
Infected with rootkit, Rustock Spambot


This topic is locked
2 replies to this topic

#1 eleventhsun (Members, 1 post)

Posted 11 August 2010 - 10:58 PM

Hey, the topic title describes what I know. My internet provider has suspended me 3 times this week for having spam email sent from my computer. I've been screwing with this all day, and someone sent me to this forum... Hopefully it's not too late. If I don't have this solved they will suspend me again in the morning and tell me to reformat...

I have used Malwarebytes, SUPERAntiSpyware, Avira, etc... Some find it, some don't, but none remove it, even in safe mode...

The file that keeps popping up as either "rootkit agent" or "trojan gen" is: C:\Windows\System32\drivers\qviqpsjc.sys

Anyway, I followed the instructions the best I could, and here are my logs.


The GMER log... I had to redo it over and over because I kept getting "COM Surrogate has stopped working" repeatedly, and it kept freezing and I had to restart. I got what I could, and I found instances of the file in question. Sorry it's not complete; it's the most I could get before it froze.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-11 23:55:48
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Home\AppData\Local\Temp\pxldipow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys ZwCreateThread [0x9418FE8C]
SSDT \??\C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys ZwLoadDriver [0x941901BC]
SSDT \??\C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys ZwMapViewOfSection [0x9418FBCC]
SSDT \??\C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys ZwOpenSection [0x941905EE]
SSDT \??\C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys ZwRenameKey [0x9419188C]
SSDT \??\C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys ZwSetSystemInformation [0x9419043E]
SSDT \??\C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys ZwSuspendProcess [0x9418FA4C]
SSDT \??\C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys ZwSuspendThread [0x9418FEC0]
SSDT \??\C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys ZwSystemDebugControl [0x94190042]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0x9410A620]
SSDT \??\C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys ZwTerminateThread [0x9418FB06]
SSDT \??\C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys ZwWriteVirtualMemory [0x9418FF86]
SSDT \??\C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys ZwCreateThreadEx [0x9418FEA6]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 221 80CAC984 4 Bytes [8C, FE, 18, 94]
.text ntkrnlpa.exe!KeSetEvent + 37D 80CACAE0 4 Bytes [BC, 01, 19, 94]
.text ntkrnlpa.exe!KeSetEvent + 3AD 80CACB10 4 Bytes CALL 99C69795
.text ntkrnlpa.exe!KeSetEvent + 3FD 80CACB60 4 Bytes [EE, 05, 19, 94]
.text ntkrnlpa.exe!KeSetEvent + 515 80CACC78 4 Bytes [8C, 18, 19, 94]
.text ...

? System32\Drivers\qviqpsjc.sys A device attached to the system is not functioning. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\nvvsvc.exe[212] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 003C000C
.text C:\Windows\system32\nvvsvc.exe[212] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 003C100C
.text C:\Windows\system32\nvvsvc.exe[212] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 003C200C
.text C:\Windows\system32\nvvsvc.exe[212] kernel32.dll!LoadLibraryExW 767A9109 5 Bytes JMP 003C300C
.text C:\Windows\system32\nvvsvc.exe[212] kernel32.dll!TerminateThread 767C41F7 5 Bytes JMP 003C400C
.text C:\Windows\system32\nvvsvc.exe[212] USER32.dll!SetWindowsHookExW 76DF87AD 5 Bytes JMP 003C500C
.text C:\Windows\system32\nvvsvc.exe[212] USER32.dll!DdeConnect 76E39A1F 5 Bytes JMP 003CB00C
.text C:\Windows\system32\nvvsvc.exe[212] ADVAPI32.dll!CloseServiceHandle 76AD82A5 5 Bytes JMP 003C800C
.text C:\Windows\system32\nvvsvc.exe[212] ADVAPI32.dll!OpenServiceW 76AD8354 5 Bytes JMP 003C600C
.text C:\Windows\system32\nvvsvc.exe[212] ADVAPI32.dll!CreateServiceW 76AF9EB4 5 Bytes JMP 003C900C
.text C:\Windows\system32\nvvsvc.exe[212] ADVAPI32.dll!ControlService 76AF9FB8 5 Bytes JMP 003C700C
.text C:\Windows\system32\nvvsvc.exe[212] ole32.dll!CoCreateInstanceEx 76EE9EE9 5 Bytes JMP 003CA00C
.text C:\Windows\system32\wininit.exe[592] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 0017000C
.text C:\Windows\system32\wininit.exe[592] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 0017100C
.text C:\Windows\system32\wininit.exe[592] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 0017200C
.text C:\Windows\system32\wininit.exe[592] kernel32.dll!LoadLibraryExW 767A9109 5 Bytes JMP 0017300C
.text C:\Windows\system32\wininit.exe[592] kernel32.dll!TerminateThread 767C41F7 5 Bytes JMP 0017400C
.text C:\Windows\system32\wininit.exe[592] ADVAPI32.dll!CloseServiceHandle 76AD82A5 5 Bytes JMP 0017800C
.text C:\Windows\system32\wininit.exe[592] ADVAPI32.dll!OpenServiceW 76AD8354 5 Bytes JMP 0017600C
.text C:\Windows\system32\wininit.exe[592] ADVAPI32.dll!CreateServiceW 76AF9EB4 5 Bytes JMP 0017900C
.text C:\Windows\system32\wininit.exe[592] ADVAPI32.dll!ControlService 76AF9FB8 5 Bytes JMP 0017700C
.text C:\Windows\system32\wininit.exe[592] USER32.dll!SetWindowsHookExW 76DF87AD 5 Bytes JMP 0017500C
.text C:\Windows\system32\wininit.exe[592] USER32.dll!DdeConnect 76E39A1F 5 Bytes JMP 0017A00C
.text C:\Windows\system32\lsass.exe[676] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 001B000C
.text C:\Windows\system32\lsass.exe[676] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 001B100C
.text C:\Windows\system32\lsass.exe[676] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 001B200C
.text C:\Windows\system32\lsass.exe[676] kernel32.dll!LoadLibraryExW 767A9109 5 Bytes JMP 001B300C
.text C:\Windows\system32\lsass.exe[676] kernel32.dll!TerminateThread 767C41F7 5 Bytes JMP 001B400C
.text C:\Windows\system32\lsass.exe[676] ADVAPI32.dll!CloseServiceHandle 76AD82A5 5 Bytes JMP 001B800C
.text C:\Windows\system32\lsass.exe[676] ADVAPI32.dll!OpenServiceW 76AD8354 5 Bytes JMP 001B600C
.text C:\Windows\system32\lsass.exe[676] ADVAPI32.dll!CreateServiceW 76AF9EB4 5 Bytes JMP 001B900C
.text C:\Windows\system32\lsass.exe[676] ADVAPI32.dll!ControlService 76AF9FB8 5 Bytes JMP 001B700C
.text C:\Windows\system32\lsass.exe[676] USER32.dll!SetWindowsHookExW 76DF87AD 5 Bytes JMP 001B500C
.text C:\Windows\system32\lsass.exe[676] USER32.dll!DdeConnect 76E39A1F 5 Bytes JMP 001BB00C
.text C:\Windows\system32\lsass.exe[676] ole32.dll!CoCreateInstanceEx 76EE9EE9 5 Bytes JMP 001BA00C
.text C:\Windows\system32\lsm.exe[692] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 000E000C
.text C:\Windows\system32\lsm.exe[692] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 000E100C
.text C:\Windows\system32\lsm.exe[692] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 000E200C
.text C:\Windows\system32\lsm.exe[692] kernel32.dll!LoadLibraryExW 767A9109 5 Bytes JMP 000E300C
.text C:\Windows\system32\lsm.exe[692] kernel32.dll!TerminateThread 767C41F7 5 Bytes JMP 000E400C
.text C:\Windows\system32\lsm.exe[692] ADVAPI32.dll!CloseServiceHandle 76AD82A5 5 Bytes JMP 000E800C
.text C:\Windows\system32\lsm.exe[692] ADVAPI32.dll!OpenServiceW 76AD8354 5 Bytes JMP 000E600C
.text C:\Windows\system32\lsm.exe[692] ADVAPI32.dll!CreateServiceW 76AF9EB4 5 Bytes JMP 000E900C
.text C:\Windows\system32\lsm.exe[692] ADVAPI32.dll!ControlService 76AF9FB8 5 Bytes JMP 000E700C
.text C:\Windows\system32\lsm.exe[692] USER32.dll!SetWindowsHookExW 76DF87AD 5 Bytes JMP 000E500C
.text C:\Windows\system32\lsm.exe[692] USER32.dll!DdeConnect 76E39A1F 5 Bytes JMP 000EA00C
.text C:\Windows\system32\taskeng.exe[736] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 0201000C
.text C:\Windows\system32\taskeng.exe[736] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 0201100C
.text C:\Windows\system32\taskeng.exe[736] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 0201200C
.text C:\Windows\system32\taskeng.exe[736] kernel32.dll!LoadLibraryExW 767A9109 5 Bytes JMP 0201300C
.text C:\Windows\system32\taskeng.exe[736] kernel32.dll!TerminateThread 767C41F7 5 Bytes JMP 0201400C
.text C:\Windows\system32\taskeng.exe[736] ADVAPI32.dll!CloseServiceHandle 76AD82A5 5 Bytes JMP 0201800C
.text C:\Windows\system32\taskeng.exe[736] ADVAPI32.dll!OpenServiceW 76AD8354 5 Bytes JMP 0201600C
.text C:\Windows\system32\taskeng.exe[736] ADVAPI32.dll!CreateServiceW 76AF9EB4 5 Bytes JMP 0201900C
.text C:\Windows\system32\taskeng.exe[736] ADVAPI32.dll!ControlService 76AF9FB8 5 Bytes JMP 0201700C
.text C:\Windows\system32\taskeng.exe[736] USER32.dll!SetWindowsHookExW 76DF87AD 5 Bytes JMP 0201500C
.text C:\Windows\system32\taskeng.exe[736] USER32.dll!DdeConnect 76E39A1F 5 Bytes JMP 0201B00C
.text C:\Windows\system32\taskeng.exe[736] ole32.dll!CoCreateInstanceEx 76EE9EE9 5 Bytes JMP 0201A00C
.text C:\Windows\explorer.exe[800] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 0016000C
.text C:\Windows\explorer.exe[800] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 0016100C
.text C:\Windows\explorer.exe[800] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 0016200C
.text C:\Windows\explorer.exe[800] kernel32.dll!LoadLibraryExW 767A9109 5 Bytes JMP 0016300C
.text C:\Windows\explorer.exe[800] kernel32.dll!TerminateThread 767C41F7 5 Bytes JMP 0016400C
.text C:\Windows\explorer.exe[800] ADVAPI32.dll!CloseServiceHandle 76AD82A5 5 Bytes JMP 0016800C
.text C:\Windows\explorer.exe[800] ADVAPI32.dll!OpenServiceW 76AD8354 5 Bytes JMP 0016600C
.text C:\Windows\explorer.exe[800] ADVAPI32.dll!CreateServiceW 76AF9EB4 5 Bytes JMP 0016900C
.text C:\Windows\explorer.exe[800] ADVAPI32.dll!ControlService 76AF9FB8 5 Bytes JMP 0016700C
.text C:\Windows\explorer.exe[800] USER32.dll!SetWindowsHookExW 76DF87AD 5 Bytes JMP 0016500C
.text C:\Windows\explorer.exe[800] USER32.dll!DdeConnect 76E39A1F 5 Bytes JMP 0016B00C
.text C:\Windows\explorer.exe[800] ole32.dll!CoCreateInstanceEx 76EE9EE9 5 Bytes JMP 0016A00C
.text C:\Windows\system32\svchost.exe[828] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 003D000C
.text C:\Windows\system32\svchost.exe[828] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 003D100C
.text C:\Windows\system32\svchost.exe[828] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 003D200C
.text C:\Windows\system32\nvvsvc.exe[880] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 0036000C
.text C:\Windows\system32\nvvsvc.exe[880] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 0036100C
.text C:\Windows\system32\nvvsvc.exe[880] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 0036200C
.text C:\Windows\system32\nvvsvc.exe[880] kernel32.dll!LoadLibraryExW 767A9109 5 Bytes JMP 0036300C
.text C:\Windows\system32\nvvsvc.exe[880] kernel32.dll!TerminateThread 767C41F7 5 Bytes JMP 0036400C
.text C:\Windows\system32\nvvsvc.exe[880] USER32.dll!SetWindowsHookExW 76DF87AD 5 Bytes JMP 0036500C
.text C:\Windows\system32\nvvsvc.exe[880] USER32.dll!DdeConnect 76E39A1F 5 Bytes JMP 0036B00C
.text C:\Windows\system32\nvvsvc.exe[880] ADVAPI32.dll!CloseServiceHandle 76AD82A5 5 Bytes JMP 0036800C
.text C:\Windows\system32\nvvsvc.exe[880] ADVAPI32.dll!OpenServiceW 76AD8354 5 Bytes JMP 0036600C
.text C:\Windows\system32\nvvsvc.exe[880] ADVAPI32.dll!CreateServiceW 76AF9EB4 5 Bytes JMP 0036900C
.text C:\Windows\system32\nvvsvc.exe[880] ADVAPI32.dll!ControlService 76AF9FB8 5 Bytes JMP 0036700C
.text C:\Windows\system32\nvvsvc.exe[880] ole32.dll!CoCreateInstanceEx 76EE9EE9 5 Bytes JMP 0036A00C
.text C:\Windows\system32\svchost.exe[912] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 000D000C
.text C:\Windows\system32\svchost.exe[912] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 000D100C
.text C:\Windows\system32\svchost.exe[912] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 000D200C
.text C:\Windows\System32\svchost.exe[972] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 00D1000C
.text C:\Windows\System32\svchost.exe[972] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 00D1100C
.text C:\Windows\System32\svchost.exe[972] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 00D1200C
.text C:\Windows\System32\svchost.exe[1024] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 0028000C
.text C:\Windows\System32\svchost.exe[1024] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 0028100C
.text C:\Windows\System32\svchost.exe[1024] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 0028200C
.text C:\Windows\System32\svchost.exe[1072] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 0011000C
.text C:\Windows\System32\svchost.exe[1072] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 0011100C
.text C:\Windows\System32\svchost.exe[1072] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 0011200C
.text C:\Windows\system32\Dwm.exe[1084] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 0178000C
.text C:\Windows\system32\Dwm.exe[1084] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 0178100C
.text C:\Windows\system32\Dwm.exe[1084] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 0178200C
.text C:\Windows\system32\Dwm.exe[1084] kernel32.dll!LoadLibraryExW 767A9109 5 Bytes JMP 0178300C
.text C:\Windows\system32\Dwm.exe[1084] kernel32.dll!TerminateThread 767C41F7 5 Bytes JMP 0178400C
.text C:\Windows\system32\Dwm.exe[1084] ADVAPI32.dll!CloseServiceHandle 76AD82A5 5 Bytes JMP 0178800C
.text C:\Windows\system32\Dwm.exe[1084] ADVAPI32.dll!OpenServiceW 76AD8354 5 Bytes JMP 0178600C
.text C:\Windows\system32\Dwm.exe[1084] ADVAPI32.dll!CreateServiceW 76AF9EB4 5 Bytes JMP 0178900C
.text C:\Windows\system32\Dwm.exe[1084] ADVAPI32.dll!ControlService 76AF9FB8 5 Bytes JMP 0178700C
.text C:\Windows\system32\Dwm.exe[1084] USER32.dll!SetWindowsHookExW 76DF87AD 5 Bytes JMP 0178500C
.text C:\Windows\system32\Dwm.exe[1084] USER32.dll!DdeConnect 76E39A1F 5 Bytes JMP 0178B00C
.text C:\Windows\system32\Dwm.exe[1084] ole32.dll!CoCreateInstanceEx 76EE9EE9 5 Bytes JMP 0178A00C
.text C:\Windows\system32\svchost.exe[1092] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 010D000C
.text C:\Windows\system32\svchost.exe[1092] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 010D100C
.text C:\Windows\system32\svchost.exe[1092] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 010D200C
.text C:\Windows\system32\winlogon.exe[1208] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 001C000C
.text C:\Windows\system32\winlogon.exe[1208] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 001C100C
.text C:\Windows\system32\winlogon.exe[1208] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 001C200C
.text C:\Windows\system32\winlogon.exe[1208] kernel32.dll!LoadLibraryExW 767A9109 5 Bytes JMP 001C300C
.text C:\Windows\system32\winlogon.exe[1208] kernel32.dll!TerminateThread 767C41F7 5 Bytes JMP 001C400C
.text C:\Windows\system32\winlogon.exe[1208] ADVAPI32.dll!CloseServiceHandle 76AD82A5 5 Bytes JMP 001C800C
.text C:\Windows\system32\winlogon.exe[1208] ADVAPI32.dll!OpenServiceW 76AD8354 5 Bytes JMP 001C600C
.text C:\Windows\system32\winlogon.exe[1208] ADVAPI32.dll!CreateServiceW 76AF9EB4 5 Bytes JMP 001C900C
.text C:\Windows\system32\winlogon.exe[1208] ADVAPI32.dll!ControlService 76AF9FB8 5 Bytes JMP 001C700C
.text C:\Windows\system32\winlogon.exe[1208] USER32.dll!SetWindowsHookExW 76DF87AD 5 Bytes JMP 001C500C
.text C:\Windows\system32\winlogon.exe[1208] USER32.dll!DdeConnect 76E39A1F 5 Bytes JMP 001CB00C
.text C:\Windows\system32\winlogon.exe[1208] ole32.dll!CoCreateInstanceEx 76EE9EE9 5 Bytes JMP 001CA00C
.text C:\Windows\system32\taskeng.exe[1224] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 001A000C
.text C:\Windows\system32\taskeng.exe[1224] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 001A100C
.text C:\Windows\system32\taskeng.exe[1224] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 001A200C
.text C:\Windows\system32\taskeng.exe[1224] kernel32.dll!LoadLibraryExW 767A9109 5 Bytes JMP 001A300C
.text C:\Windows\system32\taskeng.exe[1224] kernel32.dll!TerminateThread 767C41F7 5 Bytes JMP 001A400C
.text C:\Windows\system32\taskeng.exe[1224] ADVAPI32.dll!CloseServiceHandle 76AD82A5 5 Bytes JMP 001A800C
.text C:\Windows\system32\taskeng.exe[1224] ADVAPI32.dll!OpenServiceW 76AD8354 5 Bytes JMP 001A600C
.text C:\Windows\system32\taskeng.exe[1224] ADVAPI32.dll!CreateServiceW 76AF9EB4 5 Bytes JMP 001A900C
.text C:\Windows\system32\taskeng.exe[1224] ADVAPI32.dll!ControlService 76AF9FB8 5 Bytes JMP 001A700C
.text C:\Windows\system32\taskeng.exe[1224] USER32.dll!SetWindowsHookExW 76DF87AD 5 Bytes JMP 001A500C
.text C:\Windows\system32\taskeng.exe[1224] USER32.dll!DdeConnect 76E39A1F 5 Bytes JMP 001AB00C
.text C:\Windows\system32\taskeng.exe[1224] ole32.dll!CoCreateInstanceEx 76EE9EE9 5 Bytes JMP 001AA00C
.text C:\Windows\system32\svchost.exe[1296] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 000B000C
.text C:\Windows\system32\svchost.exe[1296] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 000B100C
.text C:\Windows\system32\svchost.exe[1296] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 000B200C
.text C:\Windows\system32\svchost.exe[1364] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 008C000C
.text C:\Windows\system32\svchost.exe[1364] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 008C100C
.text C:\Windows\system32\svchost.exe[1364] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 008C200C
.text C:\Windows\Explorer.EXE[1420] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 03F5000C
.text C:\Windows\Explorer.EXE[1420] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 03F5100C
.text C:\Windows\Explorer.EXE[1420] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 03F5200C
.text C:\Windows\Explorer.EXE[1420] kernel32.dll!LoadLibraryExW 767A9109 5 Bytes JMP 03F5300C
.text C:\Windows\Explorer.EXE[1420] kernel32.dll!TerminateThread 767C41F7 5 Bytes JMP 03F5400C
.text C:\Windows\Explorer.EXE[1420] ADVAPI32.dll!CloseServiceHandle 76AD82A5 5 Bytes JMP 03F5700C
.text C:\Windows\Explorer.EXE[1420] ADVAPI32.dll!OpenServiceW 76AD8354 5 Bytes JMP 03F5600C
.text C:\Windows\Explorer.EXE[1420] ADVAPI32.dll!CreateServiceW 76AF9EB4 5 Bytes JMP 03F5900C
.text C:\Windows\Explorer.EXE[1420] ADVAPI32.dll!ControlService 76AF9FB8 5 Bytes JMP 03F5800C
.text C:\Windows\Explorer.EXE[1420] USER32.dll!SetWindowsHookExW 76DF87AD 5 Bytes JMP 03F5500C
.text C:\Windows\Explorer.EXE[1420] USER32.dll!DdeConnect 76E39A1F 5 Bytes JMP 03F5B00C
.text C:\Windows\Explorer.EXE[1420] ole32.dll!CoCreateInstanceEx 76EE9EE9 5 Bytes JMP 03F5A00C
.text C:\Windows\system32\svchost.exe[1464] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 0108000C
.text C:\Windows\system32\svchost.exe[1464] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 0108100C
.text C:\Windows\system32\svchost.exe[1464] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 0108200C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1544] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 02F3000C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1544] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 02F3100C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1544] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 02F3200C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1544] kernel32.dll!LoadLibraryExW 767A9109 5 Bytes JMP 02F3300C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1544] kernel32.dll!TerminateThread 767C41F7 5 Bytes JMP 02F3400C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1544] ADVAPI32.dll!CloseServiceHandle 76AD82A5 5 Bytes JMP 02F3800C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1544] ADVAPI32.dll!OpenServiceW 76AD8354 5 Bytes JMP 02F3600C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1544] ADVAPI32.dll!CreateServiceW 76AF9EB4 5 Bytes JMP 02F3900C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1544] ADVAPI32.dll!ControlService 76AF9FB8 5 Bytes JMP 02F3700C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1544] USER32.dll!SetWindowsHookExW 76DF87AD 5 Bytes JMP 02F3500C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1544] USER32.dll!DdeConnect 76E39A1F 5 Bytes JMP 02F3B00C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1544] ole32.dll!CoCreateInstanceEx 76EE9EE9 5 Bytes JMP 02F3A00C
.text C:\Windows\system32\svchost.exe[1716] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 0017000C
.text C:\Windows\system32\svchost.exe[1716] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 0017100C
.text C:\Windows\system32\svchost.exe[1716] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 0017200C
.text C:\Windows\system32\wbem\unsecapp.exe[2052] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 0006000C
.text C:\Windows\system32\wbem\unsecapp.exe[2052] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 0006100C
.text C:\Windows\system32\wbem\unsecapp.exe[2052] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 0006200C
.text C:\Windows\system32\wbem\unsecapp.exe[2052] kernel32.dll!LoadLibraryExW 767A9109 5 Bytes JMP 0006300C
.text C:\Windows\system32\wbem\unsecapp.exe[2052] kernel32.dll!TerminateThread 767C41F7 5 Bytes JMP 0006400C
.text C:\Windows\system32\wbem\unsecapp.exe[2052] ADVAPI32.dll!CloseServiceHandle 76AD82A5 5 Bytes JMP 0006800C
.text C:\Windows\system32\wbem\unsecapp.exe[2052] ADVAPI32.dll!OpenServiceW 76AD8354 5 Bytes JMP 0006600C
.text C:\Windows\system32\wbem\unsecapp.exe[2052] ADVAPI32.dll!CreateServiceW 76AF9EB4 5 Bytes JMP 0006900C
.text C:\Windows\system32\wbem\unsecapp.exe[2052] ADVAPI32.dll!ControlService 76AF9FB8 5 Bytes JMP 0006700C
.text C:\Windows\system32\wbem\unsecapp.exe[2052] ole32.dll!CoCreateInstanceEx 76EE9EE9 5 Bytes JMP 0006A00C
.text C:\Windows\system32\wbem\unsecapp.exe[2052] USER32.dll!SetWindowsHookExW 76DF87AD 5 Bytes JMP 0006500C
.text C:\Windows\system32\wbem\unsecapp.exe[2052] USER32.dll!DdeConnect 76E39A1F 5 Bytes JMP 0006B00C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2184] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 0022000C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2184] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 0022100C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2184] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 0022200C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2184] kernel32.dll!LoadLibraryExW 767A9109 5 Bytes JMP 0022300C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2184] kernel32.dll!TerminateThread 767C41F7 5 Bytes JMP 0022400C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2184] ADVAPI32.dll!CloseServiceHandle 76AD82A5 5 Bytes JMP 0022800C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2184] ADVAPI32.dll!OpenServiceW 76AD8354 5 Bytes JMP 0022600C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2184] ADVAPI32.dll!CreateServiceW 76AF9EB4 5 Bytes JMP 0022900C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2184] ADVAPI32.dll!ControlService 76AF9FB8 5 Bytes JMP 0022700C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2184] USER32.dll!SetWindowsHookExW 76DF87AD 5 Bytes JMP 0022500C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2184] USER32.dll!DdeConnect 76E39A1F 5 Bytes JMP 0022B00C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2184] ole32.dll!CoCreateInstanceEx 76EE9EE9 5 Bytes JMP 0022A00C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2200] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 001E000C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2200] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 001E100C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2200] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 001E200C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2200] kernel32.dll!LoadLibraryExW 767A9109 5 Bytes JMP 001E300C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2200] kernel32.dll!TerminateThread 767C41F7 5 Bytes JMP 001E400C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2200] ADVAPI32.dll!CloseServiceHandle 76AD82A5 5 Bytes JMP 001E800C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2200] ADVAPI32.dll!OpenServiceW 76AD8354 5 Bytes JMP 001E600C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2200] ADVAPI32.dll!CreateServiceW 76AF9EB4 5 Bytes JMP 001E900C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2200] ADVAPI32.dll!ControlService 76AF9FB8 5 Bytes JMP 001E700C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2200] USER32.dll!SetWindowsHookExW 76DF87AD 5 Bytes JMP 001E500C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2200] USER32.dll!DdeConnect 76E39A1F 5 Bytes JMP 001EB00C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2200] ole32.dll!CoCreateInstanceEx 76EE9EE9 5 Bytes JMP 001EA00C
.text C:\Windows\system32\svchost.exe[2224] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 0016000C
.text C:\Windows\system32\svchost.exe[2224] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 0016100C
.text C:\Windows\system32\svchost.exe[2224] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 0016200C
.text C:\Windows\System32\svchost.exe[2476] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 0009000C
.text C:\Windows\System32\svchost.exe[2476] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 0009100C
.text C:\Windows\System32\svchost.exe[2476] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 0009200C
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[2560] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 021B000C
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[2560] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 021B100C
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[2560] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 021B200C
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[2560] kernel32.dll!LoadLibraryExW 767A9109 5 Bytes JMP 021B300C
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[2560] kernel32.dll!TerminateThread 767C41F7 5 Bytes JMP 021B400C
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[2560] ADVAPI32.dll!CloseServiceHandle 76AD82A5 5 Bytes JMP 021B800C
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[2560] ADVAPI32.dll!OpenServiceW 76AD8354 5 Bytes JMP 021B600C
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[2560] ADVAPI32.dll!CreateServiceW 76AF9EB4 5 Bytes JMP 021B900C
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[2560] ADVAPI32.dll!ControlService 76AF9FB8 5 Bytes JMP 021B700C
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[2560] USER32.dll!SetWindowsHookExW 76DF87AD 5 Bytes JMP 021B500C
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[2560] USER32.dll!DdeConnect 76E39A1F 5 Bytes JMP 021BB00C
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[2560] ole32.dll!CoCreateInstanceEx 76EE9EE9 5 Bytes JMP 021BA00C
.text C:\Program Files\Windows Live\Contacts\wlcomm.exe[2628] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 000C000C
.text C:\Program Files\Windows Live\Contacts\wlcomm.exe[2628] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 000C100C
.text C:\Program Files\Windows Live\Contacts\wlcomm.exe[2628] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 000C200C
.text C:\Program Files\Windows Live\Contacts\wlcomm.exe[2628] kernel32.dll!LoadLibraryExW 767A9109 5 Bytes JMP 000C300C
.text C:\Program Files\Windows Live\Contacts\wlcomm.exe[2628] kernel32.dll!TerminateThread 767C41F7 5 Bytes JMP 000C400C
.text C:\Program Files\Windows Live\Contacts\wlcomm.exe[2628] ADVAPI32.dll!CloseServiceHandle 76AD82A5 5 Bytes JMP 000C800C
.text C:\Program Files\Windows Live\Contacts\wlcomm.exe[2628] ADVAPI32.dll!OpenServiceW 76AD8354 5 Bytes JMP 000C600C
.text C:\Program Files\Windows Live\Contacts\wlcomm.exe[2628] ADVAPI32.dll!CreateServiceW 76AF9EB4 5 Bytes JMP 000C900C
.text C:\Program Files\Windows Live\Contacts\wlcomm.exe[2628] ADVAPI32.dll!ControlService 76AF9FB8 5 Bytes JMP 000C700C
.text C:\Program Files\Windows Live\Contacts\wlcomm.exe[2628] ole32.dll!CoCreateInstanceEx 76EE9EE9 5 Bytes JMP 000CA00C
.text C:\Program Files\Windows Live\Contacts\wlcomm.exe[2628] USER32.dll!SetWindowsHookExW 76DF87AD 5 Bytes JMP 000C500C
.text C:\Program Files\Windows Live\Contacts\wlcomm.exe[2628] USER32.dll!DdeConnect 76E39A1F 5 Bytes JMP 000CB00C
.text C:\Windows\System32\svchost.exe[2676] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 0026000C
.text C:\Windows\System32\svchost.exe[2676] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 0026100C
.text C:\Windows\System32\svchost.exe[2676] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 0026200C
.text C:\Windows\system32\svchost.exe[2696] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 006C000C
.text C:\Windows\system32\svchost.exe[2696] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 006C100C
.text C:\Windows\system32\svchost.exe[2696] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 006C200C
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe[2716] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 003F000C
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe[2716] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 003F100C
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe[2716] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 003F200C
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe[2716] kernel32.dll!LoadLibraryExW 767A9109 5 Bytes JMP 003F300C
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe[2716] kernel32.dll!TerminateThread 767C41F7 5 Bytes JMP 003F400C
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe[2716] ADVAPI32.dll!CloseServiceHandle 76AD82A5 5 Bytes JMP 003F800C
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe[2716] ADVAPI32.dll!OpenServiceW 76AD8354 5 Bytes JMP 003F600C
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe[2716] ADVAPI32.dll!CreateServiceW 76AF9EB4 5 Bytes JMP 003F900C
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe[2716] ADVAPI32.dll!ControlService 76AF9FB8 5 Bytes JMP 003F700C
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe[2716] USER32.dll!SetWindowsHookExW 76DF87AD 5 Bytes JMP 003F500C
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe[2716] USER32.dll!DdeConnect 76E39A1F 5 Bytes JMP 003FB00C
.text C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe[2716] ole32.dll!CoCreateInstanceEx 76EE9EE9 5 Bytes JMP 003FA00C
.text C:\Windows\system32\svchost.exe[2876] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 0013000C
.text C:\Windows\system32\svchost.exe[2876] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 0013100C
.text C:\Windows\system32\svchost.exe[2876] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 0013200C
.text C:\Windows\System32\svchost.exe[2912] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 0015000C
.text C:\Windows\System32\svchost.exe[2912] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 0015100C
.text C:\Windows\System32\svchost.exe[2912] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 0015200C
.text C:\Windows\system32\SearchIndexer.exe[2952] ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 01F5000C
.text C:\Windows\system32\SearchIndexer.exe[2952] ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 01F5100C
.text C:\Windows\system32\SearchIndexer.exe[2952] ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 01F5200C
.text C:\Windows\system32\SearchIndexer.exe[2952] kernel32.dll!LoadLibraryExW 767A9109 5 Bytes JMP 01F5300C
.text C:\Windows\system32\SearchIndexer.exe[2952] kernel32.dll!TerminateThread 767C41F7 5 Bytes JMP 01F5400C
.text C:\Windows\system32\SearchIndexer.exe[2952] ADVAPI32.dll!CloseServiceHandle 76AD82A5 5 Bytes JMP 01F5800C
.text C:\Windows\system32\SearchIndexer.exe[2952] ADVAPI32.dll!OpenServiceW 76AD8354 5 Bytes JMP 01F5600C
.text C:\Windows\system32\SearchIndexer.exe[2952] ADVAPI32.dll!CreateServiceW 76AF9EB4 5 Bytes JMP 01F5900C
.text C:\Windows\system32\SearchIndexer.exe[2952] ADVAPI32.dll!ControlService 76AF9FB8 5 Bytes JMP 01F5700C
.text C:\Windows\system32\SearchIndexer.exe[2952] USER32.dll!SetWindowsHookExW 76DF87AD 5 Bytes JMP 01F5500C
.text C:\Windows\system32\SearchIndexer.exe[2952] USER32.dll!DdeConnect 76E39A1F 5 Bytes JMP 01F5B00C
.text C:\Windows\system32\SearchIndexer.exe[2952] ole32.dll!CoCreateInstanceEx 76EE9EE9 5 Bytes JMP 01F5A00C
.text C:\Windows\system32\WUDFHost.exe[3244] ntdll.dll!NtCreateProcess

77204494 5 Bytes JMP 001A000C
.text C:\Windows\system32\WUDFHost.exe[3244] ntdll.dll!NtCreateProcessEx

772044A4 5 Bytes JMP 001A100C
.text C:\Windows\system32\WUDFHost.exe[3244] ntdll.dll!

NtCreateUserProcess 77205804 5 Bytes JMP

001A200C
.text C:\Windows\system32\WUDFHost.exe[3244] kernel32.dll!LoadLibraryExW

767A9109 5 Bytes JMP 001A300C
.text C:\Windows\system32\WUDFHost.exe[3244] kernel32.dll!TerminateThread

767C41F7 5 Bytes JMP 001A400C
.text C:\Windows\system32\WUDFHost.exe[3244] ADVAPI32.dll!

CloseServiceHandle 76AD82A5 5 Bytes JMP

001A800C
.text C:\Windows\system32\WUDFHost.exe[3244] ADVAPI32.dll!OpenServiceW

76AD8354 5 Bytes JMP 001A600C
.text C:\Windows\system32\WUDFHost.exe[3244] ADVAPI32.dll!

CreateServiceW 76AF9EB4 5 Bytes JMP

001A900C
.text C:\Windows\system32\WUDFHost.exe[3244] ADVAPI32.dll!ControlService

76AF9FB8 5 Bytes JMP 001A700C
.text C:\Windows\system32\WUDFHost.exe[3244] ole32.dll!

CoCreateInstanceEx 76EE9EE9 5 Bytes JMP

001AA00C
.text C:\Windows\system32\WUDFHost.exe[3244] USER32.dll!

SetWindowsHookExW 76DF87AD 5 Bytes JMP

001A500C
.text C:\Windows\system32\WUDFHost.exe[3244] USER32.dll!DdeConnect

76E39A1F 5 Bytes JMP 001AB00C
.text C:\Windows\system32\wbem\unsecapp.exe[3392] ntdll.dll!

NtCreateProcess 77204494 5 Bytes JMP

0014000C
.text C:\Windows\system32\wbem\unsecapp.exe[3392] ntdll.dll!

NtCreateProcessEx 772044A4 5 Bytes JMP

0014100C
.text C:\Windows\system32\wbem\unsecapp.exe[3392] ntdll.dll!

NtCreateUserProcess 77205804 5 Bytes JMP

0014200C
.text C:\Windows\system32\wbem\unsecapp.exe[3392] kernel32.dll!

LoadLibraryExW 767A9109 5 Bytes JMP 0014300C
.text C:\Windows\system32\wbem\unsecapp.exe[3392] kernel32.dll!

TerminateThread 767C41F7 5 Bytes JMP 0014400C
.text C:\Windows\system32\wbem\unsecapp.exe[3392] ADVAPI32.dll!

CloseServiceHandle 76AD82A5 5 Bytes JMP

0014800C
.text C:\Windows\system32\wbem\unsecapp.exe[3392] ADVAPI32.dll!

OpenServiceW 76AD8354 5 Bytes JMP 0014600C
.text C:\Windows\system32\wbem\unsecapp.exe[3392] ADVAPI32.dll!

CreateServiceW 76AF9EB4 5 Bytes JMP 0014900C
.text C:\Windows\system32\wbem\unsecapp.exe[3392] ADVAPI32.dll!

ControlService 76AF9FB8 5 Bytes JMP 0014700C
.text C:\Windows\system32\wbem\unsecapp.exe[3392] ole32.dll!

CoCreateInstanceEx 76EE9EE9 5 Bytes JMP

0014A00C
.text C:\Windows\system32\wbem\unsecapp.exe[3392] USER32.dll!

SetWindowsHookExW 76DF87AD 5 Bytes JMP

0014500C
.text C:\Windows\system32\wbem\unsecapp.exe[3392] USER32.dll!

DdeConnect 76E39A1F 5 Bytes JMP 0014B00C
.text C:\Windows\system32\wbem\wmiprvse.exe[3624] ntdll.dll!

NtCreateProcess 77204494 5 Bytes JMP

0058000C
.text C:\Windows\system32\wbem\wmiprvse.exe[3624] ntdll.dll!

NtCreateProcessEx 772044A4 5 Bytes JMP

0058100C
.text C:\Windows\system32\wbem\wmiprvse.exe[3624] ntdll.dll!

NtCreateUserProcess 77205804 5 Bytes JMP

0058200C
.text C:\Windows\system32\wbem\wmiprvse.exe[3624] kernel32.dll!

LoadLibraryExW 767A9109 5 Bytes JMP 0058300C
.text C:\Windows\system32\wbem\wmiprvse.exe[3624] kernel32.dll!

TerminateThread 767C41F7 5 Bytes JMP 0058400C
.text C:\Windows\system32\wbem\wmiprvse.exe[3624] ADVAPI32.dll!

CloseServiceHandle 76AD82A5 5 Bytes JMP

0058800C
.text C:\Windows\system32\wbem\wmiprvse.exe[3624] ADVAPI32.dll!

OpenServiceW 76AD8354 5 Bytes JMP 0058600C
.text C:\Windows\system32\wbem\wmiprvse.exe[3624] ADVAPI32.dll!

CreateServiceW 76AF9EB4 5 Bytes JMP 0058900C
.text C:\Windows\system32\wbem\wmiprvse.exe[3624] ADVAPI32.dll!

ControlService 76AF9FB8 5 Bytes JMP 0058700C
.text C:\Windows\system32\wbem\wmiprvse.exe[3624] USER32.dll!

SetWindowsHookExW 76DF87AD 5 Bytes JMP

0058500C
.text C:\Windows\system32\wbem\wmiprvse.exe[3624] USER32.dll!

DdeConnect 76E39A1F 5 Bytes JMP 0058B00C
.text C:\Windows\system32\wbem\wmiprvse.exe[3624] ole32.dll!

CoCreateInstanceEx 76EE9EE9 5 Bytes JMP

0058A00C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3972]

ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 01BC000C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3972]

ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 01BC100C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3972]

ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP

01BC200C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3972]

kernel32.dll!LoadLibraryExW 767A9109 5 Bytes JMP

01BC300C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3972]

kernel32.dll!TerminateThread 767C41F7 5 Bytes JMP

01BC400C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3972]

ADVAPI32.dll!CloseServiceHandle 76AD82A5 5 Bytes JMP

01BC800C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3972]

ADVAPI32.dll!OpenServiceW 76AD8354 5 Bytes JMP

01BC600C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3972]

ADVAPI32.dll!CreateServiceW 76AF9EB4 5 Bytes JMP

01BC900C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3972]

ADVAPI32.dll!ControlService 76AF9FB8 5 Bytes JMP

01BC700C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3972]

USER32.dll!SetWindowsHookExW 76DF87AD 5 Bytes JMP

01BC500C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3972]

USER32.dll!DdeConnect 76E39A1F 5 Bytes JMP

01BCB00C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3972]

ole32.dll!CoCreateInstanceEx 76EE9EE9 5 Bytes JMP

01BCA00C
.text C:\Program Files\Windows Defender\MSASCui.exe[4024] ntdll.dll!

NtCreateProcess 77204494 5 Bytes JMP 015F000C
.text C:\Program Files\Windows Defender\MSASCui.exe[4024] ntdll.dll!

NtCreateProcessEx 772044A4 5 Bytes JMP 015F100C
.text C:\Program Files\Windows Defender\MSASCui.exe[4024] ntdll.dll!

NtCreateUserProcess 77205804 5 Bytes JMP 015F200C
.text C:\Program Files\Windows Defender\MSASCui.exe[4024] kernel32.dll!

LoadLibraryExW 767A9109 5 Bytes JMP 015F300C
.text C:\Program Files\Windows Defender\MSASCui.exe[4024] kernel32.dll!

TerminateThread 767C41F7 5 Bytes JMP 015F400C
.text C:\Program Files\Windows Defender\MSASCui.exe[4024] ADVAPI32.dll!

CloseServiceHandle 76AD82A5 5 Bytes JMP 015F800C
.text C:\Program Files\Windows Defender\MSASCui.exe[4024] ADVAPI32.dll!

OpenServiceW 76AD8354 5 Bytes JMP 015F600C
.text C:\Program Files\Windows Defender\MSASCui.exe[4024] ADVAPI32.dll!

CreateServiceW 76AF9EB4 5 Bytes JMP 015F900C
.text C:\Program Files\Windows Defender\MSASCui.exe[4024] ADVAPI32.dll!

ControlService 76AF9FB8 5 Bytes JMP 015F700C
.text C:\Program Files\Windows Defender\MSASCui.exe[4024] USER32.dll!

SetWindowsHookExW 76DF87AD 5 Bytes JMP

015F500C
.text C:\Program Files\Windows Defender\MSASCui.exe[4024] USER32.dll!

DdeConnect 76E39A1F 5 Bytes JMP 015FB00C
.text C:\Program Files\Windows Defender\MSASCui.exe[4024] ole32.dll!

CoCreateInstanceEx 76EE9EE9 5 Bytes JMP 015FA00C
.text C:\Program Files\Windows Media Player\wmplayer.exe[4088] ntdll.dll!

NtCreateProcess 77204494 5 Bytes JMP 0304000C
.text C:\Program Files\Windows Media Player\wmplayer.exe[4088] ntdll.dll!

NtCreateProcessEx 772044A4 5 Bytes JMP 0304100C
.text C:\Program Files\Windows Media Player\wmplayer.exe[4088] ntdll.dll!

NtCreateUserProcess 77205804 5 Bytes JMP 0304200C
.text C:\Program Files\Windows Media Player\wmplayer.exe[4088] kernel32.dll!

LoadLibraryExW 767A9109 5 Bytes JMP 0304300C
.text C:\Program Files\Windows Media Player\wmplayer.exe[4088] kernel32.dll!

TerminateThread 767C41F7 5 Bytes JMP 0304400C
.text C:\Program Files\Windows Media Player\wmplayer.exe[4088]

ADVAPI32.dll!CloseServiceHandle 76AD82A5 5 Bytes JMP

0304800C
.text C:\Program Files\Windows Media Player\wmplayer.exe[4088]

ADVAPI32.dll!OpenServiceW 76AD8354 5 Bytes JMP

0304600C
.text C:\Program Files\Windows Media Player\wmplayer.exe[4088]

ADVAPI32.dll!CreateServiceW 76AF9EB4 5 Bytes JMP

0304900C
.text C:\Program Files\Windows Media Player\wmplayer.exe[4088]

ADVAPI32.dll!ControlService 76AF9FB8 5 Bytes JMP

0304700C
.text C:\Program Files\Windows Media Player\wmplayer.exe[4088]

USER32.dll!SetWindowsHookExW 76DF87AD 5 Bytes JMP

0304500C
.text C:\Program Files\Windows Media Player\wmplayer.exe[4088]

USER32.dll!DdeConnect 76E39A1F 5 Bytes JMP

0304B00C
.text C:\Program Files\Windows Media Player\wmplayer.exe[4088] ole32.dll!

CoCreateInstanceEx 76EE9EE9 5 Bytes JMP 0304A00C
.text C:\Windows\system32\wbem\wmiprvse.exe[4504] ntdll.dll!

NtCreateProcess 77204494 5 Bytes JMP

0020000C
.text C:\Windows\system32\wbem\wmiprvse.exe[4504] ntdll.dll!

NtCreateProcessEx 772044A4 5 Bytes JMP

0020100C
.text C:\Windows\system32\wbem\wmiprvse.exe[4504] ntdll.dll!

NtCreateUserProcess 77205804 5 Bytes JMP

0020200C
.text C:\Windows\system32\wbem\wmiprvse.exe[4504] kernel32.dll!

LoadLibraryExW 767A9109 5 Bytes JMP 0020300C
.text C:\Windows\system32\wbem\wmiprvse.exe[4504] kernel32.dll!

TerminateThread 767C41F7 5 Bytes JMP 0020400C
.text C:\Windows\system32\wbem\wmiprvse.exe[4504] ADVAPI32.dll!

CloseServiceHandle 76AD82A5 5 Bytes JMP

0020800C
.text C:\Windows\system32\wbem\wmiprvse.exe[4504] ADVAPI32.dll!

OpenServiceW 76AD8354 5 Bytes JMP 0020600C
.text C:\Windows\system32\wbem\wmiprvse.exe[4504] ADVAPI32.dll!

CreateServiceW 76AF9EB4 5 Bytes JMP 0020900C
.text C:\Windows\system32\wbem\wmiprvse.exe[4504] ADVAPI32.dll!

ControlService 76AF9FB8 5 Bytes JMP 0020700C
.text C:\Windows\system32\wbem\wmiprvse.exe[4504] USER32.dll!

SetWindowsHookExW 76DF87AD 5 Bytes JMP

0020500C
.text C:\Windows\system32\wbem\wmiprvse.exe[4504] USER32.dll!

DdeConnect 76E39A1F 5 Bytes JMP 0020B00C
.text C:\Windows\system32\wbem\wmiprvse.exe[4504] ole32.dll!

CoCreateInstanceEx 76EE9EE9 5 Bytes JMP

0020A00C
.text C:\Windows\system32\SearchProtocolHost.exe[4644] ntdll.dll!

NtCreateProcess 77204494 5 Bytes JMP 007B000C
.text C:\Windows\system32\SearchProtocolHost.exe[4644] ntdll.dll!

NtCreateProcessEx 772044A4 5 Bytes JMP 007B100C
.text C:\Windows\system32\SearchProtocolHost.exe[4644] ntdll.dll!

NtCreateUserProcess 77205804 5 Bytes JMP

007B200C
.text C:\Windows\system32\SearchProtocolHost.exe[4644] kernel32.dll!

LoadLibraryExW 767A9109 5 Bytes JMP 007B300C
.text C:\Windows\system32\SearchProtocolHost.exe[4644] kernel32.dll!

TerminateThread 767C41F7 5 Bytes JMP 007B400C
.text C:\Windows\system32\SearchProtocolHost.exe[4644] ADVAPI32.dll!

CloseServiceHandle 76AD82A5 5 Bytes JMP 007B800C
.text C:\Windows\system32\SearchProtocolHost.exe[4644] ADVAPI32.dll!

OpenServiceW 76AD8354 5 Bytes JMP 007B600C
.text C:\Windows\system32\SearchProtocolHost.exe[4644] ADVAPI32.dll!

CreateServiceW 76AF9EB4 5 Bytes JMP 007B900C
.text C:\Windows\system32\SearchProtocolHost.exe[4644] ADVAPI32.dll!

ControlService 76AF9FB8 5 Bytes JMP 007B700C
.text C:\Windows\system32\SearchProtocolHost.exe[4644] USER32.dll!

SetWindowsHookExW 76DF87AD 5 Bytes JMP

007B500C
.text C:\Windows\system32\SearchProtocolHost.exe[4644] USER32.dll!

DdeConnect 76E39A1F 5 Bytes JMP 007BB00C
.text C:\Windows\system32\SearchProtocolHost.exe[4644] ole32.dll!

CoCreateInstanceEx 76EE9EE9 5 Bytes JMP

007BA00C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4748]

ntdll.dll!NtCreateProcess 77204494 5 Bytes JMP 008A000C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4748]

ntdll.dll!NtCreateProcessEx 772044A4 5 Bytes JMP 008A100C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4748]

ntdll.dll!NtCreateUserProcess 77205804 5 Bytes JMP 008A200C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4748]

kernel32.dll!LoadLibraryExW 767A9109 5 Bytes JMP 008A300C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4748]

kernel32.dll!TerminateThread 767C41F7 5 Bytes JMP 008A400C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4748]

ADVAPI32.dll!CloseServiceHandle 76AD82A5 5 Bytes JMP 008A800C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4748]

ADVAPI32.dll!OpenServiceW 76AD8354 5 Bytes JMP 008A600C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4748]

ADVAPI32.dll!CreateServiceW 76AF9EB4 5 Bytes JMP 008A900C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4748]

ADVAPI32.dll!ControlService 76AF9FB8 5 Bytes JMP 008A700C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4748]

USER32.dll!SetWindowsHookExW 76DF87AD 5 Bytes JMP

008A500C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4748]

USER32.dll!DdeConnect 76E39A1F 5 Bytes JMP 008AB00C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4748]

ole32.dll!CoCreateInstanceEx 76EE9EE9 5 Bytes JMP 008AA00C
.text C:\Program Files\Mozilla Firefox\firefox.exe[5436] ntdll.dll!LdrLoadDll

771C9390 5 Bytes JMP 000713F0 C:\Program Files\Mozilla

Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5436] ntdll.dll!NtCreateProcess

77204494 5 Bytes JMP 003C000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[5436] ntdll.dll!

NtCreateProcessEx 772044A4 5 Bytes JMP 003C100C
.text C:\Program Files\Mozilla Firefox\firefox.exe[5436] ntdll.dll!

NtCreateUserProcess 77205804 5 Bytes JMP 003C200C
.text C:\Program Files\Mozilla Firefox\firefox.exe[5436] kernel32.dll!

LoadLibraryExW 767A9109 5 Bytes JMP 003C300C
.text C:\Program Files\Mozilla Firefox\firefox.exe[5436] kernel32.dll!

TerminateThread 767C41F7 5 Bytes JMP 003C400C
.text C:\Program Files\Mozilla Firefox\firefox.exe[5436] ADVAPI32.dll!

CloseServiceHandle 76AD82A5 5 Bytes JMP 003C800C
.text C:\Program Files\Mozilla Firefox\firefox.exe[5436] ADVAPI32.dll!

OpenServiceW 76AD8354 5 Bytes JMP 003C600C
.text C:\Program Files\Mozilla Firefox\firefox.exe[5436] ADVAPI32.dll!

CreateServiceW 76AF9EB4 5 Bytes JMP 003C900C
.text C:\Program Files\Mozilla Firefox\firefox.exe[5436] ADVAPI32.dll!

ControlService 76AF9FB8 5 Bytes JMP 003C700C
.text C:\Program Files\Mozilla Firefox\firefox.exe[5436] USER32.dll!

SetWindowsHookExW 76DF87AD 5 Bytes JMP

003C500C
.text C:\Program Files\Mozilla Firefox\firefox.exe[5436] USER32.dll!DdeConnect

76E39A1F 5 Bytes JMP 003CB00C
.text C:\Program Files\Mozilla Firefox\firefox.exe[5436] ole32.dll!

CoCreateInstanceEx 76EE9EE9 5 Bytes JMP 003CA00C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[5552] ntdll.dll!

NtCreateProcess 77204494 5 Bytes JMP 0026000C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[5552] ntdll.dll!

NtCreateProcessEx 772044A4 5 Bytes JMP 0026100C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[5552] ntdll.dll!

NtCreateUserProcess 77205804 5 Bytes JMP 0026200C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[5552] kernel32.dll!

LoadLibraryExW 767A9109 5 Bytes JMP 0026300C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[5552] kernel32.dll!

TerminateThread 767C41F7 5 Bytes JMP 0026400C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[5552] ADVAPI32.dll!

CloseServiceHandle 76AD82A5 5 Bytes JMP 0026800C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[5552] ADVAPI32.dll!

OpenServiceW 76AD8354 5 Bytes JMP 0026600C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[5552] ADVAPI32.dll!

CreateServiceW 76AF9EB4 5 Bytes JMP 0026900C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[5552] ADVAPI32.dll!

ControlService 76AF9FB8 5 Bytes JMP 0026700C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[5552] USER32.dll!

SetWindowsHookExW 76DF87AD 5 Bytes JMP 0026500C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[5552] USER32.dll!

DdeConnect 76E39A1F 5 Bytes JMP 0026B00C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[5552] ole32.dll!

CoCreateInstanceEx 76EE9EE9 5 Bytes JMP 0026A00C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 88020FE0
AttachedDevice \Driver\tdx \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
Device \Driver\BTHUSB \Device\0000007c bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\0000007e bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] qviqpsjc <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197ee6ec3f
Reg HKLM\SYSTEM\CurrentControlSet\Services\qviqpsjc@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\qviqpsjc@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\qviqpsjc@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\qviqpsjc@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\qviqpsjc@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\qviqpsjc@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\qviqpsjc@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\qviqpsjc@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\qviqpsjc@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\qviqpsjc@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\qviqpsjc@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\qviqpsjc@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet004\Services\qviqpsjc@Type 1
Reg HKLM\SYSTEM\ControlSet004\Services\qviqpsjc@Start 0
Reg HKLM\SYSTEM\ControlSet004\Services\qviqpsjc@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\qviqpsjc@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet005\Services\qviqpsjc@Type 1
Reg HKLM\SYSTEM\ControlSet005\Services\qviqpsjc@Start 0
Reg HKLM\SYSTEM\ControlSet005\Services\qviqpsjc@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet005\Services\qviqpsjc@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet006\Services\qviqpsjc@Type 1
Reg HKLM\SYSTEM\ControlSet006\Services\qviqpsjc@Start 0
Reg HKLM\SYSTEM\ControlSet006\Services\qviqpsjc@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet006\Services\qviqpsjc@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet007\Services\qviqpsjc@Type 1
Reg HKLM\SYSTEM\ControlSet007\Services\qviqpsjc@Start 0
Reg HKLM\SYSTEM\ControlSet007\Services\qviqpsjc@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet007\Services\qviqpsjc@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet008\Services\qviqpsjc@Type 1
Reg HKLM\SYSTEM\ControlSet008\Services\qviqpsjc@Start 0
Reg HKLM\SYSTEM\ControlSet008\Services\qviqpsjc@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet008\Services\qviqpsjc@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet009\Services\qviqpsjc@Type 1
Reg HKLM\SYSTEM\ControlSet009\Services\qviqpsjc@Start 0
Reg HKLM\SYSTEM\ControlSet009\Services\qviqpsjc@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet009\Services\qviqpsjc@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet010\Services\qviqpsjc@Type 1
Reg HKLM\SYSTEM\ControlSet010\Services\qviqpsjc@Start 0
Reg HKLM\SYSTEM\ControlSet010\Services\qviqpsjc@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet010\Services\qviqpsjc@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet011\Services\qviqpsjc@Type 1
Reg HKLM\SYSTEM\ControlSet011\Services\qviqpsjc@Start 0
Reg HKLM\SYSTEM\ControlSet011\Services\qviqpsjc@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet011\Services\qviqpsjc@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet012\Services\qviqpsjc@Type 1
Reg HKLM\SYSTEM\ControlSet012\Services\qviqpsjc@Start 0
Reg HKLM\SYSTEM\ControlSet012\Services\qviqpsjc@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet012\Services\qviqpsjc@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet013\Services\qviqpsjc@Type 1
Reg HKLM\SYSTEM\ControlSet013\Services\qviqpsjc@Start 0
Reg HKLM\SYSTEM\ControlSet013\Services\qviqpsjc@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet013\Services\qviqpsjc@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet014\Services\qviqpsjc@Type 1
Reg HKLM\SYSTEM\ControlSet014\Services\qviqpsjc@Start 0
Reg HKLM\SYSTEM\ControlSet014\Services\qviqpsjc@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet014\Services\qviqpsjc@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet015\Services\qviqpsjc@Type 1
Reg HKLM\SYSTEM\ControlSet015\Services\qviqpsjc@Start 0
Reg HKLM\SYSTEM\ControlSet015\Services\qviqpsjc@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet015\Services\qviqpsjc@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet016\Services\qviqpsjc@Type 1
Reg HKLM\SYSTEM\ControlSet016\Services\qviqpsjc@Start 0
Reg HKLM\SYSTEM\ControlSet016\Services\qviqpsjc@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet016\Services\qviqpsjc@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet017\Services\qviqpsjc@Type 1
Reg HKLM\SYSTEM\ControlSet017\Services\qviqpsjc@Start 0
Reg HKLM\SYSTEM\ControlSet017\Services\qviqpsjc@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet017\Services\qviqpsjc@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet018\Services\BTHPORT\Parameters\Keys\00197ee6ec3f (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet018\Services\qviqpsjc@Type 1
Reg HKLM\SYSTEM\ControlSet018\Services\qviqpsjc@Start 0
Reg HKLM\SYSTEM\ControlSet018\Services\qviqpsjc@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet018\Services\qviqpsjc@Group Boot Bus Extender



Here is the DDS LOG:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Home at 23:09:06.03 on Wed 08/11/2010
Internet Explorer: 8.0.6001.18943 BrowserJavaVersion: 1.6.0_21
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.3069.1163 [GMT -4:00]

SP: AntiVir Desktop *disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\COGECO Security Services\Anti-Virus\fsgk32st.exe
C:\Program Files\COGECO Security Services\Common\FSMA32.EXE
C:\Program Files\COGECO Security Services\Anti-Virus\FSGK32.EXE
C:\Program Files\COGECO Security Services\Common\FSHDLL32.EXE
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\COGECO Security Services\ORSP Client\fsorsp.exe
C:\Program Files\COGECO Security Services\Anti-Virus\fssm32.exe
C:\Program Files\COGECO Security Services\FWES\Program\fsdfwd.exe
C:\Windows\System32\nvraidservice.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\COGECO Security Services\Common\FSM32.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\COGECO Security Services\Anti-Virus\fsav32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\msiexec.exe
C:\Windows\system32\MsiExec.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Home\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=6080324
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Browsing Protection Class: {c6867eb7-8350-4856-877f-93cf8ae3dc9c} - c:\program files\cogeco security services\nrs\iescript\baselitmus.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Browsing Protection Toolbar: {265eee8e-3228-44d3-aea5-f7fdf5860049} - c:\program files\cogeco security services\nrs\iescript\baselitmus.dll
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" resetprofile
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Bluetooth HCI Monitor] RunDll32 HCIMNTR.DLL,RunCheckHCIMode
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [F-Secure Manager] "c:\program files\cogeco security services\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\cogeco security services\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
LSP: c:\program files\cogeco security services\fsps\program\FSLSP.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\home\appdata\roaming\mozilla\firefox\profiles\wyocjm26.default\
FF - component: c:\program files\cogeco security services\nrs\litmus-ff@f-secure.com\components\litmus-ff.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\tvuplayer\npTVUAx.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\users\home\appdata\roaming\mozilla\firefox\profiles\wyocjm26.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2010-8-8 41256]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-8-4 64288]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\cogeco security services\hips\drivers\fshs.sys [2010-8-8 68064]
R1 FSES;F-Secure Email Scanning Driver;c:\windows\system32\drivers\fses.sys [2010-8-8 35792]
R1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2010-8-8 71040]
R1 fsvista;F-Secure Vista Support Driver;c:\program files\cogeco security services\anti-virus\minifilter\fsvista.sys [2010-8-8 12384]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-8-11 18816]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\cogeco security services\anti-virus\fsgk32st.exe [2010-8-8 215648]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1355416]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\cogeco security services\anti-virus\minifilter\fsgk.sys [2010-8-8 124072]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\cogeco security services\orsp client\fsorsp.exe [2010-8-8 56992]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-24 136176]
S3 BFOHI;BFOHI;c:\users\home\appdata\local\temp\BFOHI.exe [2010-8-11 355200]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-1-25 21504]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-3-24 30192]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-11 15008]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 OUCR;OUCR;c:\users\home\appdata\local\temp\OUCR.exe [2010-8-11 437120]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\cogeco security services\anti-virus\win2k\fsfilter.sys [2010-8-8 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\cogeco security services\anti-virus\win2k\fsrec.sys [2010-8-8 25184]

=============== Created Last 30 ================

2010-08-12 02:59:41 0 ----a-w- c:\users\home\defogger_reenable
2010-08-12 00:08:26 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-08-11 23:45:20 0 d-----w- c:\program files\iPod
2010-08-11 23:45:02 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-11 23:18:29 0 d-----w- c:\program files\Bonjour
2010-08-11 22:40:33 376945886 ----a-w- c:\windows\MEMORY.DMP
2010-08-11 22:19:18 0 d-----w- c:\program files\Sophos
2010-08-11 19:24:29 0 d-----w- c:\users\home\.bh_gui
2010-08-11 19:22:54 0 d-----w- c:\programdata\SRI
2010-08-11 19:22:04 0 d-----w- c:\program files\WinPcap
2010-08-11 19:00:47 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-08-11 19:00:44 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-08-11 19:00:41 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-08-11 19:00:37 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-08-11 19:00:34 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-11 19:00:33 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-11 18:58:54 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-09 16:00:00 0 d-----w- c:\users\home\appdata\roaming\F-Secure
2010-08-08 20:16:44 41256 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-08-08 20:15:41 35792 ----a-w- c:\windows\system32\drivers\fses.sys
2010-08-08 20:15:38 71040 ----a-w- c:\windows\system32\drivers\fsdfw.sys
2010-08-08 20:15:37 572512 ----a-w- c:\windows\system32\msvcp50.dll
2010-08-08 20:14:55 0 d-----w- c:\program files\COGECO Security Services
2010-08-08 20:14:14 0 d-----w- c:\programdata\fssg
2010-08-08 12:41:23 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-08 01:51:53 0 d-----w- c:\programdata\TVU Networks
2010-08-05 19:37:59 0 d-----w- c:\users\home\appdata\roaming\SUPERAntiSpyware.com
2010-08-05 19:37:59 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-08-05 19:37:54 0 d-----w- c:\program files\SUPERAntiSpyware
2010-08-04 20:44:28 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-04 20:43:24 0 dc-h--w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-08-04 20:40:00 0 d-----w- c:\programdata\F-Secure
2010-07-17 17:07:14 0 d-sh--w- C:\found.000
2010-07-15 01:16:36 186 ----a-w- c:\windows\system32\MRT.INI
2010-07-15 01:16:35 0 d-----w- c:\windows\system32\MpEngineStore

==================== Find3M ====================

2010-08-12 03:09:04 823808 ----a-w- c:\windows\system32\drivers\qviqpsjc.sys
2010-08-12 00:12:27 147566 ----a-w- c:\programdata\nvModes.dat
2010-08-11 23:27:57 86016 ----a-w- c:\windows\inf\infstor.dat
2010-08-11 23:27:57 51200 ----a-w- c:\windows\inf\infpub.dat
2010-08-11 23:27:57 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-08-07 19:20:49 184 ----a-w- c:\users\home\appdata\roaming\wklnhst.dat
2010-07-17 09:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-12 08:55:38 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-26 06:05:49 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02:15 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02:15 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25:02 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-11 16:16:20 274944 ----a-w- c:\windows\system32\schannel.dll
2010-06-08 17:35:04 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-08 17:35:03 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-05-26 17:06:41 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47:41 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-01-31 08:19:27 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-30 20:26:01 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-02-13 02:49:45 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-03-24 19:29:59 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 23:09:24.43 ===============



#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:02:31 AM

Posted 19 August 2010 - 06:29 AM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  1. Double click on RSIT.exe to run RSIT.
  2. Click Continue at the disclaimer screen.
  3. Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  1. Reply to this thread; do not start another!
  2. Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  3. Do not run any other tool until instructed to do so!
  4. Let me know if any of the links do not work or if any of the tools do not work.
  5. Tell me about problems or symptoms that occur during the fix.
  6. Do not run any other programs or open any other windows while doing a fix.
  7. Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:02:31 AM

Posted 31 August 2010 - 02:04 PM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

