A Keylogger


  • This topic is locked
23 replies to this topic

#1 Victor43

Posted 01 December 2009 - 08:16 PM

Hey everyone. I would like to say that this is one really helpful site. I would like to say Mark from the Am I Infected forum was very helpful. Referred from here: http://www.bleepingcomputer.com/forums/t/274434/keylogger/ ~ OB

I am posting the following logs:

RootRepeal scan results
====================================
ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/12/01 11:04
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB51BE000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79BB000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB5156000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\fab572e2-49de-488a-a1aa-12007160fc60.tmp
Status: Allocation size mismatch (API: 74711040, Raw: 0)

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb4976b94

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb4976586

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb49765da

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fd788

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb497672e

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb49767ba

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fcfc2

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb4976980

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fd5aa

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fd47c

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb49769d4

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fcdf8

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fcb9a

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fd9d8

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fd776

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fd0e4

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fd24a

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fd194

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "" at address 0x894b9038

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fd072

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "" at address 0x8942d260

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb4976c58

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb4976cb6

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fdb06

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fcb2c

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fcf54

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fd676

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xba550990

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb4976dde

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xb4976e30

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "" at address 0x89591a68

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fca34

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "" at address 0x892dacf0

#: 122 Function Name: NtGdiDeleteObjectApp
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fc4de

#: 233 Function Name: NtGdiOpenDCW
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fc546

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "" at address 0x893de198

#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fc8c8

#: 343 Function Name: NtUserCreateWindowEx
Status: Hooked by "" at address 0x89593988

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "" at address 0x8948b198

#: 387 Function Name: NtUserGetClassInfo
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fc976

#: 389 Function Name: NtUserGetClipboardData
Status: Hooked by "" at address 0x8948e198

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "" at address 0x89495198

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "" at address 0x89381198

#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "" at address 0x892ec198

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "" at address 0x89493198

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fc80c

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fc75e

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fc48a

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fc592

#: 509 Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fc6a4

#: 515 Function Name: NtUserSetFocus
Status: Hooked by "" at address 0x89732038

#: 520 Function Name: NtUserSetInformationThread
Status: Hooked by "" at address 0x895b5718

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "" at address 0x893d1cf0

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\Program Files\AntiLogger\AntiLog32.sys" at address 0xb51fc33c

#: 558 Function Name: NtUserSwitchDesktop
Status: Hooked by "" at address 0x89737820

#: 570 Function Name: NtUserUnhookWindowsHookEx
Status: Hooked by "" at address 0x893b4198

==EOF==
====================================

WIN32kDIAG.exe scan results:
====================================
Starting up...
Running from: C:\Documents and Settings\AUSER\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\AUSER\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...


Finished! Press any key to exit...

====================================

Results of the command line execution
====================================
Volume in drive C has no label.
Volume Serial Number is DCCF-0047

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 07:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 07:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 07:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 05:42 AM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 05:42 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 05:41 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/14/2008 05:42 AM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/14/2008 05:42 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/14/2008 05:41 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
9 File(s) 1,932,288 bytes
0 Dir(s) 28,724,731,904 bytes free

====================================

Attached File  hijackthis.log   6.19KB   13 downloads
Attached File  DDS.txt   18.6KB   13 downloads
Attached File  Attach.txt   10.19KB   11 downloads

Edited by Orange Blossom, 01 December 2009 - 10:08 PM.


#2 Elise

Posted 15 December 2009 - 06:23 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log


Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft


#3 Victor43

Posted 15 December 2009 - 12:04 PM

Hi Elise.

Thank you for the reply. I was beginning to wonder if I was going to be helped. I will post with DDS.scr and Gmer log soon. Please be patient with me as I will post the logs that you have asked about. Cheers. Victor.

#4 Elise

Posted 15 December 2009 - 12:08 PM

I'll wait for your logs :(

If you have any problems while creating them, just let me know!

regards, Elise

#5 Victor43

Posted 15 December 2009 - 05:24 PM

Elise, the problem that I've noticed is that my keystrokes have a lag to them. For example, you'll finish your sentence that you're typing but the visible characters show/catch up afterwards, perhaps a 1/2 second delay. This delay wasn't there before, and also I've noticed in my AVG Free Edition the text on the buttons is no longer visible, so you don't know what the button stands for, especially if there is more than one button. Here are the three logs that you wanted. I've attached two of them for your review and copied and pasted the GMER log.

Appreciate your help.

GMER
================================
GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-12-15 17:17:32
Windows 5.1.2600 Service Pack 3
Running: eh4xb8tr.exe; Driver: C:\DOCUME~1\AUSER\LOCALS~1\Temp\ufxorkod.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwAllocateVirtualMemory [0xB499FB94]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwAssignProcessToJobObject [0x8CB9B1CC]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwConnectPort [0xB499F5DA]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwCreateFile [0xB499F640]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwCreateProcess [0xB499F72E]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwCreateProcessEx [0xB499F7BA]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwCreateThread [0x8CB9B206]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwDebugActiveProcess [0xB499F980]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwDuplicateObject [0xB499F9D4]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwLoadDriver [0xB499FA3A]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xBA5AD470]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwOpenKey [0xB499FA8C]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenProcess [0x8CB9B51A]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwOpenSection [0xB499FAE4]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenThread [0x8CB9B3F6]
SSDT 8974A818 ZwProtectVirtualMemory
SSDT 89436540 ZwRequestWaitReplyPort
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwRestoreKey [0xB499FC58]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwResumeThread [0xB499FCB6]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwSecureConnectPort [0xB499FD74]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetContextThread [0x8CB9B18E]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwSetValueKey [0xB499FD08]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xBA5AD990]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwSuspendProcess [0xB499FDDE]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwSystemDebugControl [0xB499FE30]
SSDT 89473140 ZwTerminateProcess
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateThread [0x8CB9B316]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwWriteVirtualMemory [0x8CB9B34E]

Code 893C6E8C ZwCreateKey
Code 89397784 ZwOpenKey
Code 893CDE8B ExAcquireResourceExclusiveLite
Code 893DD033 MmMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + E0 804E273C 1 Byte [40]
.text ntoskrnl.exe!ExAcquireResourceExclusiveLite 804E35D4 5 Bytes JMP 893CDE90
PAGE ntoskrnl.exe!ZwOpenKey 80568EE9 5 Bytes JMP 89397788
PAGE ntoskrnl.exe!ZwCreateKey 80572E9D 5 Bytes JMP 893C6E90
PAGE ntoskrnl.exe!MmMapViewOfSection 8057897E 5 Bytes JMP 893DD038
.text tcpip.sys!IPTransmit + 10FC B5544D3A 6 Bytes CALL F740FE50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPTransmit + 2A52 B5546690 6 Bytes CALL F740FE50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPRegisterProtocol + 930 B555C454 6 Bytes CALL F740FE50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys BA5A03FD 7 Bytes CALL F740FFA0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text win32k.sys!EngMultiByteToWideChar + 2AA2 BF8527B7 5 Bytes JMP 894C8150

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\PC Tools Firewall Plus\FWService.exe[264] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00392798
.text C:\Program Files\PC Tools Firewall Plus\FWService.exe[264] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00392848
.text C:\Program Files\PC Tools Firewall Plus\FWService.exe[264] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 003922C8
.text C:\Program Files\PC Tools Firewall Plus\FWService.exe[264] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00392168
.text C:\Program Files\PC Tools Firewall Plus\FWService.exe[264] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 00392008
.text C:\Program Files\PC Tools Firewall Plus\FWService.exe[264] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 003920B8
.text C:\Program Files\PC Tools Firewall Plus\FWService.exe[264] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 00392428
.text C:\Program Files\PC Tools Firewall Plus\FWService.exe[264] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 00392638
.text C:\Program Files\PC Tools Firewall Plus\FWService.exe[264] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 00392588
.text C:\Program Files\PC Tools Firewall Plus\FWService.exe[264] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 00392218
.text C:\Program Files\PC Tools Firewall Plus\FWService.exe[264] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 00392378
.text C:\Program Files\PC Tools Firewall Plus\FWService.exe[264] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 00391F58
.text C:\Program Files\PC Tools Firewall Plus\FWService.exe[264] USER32.dll!keybd_event 7E466783 5 Bytes JMP 003926E8
.text C:\Program Files\PC Tools Firewall Plus\FWService.exe[264] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 003924D8
.text C:\WINDOWS\system32\svchost.exe[512] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00402798
.text C:\WINDOWS\system32\svchost.exe[512] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00402848
.text C:\WINDOWS\system32\svchost.exe[512] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 004022C8
.text C:\WINDOWS\system32\svchost.exe[512] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00402168
.text C:\WINDOWS\system32\svchost.exe[512] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 00402008
.text C:\WINDOWS\system32\svchost.exe[512] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 004020B8
.text C:\WINDOWS\system32\svchost.exe[512] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 00402428
.text C:\WINDOWS\system32\svchost.exe[512] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 00402638
.text C:\WINDOWS\system32\svchost.exe[512] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 00402588
.text C:\WINDOWS\system32\svchost.exe[512] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 00402218
.text C:\WINDOWS\system32\svchost.exe[512] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 00402378
.text C:\WINDOWS\system32\svchost.exe[512] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 00401F58
.text C:\WINDOWS\system32\svchost.exe[512] USER32.dll!keybd_event 7E466783 5 Bytes JMP 004026E8
.text C:\WINDOWS\system32\svchost.exe[512] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 004024D8
.text C:\Program Files\Java\jre6\bin\jusched.exe[536] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00382798
.text C:\Program Files\Java\jre6\bin\jusched.exe[536] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00382848
.text C:\Program Files\Java\jre6\bin\jusched.exe[536] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 003822C8
.text C:\Program Files\Java\jre6\bin\jusched.exe[536] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00382168
.text C:\Program Files\Java\jre6\bin\jusched.exe[536] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 00382008
.text C:\Program Files\Java\jre6\bin\jusched.exe[536] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 003820B8
.text C:\Program Files\Java\jre6\bin\jusched.exe[536] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 00382428
.text C:\Program Files\Java\jre6\bin\jusched.exe[536] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 00382638
.text C:\Program Files\Java\jre6\bin\jusched.exe[536] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 00382588
.text C:\Program Files\Java\jre6\bin\jusched.exe[536] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 00382218
.text C:\Program Files\Java\jre6\bin\jusched.exe[536] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 00382378
.text C:\Program Files\Java\jre6\bin\jusched.exe[536] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 00381F58
.text C:\Program Files\Java\jre6\bin\jusched.exe[536] USER32.dll!keybd_event 7E466783 5 Bytes JMP 003826E8
.text C:\Program Files\Java\jre6\bin\jusched.exe[536] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 003824D8
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[708] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00382798
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[708] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00382848
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[708] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 003822C8
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[708] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00382168
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[708] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 00382008
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[708] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 003820B8
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[708] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 00382428
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[708] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 00382638
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[708] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 00382588
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[708] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 00382218
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[708] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 00382378
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[708] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 00381F58
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[708] USER32.dll!keybd_event 7E466783 5 Bytes JMP 003826E8
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[708] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 003824D8
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe[1032] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00372798
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe[1032] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00372848
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe[1032] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 003722C8
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe[1032] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00372168
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe[1032] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 00372008
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe[1032] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 003720B8
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe[1032] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 00372428
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe[1032] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 00372638
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe[1032] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 00372588
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe[1032] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 00372218
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe[1032] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 00372378
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe[1032] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 00371F58
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe[1032] USER32.dll!keybd_event 7E466783 5 Bytes JMP 003726E8
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe[1032] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 003724D8
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1136] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00372798
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1136] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00372848
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1136] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 003722C8
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1136] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00372168
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1136] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 00372008
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1136] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 003720B8
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1136] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 00372428
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1136] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 00372638
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1136] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 00372588
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1136] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 00372218
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1136] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 00372378
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1136] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 00371F58
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1136] USER32.dll!keybd_event 7E466783 5 Bytes JMP 003726E8
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1136] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 003724D8
.text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00402798
.text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00402848
.text C:\WINDOWS\system32\svchost.exe[1248] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 004022C8
.text C:\WINDOWS\system32\svchost.exe[1248] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00402168
.text C:\WINDOWS\system32\svchost.exe[1248] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 00402008
.text C:\WINDOWS\system32\svchost.exe[1248] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 004020B8
.text C:\WINDOWS\system32\svchost.exe[1248] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 00402428
.text C:\WINDOWS\system32\svchost.exe[1248] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 00402638
.text C:\WINDOWS\system32\svchost.exe[1248] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 00402588
.text C:\WINDOWS\system32\svchost.exe[1248] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 00402218
.text C:\WINDOWS\system32\svchost.exe[1248] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 00402378
.text C:\WINDOWS\system32\svchost.exe[1248] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 00401F58
.text C:\WINDOWS\system32\svchost.exe[1248] USER32.dll!keybd_event 7E466783 5 Bytes JMP 004026E8
.text C:\WINDOWS\system32\svchost.exe[1248] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 004024D8
.text C:\WINDOWS\system32\svchost.exe[1304] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00402798
.text C:\WINDOWS\system32\svchost.exe[1304] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00402848
.text C:\WINDOWS\system32\svchost.exe[1304] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 004022C8
.text C:\WINDOWS\system32\svchost.exe[1304] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00402168
.text C:\WINDOWS\system32\svchost.exe[1304] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 00402008
.text C:\WINDOWS\system32\svchost.exe[1304] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 004020B8
.text C:\WINDOWS\system32\svchost.exe[1304] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 00402428
.text C:\WINDOWS\system32\svchost.exe[1304] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 00402638
.text C:\WINDOWS\system32\svchost.exe[1304] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 00402588
.text C:\WINDOWS\system32\svchost.exe[1304] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 00402218
.text C:\WINDOWS\system32\svchost.exe[1304] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 00402378
.text C:\WINDOWS\system32\svchost.exe[1304] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 00401F58
.text C:\WINDOWS\system32\svchost.exe[1304] USER32.dll!keybd_event 7E466783 5 Bytes JMP 004026E8
.text C:\WINDOWS\system32\svchost.exe[1304] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 004024D8
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00402798
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00402848
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 004022C8
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00402168
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 00402008
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 004020B8
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 00402428
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 00402638
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 00402588
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 00402218
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 00402378
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 00401F58
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!keybd_event 7E466783 5 Bytes JMP 004026E8
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 004024D8
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00402798
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00402848
.text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 004022C8
.text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00402168
.text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 00402008
.text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 004020B8
.text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 00402428
.text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 00402638
.text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 00402588
.text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 00402218
.text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 00402378
.text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 00401F58
.text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!keybd_event 7E466783 5 Bytes JMP 004026E8
.text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 004024D8
.text C:\WINDOWS\system32\wuauclt.exe[1416] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 002D2798
.text C:\WINDOWS\system32\wuauclt.exe[1416] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 002D2848
.text C:\WINDOWS\system32\wuauclt.exe[1416] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 002D22C8
.text C:\WINDOWS\system32\wuauclt.exe[1416] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 002D2168
.text C:\WINDOWS\system32\wuauclt.exe[1416] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 002D2008
.text C:\WINDOWS\system32\wuauclt.exe[1416] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 002D20B8
.text C:\WINDOWS\system32\wuauclt.exe[1416] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 002D2428
.text C:\WINDOWS\system32\wuauclt.exe[1416] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 002D2638
.text C:\WINDOWS\system32\wuauclt.exe[1416] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 002D2588
.text C:\WINDOWS\system32\wuauclt.exe[1416] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 002D2218
.text C:\WINDOWS\system32\wuauclt.exe[1416] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 002D2378
.text C:\WINDOWS\system32\wuauclt.exe[1416] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 002D1F58
.text C:\WINDOWS\system32\wuauclt.exe[1416] USER32.dll!keybd_event 7E466783 5 Bytes JMP 002D26E8
.text C:\WINDOWS\system32\wuauclt.exe[1416] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 002D24D8
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1424] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00372798
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1424] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00372848
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1424] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1424] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 003722C8
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1424] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00372168
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1424] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 00372008
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1424] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 003720B8
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1424] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 00372428
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1424] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 00372638
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1424] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 00372588
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1424] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 00372218
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1424] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 00372378
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1424] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E351FF7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1424] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 00371F58
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1424] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1424] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E351FBC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1424] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1424] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F3E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1424] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352032 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1424] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1424] USER32.dll!keybd_event 7E466783 5 Bytes JMP 003726E8
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1424] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 003724D8
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1424] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3521F4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\system32\svchost.exe[1524] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00402798
.text C:\WINDOWS\system32\svchost.exe[1524] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00402848
.text C:\WINDOWS\system32\svchost.exe[1524] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 004022C8
.text C:\WINDOWS\system32\svchost.exe[1524] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00402168
.text C:\WINDOWS\system32\svchost.exe[1524] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 00402008
.text C:\WINDOWS\system32\svchost.exe[1524] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 004020B8
.text C:\WINDOWS\system32\svchost.exe[1524] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 00402428
.text C:\WINDOWS\system32\svchost.exe[1524] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 00402638
.text C:\WINDOWS\system32\svchost.exe[1524] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 00402588
.text C:\WINDOWS\system32\svchost.exe[1524] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 00402218
.text C:\WINDOWS\system32\svchost.exe[1524] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 00402378
.text C:\WINDOWS\system32\svchost.exe[1524] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 00401F58
.text C:\WINDOWS\system32\svchost.exe[1524] USER32.dll!keybd_event 7E466783 5 Bytes JMP 004026E8
.text C:\WINDOWS\system32\svchost.exe[1524] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 004024D8
.text C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe[1580] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00382798
.text C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe[1580] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00382848
.text C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe[1580] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 003822C8
.text C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe[1580] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00382168
.text C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe[1580] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 00382008
.text C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe[1580] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 003820B8
.text C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe[1580] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 00382428
.text C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe[1580] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 00382638
.text C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe[1580] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 00382588
.text C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe[1580] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 00382218
.text C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe[1580] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 00382378
.text C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe[1580] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 00381F58
.text C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe[1580] USER32.dll!keybd_event 7E466783 5 Bytes JMP 003826E8
.text C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe[1580] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 003824D8
.text C:\Program Files\Sygate\SPF\smc.exe[1680] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00382798
.text C:\Program Files\Sygate\SPF\smc.exe[1680] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00382848
.text C:\Program Files\Sygate\SPF\smc.exe[1680] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 003822C8
.text C:\Program Files\Sygate\SPF\smc.exe[1680] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00382168
.text C:\Program Files\Sygate\SPF\smc.exe[1680] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 00382008
.text C:\Program Files\Sygate\SPF\smc.exe[1680] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 003820B8
.text C:\Program Files\Sygate\SPF\smc.exe[1680] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 00382428
.text C:\Program Files\Sygate\SPF\smc.exe[1680] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 00382638
.text C:\Program Files\Sygate\SPF\smc.exe[1680] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 00382588
.text C:\Program Files\Sygate\SPF\smc.exe[1680] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 00382218
.text C:\Program Files\Sygate\SPF\smc.exe[1680] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 00382378
.text C:\Program Files\Sygate\SPF\smc.exe[1680] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 00381F58
.text C:\Program Files\Sygate\SPF\smc.exe[1680] USER32.dll!keybd_event 7E466783 5 Bytes JMP 003826E8
.text C:\Program Files\Sygate\SPF\smc.exe[1680] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 003824D8
.text C:\WINDOWS\system32\spoolsv.exe[1720] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 002C2798
.text C:\WINDOWS\system32\spoolsv.exe[1720] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 002C2848
.text C:\WINDOWS\system32\spoolsv.exe[1720] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 002C22C8
.text C:\WINDOWS\system32\spoolsv.exe[1720] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 002C2168
.text C:\WINDOWS\system32\spoolsv.exe[1720] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 002C2008
.text C:\WINDOWS\system32\spoolsv.exe[1720] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 002C20B8
.text C:\WINDOWS\system32\spoolsv.exe[1720] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 002C2428
.text C:\WINDOWS\system32\spoolsv.exe[1720] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 002C2638
.text C:\WINDOWS\system32\spoolsv.exe[1720] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 002C2588
.text C:\WINDOWS\system32\spoolsv.exe[1720] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 002C2218
.text C:\WINDOWS\system32\spoolsv.exe[1720] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 002C2378
.text C:\WINDOWS\system32\spoolsv.exe[1720] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 002C1F58
.text C:\WINDOWS\system32\spoolsv.exe[1720] USER32.dll!keybd_event 7E466783 5 Bytes JMP 002C26E8
.text C:\WINDOWS\system32\spoolsv.exe[1720] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 002C24D8
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe[1868] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00372798
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe[1868] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00372848
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe[1868] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 003722C8
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe[1868] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00372168
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe[1868] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 00372008
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe[1868] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 003720B8
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe[1868] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 00372428
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe[1868] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 00372638
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe[1868] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 00372588
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe[1868] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 00372218
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe[1868] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 00372378
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe[1868] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 00371F58
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe[1868] USER32.dll!keybd_event 7E466783 5 Bytes JMP 003726E8
.text C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe[1868] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 003724D8
.text C:\Program Files\AVG\AVG9\avgtray.exe[1896] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00382798
.text C:\Program Files\AVG\AVG9\avgtray.exe[1896] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00382848
.text C:\Program Files\AVG\AVG9\avgtray.exe[1896] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 003822C8
.text C:\Program Files\AVG\AVG9\avgtray.exe[1896] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00382168
.text C:\Program Files\AVG\AVG9\avgtray.exe[1896] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 00382008
.text C:\Program Files\AVG\AVG9\avgtray.exe[1896] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 003820B8
.text C:\Program Files\AVG\AVG9\avgtray.exe[1896] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 00382428
.text C:\Program Files\AVG\AVG9\avgtray.exe[1896] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 00382638
.text C:\Program Files\AVG\AVG9\avgtray.exe[1896] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 00382588
.text C:\Program Files\AVG\AVG9\avgtray.exe[1896] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 00382218
.text C:\Program Files\AVG\AVG9\avgtray.exe[1896] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 00382378
.text C:\Program Files\AVG\AVG9\avgtray.exe[1896] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 00381F58
.text C:\Program Files\AVG\AVG9\avgtray.exe[1896] USER32.dll!keybd_event 7E466783 5 Bytes JMP 003826E8
.text C:\Program Files\AVG\AVG9\avgtray.exe[1896] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 003824D8
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00382798
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00382848
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 003822C8
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00382168
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 00382008
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 003820B8
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 00382428
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 00382638
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 00382588
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 00382218
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 00382378
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 00381F58
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] USER32.dll!keybd_event 7E466783 5 Bytes JMP 003826E8
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 003824D8
.text C:\WINDOWS\Explorer.EXE[1932] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 002C2798
.text C:\WINDOWS\Explorer.EXE[1932] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 002C2848
.text C:\WINDOWS\Explorer.EXE[1932] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 002C22C8
.text C:\WINDOWS\Explorer.EXE[1932] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 002C2168
.text C:\WINDOWS\Explorer.EXE[1932] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 002C2008
.text C:\WINDOWS\Explorer.EXE[1932] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 002C20B8
.text C:\WINDOWS\Explorer.EXE[1932] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 002C2428
.text C:\WINDOWS\Explorer.EXE[1932] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 002C2638
.text C:\WINDOWS\Explorer.EXE[1932] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 002C2588
.text C:\WINDOWS\Explorer.EXE[1932] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 002C2218
.text C:\WINDOWS\Explorer.EXE[1932] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 002C2378
.text C:\WINDOWS\Explorer.EXE[1932] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 002C1F58
.text C:\WINDOWS\Explorer.EXE[1932] USER32.dll!keybd_event 7E466783 5 Bytes JMP 002C26E8
.text C:\WINDOWS\Explorer.EXE[1932] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 002C24D8
.text C:\WINDOWS\system32\ctfmon.exe[2104] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 002D2798
.text C:\WINDOWS\system32\ctfmon.exe[2104] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 002D2848
.text C:\WINDOWS\system32\ctfmon.exe[2104] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 002D22C8
.text C:\WINDOWS\system32\ctfmon.exe[2104] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 002D2168
.text C:\WINDOWS\system32\ctfmon.exe[2104] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 002D2008
.text C:\WINDOWS\system32\ctfmon.exe[2104] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 002D20B8
.text C:\WINDOWS\system32\ctfmon.exe[2104] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 002D2428
.text C:\WINDOWS\system32\ctfmon.exe[2104] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 002D2638
.text C:\WINDOWS\system32\ctfmon.exe[2104] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 002D2588
.text C:\WINDOWS\system32\ctfmon.exe[2104] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 002D2218
.text C:\WINDOWS\system32\ctfmon.exe[2104] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 002D2378
.text C:\WINDOWS\system32\ctfmon.exe[2104] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 002D1F58
.text C:\WINDOWS\system32\ctfmon.exe[2104] USER32.dll!keybd_event 7E466783 5 Bytes JMP 002D26E8
.text C:\WINDOWS\system32\ctfmon.exe[2104] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 002D24D8
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[2176] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00912798
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[2176] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00912848
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[2176] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 009122C8
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[2176] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00912168
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[2176] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 00912008
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[2176] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 009120B8
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[2176] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 00912428
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[2176] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 00912638
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[2176] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 00912588
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[2176] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 00912218
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[2176] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 00912378
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[2176] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 00911F58
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[2176] USER32.dll!keybd_event 7E466783 5 Bytes JMP 009126E8
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[2176] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 009124D8
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2676] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 002C2798
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2676] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 002C2848
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2676] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 002C22C8
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2676] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 002C2168
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2676] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 002C2008
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2676] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 002C20B8
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2676] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 002C2428
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2676] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 002C2638
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2676] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 002C2588
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2676] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 002C2218
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2676] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 002C2378
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2676] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 002C1F58
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2676] USER32.dll!keybd_event 7E466783 5 Bytes JMP 002C26E8
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2676] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 002C24D8
.text C:\Program Files\AVG\AVG9\avgnsx.exe[2920] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 009A2798
.text C:\Program Files\AVG\AVG9\avgnsx.exe[2920] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 009A2848
.text C:\Program Files\AVG\AVG9\avgnsx.exe[2920] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 009A22C8
.text C:\Program Files\AVG\AVG9\avgnsx.exe[2920] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 009A2168
.text C:\Program Files\AVG\AVG9\avgnsx.exe[2920] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 009A2008
.text C:\Program Files\AVG\AVG9\avgnsx.exe[2920] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 009A20B8
.text C:\Program Files\AVG\AVG9\avgnsx.exe[2920] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 009A2428
.text C:\Program Files\AVG\AVG9\avgnsx.exe[2920] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 009A2638
.text C:\Program Files\AVG\AVG9\avgnsx.exe[2920] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 009A2588
.text C:\Program Files\AVG\AVG9\avgnsx.exe[2920] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 009A2218
.text C:\Program Files\AVG\AVG9\avgnsx.exe[2920] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 009A2378
.text C:\Program Files\AVG\AVG9\avgnsx.exe[2920] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 009A1F58
.text C:\Program Files\AVG\AVG9\avgnsx.exe[2920] USER32.dll!keybd_event 7E466783 5 Bytes JMP 009A26E8
.text C:\Program Files\AVG\AVG9\avgnsx.exe[2920] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 009A24D8
.text C:\Program Files\AVG\AVG9\avgemc.exe[3152] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00382798
.text C:\Program Files\AVG\AVG9\avgemc.exe[3152] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00382848
.text C:\Program Files\AVG\AVG9\avgemc.exe[3152] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 003822C8
.text C:\Program Files\AVG\AVG9\avgemc.exe[3152] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00382168
.text C:\Program Files\AVG\AVG9\avgemc.exe[3152] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 00382008
.text C:\Program Files\AVG\AVG9\avgemc.exe[3152] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 003820B8
.text C:\Program Files\AVG\AVG9\avgemc.exe[3152] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 00382428
.text C:\Program Files\AVG\AVG9\avgemc.exe[3152] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 00382638
.text C:\Program Files\AVG\AVG9\avgemc.exe[3152] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 00382588
.text C:\Program Files\AVG\AVG9\avgemc.exe[3152] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 00382218
.text C:\Program Files\AVG\AVG9\avgemc.exe[3152] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 00382378
.text C:\Program Files\AVG\AVG9\avgemc.exe[3152] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 00381F58
.text C:\Program Files\AVG\AVG9\avgemc.exe[3152] USER32.dll!keybd_event 7E466783 5 Bytes JMP 003826E8
.text C:\Program Files\AVG\AVG9\avgemc.exe[3152] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 003824D8
.text C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe[3488] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00382798
.text C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe[3488] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00382848
.text C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe[3488] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 003822C8
.text C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe[3488] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00382168
.text C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe[3488] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 00382008
.text C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe[3488] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 003820B8
.text C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe[3488] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 00382428
.text C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe[3488] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 00382638
.text C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe[3488] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 00382588
.text C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe[3488] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 00382218
.text C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe[3488] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 00382378
.text C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe[3488] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 00381F58
.text C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe[3488] USER32.dll!keybd_event 7E466783 5 Bytes JMP 003826E8
.text C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe[3488] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 003824D8
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[3560] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00382798
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[3560] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00382848
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[3560] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 003822C8
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[3560] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00382168
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[3560] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 00382008
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[3560] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 003820B8
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[3560] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 00382428
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[3560] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 00382638
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[3560] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 00382588
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[3560] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 00382218
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[3560] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 00382378
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[3560] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 00381F58
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[3560] USER32.dll!keybd_event 7E466783 5 Bytes JMP 003826E8
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[3560] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 003824D8
.text C:\WINDOWS\System32\svchost.exe[3704] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00402798
.text C:\WINDOWS\System32\svchost.exe[3704] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00402848
.text C:\WINDOWS\System32\svchost.exe[3704] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 004022C8
.text C:\WINDOWS\System32\svchost.exe[3704] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00402168
.text C:\WINDOWS\System32\svchost.exe[3704] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 00402008
.text C:\WINDOWS\System32\svchost.exe[3704] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 004020B8
.text C:\WINDOWS\System32\svchost.exe[3704] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 00402428
.text C:\WINDOWS\System32\svchost.exe[3704] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 00402638
.text C:\WINDOWS\System32\svchost.exe[3704] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 00402588
.text C:\WINDOWS\System32\svchost.exe[3704] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 00402218
.text C:\WINDOWS\System32\svchost.exe[3704] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 00402378
.text C:\WINDOWS\System32\svchost.exe[3704] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 00401F58
.text C:\WINDOWS\System32\svchost.exe[3704] USER32.dll!keybd_event 7E466783 5 Bytes JMP 004026E8
.text C:\WINDOWS\System32\svchost.exe[3704] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 004024D8
.text C:\WINDOWS\System32\alg.exe[4036] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 002C2798
.text C:\WINDOWS\System32\alg.exe[4036] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 002C2848
.text C:\WINDOWS\System32\alg.exe[4036] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 002C22C8
.text C:\WINDOWS\System32\alg.exe[4036] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 002C2168
.text C:\WINDOWS\System32\alg.exe[4036] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 002C2008
.text C:\WINDOWS\System32\alg.exe[4036] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 002C20B8
.text C:\WINDOWS\System32\alg.exe[4036] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 002C2428
.text C:\WINDOWS\System32\alg.exe[4036] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 002C2638
.text C:\WINDOWS\System32\alg.exe[4036] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 002C2588
.text C:\WINDOWS\System32\alg.exe[4036] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 002C2218
.text C:\WINDOWS\System32\alg.exe[4036] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 002C2378
.text C:\WINDOWS\System32\alg.exe[4036] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 002C1F58
.text C:\WINDOWS\System32\alg.exe[4036] USER32.dll!keybd_event 7E466783 5 Bytes JMP 002C26E8
.text C:\WINDOWS\System32\alg.exe[4036] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 002C24D8
.text D:\eh4xb8tr.exe[7644] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003C2798
.text D:\eh4xb8tr.exe[7644] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 003C2848
.text D:\eh4xb8tr.exe[7644] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 003C22C8
.text D:\eh4xb8tr.exe[7644] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 003C2168
.text D:\eh4xb8tr.exe[7644] USER32.dll!GetWindowTextW 7E42A5CD 7 Bytes JMP 003C2008
.text D:\eh4xb8tr.exe[7644] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 003C20B8
.text D:\eh4xb8tr.exe[7644] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 003C2428
.text D:\eh4xb8tr.exe[7644] USER32.dll!GetKeyboardState 7E42D226 5 Bytes JMP 003C2638
.text D:\eh4xb8tr.exe[7644] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 003C2588
.text D:\eh4xb8tr.exe[7644] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 003C2218
.text D:\eh4xb8tr.exe[7644] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 003C2378
.text D:\eh4xb8tr.exe[7644] USER32.dll!GetWindowTextA 7E43216B 7 Bytes JMP 003C1F58
.text D:\eh4xb8tr.exe[7644] USER32.dll!keybd_event 7E466783 5 Bytes JMP 003C26E8
.text D:\eh4xb8tr.exe[7644] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 003C24D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F7410C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F7410BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F7410B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F74108E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F74108E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F7410BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F7410C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F7410B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F7410B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F74108E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F7410BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F7410C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F74108E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F7410B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F7410C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F7410BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F7410C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F7410BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F74108E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F7410B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F74108E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F7410BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F7410C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F74108E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F7410B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F7410C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F7410BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe[1580] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] [00436940] C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Edited by Victor43, 15 December 2009 - 05:26 PM.


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,112 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:11 AM

Posted 16 December 2009 - 03:53 AM

Hello Victor43,

TWO FIREWALLS
-----------------------
I do not recommend that you have more than one firewall installed and running on your computer at a time. Running multiple software firewalls is unnecessary. Using two firewalls on the same connection could cause issues with connectivity to the Internet or other unexpected behavior.
Therefore please go to add/remove in the control panel and remove either PCTools Firewall or Sygate Personal Firewall.


Also, please let me know if you want to keep Antilogger on your computer. This may be the cause for some keyboard lags. You can try to uninstall it and see if the problem still occurs.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 Victor43

Posted 16 December 2009 - 11:01 AM

Hi Elise.

The AntiLogger application was a trial copy and it's now expired. I was going to ask you if it's alright to uninstall this application. I will uninstall Sygate firewall also.

Please let me know what I should do next.

Thanks again

Victor

#8 Elise

Posted 16 December 2009 - 12:17 PM

Please uninstall both applications and tell me if you see any difference in your problems.

regards, Elise


#9 Victor43

Posted 16 December 2009 - 02:37 PM

Yes Elise the keystrokes issue is still there. Please advise.

Edited by Victor43, 16 December 2009 - 02:51 PM.


#10 Elise

Posted 16 December 2009 - 02:41 PM

Hello Victor43,

COMBOFIX
---------------
Please download ComboFix from one of these locations: Bleepingcomputer
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on kittyfix.exe and follow the prompts.
    You will get a big disclaimer about Combofix still being in beta version, just continue there.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


#11 Victor43

Posted 17 December 2009 - 11:36 AM

Here is the ComboFix log. Thanks again for the help. Victor.



#12 Elise

Posted 17 December 2009 - 01:07 PM

No signs of active malware here. I would recommend also to uninstall PrivacyKeyboard. It has quite a few running components I see in your logs and may be responsible for your issues.

If you insist on keeping this program, I would ask you to temporarily disable it and see if your keystroke delay still occurs. Let me know what you want to do with this software and if uninstalling/disabling it did change anything.

regards, Elise


#13 Victor43

Posted 17 December 2009 - 05:37 PM

Hi Elise.

Thanks for your help.

I went ahead and uninstalled Privacy Keyboard and find the keystrokes a bit more normal. However I was wondering if there are any other tests or scans we can run that ensure that we don't have a keylogger on my system? I also had a question for you....what kind of third party process can run on Windows bootup in Safemode?

Victor

Edited by Victor43, 17 December 2009 - 07:32 PM.


#14 Elise

Posted 18 December 2009 - 02:22 AM

Hello Victor43,

However I was wondering if there are any other tests or scans we can run that ensure that we don't have a keylogger on my system?

Of course we will be doing that. Only when I am sure your system is clean I will say so and give you some tips on how to stay clean :(

what kind of third party process can run on Windows bootup in Safemode?

Without knowing what you are referring to here, I can tell you that Safe Mode starts with a minimum of services. Which means quite some applications can't be run from there. However, if needed, I believe there are ways to include certain services or applications in safe mode boot.

I see your version of Adobe reader is outdated. Recently a vulnerability was discovered, so I would recommend you to upgrade to the latest version.


Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

TFC
--------
Download TFC by OldTimer to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

NOTE:
It's normal after running TFC cleaner that the PC will be slower to boot the first time.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.



SUPERANTISPYWARE
-----------------------------
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
In your next reply, please include the following:
  • SUPERAntiSpyware scan log

regards, Elise


#15 Victor43

Posted 18 December 2009 - 12:49 PM

Thanks again for your help. Elise, what I was meaning to say was how can an application be configured to run on startup under Safemode? I booted up in Safemode awhile back and did not have any of my security software running including the ones you asked me to uninstall i.e. Sygate and Privacy Keyboard but the keystroke lags were still there when I went to my email webpage under Safemode. Right now the keystrokes seem to be working fine. Please let me know what you would like for me to do next.

Victor

Here is the SuperAntiSpyware scan log file:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/18/2009 at 12:34 PM

Application Version : 4.31.1000

Core Rules Database Version : 4386
Trace Rules Database Version: 2223

Scan type : Complete Scan
Total Scan Time : 01:02:49

Memory items scanned : 225
Memory threats detected : 0
Registry items scanned : 4544
Registry threats detected : 0
File items scanned : 28480
File threats detected : 8

Adware.Tracking Cookie
C:\Documents and Settings\AUSER\Cookies\auser@doubleclick[1].txt
C:\Documents and Settings\AUSER\Cookies\auser@ads.bleepingcomputer[1].txt
C:\Documents and Settings\AUSER\Cookies\auser@atdmt[1].txt
C:\Documents and Settings\AUSER\Cookies\auser@msnportal.112.2o7[1].txt
C:\Documents and Settings\AUSER\Cookies\auser@serving-sys[2].txt
C:\Documents and Settings\AUSER\Cookies\auser@ad.wsod[2].txt
C:\Documents and Settings\AUSER\Cookies\auser@bs.serving-sys[2].txt
C:\Documents and Settings\AUSER\Cookies\auser@collective-media[1].txt



