HiJack This Log: Please Help Clean Up!


This topic is locked
9 replies to this topic

#1 nmendillo (Members, 3 posts)

Posted 21 February 2010 - 12:46 AM

Over the past 2 weeks, something has snuck into my computer to cause it to move at incredibly low speeds. I haven't had to post a HijackThis log in over a year, so I'm sure there is some house cleaning to be done. Please help me diagnose the problem.

My log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:03 AM, on 2/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\SafeConnect\scManager.sys
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
E:\Programs\Adobe Premeire Files\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SafeConnect\scClient.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Programs\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: MHURLSearchHook Class - {1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48} - C:\Program Files\Celebrity Toolbar\tbhelper.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - E:\Programs\Adobe Premeire Files\/Adobe Contribute CS4/contributeieplugin.dll
O2 - BHO: MHTBPos00 - {0C37B053-FD68-456a-82E1-D788EE342E6F} - C:\Program Files\Celebrity Toolbar\tbcore3.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - E:\Programs\Adobe Premeire Files\/Adobe Contribute CS4/contributeieplugin.dll
O3 - Toolbar: Celebrity Toolbar - {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - C:\Program Files\Celebrity Toolbar\tbcore3.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Programs\iTunesHelper.exe"
O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "E:\Programs\Adobe Premeire Files\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Programs\Adobe Premeire Files\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM7\aim.exe" /d locale=en-US
O4 - HKUS\S-1-5-19\..\Run: [larepemijo] Rundll32.exe "C:\WINDOWS\system32\petolahu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [larepemijo] Rundll32.exe "C:\WINDOWS\system32\petolahu.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SafeConnect.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures05.aim.com/ygp/aol/plugin/u...AIM.9.5.1.8.cab
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\SbPFLnch.exe
O23 - Service: SafeConnect Manager (SCManager) - Unknown owner - C:\Program Files\SafeConnect\scManager.sys servicestart (file missing)
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\SbPFSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing)

--
End of file - 11824 bytes


Thanks in advance for the help
nick
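
A first-pass triage of a HijackThis log like the one above, as an added example that is not part of the thread and not a tool the forum helpers use. The heuristics are the editor's own: an autorun (`O4`) value living in a service-account hive (`HKUS\S-1-5-19` / `S-1-5-20`, i.e. LOCAL SERVICE and NETWORK SERVICE) is something installers do not create; an autorun whose command is `rundll32.exe <some.dll>,<export>` means the DLL, not rundll32, is the code to look at; and `(no file)` / `(file missing)` entries are orphaned registrations worth cleaning but not evidence of infection. The sample lines are copied verbatim from the log posted above; severities and wording of the findings are the example's assumptions, not the forum's verdict.

```python
import re
from dataclasses import dataclass

# Subset of the HijackThis log posted above, copied verbatim so the heuristics
# run against real entries. Raw string on purpose: the paths contain "\N" and
# "\P", which an ordinary string literal would try to interpret as escapes.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM7\aim.exe" /d locale=en-US
O4 - HKUS\S-1-5-19\..\Run: [larepemijo] Rundll32.exe "C:\WINDOWS\system32\petolahu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [larepemijo] Rundll32.exe "C:\WINDOWS\system32\petolahu.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: SafeConnect Manager (SCManager) - Unknown owner - C:\Program Files\SafeConnect\scManager.sys servicestart (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Well-known service-account SIDs. A Run value under one of these hives is
# executed when that service account logs on; installers write per-user
# autoruns to HKCU, not here, so anything found here deserves attention.
SERVICE_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\(?P<sid>S-1-5-\d+))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# rundll32[.exe] "<path>.dll",<export>  -- capture the DLL that actually runs
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,', re.IGNORECASE)
# HijackThis marks registered objects whose file no longer exists
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: str       # the log line (or the DLL path for a correlated finding)
    severity: str   # "high", "medium" or "info" (example's own scale)
    reason: str


def triage(log_text: str) -> list[Finding]:
    """One Finding per suspicious line, plus one per DLL shared by several autoruns."""
    findings: list[Finding] = []
    dll_hits: dict[str, list[str]] = {}
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        if ORPHAN_RE.search(line):
            findings.append(Finding(line, "info", "orphaned entry: a registered object whose file is gone (cleanup, not infection)"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        sid = m.group("sid")
        if sid in SERVICE_SIDS:
            findings.append(Finding(line, "high",
                f"Run value in the {SERVICE_SIDS[sid]} hive ({sid}); installers do not put autoruns there"))
        r = RUNDLL_RE.search(m.group("cmd"))
        if r:
            dll = r.group("dll").lower()
            dll_hits.setdefault(dll, []).append(line)
            # A DLL dropped straight into system32 next to the OS files is the
            # classic hiding place, so rate it above a DLL in a vendor folder.
            sev = "high" if "\\system32\\" in dll else "medium"
            findings.append(Finding(line, sev, f"rundll32 autorun: the code that runs is {dll}, not rundll32"))
    # The same DLL registered under several hives is one item, not several.
    for dll, lines in dll_hits.items():
        if len(lines) > 1:
            findings.append(Finding(dll, "high",
                f"same DLL registered by {len(lines)} autoruns; treat them as one item and examine the DLL itself"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it on the full log by replacing `SAMPLE_LOG` with the file contents; the point of the correlation step is that the two `larepemijo` lines in the log above are one DLL (`petolahu.dll`) registered twice, so a cleanup that deletes the Run values but leaves the DLL has not removed anything.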


#2 m0le, "Can U Dig It?" (Malware Response Team, 34,527 posts, London, UK)

Posted 22 February 2010 - 09:04 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#3 m0le (Malware Response Team)

Posted 27 February 2010 - 07:15 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.

#4 m0le (Malware Response Team)

Posted 03 March 2010 - 08:18 AM

Reopened at user's request

--------------------------------------

Hi,

Please post the logs.

Thanks

#5 nmendillo, Topic Starter (Members, 3 posts)

Posted 04 March 2010 - 11:05 AM

Thanks again for re-opening the post.

I would like to mention that after I ran the GMER program, Firefox would not load. I kept getting a system application error. I restarted, and once everything was all set, I got this message: "DATA EXECUTION PREVENTION - To help protect your computer, Windows has closed this program. Name - Windows Logon UI"

When I tried to close the message, it would pop back up again. And it's a window in the foreground, so I can only drag it to the lower corner of my screen to do work.


DDS (Ver_09-12-01.01) - NTFSx86
Run by NICHOLAS MENDILLO at 8:26:35.70 on Wed 03/03/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.50 [GMT -5:00]

FW: Sunbelt Personal Firewall *disabled* {F61A549E-9C8A-4859-8BFE-2A4A018BBA4A}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\SbPFLnch.exe
C:\Program Files\SafeConnect\scManager.sys
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
E:\Programs\iTunesHelper.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
E:\Programs\Adobe Premeire Files\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AIM7\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SafeConnect\scClient.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\NICHOLAS MENDILLO\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: MHURLSearchHook Class: {1c4ab6a5-595f-4e86-b15f-f93cce2bbd48} - c:\program files\celebrity toolbar\tbhelper.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - e:\programs\adobe premeire files\/Adobe Contribute CS4/contributeieplugin.dll
BHO: MHTBPos00 Class: {0c37b053-fd68-456a-82e1-d788ee342e6f} - c:\program files\celebrity toolbar\tbcore3.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - e:\programs\adobe premeire files\/Adobe Contribute CS4/contributeieplugin.dll
TB: Celebrity Toolbar: {fd2fd708-1f6f-4b68-b141-c5778f0c19bb} - c:\program files\celebrity toolbar\tbcore3.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Aim] "c:\program files\aim7\aim.exe" /d locale=en-US
mRun: [vptray] c:\program files\navnt\vptray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [Dell Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "e:\programs\iTunesHelper.exe"
mRun: [lxdimon.exe] "c:\program files\lexmark 3500-4500 series\lxdimon.exe"
mRun: [lxdiamon] "c:\program files\lexmark 3500-4500 series\lxdiamon.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "e:\programs\adobe premeire files\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "e:\programs\adobe premeire files\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\safeco~1.lnk - c:\program files\safeconnect\scClient.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Save with Download Manager... - file://c:\program files\j river\media center 11\DMDownload.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} - hxxps://support.microsoft.com/OAS/ActiveX/odc.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - hxxp://pictures05.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nichol~1\applic~1\mozilla\firefox\profiles\a0f7pi4s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: e:\programs\emusic download manager\plugin\npemusic.dll
FF - plugin: e:\programs\mozilla plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2008-8-24 269736]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [2008-6-21 66600]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [2008-10-9 99248]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2007-5-17 103744]
R2 NAVAPEL;NAVAPEL;c:\program files\navnt\Navapel.sys [2001-9-24 9232]
R2 SbPF.Launcher;SbPF.Launcher;c:\program files\SbPFLnch.exe [2008-7-30 95528]
R2 SCManager;SafeConnect Manager;c:\program files\safeconnect\scmanager.sys servicestart --> c:\program files\safeconnect\scManager.sys servicestart [?]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2008-8-24 65576]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-26 135664]
S2 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe [2001-9-24 454656]
S2 SPF4;Sunbelt Personal Firewall 4;c:\program files\SbPFSvc.exe [2008-7-30 1361192]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 NAVAP;NAVAP;c:\program files\navnt\navap.sys [2001-9-24 176208]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20080813.003\NAVENG.sys [2008-8-16 89936]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20080813.003\NAVEX15.sys [2008-8-16 856336]

=============== Created Last 30 ================

2010-02-03 04:48:46 0 d-----w- c:\program files\Celebrity Toolbar

==================== Find3M ====================

2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:21:05 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2009-12-22 05:21:03 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-12-22 05:21:02 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-12-22 05:21:00 3071488 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-12-22 05:20:58 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-22 05:20:58 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-09-09 04:39:59 288048 ----a-w- c:\program files\uTorrent.exe
2008-09-29 20:09:55 4584376 ----a-w- c:\program files\Shockwave_Installer_Slim.exe
2008-09-29 18:41:43 7508608 ----a-w- c:\program files\Firefox Setup 3.0.3.exe
2008-09-06 19:52:47 894504 ----a-w- c:\program files\WGAPluginInstall.exe
2008-08-25 04:24:32 5991904 ----a-w- c:\program files\Sunbelt-Personal-Firewall.exe
2008-08-24 17:33:56 2085280 ----a-w- c:\program files\mbam-setup.exe
2008-07-30 14:36:58 62760 ----a-w- c:\program files\SDK_Inst.exe
2008-07-30 14:36:56 79144 ----a-w- c:\program files\SbPFWsc.dll
2008-07-30 14:36:56 1361192 ----a-w- c:\program files\SbPFSvc.exe
2008-07-30 14:36:54 95528 ----a-w- c:\program files\SbPFLnch.exe
2008-07-30 14:36:54 1705256 ----a-w- c:\program files\SbPFCl.exe
2008-07-30 14:36:52 91432 ----a-w- c:\program files\SbFwIm.dll
2008-07-30 14:36:50 95528 ----a-w- c:\program files\SbFw.dll
2008-07-30 14:36:50 275752 ----a-w- c:\program files\SbFwe.dll
2008-07-30 14:36:48 111912 ----a-w- c:\program files\SbErrRpt.exe
2008-07-30 13:58:14 3293 ----a-w- c:\program files\Readme.txt
2008-06-12 23:24:41 1495112 ----a-w- c:\program files\install_flash_player.exe
2008-03-21 15:40:38 122879 -c--a-w- c:\program files\4482-utorrent.8020.dmp
2008-03-19 08:37:16 144665 -c--a-w- c:\program files\4482-utorrent.d009.dmp
2008-03-14 21:38:50 1454656 ----a-w- c:\program files\Silverlight.exe
2008-02-17 03:12:10 132608 ----a-w- c:\program files\VundoFix.exe
2008-02-15 22:29:09 50688 ----a-w- c:\program files\ATF-Cleaner.exe
2008-02-04 19:04:06 555572 ----a-w- c:\program files\spf4-en.chm
2008-01-29 21:47:19 125164 -c--a-w- c:\program files\4482-utorrent.5094.dmp
2008-01-26 18:36:54 158275 -c--a-w- c:\program files\4482-utorrent.b16a.dmp
2007-12-09 08:36:22 2400784 ----a-w- c:\program files\WLinstaller.exe
2007-10-02 12:34:35 148511 -c--a-w- c:\program files\4482-utorrent.54f2.dmp
2007-08-10 03:11:14 1436096 ----a-w- c:\program files\Silverlight.1.0.RC.exe
2007-08-09 11:32:44 270336 ----a-w- c:\program files\cfgconv.exe
2007-05-18 00:40:10 1066 -c--a-w- c:\program files\SuperDAT.log
2007-05-18 00:36:14 736180 ----a-w- c:\program files\CSA.exe
2007-04-09 21:47:06 5632 -csha-w- c:\program files\Thumbs.db
2007-01-22 15:22:28 470016 ----a-w- c:\program files\PocoXML.dll
2007-01-22 15:22:26 211456 ----a-w- c:\program files\PocoUtil.dll
2007-01-22 15:22:20 467456 ----a-w- c:\program files\PocoNet.dll
2007-01-22 15:22:14 859648 ----a-w- c:\program files\PocoFoundation.dll
2007-01-22 15:22:12 18432 ----a-w- c:\program files\PocoExt.dll
2007-01-08 18:15:17 29424 ----a-w- c:\program files\1942.zip
2006-12-24 01:40:13 680575 ----a-w- c:\program files\TabIt-2.03-full.exe
2006-09-25 16:11:10 263680 ----a-w- c:\program files\FairUse4WM.exe
2006-07-19 20:52:40 466944 ----a-w- c:\program files\boost_regex-vc71-mt-1_33_1.dll
2006-03-09 15:59:18 36465208 ----a-w- c:\program files\iTunesSetup.exe
2006-02-28 19:46:34 290816 ----a-w- c:\program files\curllib.dll
2006-02-14 19:36:26 97280 ----a-w- c:\program files\zlibwapi.dll
2006-02-14 19:36:10 155648 ----a-w- c:\program files\ssleay32.dll
2006-02-14 19:35:54 827392 ----a-w- c:\program files\libeay32.dll
2006-02-14 19:35:52 888832 ----a-w- c:\program files\kticonv.dll
2006-01-21 21:10:41 11817800 ----a-w- c:\program files\GoogleEarth.exe
2006-01-17 23:28:48 8715352 ----a-w- c:\program files\Install_AIM.exe
2005-12-05 23:00:46 74448 -c----w- c:\program files\DSETUP.dll
2005-12-05 23:00:46 484560 ------w- c:\program files\DXSETUP.exe
2005-12-05 23:00:46 2247888 -c----w- c:\program files\dsetup32.dll
2004-11-09 14:21:30 29619712 ----a-w- c:\program files\finaldraft7.exe
2003-08-20 11:05:40 41 -c--a-w- c:\program files\Setup.Ini
2003-03-19 01:20:00 1060864 ----a-w- c:\program files\mfc71.dll
2003-03-19 01:12:12 1047552 ----a-w- c:\program files\mfc71u.dll
2003-03-19 00:14:52 499712 ----a-w- c:\program files\msvcp71.dll
2003-02-21 08:42:22 348160 ----a-w- c:\program files\msvcr71.dll
2001-09-25 20:05:58 1707856 ----a-w- c:\program files\InstMsiA.Exe
2001-09-11 23:04:42 1821008 ----a-w- c:\program files\InstMsiW.Exe

============= FINISH: 8:29:31.95 ===============


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-04 10:20:14
Windows 5.1.2600 Service Pack 3
Running: o55m2zfk.exe; Driver: C:\DOCUME~1\NICHOL~1\LOCALS~1\Temp\pxtiqpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwClose [0xA9332FDC]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateFile [0xA93326E4]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateKey [0xA932F19C]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateProcess [0xA9331D0C]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateProcessEx [0xA9331C18]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateThread [0xA9332278]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteFile [0xA933308C]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteKey [0xA932F602]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteValueKey [0xA932F6C2]
SSDT \SystemRoot\system32\drivers\sbhips.sys (Sunbelt Personal Firewall Host Intrusion Prevention Driver/Sunbelt Software, Inc.) ZwLoadDriver [0xA9CF701C]
SSDT \SystemRoot\system32\drivers\sbhips.sys (Sunbelt Personal Firewall Host Intrusion Prevention Driver/Sunbelt Software, Inc.) ZwMapViewOfSection [0xA9CF7168]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwOpenFile [0xA93329D0]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwOpenKey [0xA932F446]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwResumeThread [0xA9332368]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwSetInformationFile [0xA9332D08]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwSetValueKey [0xA932F838]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwWriteFile [0xA9332C5C]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe[148] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe[148] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe[148] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe[148] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe[148] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe[148] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe[148] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe[148] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe[148] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe[148] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe[148] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe[148] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe[148] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe[148] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe[148] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[216] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[216] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[216] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00080DB0
.text C:\WINDOWS\system32\svchost.exe[216] WININET.dll!InternetConnectA 771C345A 5 Bytes JMP 00080F54
.text C:\WINDOWS\system32\svchost.exe[216] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00080D24
.text C:\WINDOWS\system32\svchost.exe[216] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00080E3C
.text C:\WINDOWS\system32\svchost.exe[216] WININET.dll!InternetConnectW 771CEE40 5 Bytes JMP 00080FE0
.text C:\WINDOWS\system32\svchost.exe[216] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00080EC8
.text C:\WINDOWS\system32\svchost.exe[216] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[216] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[216] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00080950
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[232] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001401A8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[232] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00140090
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[232] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00140694
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[232] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001402C0
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[232] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00140234
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[232] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00140004
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[232] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0014011C
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[232] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001404F0
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[232] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0014057C
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[232] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001403D8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[232] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0014034C
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[232] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00140464
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[232] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00140608
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[232] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001407AC
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[232] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00140720
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[328] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[328] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[328] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[328] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[328] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[328] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[328] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[328] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[328] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[328] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[328] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[328] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[328] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[328] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001308C4
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[328] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00130838
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[328] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00130950
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[328] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[328] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\Program Files\Bonjour\mDNSResponder.exe[356] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Bonjour\mDNSResponder.exe[356] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Bonjour\mDNSResponder.exe[356] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Bonjour\mDNSResponder.exe[356] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Bonjour\mDNSResponder.exe[356] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Bonjour\mDNSResponder.exe[356] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\Bonjour\mDNSResponder.exe[356] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\Bonjour\mDNSResponder.exe[356] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\Bonjour\mDNSResponder.exe[356] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\Bonjour\mDNSResponder.exe[356] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\Bonjour\mDNSResponder.exe[356] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\Bonjour\mDNSResponder.exe[356] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\Bonjour\mDNSResponder.exe[356] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\Bonjour\mDNSResponder.exe[356] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001308C4
.text C:\Program Files\Bonjour\mDNSResponder.exe[356] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00130838
.text C:\Program Files\Bonjour\mDNSResponder.exe[356] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00130950
.text C:\Program Files\Bonjour\mDNSResponder.exe[356] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\Bonjour\mDNSResponder.exe[356] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\Program Files\NavNT\defwatch.exe[400] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\NavNT\defwatch.exe[400] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\NavNT\defwatch.exe[400] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\NavNT\defwatch.exe[400] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\NavNT\defwatch.exe[400] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\NavNT\defwatch.exe[400] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\NavNT\defwatch.exe[400] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\NavNT\defwatch.exe[400] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\NavNT\defwatch.exe[400] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\NavNT\defwatch.exe[400] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\NavNT\defwatch.exe[400] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\NavNT\defwatch.exe[400] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\NavNT\defwatch.exe[400] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\NavNT\defwatch.exe[400] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\NavNT\defwatch.exe[400] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\Program Files\SbPFLnch.exe[408] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\SbPFLnch.exe[408] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\SbPFLnch.exe[408] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\SbPFLnch.exe[408] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\SbPFLnch.exe[408] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\SbPFLnch.exe[408] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\SbPFLnch.exe[408] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\SbPFLnch.exe[408] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\SbPFLnch.exe[408] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\SbPFLnch.exe[408] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\SbPFLnch.exe[408] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\SbPFLnch.exe[408] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\SbPFLnch.exe[408] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\SbPFLnch.exe[408] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\SbPFLnch.exe[408] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\NOTEPAD.EXE[492] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\NOTEPAD.EXE[492] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\NOTEPAD.EXE[492] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\NOTEPAD.EXE[492] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\NOTEPAD.EXE[492] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\NOTEPAD.EXE[492] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\NOTEPAD.EXE[492] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\NOTEPAD.EXE[492] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\NOTEPAD.EXE[492] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\NOTEPAD.EXE[492] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\NOTEPAD.EXE[492] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\NOTEPAD.EXE[492] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\NOTEPAD.EXE[492] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\NOTEPAD.EXE[492] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\NOTEPAD.EXE[492] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\igfxpers.exe[512] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001401A8
.text C:\WINDOWS\system32\igfxpers.exe[512] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00140090
.text C:\WINDOWS\system32\igfxpers.exe[512] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00140694
.text C:\WINDOWS\system32\igfxpers.exe[512] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001402C0
.text C:\WINDOWS\system32\igfxpers.exe[512] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00140234
.text C:\WINDOWS\system32\igfxpers.exe[512] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00140004
.text C:\WINDOWS\system32\igfxpers.exe[512] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0014011C
.text C:\WINDOWS\system32\igfxpers.exe[512] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001404F0
.text C:\WINDOWS\system32\igfxpers.exe[512] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0014057C
.text C:\WINDOWS\system32\igfxpers.exe[512] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001403D8
.text C:\WINDOWS\system32\igfxpers.exe[512] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0014034C
.text C:\WINDOWS\system32\igfxpers.exe[512] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00140464
.text C:\WINDOWS\system32\igfxpers.exe[512] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00140608
.text C:\WINDOWS\system32\igfxpers.exe[512] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001407AC
.text C:\WINDOWS\system32\igfxpers.exe[512] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00140720
.text C:\Program Files\SafeConnect\scManager.sys[652] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\SafeConnect\scManager.sys[652] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\SafeConnect\scManager.sys[652] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\SafeConnect\scManager.sys[652] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\SafeConnect\scManager.sys[652] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\SafeConnect\scManager.sys[652] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\SafeConnect\scManager.sys[652] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\SafeConnect\scManager.sys[652] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\SafeConnect\scManager.sys[652] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\SafeConnect\scManager.sys[652] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\SafeConnect\scManager.sys[652] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\SafeConnect\scManager.sys[652] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\SafeConnect\scManager.sys[652] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\SafeConnect\scManager.sys[652] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\SafeConnect\scManager.sys[652] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\Program Files\SafeConnect\scManager.sys[652] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001308C4
.text C:\Program Files\SafeConnect\scManager.sys[652] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00130838
.text C:\Program Files\SafeConnect\scManager.sys[652] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00130950
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[656] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[656] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[656] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[656] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[656] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[656] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[656] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[656] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[656] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[656] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[656] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[656] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[656] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[656] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[656] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[656] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001308C4
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[656] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00130838
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[656] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00130950
.text C:\WINDOWS\system32\dla\tfswctrl.exe[676] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001401A8
.text C:\WINDOWS\system32\dla\tfswctrl.exe[676] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00140090
.text C:\WINDOWS\system32\dla\tfswctrl.exe[676] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00140694
.text C:\WINDOWS\system32\dla\tfswctrl.exe[676] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001402C0
.text C:\WINDOWS\system32\dla\tfswctrl.exe[676] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00140234
.text C:\WINDOWS\system32\dla\tfswctrl.exe[676] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00140004
.text C:\WINDOWS\system32\dla\tfswctrl.exe[676] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0014011C
.text C:\WINDOWS\system32\dla\tfswctrl.exe[676] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001404F0
.text C:\WINDOWS\system32\dla\tfswctrl.exe[676] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0014057C
.text C:\WINDOWS\system32\dla\tfswctrl.exe[676] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001403D8
.text C:\WINDOWS\system32\dla\tfswctrl.exe[676] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0014034C
.text C:\WINDOWS\system32\dla\tfswctrl.exe[676] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00140464
.text C:\WINDOWS\system32\dla\tfswctrl.exe[676] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00140608
.text C:\WINDOWS\system32\dla\tfswctrl.exe[676] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001407AC
.text C:\WINDOWS\system32\dla\tfswctrl.exe[676] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00140720
.text C:\WINDOWS\System32\alg.exe[748] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\alg.exe[748] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\alg.exe[748] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\alg.exe[748] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\alg.exe[748] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\alg.exe[748] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\alg.exe[748] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\alg.exe[748] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\alg.exe[748] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\alg.exe[748] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\alg.exe[748] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\alg.exe[748] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\alg.exe[748] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\alg.exe[748] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\alg.exe[748] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\alg.exe[748] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\alg.exe[748] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\alg.exe[748] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\hkcmd.exe[856] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001401A8
.text C:\WINDOWS\system32\hkcmd.exe[856] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00140090
.text C:\WINDOWS\system32\hkcmd.exe[856] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00140694
.text C:\WINDOWS\system32\hkcmd.exe[856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001402C0
.text C:\WINDOWS\system32\hkcmd.exe[856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00140234
.text C:\WINDOWS\system32\hkcmd.exe[856] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00140004
.text C:\WINDOWS\system32\hkcmd.exe[856] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0014011C
.text C:\WINDOWS\system32\hkcmd.exe[856] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001404F0
.text C:\WINDOWS\system32\hkcmd.exe[856] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0014057C
.text C:\WINDOWS\system32\hkcmd.exe[856] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001403D8
.text C:\WINDOWS\system32\hkcmd.exe[856] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0014034C
.text C:\WINDOWS\system32\hkcmd.exe[856] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00140464
.text C:\WINDOWS\system32\hkcmd.exe[856] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00140608
.text C:\WINDOWS\system32\hkcmd.exe[856] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001407AC
.text C:\WINDOWS\system32\hkcmd.exe[856] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00140720
.text C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[888] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001401A8
.text C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[888] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00140090
.text C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[888] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00140694
.text C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[888] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001402C0
.text C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[888] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00140234
.text C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[888] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00140004
.text C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[888] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0014011C
.text C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[888] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001404F0
.text C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[888] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0014057C
.text C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[888] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001403D8
.text C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[888] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0014034C
.text C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[888] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00140464
.text C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[888] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00140608
.text C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[888] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001407AC
.text C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[888] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00140720
.text C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[888] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001408C4
.text C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[888] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00140838
.text C:\Program Files\Network Associates\Common Framework\UdaterUI.exe[888] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00140950
.text C:\Program Files\NavNT\vptray.exe[920] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001401A8
.text C:\Program Files\NavNT\vptray.exe[920] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00140090
.text C:\Program Files\NavNT\vptray.exe[920] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00140694
.text C:\Program Files\NavNT\vptray.exe[920] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001402C0
.text C:\Program Files\NavNT\vptray.exe[920] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00140234
.text C:\Program Files\NavNT\vptray.exe[920] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00140004
.text C:\Program Files\NavNT\vptray.exe[920] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0014011C
.text C:\Program Files\NavNT\vptray.exe[920] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001404F0
.text C:\Program Files\NavNT\vptray.exe[920] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0014057C
.text C:\Program Files\NavNT\vptray.exe[920] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001403D8
.text C:\Program Files\NavNT\vptray.exe[920] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0014034C
.text C:\Program Files\NavNT\vptray.exe[920] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00140464
.text C:\Program Files\NavNT\vptray.exe[920] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00140608
.text C:\Program Files\NavNT\vptray.exe[920] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001407AC
.text C:\Program Files\NavNT\vptray.exe[920] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00140720
.text C:\WINDOWS\system32\csrss.exe[924] KERNEL32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001601A8
.text C:\WINDOWS\system32\csrss.exe[924] KERNEL32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00160090
.text C:\WINDOWS\system32\csrss.exe[924] KERNEL32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00160694
.text C:\WINDOWS\system32\csrss.exe[924] KERNEL32.dll!CreateProcessW 7C802336 5 Bytes JMP 001602C0
.text C:\WINDOWS\system32\csrss.exe[924] KERNEL32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00160234
.text C:\WINDOWS\system32\csrss.exe[924] KERNEL32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00160004
.text C:\WINDOWS\system32\csrss.exe[924] KERNEL32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0016011C
.text C:\WINDOWS\system32\csrss.exe[924] KERNEL32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001604F0
.text C:\WINDOWS\system32\csrss.exe[924] KERNEL32.dll!CreateThread 7C8106D7 5 Bytes JMP 0016057C
.text C:\WINDOWS\system32\csrss.exe[924] KERNEL32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001603D8
.text C:\WINDOWS\system32\csrss.exe[924] KERNEL32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0016034C
.text C:\WINDOWS\system32\csrss.exe[924] KERNEL32.dll!WinExec 7C86250D 5 Bytes JMP 00160464
.text C:\WINDOWS\system32\csrss.exe[924] KERNEL32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00160608
.text C:\WINDOWS\system32\csrss.exe[924] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001607AC
.text C:\WINDOWS\system32\csrss.exe[924] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00160720
.text C:\WINDOWS\system32\winlogon.exe[956] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000701A8
.text C:\WINDOWS\system32\winlogon.exe[956] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070090
.text C:\WINDOWS\system32\winlogon.exe[956] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00070694
.text C:\WINDOWS\system32\winlogon.exe[956] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000702C0
.text C:\WINDOWS\system32\winlogon.exe[956] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070234
.text C:\WINDOWS\system32\winlogon.exe[956] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00070004
.text C:\WINDOWS\system32\winlogon.exe[956] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0007011C
.text C:\WINDOWS\system32\winlogon.exe[956] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000704F0
.text C:\WINDOWS\system32\winlogon.exe[956] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0007057C
.text C:\WINDOWS\system32\winlogon.exe[956] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000703D8
.text C:\WINDOWS\system32\winlogon.exe[956] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0007034C
.text C:\WINDOWS\system32\winlogon.exe[956] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070464
.text C:\WINDOWS\system32\winlogon.exe[956] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00070608
.text C:\WINDOWS\system32\winlogon.exe[956] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000707AC
.text C:\WINDOWS\system32\winlogon.exe[956] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00070720
.text C:\WINDOWS\system32\winlogon.exe[956] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000708C4
.text C:\WINDOWS\system32\winlogon.exe[956] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00070838
.text C:\WINDOWS\system32\winlogon.exe[956] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00070950
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\services.exe[1000] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\services.exe[1000] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\services.exe[1000] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001308C4
.text C:\WINDOWS\system32\services.exe[1000] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00130838
.text C:\WINDOWS\system32\services.exe[1000] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00130950
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\lsass.exe[1020] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\lsass.exe[1020] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\lsass.exe[1020] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\lsass.exe[1020] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\lsass.exe[1020] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00080950
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1104] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1104] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1104] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1104] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1104] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1104] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1104] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1104] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1104] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1104] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1104] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1104] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1104] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1104] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1104] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1104] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001308C4
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1104] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00130838
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[1104] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00130950
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1184] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1184] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1184] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1184] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1184] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\WLTRAY.exe[1204] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001401A8
.text C:\WINDOWS\system32\WLTRAY.exe[1204] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00140090
.text C:\WINDOWS\system32\WLTRAY.exe[1204] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00140694
.text C:\WINDOWS\system32\WLTRAY.exe[1204] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001402C0
.text C:\WINDOWS\system32\WLTRAY.exe[1204] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00140234
.text C:\WINDOWS\system32\WLTRAY.exe[1204] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00140004
.text C:\WINDOWS\system32\WLTRAY.exe[1204] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0014011C
.text C:\WINDOWS\system32\WLTRAY.exe[1204] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001404F0
.text C:\WINDOWS\system32\WLTRAY.exe[1204] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0014057C
.text C:\WINDOWS\system32\WLTRAY.exe[1204] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001403D8
.text C:\WINDOWS\system32\WLTRAY.exe[1204] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0014034C
.text C:\WINDOWS\system32\WLTRAY.exe[1204] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00140464
.text C:\WINDOWS\system32\WLTRAY.exe[1204] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00140608
.text C:\WINDOWS\system32\WLTRAY.exe[1204] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001407AC
.text C:\WINDOWS\system32\WLTRAY.exe[1204] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00140720
.text C:\Program Files\Java\jre6\bin\jqs.exe[1252] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Java\jre6\bin\jqs.exe[1252] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Java\jre6\bin\jqs.exe[1252] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Java\jre6\bin\jqs.exe[1252] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Java\jre6\bin\jqs.exe[1252] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Java\jre6\bin\jqs.exe[1252] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\Java\jre6\bin\jqs.exe[1252] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1252] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\Java\jre6\bin\jqs.exe[1252] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1252] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\Java\jre6\bin\jqs.exe[1252] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1252] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\Java\jre6\bin\jqs.exe[1252] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\Java\jre6\bin\jqs.exe[1252] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001308C4
.text C:\Program Files\Java\jre6\bin\jqs.exe[1252] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00130838
.text C:\Program Files\Java\jre6\bin\jqs.exe[1252] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00130950
.text C:\Program Files\Java\jre6\bin\jqs.exe[1252] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\Java\jre6\bin\jqs.exe[1252] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1292] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1292] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1292] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1292] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1292] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00080950
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\svchost.exe[1328] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\svchost.exe[1328] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\svchost.exe[1328] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\svchost.exe[1328] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\svchost.exe[1328] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00080950
.text C:\WINDOWS\System32\svchost.exe[1328] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00080DB0
.text C:\WINDOWS\System32\svchost.exe[1328] WININET.dll!InternetConnectA 771C345A 5 Bytes JMP 00080F54
.text C:\WINDOWS\System32\svchost.exe[1328] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00080D24
.text C:\WINDOWS\System32\svchost.exe[1328] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00080E3C
.text C:\WINDOWS\System32\svchost.exe[1328] WININET.dll!InternetConnectW 771CEE40 5 Bytes JMP 00080FE0
.text C:\WINDOWS\System32\svchost.exe[1328] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00080EC8
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1440] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1440] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1536] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1536] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1536] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1536] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1536] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\igfxsrvc.exe[1548] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\igfxsrvc.exe[1548] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\igfxsrvc.exe[1548] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\igfxsrvc.exe[1548] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\igfxsrvc.exe[1548] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\igfxsrvc.exe[1548] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\igfxsrvc.exe[1548] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\igfxsrvc.exe[1548] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\igfxsrvc.exe[1548] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\igfxsrvc.exe[1548] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\igfxsrvc.exe[1548] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\igfxsrvc.exe[1548] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\igfxsrvc.exe[1548] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\igfxsrvc.exe[1548] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\igfxsrvc.exe[1548] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1580] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1580] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1580] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1580] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1580] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00080950
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe[1636] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe[1636] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe[1636] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe[1636] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe[1636] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe[1636] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe[1636] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe[1636] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe[1636] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe[1636] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe[1636] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe[1636] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe[1636] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe[1636] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00130DB0
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe[1636] WININET.dll!InternetConnectA 771C345A 5 Bytes JMP 00130F54
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe[1636] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00130D24
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe[1636] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00130E3C
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe[1636] WININET.dll!InternetConnectW 771CEE40 5 Bytes JMP 00130FE0
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe[1636] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00130EC8
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe[1636] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe[1636] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\lxdicoms.exe[1660] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\lxdicoms.exe[1660] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\lxdicoms.exe[1660] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\lxdicoms.exe[1660] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\lxdicoms.exe[1660] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\lxdicoms.exe[1660] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\lxdicoms.exe[1660] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\lxdicoms.exe[1660] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\lxdicoms.exe[1660] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\lxdicoms.exe[1660] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\lxdicoms.exe[1660] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\lxdicoms.exe[1660] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\lxdicoms.exe[1660] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\lxdicoms.exe[1660] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\lxdicoms.exe[1660] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\lxdicoms.exe[1660] ws2_32.dll!socket 71AB4211 5 Bytes JMP 001308C4
.text C:\WINDOWS\system32\lxdicoms.exe[1660] ws2_32.dll!bind 71AB4480 5 Bytes JMP 00130838
.text C:\WINDOWS\system32\lxdicoms.exe[1660] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 00130950
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1748] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001401A8
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1748] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00140090
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1748] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00140694
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1748] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001402C0
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1748] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00140234
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1748] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00140004
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1748] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0014011C
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1748] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001404F0
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1748] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0014057C
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1748] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001403D8
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1748] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0014034C
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1748] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00140464
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1748] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00140608
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1748] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001407AC
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1748] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00140720
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1748] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001408C4
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1748] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00140838
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1748] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00140950
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1748] WININET.DLL!InternetOpenW 771BAF49 5 Bytes JMP 00140DB0
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1748] WININET.DLL!InternetConnectA 771C345A 5 Bytes JMP 00140F54
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1748] WININET.DLL!InternetOpenA 771C5796 5 Bytes JMP 00140D24
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1748] WININET.DLL!InternetOpenUrlA 771C5A62 5 Bytes JMP 00140E3C
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1748] WININET.DLL!InternetConnectW 771CEE40 5 Bytes JMP 00140FE0
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1748] WININET.DLL!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00140EC8
.text C:\WINDOWS\system32\spoolsv.exe[1840] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\spoolsv.exe[1840] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\spoolsv.exe[1840] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\spoolsv.exe[1840] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\spoolsv.exe[1840] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\spoolsv.exe[1840] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\spoolsv.exe[1840] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\spoolsv.exe[1840] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\spoolsv.exe[1840] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\spoolsv.exe[1840] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\spoolsv.exe[1840] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\spoolsv.exe[1840] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\spoolsv.exe[1840] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\spoolsv.exe[1840] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\spoolsv.exe[1840] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\spoolsv.exe[1840] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\spoolsv.exe[1840] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\spoolsv.exe[1840] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00080950
.text C:\WINDOWS\stsystra.exe[1988] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001401A8
.text C:\WINDOWS\stsystra.exe[1988] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00140090
.text C:\WINDOWS\stsystra.exe[1988] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00140694
.text C:\WINDOWS\stsystra.exe[1988] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001402C0
.text C:\WINDOWS\stsystra.exe[1988] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00140234
.text C:\WINDOWS\stsystra.exe[1988] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00140004
.text C:\WINDOWS\stsystra.exe[1988] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0014011C
.text C:\WINDOWS\stsystra.exe[1988] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001404F0
.text C:\WINDOWS\stsystra.exe[1988] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0014057C
.text C:\WINDOWS\stsystra.exe[1988] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001403D8
.text C:\WINDOWS\stsystra.exe[1988] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0014034C
.text C:\WINDOWS\stsystra.exe[1988] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00140464
.text C:\WINDOWS\stsystra.exe[1988] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00140608
.text C:\WINDOWS\stsystra.exe[1988] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001407AC
.text C:\WINDOWS\stsystra.exe[1988] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00140720
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\Explorer.EXE[2020] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\Explorer.EXE[2020] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\Explorer.EXE[2020] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00080DB0
.text C:\WINDOWS\Explorer.EXE[2020] WININET.dll!InternetConnectA 771C345A 5 Bytes JMP 00080F54
.text C:\WINDOWS\Explorer.EXE[2020] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00080D24
.text C:\WINDOWS\Explorer.EXE[2020] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00080E3C
.text C:\WINDOWS\Explorer.EXE[2020] WININET.dll!InternetConnectW 771CEE40 5 Bytes JMP 00080FE0
.text C:\WINDOWS\Explorer.EXE[2020] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00080EC8
.text C:\WINDOWS\Explorer.EXE[2020] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\Explorer.EXE[2020] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00080838
.text C:\WINDOWS\Explorer.EXE[2020] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00080950
.text E:\Programs\iTunesHelper.exe[2076] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001401A8
.text E:\Programs\iTunesHelper.exe[2076] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00140090
.text E:\Programs\iTunesHelper.exe[2076] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00140694
.text E:\Programs\iTunesHelper.exe[2076] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001402C0
.text E:\Programs\iTunesHelper.exe[2076] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00140234
.text E:\Programs\iTunesHelper.exe[2076] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00140004
.text E:\Programs\iTunesHelper.exe[2076] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0014011C
.text E:\Programs\iTunesHelper.exe[2076] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001404F0
.text E:\Programs\iTunesHelper.exe[2076] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0014057C
.text E:\Programs\iTunesHelper.exe[2076] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001403D8
.text E:\Programs\iTunesHelper.exe[2076] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0014034C
.text E:\Programs\iTunesHelper.exe[2076] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00140464
.text E:\Programs\iTunesHelper.exe[2076] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00140608
.text E:\Programs\iTunesHelper.exe[2076] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00140DB0
.text E:\Programs\iTunesHelper.exe[2076] WININET.dll!InternetConnectA 771C345A 5 Bytes JMP 00140F54
.text E:\Programs\iTunesHelper.exe[2076] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00140D24
.text E:\Programs\iTunesHelper.exe[2076] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00140E3C
.text E:\Programs\iTunesHelper.exe[2076] WININET.dll!InternetConnectW 771CEE40 5 Bytes JMP 00140FE0
.text E:\Programs\iTunesHelper.exe[2076] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00140EC8
.text E:\Programs\iTunesHelper.exe[2076] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001407AC
.text E:\Programs\iTunesHelper.exe[2076] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00140720
.text E:\Programs\iTunesHelper.exe[2076] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001408C4
.text E:\Programs\iTunesHelper.exe[2076] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00140838
.text E:\Programs\iTunesHelper.exe[2076] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00140950
.text C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe[2116] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001401A8
.text C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe[2116] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00140090
.text C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe[2116] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00140694
.text C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe[2116] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001402C0
.text C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe[2116] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00140234
.text C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe[2116] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00140004
.text C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe[2116] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0014011C
.text C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe[2116] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001404F0
.text C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe[2116] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0014057C
.text C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe[2116] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001403D8
.text C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe[2116] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0014034C
.text C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe[2116] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00140464
.text C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe[2116] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00140608
.text C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe[2116] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001407AC
.text C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe[2116] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00140720
.text C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe[2116] ws2_32.dll!socket 71AB4211 5 Bytes JMP 001408C4
.text C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe[2116] ws2_32.dll!bind 71AB4480 5 Bytes JMP 00140838
.text C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe[2116] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 00140950
.text C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe[2188] KERNEL32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001401A8
.text C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe[2188] KERNEL32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00140090
.text C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe[2188] KERNEL32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00140694
.text C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe[2188] KERNEL32.dll!CreateProcessW 7C802336 5 Bytes JMP 001402C0
.text C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe[2188] KERNEL32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00140234
.text C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe[2188] KERNEL32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00140004
.text C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe[2188] KERNEL32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0014011C
.text C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe[2188] KERNEL32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001404F0
.text C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe[2188] KERNEL32.dll!CreateThread 7C8106D7 5 Bytes JMP 0014057C
.text C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe[2188] KERNEL32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001403D8
.text C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe[2188] KERNEL32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0014034C
.text C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe[2188] KERNEL32.dll!WinExec 7C86250D 5 Bytes JMP 00140464
.text C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe[2188] KERNEL32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00140608
.text C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe[2188] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001407AC
.text C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe[2188] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00140720
.text C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe[2188] ws2_32.dll!socket 71AB4211 5 Bytes JMP 001408C4
.text C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe[2188] ws2_32.dll!bind 71AB4480 5 Bytes JMP 00140838
.text C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe[2188] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 00140950
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[2408] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[2408] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[2408] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[2408] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[2408] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[2408] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[2408] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[2408] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[2408] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[2408] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[2408] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[2408] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[2408] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[2408] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[2408] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[2408] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001308C4
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[2408] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00130838
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[2408] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00130950
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[2408] WININET.DLL!InternetOpenW 771BAF49 5 Bytes JMP 00130DB0
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[2408] WININET.DLL!InternetConnectA 771C345A 5 Bytes JMP 00130F54
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[2408] WININET.DLL!InternetOpenA 771C5796 5 Bytes JMP 00130D24
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[2408] WININET.DLL!InternetOpenUrlA 771C5A62 5 Bytes JMP 00130E3C
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[2408] WININET.DLL!InternetConnectW 771CEE40 5 Bytes JMP 00130FE0
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[2408] WININET.DLL!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00130EC8
.text E:\Programs\Adobe Premeire Files\Acrobat 9.0\Acrobat\Acrotray.exe[2452] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001401A8
.text E:\Programs\Adobe Premeire Files\Acrobat 9.0\Acrobat\Acrotray.exe[2452] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00140090
.text E:\Programs\Adobe Premeire Files\Acrobat 9.0\Acrobat\Acrotray.exe[2452] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00140694
.text E:\Programs\Adobe Premeire Files\Acrobat 9.0\Acrobat\Acrotray.exe[2452] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001402C0
.text E:\Programs\Adobe Premeire Files\Acrobat 9.0\Acrobat\Acrotray.exe[2452] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00140234
.text E:\Programs\Adobe Premeire Files\Acrobat 9.0\Acrobat\Acrotray.exe[2452] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00140004
.text E:\Programs\Adobe Premeire Files\Acrobat 9.0\Acrobat\Acrotray.exe[2452] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0014011C
.text E:\Programs\Adobe Premeire Files\Acrobat 9.0\Acrobat\Acrotray.exe[2452] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001404F0
.text E:\Programs\Adobe Premeire Files\Acrobat 9.0\Acrobat\Acrotray.exe[2452] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0014057C
.text E:\Programs\Adobe Premeire Files\Acrobat 9.0\Acrobat\Acrotray.exe[2452] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001403D8
.text E:\Programs\Adobe Premeire Files\Acrobat 9.0\Acrobat\Acrotray.exe[2452] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0014034C
.text E:\Programs\Adobe Premeire Files\Acrobat 9.0\Acrobat\Acrotray.exe[2452] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00140464
.text E:\Programs\Adobe Premeire Files\Acrobat 9.0\Acrobat\Acrotray.exe[2452] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00140608
.text E:\Programs\Adobe Premeire Files\Acrobat 9.0\Acrobat\Acrotray.exe[2452] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001407AC
.text E:\Programs\Adobe Premeire Files\Acrobat 9.0\Acrobat\Acrotray.exe[2452] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00140720
.text C:\Documents and Settings\NICHOLAS MENDILLO\Desktop\o55m2zfk.exe[2468] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001401A8
.text C:\Documents and Settings\NICHOLAS MENDILLO\Desktop\o55m2zfk.exe[2468] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00140090
.text C:\Documents and Settings\NICHOLAS MENDILLO\Desktop\o55m2zfk.exe[2468] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00140694
.text C:\Documents and Settings\NICHOLAS MENDILLO\Desktop\o55m2zfk.exe[2468] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001402C0
.text C:\Documents and Settings\NICHOLAS MENDILLO\Desktop\o55m2zfk.exe[2468] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00140234
.text C:\Documents and Settings\NICHOLAS MENDILLO\Desktop\o55m2zfk.exe[2468] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00140004
.text C:\Documents and Settings\NICHOLAS MENDILLO\Desktop\o55m2zfk.exe[2468] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0014011C
.text C:\Documents and Settings\NICHOLAS MENDILLO\Desktop\o55m2zfk.exe[2468] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001404F0
.text C:\Documents and Settings\NICHOLAS MENDILLO\Desktop\o55m2zfk.exe[2468] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0014057C
.text C:\Documents and Settings\NICHOLAS MENDILLO\Desktop\o55m2zfk.exe[2468] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001403D8
.text C:\Documents and Settings\NICHOLAS MENDILLO\Desktop\o55m2zfk.exe[2468] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0014034C
.text C:\Documents and Settings\NICHOLAS MENDILLO\Desktop\o55m2zfk.exe[2468] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00140464
.text C:\Documents and Settings\NICHOLAS MENDILLO\Desktop\o55m2zfk.exe[2468] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00140608
.text C:\Documents and Settings\NICHOLAS MENDILLO\Desktop\o55m2zfk.exe[2468] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001407AC
.text C:\Documents and Settings\NICHOLAS MENDILLO\Desktop\o55m2zfk.exe[2468] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00140720
.text C:\WINDOWS\system32\svchost.exe[2672] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[2672] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[2672] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[2672] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[2672] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[2672] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[2672] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[2672] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[2672] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[2672] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[2672] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[2672] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[2672] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[2672] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[2672] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\Program Files\Java\jre6\bin\jusched.exe[2768] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001401A8
.text C:\Program Files\Java\jre6\bin\jusched.exe[2768] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00140090
.text C:\Program Files\Java\jre6\bin\jusched.exe[2768] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00140694
.text C:\Program Files\Java\jre6\bin\jusched.exe[2768] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001402C0
.text C:\Program Files\Java\jre6\bin\jusched.exe[2768] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00140234
.text C:\Program Files\Java\jre6\bin\jusched.exe[2768] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00140004
.text C:\Program Files\Java\jre6\bin\jusched.exe[2768] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0014011C
.text C:\Program Files\Java\jre6\bin\jusched.exe[2768] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001404F0
.text C:\Program Files\Java\jre6\bin\jusched.exe[2768] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0014057C
.text C:\Program Files\Java\jre6\bin\jusched.exe[2768] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001403D8
.text C:\Program Files\Java\jre6\bin\jusched.exe[2768] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0014034C
.text C:\Program Files\Java\jre6\bin\jusched.exe[2768] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00140464
.text C:\Program Files\Java\jre6\bin\jusched.exe[2768] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00140608
.text C:\Program Files\Java\jre6\bin\jusched.exe[2768] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001407AC
.text C:\Program Files\Java\jre6\bin\jusched.exe[2768] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00140720
.text C:\Program Files\Java\jre6\bin\jusched.exe[2768] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00140DB0
.text C:\Program Files\Java\jre6\bin\jusched.exe[2768] WININET.dll!InternetConnectA 771C345A 5 Bytes JMP 00140F54
.text C:\Program Files\Java\jre6\bin\jusched.exe[2768] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00140D24
.text C:\Program Files\Java\jre6\bin\jusched.exe[2768] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00140E3C
.text C:\Program Files\Java\jre6\bin\jusched.exe[2768] WININET.dll!InternetConnectW 771CEE40 5 Bytes JMP 00140FE0
.text C:\Program Files\Java\jre6\bin\jusched.exe[2768] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00140EC8
.text C:\Program Files\Java\jre6\bin\jusched.exe[2768] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001408C4
.text C:\Program Files\Java\jre6\bin\jusched.exe[2768] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00140838
.text C:\Program Files\Java\jre6\bin\jusched.exe[2768] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00140950
.text C:\WINDOWS\system32\fxssvc.exe[3116] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\fxssvc.exe[3116] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\fxssvc.exe[3116] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\fxssvc.exe[3116] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\fxssvc.exe[3116] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\fxssvc.exe[3116] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\fxssvc.exe[3116] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\fxssvc.exe[3116] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\fxssvc.exe[3116] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\fxssvc.exe[3116] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\fxssvc.exe[3116] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\fxssvc.exe[3116] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\fxssvc.exe[3116] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\fxssvc.exe[3116] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\fxssvc.exe[3116] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00130720
.text C:\Program Files\Digital Line Detect\DLG.exe[3516] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001401A8
.text C:\Program Files\Digital Line Detect\DLG.exe[3516] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00140090
.text C:\Program Files\Digital Line Detect\DLG.exe[3516] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00140694
.text C:\Program Files\Digital Line Detect\DLG.exe[3516] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001402C0
.text C:\Program Files\Digital Line Detect\DLG.exe[3516] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00140234
.text C:\Program Files\Digital Line Detect\DLG.exe[3516] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00140004
.text C:\Program Files\Digital Line Detect\DLG.exe[3516] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0014011C
.text C:\Program Files\Digital Line Detect\DLG.exe[3516] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001404F0
.text C:\Program Files\Digital Line Detect\DLG.exe[3516] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0014057C
.text C:\Program Files\Digital Line Detect\DLG.exe[3516] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001403D8
.text C:\Program Files\Digital Line Detect\DLG.exe[3516] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0014034C
.text C:\Program Files\Digital Line Detect\DLG.exe[3516] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00140464
.text C:\Program Files\Digital Line Detect\DLG.exe[3516] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00140608
.text C:\Program Files\Digital Line Detect\DLG.exe[3516] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001407AC
.text C:\Program Files\Digital Line Detect\DLG.exe[3516] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00140720
.text C:\Program Files\Digital Line Detect\DLG.exe[3516] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001408C4
.text C:\Program Files\Digital Line Detect\DLG.exe[3516] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00140838
.text C:\Program Files\Digital Line Detect\DLG.exe[3516] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00140950
.text C:\WINDOWS\system32\wscntfy.exe[3528] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000701A8
.text C:\WINDOWS\system32\wscntfy.exe[3528] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070090
.text C:\WINDOWS\system32\wscntfy.exe[3528] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00070694
.text C:\WINDOWS\system32\wscntfy.exe[3528] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000702C0
.text C:\WINDOWS\system32\wscntfy.exe[3528] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070234
.text C:\WINDOWS\system32\wscntfy.exe[3528] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00070004
.text C:\WINDOWS\system32\wscntfy.exe[3528] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0007011C
.text C:\WINDOWS\system32\wscntfy.exe[3528] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000704F0
.text C:\WINDOWS\system32\wscntfy.exe[3528] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0007057C
.text C:\WINDOWS\system32\wscntfy.exe[3528] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000703D8
.text C:\WINDOWS\system32\wscntfy.exe[3528] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0007034C
.text C:\WINDOWS\system32\wscntfy.exe[3528] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070464
.text C:\WINDOWS\system32\wscntfy.exe[3528] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00070608
.text C:\WINDOWS\system32\wscntfy.exe[3528] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000707AC
.text C:\WINDOWS\system32\wscntfy.exe[3528] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00070720
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3792] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3792] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3792] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3792] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3792] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3792] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3792] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3792] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3792] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3792] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3792] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3792] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3792] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3792] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3792] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3792] WS2_32.dll!socket 71AB4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3792] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3792] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00080950
.text C:\Program Files\SafeConnect\scClient.exe[3828] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001401A8
.text C:\Program Files\SafeConnect\scClient.exe[3828] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00140090
.text C:\Program Files\SafeConnect\scClient.exe[3828] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00140694
.text C:\Program Files\SafeConnect\scClient.exe[3828] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001402C0
.text C:\Program Files\SafeConnect\scClient.exe[3828] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00140234
.text C:\Program Files\SafeConnect\scClient.exe[3828] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00140004
.text C:\Program Files\SafeConnect\scClient.exe[3828] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0014011C
.text C:\Program Files\SafeConnect\scClient.exe[3828] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001404F0
.text C:\Program Files\SafeConnect\scClient.exe[3828] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0014057C
.text C:\Program Files\SafeConnect\scClient.exe[3828] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001403D8
.text C:\Program Files\SafeConnect\scClient.exe[3828] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0014034C
.text C:\Program Files\SafeConnect\scClient.exe[3828] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00140464
.text C:\Program Files\SafeConnect\scClient.exe[3828] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00140608
.text C:\Program Files\SafeConnect\scClient.exe[3828] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 001407AC
.text C:\Program Files\SafeConnect\scClient.exe[3828] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00140720
.text C:\Program Files\SafeConnect\scClient.exe[3828] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001408C4
.text C:\Program Files\SafeConnect\scClient.exe[3828] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00140838
.text C:\Program Files\SafeConnect\scClient.exe[3828] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00140950

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)

Device \FileSystem\Fastfat \Fat A7B46D20
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 E:\Programs\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x86 0x04 0xA9 0x7D ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x4B 0xB1 0x06 0xBB ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x21 0xA0 0x84 0x75 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 E:\Programs\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x86 0x04 0xA9 0x7D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x4B 0xB1 0x06 0xBB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x21 0xA0 0x84 0x75 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 E:\Programs\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x86 0x04 0xA9 0x7D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x4B 0xB1 0x06 0xBB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x21 0xA0 0x84 0x75 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 E:\Programs\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x86 0x04 0xA9 0x7D ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x4B 0xB1 0x06 0xBB ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x21 0xA0 0x84 0x75 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6273E193-D029-A27B-0287-31BA1142872B}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6273E193-D029-A27B-0287-31BA1142872B}@oafankhlgjgakegdlbjbhfdaiogang 0x64 0x61 0x6B 0x67 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6273E193-D029-A27B-0287-31BA1142872B}@oajfmhnekljkpmojpleijflchoiped 0x69 0x61 0x6A 0x67 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6273E193-D029-A27B-0287-31BA1142872B}@nahgoheiookpdlcehndogpibdbdc 0x6A 0x61 0x66 0x6B ...

---- EOF - GMER 1.0.15 ----

I've attached another log as instructed.


Thank you very much,
Nick


#6 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 04 March 2010 - 06:00 PM

So far, so clean.

Please run MBAM in safe mode

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then please run RootRepeal (we'll get a rootkit scan yet!)

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open on your desktop.
  • Click the tab.
  • Click the button.
  • Check all seven boxes:
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
Thanks
m0le is a proud member of UNITE

#7 nmendillo
  • Topic Starter
  • Members
  • 3 posts

Posted 05 March 2010 - 06:46 PM

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

3/5/2010 7:31:57 AM
mbam-log-2010-03-05 (07-31-57).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 357924
Time elapsed: 4 hour(s), 43 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Pornovid (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
E:\Programs\Adobe Premeire Files\Adobe Premeire Stuff\ADOBE_MASTER_COL\Crack\adobe-master-cs4-keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\boost_regex-vc71-mt-1_33_1.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\PocoExt.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\PocoFoundation.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\PocoNet.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\PocoUtil.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\PocoXML.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.


RootRepeal

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/03/05 18:20
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8F7B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8AFE000 Size: 8192 File Visible: No Signed: -
Status: -

Name: melu.sys
Image Path: melu.sys
Address: 0xF85B2000 Size: 54016 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7E31000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\11\11-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v11-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\12\12-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v12-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v12-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\14\14-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v14-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v14-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\15\15-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v15-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v15-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\16\16-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v16-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v16-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\17\17-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v17-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v17-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\18\18-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v18-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v18-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\19\19-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v19-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v19-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\20\20-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v20-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v20-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\21\21-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v21-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v21-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\22\22-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v22-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v22-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\23\23-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v23-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v23-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\24\24-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v24-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v24-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\25\25-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v25-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v25-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\26\26-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v26-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v26-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\27\27-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v27-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v27-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\28\28-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v28-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v28-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\29\29-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v29-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v29-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\30\30-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v30-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v30-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\31\31-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v31-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v31-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\32\32-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v32-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v32-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\33\33-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v33-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v33-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\34\34-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v34-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v34-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\35\35-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v35-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v35-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\36\36-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v36-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v36-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\37\37-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v37-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v37-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NICHOLAS MENDILLO\Local Settings\Application Data\Microsoft\Messenger\spagett@live.com\SharingMetadata\geek06@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\38\38-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v38-{CA7E4841-1025-451D-BBD0-BDF51D096E4E}-v38-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xa9117fdc

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xa91176e4

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xa911419c

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xa9116d0c

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xa9116c18

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xa9117278

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xa911808c

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xa9114602

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xa91146c2

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\sbhips.sys" at address 0xa93ab01c

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "C:\WINDOWS\system32\drivers\sbhips.sys" at address 0xa93ab168

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xa91179d0

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xa9114446

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xa9117368

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xa9117d08

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xa9114838

#: 274 Function Name: NtWriteFile
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xa9117c5c

==EOF==

I still get that Data Execution Prevention message for Windows UI... it won't go away. Just sayin'.

Thanks for the help, by the way.
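Two things in the RootRepeal report above are worth reading mechanically rather than by eye: every SSDT hook is attributed to one of two drivers under system32\drivers (SbFw.sys and sbhips.sys), and every "Visible to the Windows API, but not on disk" hit is a path ending in ":{guid}.XPRESS", i.e. an NTFS alternate data stream rather than a standalone file. The script below is an added example for this thread, not code from the original posts and not RootRepeal's own tooling. It parses the two report sections, separates ADS entries from other hidden-file hits, and flags SSDT hooks whose owning driver is not on an analyst-supplied allowlist. The embedded report is a constructed excerpt in the log's format; "unknown.sys" and "example_hidden.sys" in it are hypothetical entries added only to exercise the checks.

```python
"""Triage helper for a RootRepeal report like the one posted above.

Added example for this thread; not part of the original posts and not
RootRepeal's own code. Parses the "Files" and "SSDT" sections, separates
alternate-data-stream entries from other hidden-file hits, and flags SSDT
hooks whose owning driver is not on an analyst-supplied allowlist.
"""
import re
from collections import defaultdict

# Constructed excerpt in the shape of the report in the thread. SbFw.sys and
# sbhips.sys are the two drivers the real log names; "unknown.sys" and
# "example_hidden.sys" are hypothetical entries added to exercise the checks.
SAMPLE_REPORT = r"""
Path: C:\Documents and Settings\USER\Local Settings\Application Data\Microsoft\Messenger\a@live.com\SharingMetadata\b@live.com\DFSR\Staging\CS{55B808B4-41E1-D082-7D70-356FC3226AB3}\38\38-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\example_hidden.sys
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xa9117fdc

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\sbhips.sys" at address 0xa93ab01c

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "C:\WINDOWS\system32\drivers\unknown.sys" at address 0xa93ab168

==EOF==
"""

HOOK_RE = re.compile(r'^#:\s*(\d+)\s+Function Name:\s*(\w+)$')
HOOKED_BY_RE = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)$')
PATH_RE = re.compile(r'^Path:\s*(.+)$')


def parse_report(text):
    """Return (hooks, files). Each entry is a '#:' or 'Path:' line followed by its 'Status:' line."""
    hooks, files = [], []
    pending_hook = pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            pending_hook = (int(m.group(1)), m.group(2))
            continue
        m = PATH_RE.match(line)
        if m:
            pending_path = m.group(1)
            continue
        if not line.startswith("Status:"):
            continue
        m = HOOKED_BY_RE.match(line)
        if pending_hook is not None and m:
            index, func = pending_hook
            hooks.append({"index": index, "function": func,
                          "module": m.group(1), "address": int(m.group(2), 16)})
        elif pending_path is not None:
            files.append({"path": pending_path, "status": line[len("Status:"):].strip()})
        pending_hook = pending_path = None
    return hooks, files


def module_name(path):
    """Lower-cased file name of a driver path, for case-insensitive comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def hooks_by_module(hooks):
    """Group hooked function names by the driver that owns the hook."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[module_name(h["module"])].append(h["function"])
    return dict(grouped)


def is_alternate_data_stream(path):
    """True if the last path component carries a ':stream' suffix (NTFS ADS)."""
    return ":" in path.rsplit("\\", 1)[-1]


def triage(text, expected_modules):
    """Summarise the report. expected_modules is the analyst's allowlist of
    driver file names that are known to hook the SSDT on this machine."""
    hooks, files = parse_report(text)
    allowed = {m.lower() for m in expected_modules}
    return {
        "hooks_by_module": hooks_by_module(hooks),
        "unexpected_hooks": [(h["function"], h["module"]) for h in hooks
                             if module_name(h["module"]) not in allowed],
        "ads_entries": [f["path"] for f in files if is_alternate_data_stream(f["path"])],
        "other_hidden": [f["path"] for f in files if not is_alternate_data_stream(f["path"])],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT, ["SbFw.sys", "sbhips.sys"])
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The allowlist is the analyst's assumption, not something the report proves: a driver name under system32\drivers says nothing on its own, so before putting SbFw.sys or sbhips.sys on it, confirm the file exists on disk and check its version information and signer. The ADS split is the other check worth making before panicking about "not on disk" entries; a stream lives inside another file's NTFS record, so a raw-disk file scan not finding it as a separate file is expected, whereas a plain file path with that status (the hypothetical example_hidden.sys above) is the kind of hit that deserves attention.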

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:02:59 PM

Posted 05 March 2010 - 07:10 PM

Safe mode seems the way to go.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
Thanks
m0le is a proud member of UNITE

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:02:59 PM

Posted 09 March 2010 - 08:44 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:02:59 PM

Posted 11 March 2010 - 07:16 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
