv.exe[3148] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text c:\windows\system\hpsysdrv.exe[3148] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text c:\windows\system\hpsysdrv.exe[3148] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text c:\windows\system\hpsysdrv.exe[3148] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text c:\windows\system\hpsysdrv.exe[3148] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text c:\windows\system\hpsysdrv.exe[3148] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe[3152] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DE0001
.text C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe[3152] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe[3152] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe[3152] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe[3152] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe[3152] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[3172] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02DB0001
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[3172] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[3172] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[3172] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[3172] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[3172] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe[3176] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01130001
.text C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe[3176] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe[3176] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe[3196] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 023F0001
.text C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe[3196] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe[3196] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[3204] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01C30001
.text C:\Program Files\Bonjour\mDNSResponder.exe[3204] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[3204] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[3204] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[3204] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[3204] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[3212] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 014F0001
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[3212] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[3212] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[3212] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[3212] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[3212] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[3212] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[3212] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[3316] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02020001
.text C:\Program Files\Java\jre6\bin\jqs.exe[3316] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[3316] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[3316] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[3316] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[3316] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Java\jre6\bin\jucheck.exe[3408] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01390001
.text C:\Program Files\Java\jre6\bin\jucheck.exe[3408] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\Java\jre6\bin\jucheck.exe[3408] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Java\jre6\bin\jucheck.exe[3408] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Java\jre6\bin\jucheck.exe[3408] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jucheck.exe[3408] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\Java\jre6\bin\jucheck.exe[3408] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Java\jre6\bin\jucheck.exe[3408] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Java\jre6\bin\jucheck.exe[3408] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\Java\jre6\bin\jucheck.exe[3408] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Java\jre6\bin\jucheck.exe[3408] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe[3444] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02F70001
.text C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe[3444] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe[3444] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe[3444] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe[3444] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe[3444] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe[3444] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe[3444] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe[3444] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe[3444] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe[3444] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[3556] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 017E0001
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[3556] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[3556] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[3556] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[3556] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[3556] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3588] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F90001
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3588] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3588] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[3672] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 016F0001
.text C:\WINDOWS\system32\svchost.exe[3672] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[3672] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[3672] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[3672] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\WINDOWS\system32\svchost.exe[3672] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3716] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 018D0001
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3716] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3716] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3716] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3716] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3716] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4344] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 03ED0001
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4344] kernel32.dll!CreateThread + 1B 7C8106F2 3 Bytes CALL 0044ACCE C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4344] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4344] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[4376] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EF0001
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[4376] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[4376] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[4520] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0044AD11 C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[4520] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[4520] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[4520] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[4620] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[4620] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[4620] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[4620] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[4620] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E351F8F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[4620] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351F10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[4620] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E351F54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[4620] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351E9C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[4620] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351ED6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[4620] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E351FCA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[4620] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[4620] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E35218C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[4620] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100129A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[4620] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100127E0
.text C:\Program Files\Internet Explorer\Iexplore.exe[4620] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100127C0
.text C:\Program Files\Internet Explorer\Iexplore.exe[4620] WS2_32.dll!recv 71AB676F 5 Bytes JMP 100127A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[4620] WININET.dll!HttpAddRequestHeadersA 3D93FB4D 5 Bytes JMP 0117000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[4620] WININET.dll!HttpAddRequestHeadersW 3D9AD155 3 Bytes JMP 0126000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[4620] WININET.dll!HttpAddRequestHeadersW + 4 3D9AD159 1 Byte [C3]
.text C:\Program Files\Windows Live\Toolbar\wltuser.exe[4820] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01120001
.text C:\Program Files\Windows Live\Toolbar\wltuser.exe[4820] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\Windows Live\Toolbar\wltuser.exe[4820] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Windows Live\Toolbar\wltuser.exe[4820] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Windows Live\Toolbar\wltuser.exe[4820] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Live\Toolbar\wltuser.exe[4820] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\Windows Live\Toolbar\wltuser.exe[4820] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Windows Live\Toolbar\wltuser.exe[4820] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Windows Live\Toolbar\wltuser.exe[4820] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\Windows Live\Toolbar\wltuser.exe[4820] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Windows Live\Toolbar\wltuser.exe[4820] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[5264] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[5264] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[5264] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[5264] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\B13115A6.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[5264] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E351F8F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[5264] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351F10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[5264] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E351F54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[5264] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351E9C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[5264] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351ED6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[5264] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E351FCA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[5264] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[5264] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E35218C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[5264] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100129A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[5264] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100127E0
.text C:\Program Files\Internet Explorer\Iexplore.exe[5264] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100127C0
.text C:\Program Files\Internet Explorer\Iexplore.exe[5264] WS2_32.dll!recv 71AB676F 5 Bytes JMP 100127A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[5264] WININET.dll!HttpAddRequestHeadersA 3D93FB4D 5 Bytes JMP 0117000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[5264] WININET.dll!HttpAddRequestHeadersW 3D9AD155 3 Bytes JMP 0126000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[5264] WININET.dll!HttpAddRequestHeadersW + 4 3D9AD159 1 Byte [C3]
.text C:\HP\KBD\KBD.EXE[5888] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01D30001
.text C:\HP\KBD\KBD.EXE[5888] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\HP\KBD\KBD.EXE[5888] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\HP\KBD\KBD.EXE[5888] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\HP\KBD\KBD.EXE[5888] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\HP\KBD\KBD.EXE[5888] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\HP\KBD\KBD.EXE[5888] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\HP\KBD\KBD.EXE[5888] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F72F1040] spgm.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F72F113C] spgm.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72F10BE] spgm.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72F17FC] spgm.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72F16D2] spgm.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7301048] spgm.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\Explorer.exe[416] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\WINDOWS\Explorer.exe[416] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[552] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[552] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1060] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1060] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1152] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1152] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1160] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1160] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe[1308] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe[1308] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1328] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1328] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1544] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1544] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\iTunes\iTunesHelper.exe[1560] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\iTunes\iTunesHelper.exe[1560] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1772] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1772] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Alwil Software\Avast4\ashServ.exe[1988] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Alwil Software\Avast4\ashServ.exe[1988] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\WINDOWS\system32\spoolsv.exe[2240] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\WINDOWS\system32\spoolsv.exe[2240] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2932] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2932] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Internet Explorer\Iexplore.exe[3024] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Internet Explorer\Iexplore.exe[3024] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\WINDOWS\ehome\mcrdsvc.exe[3040] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\WINDOWS\ehome\mcrdsvc.exe[3040] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\AskBarDis\bar\bin\AskService.exe[3120] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\AskBarDis\bar\bin\AskService.exe[3120] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe[3152] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe[3152] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[3172] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[3172] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Bonjour\mDNSResponder.exe[3204] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Bonjour\mDNSResponder.exe[3204] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Java\jre6\bin\jqs.exe[3316] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Java\jre6\bin\jqs.exe[3316] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Java\jre6\bin\jucheck.exe[3408] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Java\jre6\bin\jucheck.exe[3408] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe[3444] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe[3444] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[3556] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[3556] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[3672] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[3672] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3716] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3716] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Spyware Doctor\pctsSvc.exe[4520] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Spyware Doctor\pctsSvc.exe[4520] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Internet Explorer\Iexplore.exe[4620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Internet Explorer\Iexplore.exe[4620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Windows Live\Toolbar\wltuser.exe[4820] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Windows Live\Toolbar\wltuser.exe[4820] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Internet Explorer\Iexplore.exe[5264] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Internet Explorer\Iexplore.exe[5264] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 863D81F8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)

Device \FileSystem\Fastfat \FatCdrom 858AE500

AttachedDevice \Driver\Tcpip \Device\Ip sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

Device \Driver\usbohci \Device\USBPDO-0 85D271F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 863DA1F8
Device \Driver\dmio \Device\DmControl\DmConfig 863DA1F8
Device \Driver\dmio \Device\DmControl\DmPnP 863DA1F8
Device \Driver\dmio \Device\DmControl\DmInfo 863DA1F8
Device \Driver\usbohci \Device\USBPDO-1 85D271F8
Device \Driver\usbehci \Device\USBPDO-2 85D101F8

AttachedDevice \Driver\Tcpip \Device\Tcp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\NetBT \Device\NetBT_Tcpip_{387D1B3D-800C-4547-B88D-2411659F9558} 85AE01F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8636D1F8
Device \Driver\Cdrom \Device\CdRom0 85D041F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 85AE01F8
Device \Driver\NetBT \Device\NetbiosSmb 85AE01F8

AttachedDevice \Driver\Tcpip \Device\Udp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbohci \Device\USBFDO-0 85D271F8
Device \Driver\usbohci \Device\USBFDO-1 85D271F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{20E041F7-1124-44EB-8CB8-E2065E09B55A} 85AE01F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 856301F8
Device \Driver\usbehci \Device\USBFDO-2 85D101F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 856301F8
Device \Driver\Ftdisk \Device\FtControl 8636D1F8
Device \FileSystem\Fastfat \Fat 858AE500

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)

Device \FileSystem\Cdfs \Cdfs 85A78500
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACkdaxeoqgub.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [416] 0x00CF0000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [416] 0x35670000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [552] 0x35670000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1060] 0x35670000
Library \\?\globalroot\systemroot\system32\UACelbksoaold.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1060] 0x00FA0000
Library \\?\globalroot\systemroot\system32\UAConwlmbjauc.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1060] 0x02AC0000
Library \\?\globalroot\systemroot\system32\UACelbksoaold.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1152] 0x10000000
Library \\?\globalroot\systemroot\system32\UAConwlmbjauc.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1152] 0x00720000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1152] 0x35670000
Library \\?\globalroot\systemroot\system32\UACelbksoaold.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1160] 0x01060000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1160] 0x35670000
Library \\?\globalroot\systemroot\system32\UACelbksoaold.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1328] 0x10000000
Library \\?\globalroot\systemroot\system32\UAConwlmbjauc.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1328] 0x00720000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1328] 0x35670000
Library \\?\globalroot\systemroot\system32\UACelbksoaold.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1364] 0x10000000
Library \\?\globalroot\systemroot\system32\UAConwlmbjauc.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1364] 0x00720000
Library \\?\globalroot\systemroot\system32\UACelbksoaold.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1544] 0x10000000
Library \\?\globalroot\systemroot\system32\UAConwlmbjauc.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1544] 0x00720000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1544] 0x35670000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [1560] 0x35670000
Library \\?\globalroot\systemroot\system32\UACelbksoaold.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1688] 0x10000000
Library \\?\globalroot\systemroot\system32\UAConwlmbjauc.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1688] 0x00720000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [1772] 0x35670000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\Program Files\Alwil Software\Avast4\ashServ.exe [1988] 0x35670000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [2240] 0x35670000
Library \\?\globalroot\systemroot\system32\UACelbksoaold.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2628] 0x10000000
Library \\?\globalroot\systemroot\system32\UAConwlmbjauc.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2628] 0x00720000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2932] 0x35670000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [3024] 0x35670000
Library \\?\globalroot\systemroot\system32\UACkdaxeoqgub.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [3024] 0x00B20000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\WINDOWS\ehome\mcrdsvc.exe [3040] 0x35670000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\Program Files\AskBarDis\bar\bin\AskService.exe [3120] 0x35670000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe [3152] 0x35670000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [3172] 0x35670000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [3204] 0x35670000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [3316] 0x35670000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jucheck.exe [3408] 0x35670000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [3556] 0x35670000
Library \\?\globalroot\systemroot\system32\UACelbksoaold.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [3672] 0x10000000
Library \\?\globalroot\systemroot\system32\UAConwlmbjauc.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [3672] 0x00720000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [3672] 0x35670000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [3716] 0x35670000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\Program Files\Spyware Doctor\pctsSvc.exe [4520] 0x35670000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [4620] 0x35670000
Library \\?\globalroot\systemroot\system32\UACkdaxeoqgub.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [4620] 0x00B20000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\Program Files\Windows Live\Toolbar\wltuser.exe [4820] 0x35670000
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [5264] 0x35670000
Library \\?\globalroot\systemroot\system32\UACkdaxeoqgub.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [5264] 0x00B20000
---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACwylhvkvevy.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACwylhvkvevy.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACelsixxcibt.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACelbksoaold.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACcyckcjmvag.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACtpvvuyngdo.db
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UAConwlmbjauc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACkdaxeoqgub.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACerrors \\?\globalroot\systemroot\system32\UAChexgbfjwbe.log
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACwylhvkvevy.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACwylhvkvevy.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACelsixxcibt.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACelbksoaold.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACcyckcjmvag.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACtpvvuyngdo.db
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UAConwlmbjauc.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACkdaxeoqgub.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACerrors \\?\globalroot\systemroot\system32\UAChexgbfjwbe.log

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 08: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 53: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\Installer Cache 0 bytes
File C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\Installer Cache\iTunes 8.2.1.6 0 bytes
File C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\Installer Cache\iTunes 8.2.1.6\iTunes.msi 44716544 bytes
File C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe 75040 bytes executable
File C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\Installer Cache\QuickTime 7.62.14.0 0 bytes
File C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\Installer Cache\QuickTime 7.62.14.0\QuickTime.msi 28016128 bytes
File C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes\iPodDevices.xml 3425 bytes
File C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes\SC Info 0 bytes
File C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes\SC Info\SC Info.sidb 4382 bytes
File C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes\SC Info\SC Info.sidd 705268 bytes
File C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes\SC Info\SC Info.txt 24 bytes
File C:\Program Files\Alwil Software\Avast4\ashShA64.dll (size mismatch) 138680/81072 bytes executable

---- EOF - GMER 1.0.15 ----

Edited by SifuMike, 16 September 2009 - 08:38 PM.
edit for clarity
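A triage script for the GMER output above, as an added example that is not part of this thread and is not GMER's own code. It parses the IAT, Library and Reg ...\modules lines, flags an import whose resolved pointer does not land in the DLL the import names (ntdll.dll!NtWriteFile resolving into B13115A6.x86.dll), attributes each hook address to the hidden image mapped below it in the same process, and ties the injected UAC*.dll names back to the slots of the UACd.sys service's modules list. The sample lines are a constructed excerpt copied from the log; because GMER prints no image sizes, the "hidden image with the highest base at or below the hook address" rule is an assumption; all function names are the example's own.

```python
"""Triage of the GMER 1.0.15 'IAT', 'Library' and 'Reg ...\\modules' lines.

Added example; not part of the forum thread and not GMER's own code.
SAMPLE_LOG is a constructed excerpt copied from the log posted above.
Assumption: GMER prints no image sizes, so a hook address is attributed
to the hidden image with the highest base address at or below it.
All names here (parse, analyze, ...) are the example's own.
"""
import re
from collections import defaultdict

IAT_RE = re.compile(
    r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ (?P<module>.+?) "
    r"\[(?P<imp>[^\]]+)\] \[(?P<addr>[0-9A-Fa-f]+)\] (?P<target>.+)$")
LIB_RE = re.compile(
    r"^Library (?P<path>.+?) \(\*\*\* hidden \*\*\* \) @ (?P<proc>.+?) "
    r"\[(?P<pid>\d+)\] 0x(?P<base>[0-9A-Fa-f]+)$")
REG_RE = re.compile(
    r"^Reg HKLM\\SYSTEM\\CurrentControlSet\\Services\\(?P<svc>[^\\]+)"
    r"\\modules@(?P<slot>\S+) (?P<path>.+)$")

# Constructed excerpt of the log posted above (same lines, same addresses).
SAMPLE_LOG = r"""
IAT C:\Program Files\Internet Explorer\Iexplore.exe[4620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
IAT C:\Program Files\Internet Explorer\Iexplore.exe[4620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\B13115A6.x86.dll
Library \\?\globalroot\Device\__max++>\B13115A6.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [4620] 0x35670000
Library \\?\globalroot\systemroot\system32\UACkdaxeoqgub.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [4620] 0x00B20000
Library \\?\globalroot\systemroot\system32\UACelbksoaold.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1060] 0x00FA0000
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACelbksoaold.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACkdaxeoqgub.dll
"""


def basename(path):
    """Last path component, lower-cased, so \\?\globalroot\... and C:\... compare."""
    return path.rsplit("\\", 1)[-1].lower()


def parse(log_text):
    """Split the log into IAT hooks, hidden libraries per pid, and driver module slots."""
    hooks, hidden, reg_modules = [], defaultdict(list), {}
    for line in log_text.splitlines():
        m = IAT_RE.match(line)
        if m:
            hooks.append(m.groupdict())
            continue
        m = LIB_RE.match(line)
        if m:
            hidden[int(m["pid"])].append((m["path"], int(m["base"], 16)))
            continue
        m = REG_RE.match(line)
        if m:
            reg_modules[basename(m["path"])] = (m["svc"], m["slot"])
    return hooks, hidden, reg_modules


def analyze(log_text):
    """One finding per IAT entry: is it hooked, into which hidden image, at what offset."""
    hooks, hidden, reg_modules = parse(log_text)
    findings = []
    for h in hooks:
        pid, addr = int(h["pid"]), int(h["addr"], 16)
        expected = h["imp"].split("!", 1)[0].lower()  # 'ntdll.dll' from 'ntdll.dll!NtWriteFile'
        resolved = basename(h["target"])
        # Assumed rule: the hook code lives in the hidden image with the highest base <= addr.
        below = [(p, b) for p, b in hidden.get(pid, []) if b <= addr]
        host = max(below, key=lambda pb: pb[1]) if below else None
        findings.append({
            "pid": pid,
            "process": basename(h["proc"]),
            "import": h["imp"],
            "hooked": resolved != expected,  # pointer leaves the module the import names
            "resolved_into": resolved,
            "hidden_image": host[0] if host else None,
            "offset": addr - host[1] if host else None,
            "registered_by": reg_modules.get(resolved),
        })
    return findings


def hidden_modules_registered_by_driver(log_text):
    """Map each hidden DLL seen inside a process to the service slot that lists it."""
    _, hidden, reg_modules = parse(log_text)
    out = {}
    for libs in hidden.values():
        for path, _base in libs:
            slot = reg_modules.get(basename(path))
            if slot:
                out.setdefault(basename(path), slot)
    return out


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        where = f" (+0x{f['offset']:X} into {f['hidden_image']})" if f["offset"] is not None else ""
        print(f"pid {f['pid']} {f['process']}: {f['import']} -> {f['resolved_into']}{where} hooked={f['hooked']}")
    for dll, (svc, slot) in hidden_modules_registered_by_driver(SAMPLE_LOG).items():
        print(f"{dll}: listed under {svc}\\modules@{slot}")
```

On the excerpt, both kernel32 imports from ntdll resolve to the same hidden image at 0x35670000, at offsets 0x2A94 and 0x2A1E, which is why every process in the Processes section that carries B13115A6.x86.dll shows exactly those two hook targets; the UAC*.dll libraries injected into svchost.exe and Iexplore.exe match the uacbbr and uacserf slots under the UACd.sys service, so a single driver entry accounts for the DLLs and the registry entries together. The same two parsers run unchanged over the full log posted above.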


#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:47 PM

Posted 16 September 2009 - 08:42 PM

Hi JoshMac,

Why are you posting a GMER log? :( Please don't post logs I do not ask for!

Please refrain from making any changes to your system (updating, installing, removing, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.


Download and run Win32kDiag:
Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
Please post back with:
  • Win32kDiag.txt
  • Content of the log.txt

Edited by SifuMike, 16 September 2009 - 08:54 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.



