
Want to remove Rootkit infection on laptop


  • This topic is locked
20 replies to this topic

#1 congokid

congokid

  • Members
  • 30 posts
  • OFFLINE
  • Location:London
  • Local time:01:13 AM

Posted 15 March 2011 - 06:13 AM

DDS and GMER logs as instructed for rootkit infection on Dell XPS M1210 laptop.

Briefly, the problem with the laptop included Google redirect and more recently Alureon-FZ infection.

With the latter, on switching the machine on there was a Windows blue screen with this message:

The volume is dirty
CHKDSK is verifying files

On completion and boot up, after a few minutes Avast found a rootkit infection, which I removed, and Avast then ran a boot-time scan, during which it would restart the computer and then scan all my data before Windows started.

On the Avast blue screen on restarting, I saw this report file:
c:\documents and settings\all users\application data\Alwil software\Avast5\report\aswBoot\.txt

and this infection:
c:\documents and settings\all users\application data\Alwil software\Avast5\arpot\82d33-744-0.dat
is infected by Win32:Alureon-FZ

I pressed 2 to delete all. One infection was found and the computer restarted. A few minutes after restarting, Avast detected rootkit again and invited me to go through the same process all over again. I did this quite a few times but the infection never cleared.

Most recently, Avast indicated that 'a suspicious hidden object (rootkit) has been detected on your system. This may be a sign of a malware infection. It is recommended to remove this object immediately'.

ROOTKIT INFORMATION:
File name
C:\WINDOWS\system32\drivers\kbdclass.sys


Apologies if you didn't need all that again!

One odd thing that happened as I was running the log programs just now - my laptop's internet connectivity via the home wifi network somehow became enabled. Not sure what I did to cause this. It's still working, though connectivity has proved to be only sporadic in the past.


DDS log:


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by colm at 10:17:21.64 on 15/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.487 [GMT 0:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\xampp\apache\bin\httpd.exe
C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
svchost.exe
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
C:\xampp\FileZillaFTP\FileZilla server.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\xampp\xampp_service_mercury.exe
C:\xampp\MercuryMail\mercury.exe
C:\xampp\mysql\bin\mysqld.exe
C:\xampp\apache\bin\httpd.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Intense Language Office\COMMON\Offman.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\iFinger\iFinger.exe
C:\Program Files\Softissimo\Collins Internet-Linked Dictionary\exe\L-Express.exe
C:\Program Files\Softissimo\Collins Internet-Linked Dictionary\exe\lexibase.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\colm\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = htt;
uSearch Page =
uSearch Bar =
uDefault_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061012
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061012
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant =
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: iFinger plugin / Browser helper object: {a114d52b-870c-4f15-8021-b6d7f91a054b} - c:\progra~1\ifinger\plugins\IE.ifp
BHO: PDFCreator Toolbar Helper: {c451c08a-ec37-45df-aaad-18b51ab5e837} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: PDFCreator Toolbar: {31cf9ebe-5755-4a1d-ac25-2834d952d9b4} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
EB: iFinger: {0cbd5120-990b-11d3-8abd-00c04fa95ee0} - c:\windows\system32\SHDOCVW.DLL
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Intense Registry Service] IntEdReg.exe /CHECK
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [QuickTime Task] "c:\program files\quicktime alternative\QTTask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\sitecom\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellne~1.lnk - c:\windows\installer\{0240bdfb-2995-4a3f-8c96-18d41282b716}\Icon0240BDFB3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ifinge~1.lnk - c:\program files\ifinger\iFinger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lexiba~1.lnk - c:\program files\softissimo\collins internet-linked dictionary\exe\L-Express.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\sitecom\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\sitecom\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {936E5D60-596C-11D3-BB96-00600816DF55} - {0CBD5120-990B-11D3-8ABD-00C04FA95EE0} - c:\windows\system32\SHDOCVW.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161195427851
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\colm\applic~1\mozilla\firefox\profiles\h1g56uof.default\
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en|http://www.facebook.com/colm.devlin#/home.php?ref=home
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\colm\application data\mozilla\firefox\profiles\h1g56uof.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-3-30 294608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2009-9-29 24640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-3-30 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-21 40384]
R2 BecHelperService;BecHelperService;c:\program files\3 mobile broadband\3connect\BecHelperService.exe [2010-6-7 1737464]
R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [2006-1-12 13696]
R2 Mercury;Mercury;c:\xampp\xampp_service_mercury.exe [2009-9-29 73728]
R2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [2006-1-12 13568]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-6-7 100736]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2009-4-14 103168]
.
=============== Created Last 30 ================
.
2011-03-14 13:10:52 -------- d-----w- c:\docume~1\colm\applic~1\SUPERAntiSpyware.com
.
==================== Find3M ====================
.
2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK8034GSX rev.AH301D -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B69CEC]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x50; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x8569b846; SUB DWORD [EBP-0x4], 0x8569b12e; PUSH EDI; CALL 0xffffffffffffe10c; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86D16AB8]
3 CLASSPNP[0xF763EFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000074[0x86DCB510]
5 ACPI[0xF74D5620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86DCA940]
[0x86AF67D8] -> IRP_MJ_CREATE -> 0x86B69CEC
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x100; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSW ; JMP FAR 0x0:0x62c; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK8034GSX_______________________AH301D__#5&2ad6debd&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86B69AEA
user & kernel MBR OK
sectors 153356488 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 10:19:46.36 ===============




Previous GMER log as requested

Include the GMER log you posted earlier.



GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-03-14 21:28:45
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 TOSHIBA_MK8034GSX rev.AH301D
Running: jkxjkmbw.exe; Driver: C:\DOCUME~1\colm\LOCALS~1\Temp\pwdorkod.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\DRIVERS\kbdclass.sys entry point in ".rsrc" section [0xF79A0E14]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[596] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 04AA000A
.text C:\WINDOWS\system32\svchost.exe[596] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0094000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86A0DAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 86A0DAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 86A0DAEA
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK8034GSX_______________________AH301D__#5&2ad6debd&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060afb515
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060afb515@001620ae3e8c 0xE9 0x01 0x9D 0x25 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060afb515@0021fbd67330 0xAC 0xAD 0x77 0xBE ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001060afb515 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001060afb515@001620ae3e8c 0xE9 0x01 0x9D 0x25 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001060afb515@0021fbd67330 0xAC 0xAD 0x77 0xBE ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 153356234 (+255): rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\colm\My Documents\work\CLIENTS\EMOTIONALBUZZ\OLDS\17-11 02 OLD AAMET Buzz site\RESOURCES - NOT FOR UPLOAD\TEMPLATES & CODE SAMPLES\SAMPLE SITES\tapping\Tapping.com - Free EFT Videos - Emotional Freedom Technique_files\5958460266411651546_data\Tappingcom.jpg 15071 bytes
File C:\WINDOWS\system32\DRIVERS\kbdclass.sys suspicious modification; TDL3 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:13 PM

Posted 18 March 2011 - 11:31 PM

Hello and welcome. I apologize for the delay. If you no longer need help with this issue, we would appreciate you letting us know. Otherwise, please perform the following steps so I can have a look at the current condition of your machine. I realize that you have already posted logs, but because of the time that has passed I'd like a fresh set.

Please download DDS by sUBs from one of the following links and save it to your desktop.

DDS.scr
DDS.com
DDS.pif
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


If you have trouble running GMER:
  • Make sure that your security software is disabled
  • Uncheck the box next to "Files" this time also
  • If you still can't run it, try in the Safe Mode
Please include the following in your next post:
  • DDS.txt and Attach.txt logs
  • GMER log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member




#3 congokid

congokid
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Location:London
  • Local time:01:13 AM

Posted 20 March 2011 - 07:08 AM

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by colm at 11:41:58.76 on 20/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.347 [GMT 0:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\xampp\apache\bin\httpd.exe
C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
svchost.exe
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
C:\xampp\FileZillaFTP\FileZilla server.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\xampp\xampp_service_mercury.exe
C:\xampp\MercuryMail\mercury.exe
C:\xampp\mysql\bin\mysqld.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\xampp\apache\bin\httpd.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intense Language Office\COMMON\Offman.exe
C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\iFinger\iFinger.exe
C:\Program Files\Softissimo\Collins Internet-Linked Dictionary\exe\L-Express.exe
C:\Program Files\Softissimo\Collins Internet-Linked Dictionary\exe\lexibase.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\colm\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = htt;
uSearch Page =
uSearch Bar =
uDefault_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061012
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061012
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant =
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: iFinger plugin / Browser helper object: {a114d52b-870c-4f15-8021-b6d7f91a054b} - c:\progra~1\ifinger\plugins\IE.ifp
BHO: PDFCreator Toolbar Helper: {c451c08a-ec37-45df-aaad-18b51ab5e837} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: PDFCreator Toolbar: {31cf9ebe-5755-4a1d-ac25-2834d952d9b4} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
EB: iFinger: {0cbd5120-990b-11d3-8abd-00c04fa95ee0} - c:\windows\system32\SHDOCVW.DLL
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Intense Registry Service] IntEdReg.exe /CHECK
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [QuickTime Task] "c:\program files\quicktime alternative\QTTask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\sitecom\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellne~1.lnk - c:\windows\installer\{0240bdfb-2995-4a3f-8c96-18d41282b716}\Icon0240BDFB3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ifinge~1.lnk - c:\program files\ifinger\iFinger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lexiba~1.lnk - c:\program files\softissimo\collins internet-linked dictionary\exe\L-Express.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\sitecom\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\sitecom\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {936E5D60-596C-11D3-BB96-00600816DF55} - {0CBD5120-990B-11D3-8ABD-00C04FA95EE0} - c:\windows\system32\SHDOCVW.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161195427851
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\colm\applic~1\mozilla\firefox\profiles\h1g56uof.default\
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en|http://www.facebook.com/colm.devlin#/home.php?ref=home
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\colm\application data\mozilla\firefox\profiles\h1g56uof.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-15 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-3-30 301528]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2009-9-29 24640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-3-30 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-21 42184]
R2 BecHelperService;BecHelperService;c:\program files\3 mobile broadband\3connect\BecHelperService.exe [2010-6-7 1737464]
R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [2006-1-12 13696]
R2 Mercury;Mercury;c:\xampp\xampp_service_mercury.exe [2009-9-29 73728]
R2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [2006-1-12 13568]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-6-7 100736]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2009-4-14 103168]
.
=============== Created Last 30 ================
.
2011-03-15 11:13:46 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-03-14 13:10:52 -------- d-----w- c:\docume~1\colm\applic~1\SUPERAntiSpyware.com
.
==================== Find3M ====================
.
2011-02-23 15:04:21 40648 ----a-w- c:\windows\avastSS.scr
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK8034GSX rev.AH301D -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B60CEC]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x50; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x8569b846; SUB DWORD [EBP-0x4], 0x8569b12e; PUSH EDI; CALL 0xffffffffffffe10c; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86D73AB8]
3 CLASSPNP[0xF763EFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000074[0x86DCA258]
5 ACPI[0xF74D5620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86D1CD98]
[0x86C69B10] -> IRP_MJ_CREATE -> 0x86B60CEC
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x100; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSW ; JMP FAR 0x0:0x62c; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK8034GSX_______________________AH301D__#5&2ad6debd&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86B60AEA
user & kernel MBR OK
sectors 153356488 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 11:44:25.21 ===============
I copied the GMER.txt here, but got an error message saying the GMER file makes the message too long.

I tried to attach it instead, and got this message:

Error This file was too big to upload


Any suggestions?

#4 congokid

congokid
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Location:London
  • Local time:01:13 AM

Posted 20 March 2011 - 07:12 AM

First half of GMER.txt file:


GMER 1.0.15.15565 - http://www.gmer.net
Rootkit scan 2011-03-20 11:59:18
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 TOSHIBA_MK8034GSX rev.AH301D
Running: puex5lup.exe; Driver: C:\DOCUME~1\colm\LOCALS~1\Temp\pwdorkod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xA94A89CA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xA94FDA68]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xA94C8AF5]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xA94AAEAC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xA94AAF04]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xA94AB01A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xA94C84A9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xA94AAE02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xA94AAF54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xA94AAE56]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xA94AAFC8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xA94A89EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xA94C91BB]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xA94C9471]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xA94AB29E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA94C9026]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA94C8E91]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xA94FDB18]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xA94A87B8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xA94A8A12]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xA94AB412]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xA94A94AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xA94AAEDC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xA94AAF2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xA94AB044]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xA94C8805]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xA94AAE2E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xA94AB0D6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xA94AAF94]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xA94AAE84]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xA94AB1BA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xA94AAFF2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xA94FDBB0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xA94C8D0C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xA94A9370]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xA94C8B5E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xA9505E26]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xA94C7B1C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xA94A8A36]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xA94A8A5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xA94A8812]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xA94A894E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xA94C92C2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xA94A892A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xA94A8972]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xA94A8A7E]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA95128DE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A646E 4 Bytes CALL A94A9E25 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC502 5 Bytes JMP A950E29E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C2F86 5 Bytes JMP A950FD38 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1134 7 Bytes JMP A95128E2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.rsrc C:\WINDOWS\system32\DRIVERS\kbdclass.sys entry point in ".rsrc" section [0xF79AAE14]
? C:\DOCUME~1\colm\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[156] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[156] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[156] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\svchost.exe[156] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\svchost.exe[156] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\svchost.exe[156] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\svchost.exe[156] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\svchost.exe[156] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\svchost.exe[156] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\svchost.exe[156] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\svchost.exe[156] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\svchost.exe[156] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\svchost.exe[156] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\svchost.exe[156] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\svchost.exe[156] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\xampp\apache\bin\httpd.exe[216] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00090030
.text C:\xampp\apache\bin\httpd.exe[216] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0009006C
.text C:\xampp\apache\bin\httpd.exe[216] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003001D4
.text C:\xampp\apache\bin\httpd.exe[216] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003000E4
.text C:\xampp\apache\bin\httpd.exe[216] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300120
.text C:\xampp\apache\bin\httpd.exe[216] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0030015C
.text C:\xampp\apache\bin\httpd.exe[216] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300198
.text C:\xampp\apache\bin\httpd.exe[216] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00300030
.text C:\xampp\apache\bin\httpd.exe[216] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0030006C
.text C:\xampp\apache\bin\httpd.exe[216] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003000A8
.text C:\xampp\apache\bin\httpd.exe[216] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003100E4
.text C:\xampp\apache\bin\httpd.exe[216] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310120
.text C:\xampp\apache\bin\httpd.exe[216] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003100A8
.text C:\xampp\apache\bin\httpd.exe[216] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00310030
.text C:\xampp\apache\bin\httpd.exe[216] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0031006C
.text C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe[252] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00150030
.text C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe[252] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0015006C
.text C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe[252] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003E01D4
.text C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe[252] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003E00E4
.text C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe[252] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003E0120
.text C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe[252] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003E015C
.text C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe[252] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003E0198
.text C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe[252] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003E0030
.text C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe[252] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003E006C
.text C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe[252] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003E00A8
.text C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe[252] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003F00E4
.text C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe[252] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003F0120
.text C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe[252] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003F00A8
.text C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe[252] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003F0030
.text C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe[252] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003F006C
.text C:\WINDOWS\system32\svchost.exe[344] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[344] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[344] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\svchost.exe[344] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\svchost.exe[344] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\svchost.exe[344] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\svchost.exe[344] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\svchost.exe[344] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\svchost.exe[344] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\svchost.exe[344] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\svchost.exe[344] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\svchost.exe[344] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\svchost.exe[344] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\svchost.exe[344] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\svchost.exe[344] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\WINDOWS\system32\svchost.exe[368] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[368] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[368] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\svchost.exe[368] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\svchost.exe[368] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\svchost.exe[368] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\svchost.exe[368] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\svchost.exe[368] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\svchost.exe[368] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\svchost.exe[368] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\svchost.exe[368] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\svchost.exe[368] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\svchost.exe[368] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\svchost.exe[368] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\svchost.exe[368] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe[392] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00140030
.text C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe[392] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0014006C
.text C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe[392] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003B01D4
.text C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe[392] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003B00E4
.text C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe[392] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003B0120
.text C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe[392] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003B015C
.text C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe[392] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003B0198
.text C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe[392] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003B0030
.text C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe[392] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003B006C
.text C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe[392] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003B00A8
.text C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe[392] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C00E4
.text C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe[392] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0120
.text C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe[392] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C00A8
.text C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe[392] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C0030
.text C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe[392] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C006C
.text C:\xampp\FileZillaFTP\FileZilla server.exe[436] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00150030
.text C:\xampp\FileZillaFTP\FileZilla server.exe[436] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0015006C
.text C:\xampp\FileZillaFTP\FileZilla server.exe[436] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C01D4
.text C:\xampp\FileZillaFTP\FileZilla server.exe[436] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\xampp\FileZillaFTP\FileZilla server.exe[436] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C00E4
.text C:\xampp\FileZillaFTP\FileZilla server.exe[436] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0120
.text C:\xampp\FileZillaFTP\FileZilla server.exe[436] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C015C
.text C:\xampp\FileZillaFTP\FileZilla server.exe[436] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0198
.text C:\xampp\FileZillaFTP\FileZilla server.exe[436] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C0030
.text C:\xampp\FileZillaFTP\FileZilla server.exe[436] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C006C
.text C:\xampp\FileZillaFTP\FileZilla server.exe[436] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C00A8
.text C:\xampp\FileZillaFTP\FileZilla server.exe[436] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D00E4
.text C:\xampp\FileZillaFTP\FileZilla server.exe[436] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0120
.text C:\xampp\FileZillaFTP\FileZilla server.exe[436] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D00A8
.text C:\xampp\FileZillaFTP\FileZilla server.exe[436] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D0030
.text C:\xampp\FileZillaFTP\FileZilla server.exe[436] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D006C
.text C:\WINDOWS\system32\svchost.exe[476] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[476] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[476] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\svchost.exe[476] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\svchost.exe[476] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\svchost.exe[476] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\svchost.exe[476] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\svchost.exe[476] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\svchost.exe[476] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\svchost.exe[476] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\svchost.exe[476] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\svchost.exe[476] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\svchost.exe[476] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\svchost.exe[476] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\svchost.exe[476] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\Program Files\Java\jre6\bin\jqs.exe[572] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00150030
.text C:\Program Files\Java\jre6\bin\jqs.exe[572] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0015006C
.text C:\Program Files\Java\jre6\bin\jqs.exe[572] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C01D4
.text C:\Program Files\Java\jre6\bin\jqs.exe[572] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\Java\jre6\bin\jqs.exe[572] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C00E4
.text C:\Program Files\Java\jre6\bin\jqs.exe[572] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0120
.text C:\Program Files\Java\jre6\bin\jqs.exe[572] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C015C
.text C:\Program Files\Java\jre6\bin\jqs.exe[572] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0198
.text C:\Program Files\Java\jre6\bin\jqs.exe[572] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C0030
.text C:\Program Files\Java\jre6\bin\jqs.exe[572] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C006C
.text C:\Program Files\Java\jre6\bin\jqs.exe[572] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C00A8
.text C:\Program Files\Java\jre6\bin\jqs.exe[572] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D00E4
.text C:\Program Files\Java\jre6\bin\jqs.exe[572] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0120
.text C:\Program Files\Java\jre6\bin\jqs.exe[572] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D00A8
.text C:\Program Files\Java\jre6\bin\jqs.exe[572] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D0030
.text C:\Program Files\Java\jre6\bin\jqs.exe[572] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D006C
.text C:\Program Files\Kontiki\KService.exe[584] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00140030
.text C:\Program Files\Kontiki\KService.exe[584] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0014006C
.text C:\Program Files\Kontiki\KService.exe[584] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C01D4
.text C:\Program Files\Kontiki\KService.exe[584] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\Kontiki\KService.exe[584] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C00E4
.text C:\Program Files\Kontiki\KService.exe[584] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0120
.text C:\Program Files\Kontiki\KService.exe[584] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C015C
.text C:\Program Files\Kontiki\KService.exe[584] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0198
.text C:\Program Files\Kontiki\KService.exe[584] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C0030
.text C:\Program Files\Kontiki\KService.exe[584] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C006C
.text C:\Program Files\Kontiki\KService.exe[584] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C00A8
.text C:\Program Files\Kontiki\KService.exe[584] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D00E4
.text C:\Program Files\Kontiki\KService.exe[584] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0120
.text C:\Program Files\Kontiki\KService.exe[584] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D00A8
.text C:\Program Files\Kontiki\KService.exe[584] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D0030
.text C:\Program Files\Kontiki\KService.exe[584] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D006C
.text C:\xampp\xampp_service_mercury.exe[656] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00150030
.text C:\xampp\xampp_service_mercury.exe[656] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0015006C
.text C:\xampp\xampp_service_mercury.exe[656] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C01D4
.text C:\xampp\xampp_service_mercury.exe[656] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\xampp\xampp_service_mercury.exe[656] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C00E4
.text C:\xampp\xampp_service_mercury.exe[656] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0120
.text C:\xampp\xampp_service_mercury.exe[656] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C015C
.text C:\xampp\xampp_service_mercury.exe[656] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0198
.text C:\xampp\xampp_service_mercury.exe[656] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C0030
.text C:\xampp\xampp_service_mercury.exe[656] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C006C
.text C:\xampp\xampp_service_mercury.exe[656] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C00A8
.text C:\xampp\xampp_service_mercury.exe[656] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D00E4
.text C:\xampp\xampp_service_mercury.exe[656] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0120
.text C:\xampp\xampp_service_mercury.exe[656] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D00A8
.text C:\xampp\xampp_service_mercury.exe[656] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D0030
.text C:\xampp\xampp_service_mercury.exe[656] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D006C
.text C:\xampp\MercuryMail\mercury.exe[708] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00150030
.text C:\xampp\MercuryMail\mercury.exe[708] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0015006C
.text C:\xampp\MercuryMail\mercury.exe[708] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C01D4
.text C:\xampp\MercuryMail\mercury.exe[708] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\xampp\MercuryMail\mercury.exe[708] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C00E4
.text C:\xampp\MercuryMail\mercury.exe[708] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0120
.text C:\xampp\MercuryMail\mercury.exe[708] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C015C
.text C:\xampp\MercuryMail\mercury.exe[708] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0198
.text C:\xampp\MercuryMail\mercury.exe[708] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C0030
.text C:\xampp\MercuryMail\mercury.exe[708] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C006C
.text C:\xampp\MercuryMail\mercury.exe[708] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C00A8
.text C:\xampp\MercuryMail\mercury.exe[708] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D00E4
.text C:\xampp\MercuryMail\mercury.exe[708] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0120
.text C:\xampp\MercuryMail\mercury.exe[708] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D00A8
.text C:\xampp\MercuryMail\mercury.exe[708] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D0030
.text C:\xampp\MercuryMail\mercury.exe[708] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D006C
.text C:\WINDOWS\system32\winlogon.exe[728] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00070030
.text C:\WINDOWS\system32\winlogon.exe[728] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0007006C
.text C:\WINDOWS\system32\winlogon.exe[728] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\winlogon.exe[728] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\winlogon.exe[728] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\winlogon.exe[728] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\winlogon.exe[728] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\winlogon.exe[728] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\winlogon.exe[728] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\winlogon.exe[728] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\winlogon.exe[728] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\winlogon.exe[728] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\winlogon.exe[728] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\winlogon.exe[728] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\winlogon.exe[728] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\WINDOWS\system32\services.exe[776] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\services.exe[776] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\services.exe[776] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\services.exe[776] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\services.exe[776] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\services.exe[776] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\services.exe[776] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\WINDOWS\system32\lsass.exe[788] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\lsass.exe[788] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\lsass.exe[788] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\lsass.exe[788] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\lsass.exe[788] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\lsass.exe[788] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\lsass.exe[788] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[844] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00140030
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[844] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0014006C
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[844] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003B01D4
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[844] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003B00E4
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[844] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003B0120
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[844] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003B015C
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[844] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003B0198
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[844] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003B0030
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[844] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003B006C
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[844] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003B00A8
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[844] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C00E4
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[844] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0120
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[844] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C00A8
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[844] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C0030
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[844] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C006C
.text C:\xampp\mysql\bin\mysqld.exe[856] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00150030
.text C:\xampp\mysql\bin\mysqld.exe[856] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0015006C
.text C:\xampp\mysql\bin\mysqld.exe[856] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C00E4
.text C:\xampp\mysql\bin\mysqld.exe[856] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0120
.text C:\xampp\mysql\bin\mysqld.exe[856] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C00A8
.text C:\xampp\mysql\bin\mysqld.exe[856] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C0030
.text C:\xampp\mysql\bin\mysqld.exe[856] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C006C
.text C:\xampp\mysql\bin\mysqld.exe[856] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003D01D4
.text C:\xampp\mysql\bin\mysqld.exe[856] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003D00E4
.text C:\xampp\mysql\bin\mysqld.exe[856] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003D0120
.text C:\xampp\mysql\bin\mysqld.exe[856] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003D015C
.text C:\xampp\mysql\bin\mysqld.exe[856] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003D0198
.text C:\xampp\mysql\bin\mysqld.exe[856] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003D0030
.text C:\xampp\mysql\bin\mysqld.exe[856] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003D006C
.text C:\xampp\mysql\bin\mysqld.exe[856] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003D00A8
.text C:\WINDOWS\system32\svchost.exe[972] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[972] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\svchost.exe[972] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\svchost.exe[972] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\svchost.exe[972] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\svchost.exe[972] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\svchost.exe[972] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[992] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00150030
.text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[992] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0015006C
.text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[992] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C01D4
.text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[992] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[992] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C00E4
.text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[992] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0120
.text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[992] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C015C
.text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[992] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0198
.text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[992] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C0030
.text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[992] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C006C
.text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[992] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C00A8
.text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[992] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D00E4
.text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[992] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0120
.text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[992] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D00A8
.text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[992] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D0030
.text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[992] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D006C
.text C:\WINDOWS\System32\svchost.exe[1008] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00090030
.text C:\WINDOWS\System32\svchost.exe[1008] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0009006C
.text C:\WINDOWS\System32\svchost.exe[1008] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\System32\svchost.exe[1008] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\System32\svchost.exe[1008] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\System32\svchost.exe[1008] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\System32\svchost.exe[1008] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\System32\svchost.exe[1008] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\System32\svchost.exe[1008] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\System32\svchost.exe[1008] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\System32\svchost.exe[1008] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\System32\svchost.exe[1008] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\System32\svchost.exe[1008] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\System32\svchost.exe[1008] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\System32\svchost.exe[1008] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\WINDOWS\system32\svchost.exe[1044] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[1044] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\svchost.exe[1044] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\svchost.exe[1044] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\svchost.exe[1044] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\svchost.exe[1044] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\svchost.exe[1044] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[1088] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00140030
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[1088] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0014006C
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[1088] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003B01D4
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[1088] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003B00E4
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[1088] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003B0120
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[1088] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003B015C
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[1088] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003B0198
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[1088] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003B0030
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[1088] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003B006C
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[1088] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003B00A8
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[1088] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C00E4
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[1088] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0120
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[1088] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C00A8
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[1088] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C0030
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[1088] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C006C
.text C:\xampp\apache\bin\httpd.exe[1112] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00090030
.text C:\xampp\apache\bin\httpd.exe[1112] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0009006C
.text C:\xampp\apache\bin\httpd.exe[1112] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003001D4
.text C:\xampp\apache\bin\httpd.exe[1112] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003000E4
.text C:\xampp\apache\bin\httpd.exe[1112] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300120
.text C:\xampp\apache\bin\httpd.exe[1112] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0030015C
.text C:\xampp\apache\bin\httpd.exe[1112] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300198
.text C:\xampp\apache\bin\httpd.exe[1112] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00300030
.text C:\xampp\apache\bin\httpd.exe[1112] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0030006C
.text C:\xampp\apache\bin\httpd.exe[1112] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003000A8
.text C:\xampp\apache\bin\httpd.exe[1112] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003100E4
.text C:\xampp\apache\bin\httpd.exe[1112] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310120
.text C:\xampp\apache\bin\httpd.exe[1112] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003100A8
.text C:\xampp\apache\bin\httpd.exe[1112] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00310030
.text C:\xampp\apache\bin\httpd.exe[1112] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0031006C
.text C:\WINDOWS\System32\svchost.exe[1152] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00090030
.text C:\WINDOWS\System32\svchost.exe[1152] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0009006C
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\System32\svchost.exe[1152] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\System32\svchost.exe[1152] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\System32\svchost.exe[1152] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\System32\svchost.exe[1152] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\System32\svchost.exe[1152] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1172] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00140030
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1172] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0014006C
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1172] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003B01D4
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1172] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003B00E4
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1172] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003B0120
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1172] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003B015C
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1172] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003B0198
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1172] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003B0030
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1172] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003B006C
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1172] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003B00A8
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1172] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C00E4
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1172] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0120
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1172] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C00A8
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1172] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C0030
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1172] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C006C
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1224] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00140030
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1224] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0014006C
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1224] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003B01D4
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1224] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003B00E4
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1224] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003B0120
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1224] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003B015C
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1224] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003B0198
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1224] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003B0030
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1224] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003B006C
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1224] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003B00A8
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1224] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C00E4
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1224] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0120
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1224] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C00A8
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1224] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C0030
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1224] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C006C
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1252] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00140030
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1252] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0014006C
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1252] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003B01D4
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1252] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003B00E4
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1252] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003B0120
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1252] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003B015C
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1252] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003B0198
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1252] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003B0030
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1252] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003B006C
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1252] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003B00A8
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1252] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C00E4
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1252] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0120
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1252] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C00A8
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1252] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C0030
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1252] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C006C
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1288] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00140030
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1288] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0014006C
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1288] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003B01D4
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1288] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003B00E4
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1288] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003B0120
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1288] ADVAPI32.dll!ChangeServiceConfig2A

#5 congokid

  • Topic Starter

  • Members
  • 30 posts
  • Location:London

Posted 20 March 2011 - 07:16 AM

Next bit of GMER.txt file
77E37101 5 Bytes JMP 003B015C
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1288] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003B0198
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1288] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003B0030
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1288] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003B006C
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1288] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003B00A8
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1288] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C00E4
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1288] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0120
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1288] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C00A8
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1288] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C0030
.text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[1288] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C006C
.text C:\WINDOWS\system32\svchost.exe[1424] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[1424] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\svchost.exe[1424] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\svchost.exe[1424] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\svchost.exe[1424] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\svchost.exe[1424] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\svchost.exe[1424] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\WINDOWS\system32\svchost.exe[1452] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[1452] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\svchost.exe[1452] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\svchost.exe[1452] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\svchost.exe[1452] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\svchost.exe[1452] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\svchost.exe[1452] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1508] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00150030
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1508] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0015006C
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1508] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C00E4
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1508] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0120
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1508] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C00A8
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1508] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C0030
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1508] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C006C
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1508] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003D01D4
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1508] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003D00E4
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1508] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003D0120
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1508] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003D015C
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1508] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003D0198
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1508] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003D0030
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1508] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003D006C
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1508] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003D00A8
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1576] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[1620] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00150030
.text C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[1620] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0015006C
.text C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[1620] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C00E4
.text C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[1620] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0120
.text C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[1620] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C00A8
.text C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[1620] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C0030
.text C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[1620] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C006C
.text C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[1620] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00E701D4
.text C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[1620] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00E700E4
.text C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[1620] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00E70120
.text C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[1620] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00E7015C
.text C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[1620] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00E70198
.text C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[1620] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00E70030
.text C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[1620] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 00E7006C
.text C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[1620] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00E700A8
.text C:\WINDOWS\System32\svchost.exe[1916] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00090030
.text C:\WINDOWS\System32\svchost.exe[1916] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0009006C
.text C:\WINDOWS\System32\svchost.exe[1916] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\System32\svchost.exe[1916] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\System32\svchost.exe[1916] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\System32\svchost.exe[1916] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\System32\svchost.exe[1916] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\System32\svchost.exe[1916] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\System32\svchost.exe[1916] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\System32\svchost.exe[1916] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\System32\svchost.exe[1916] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\System32\svchost.exe[1916] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 006C000A
.text C:\WINDOWS\System32\svchost.exe[1916] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\System32\svchost.exe[1916] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\System32\svchost.exe[1916] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\System32\svchost.exe[1916] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\WINDOWS\System32\svchost.exe[1916] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00B5000A
.text C:\WINDOWS\system32\spoolsv.exe[1988] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\spoolsv.exe[1988] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\spoolsv.exe[1988] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\spoolsv.exe[1988] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\spoolsv.exe[1988] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\spoolsv.exe[1988] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\spoolsv.exe[1988] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\spoolsv.exe[1988] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\spoolsv.exe[1988] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\spoolsv.exe[1988] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\spoolsv.exe[1988] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\spoolsv.exe[1988] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\spoolsv.exe[1988] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\spoolsv.exe[1988] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\spoolsv.exe[1988] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\WINDOWS\system32\stacsv.exe[2084] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00140030
.text C:\WINDOWS\system32\stacsv.exe[2084] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0014006C
.text C:\WINDOWS\system32\stacsv.exe[2084] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003B01D4
.text C:\WINDOWS\system32\stacsv.exe[2084] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003B00E4
.text C:\WINDOWS\system32\stacsv.exe[2084] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003B0120
.text C:\WINDOWS\system32\stacsv.exe[2084] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003B015C
.text C:\WINDOWS\system32\stacsv.exe[2084] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003B0198
.text C:\WINDOWS\system32\stacsv.exe[2084] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003B0030
.text C:\WINDOWS\system32\stacsv.exe[2084] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003B006C
.text C:\WINDOWS\system32\stacsv.exe[2084] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003B00A8
.text C:\WINDOWS\system32\stacsv.exe[2084] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C00E4
.text C:\WINDOWS\system32\stacsv.exe[2084] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0120
.text C:\WINDOWS\system32\stacsv.exe[2084] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C00A8
.text C:\WINDOWS\system32\stacsv.exe[2084] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C0030
.text C:\WINDOWS\system32\stacsv.exe[2084] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C006C
.text C:\WINDOWS\system32\svchost.exe[2216] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[2216] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[2216] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\svchost.exe[2216] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\svchost.exe[2216] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\svchost.exe[2216] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\svchost.exe[2216] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\svchost.exe[2216] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\svchost.exe[2216] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\svchost.exe[2216] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\svchost.exe[2216] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\svchost.exe[2216] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\svchost.exe[2216] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\svchost.exe[2216] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\svchost.exe[2216] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2276] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00140030
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2276] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0014006C
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2276] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003B00E4
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2276] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003B0120
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2276] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003B00A8
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2276] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003B0030
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2276] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003B006C
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2276] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C01D4
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2276] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2276] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C00E4
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2276] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0120
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2276] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C015C
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2276] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0198
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2276] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C0030
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2276] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C006C
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2276] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C00A8
.text C:\WINDOWS\system32\rundll32.exe[2288] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\rundll32.exe[2288] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\rundll32.exe[2288] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\rundll32.exe[2288] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\rundll32.exe[2288] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\rundll32.exe[2288] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\rundll32.exe[2288] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\rundll32.exe[2288] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002F01D4
.text C:\WINDOWS\system32\rundll32.exe[2288] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\rundll32.exe[2288] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\rundll32.exe[2288] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002F015C
.text C:\WINDOWS\system32\rundll32.exe[2288] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002F0198
.text C:\WINDOWS\system32\rundll32.exe[2288] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\rundll32.exe[2288] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002F006C
.text C:\WINDOWS\system32\rundll32.exe[2288] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002F00A8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2356] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00140030
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2356] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0014006C
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2356] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003B00E4
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2356] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003B0120
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2356] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003B00A8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2356] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003B0030
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2356] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003B006C
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2356] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C01D4
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2356] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2356] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C00E4
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2356] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0120
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2356] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C015C
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2356] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0198
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2356] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C0030
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2356] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C006C
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2356] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C00A8
.text C:\Program Files\Dell\QuickSet\quickset.exe[2416] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00140030
.text C:\Program Files\Dell\QuickSet\quickset.exe[2416] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0014006C
.text C:\Program Files\Dell\QuickSet\quickset.exe[2416] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003D01D4
.text C:\Program Files\Dell\QuickSet\quickset.exe[2416] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003D00E4
.text C:\Program Files\Dell\QuickSet\quickset.exe[2416] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003D0120
.text C:\Program Files\Dell\QuickSet\quickset.exe[2416] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003D015C
.text C:\Program Files\Dell\QuickSet\quickset.exe[2416] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003D0198
.text C:\Program Files\Dell\QuickSet\quickset.exe[2416] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003D0030
.text C:\Program Files\Dell\QuickSet\quickset.exe[2416] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003D006C
.text C:\Program Files\Dell\QuickSet\quickset.exe[2416] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003D00A8
.text C:\Program Files\Dell\QuickSet\quickset.exe[2416] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003E00E4
.text C:\Program Files\Dell\QuickSet\quickset.exe[2416] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003E0120
.text C:\Program Files\Dell\QuickSet\quickset.exe[2416] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003E00A8
.text C:\Program Files\Dell\QuickSet\quickset.exe[2416] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003E0030
.text C:\Program Files\Dell\QuickSet\quickset.exe[2416] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003E006C
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2436] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00140030
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2436] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0014006C
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2436] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003B00E4
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2436] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003B0120
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2436] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003B00A8
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2436] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003B0030
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2436] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003B006C
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2436] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C01D4
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2436] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2436] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C00E4
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2436] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0120
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2436] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C015C
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2436] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0198
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2436] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C0030
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2436] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C006C
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2436] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C00A8
.text C:\WINDOWS\stsystra.exe[3392] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00140030
.text C:\WINDOWS\stsystra.exe[3392] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0014006C
.text C:\WINDOWS\stsystra.exe[3392] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003B00E4
.text C:\WINDOWS\stsystra.exe[3392] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003B0120
.text C:\WINDOWS\stsystra.exe[3392] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003B00A8
.text C:\WINDOWS\stsystra.exe[3392] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003B0030
.text C:\WINDOWS\stsystra.exe[3392] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003B006C
.text C:\WINDOWS\stsystra.exe[3392] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C01D4
.text C:\WINDOWS\stsystra.exe[3392] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\WINDOWS\stsystra.exe[3392] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C00E4
.text C:\WINDOWS\stsystra.exe[3392] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0120
.text C:\WINDOWS\stsystra.exe[3392] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C015C
.text C:\WINDOWS\stsystra.exe[3392] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0198
.text C:\WINDOWS\stsystra.exe[3392] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C0030
.text C:\WINDOWS\stsystra.exe[3392] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C006C
.text C:\WINDOWS\stsystra.exe[3392] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C00A8
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3576] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00140030
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3576] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0014006C
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3576] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003B01D4
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3576] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003B00E4
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3576] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003B0120
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3576] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003B015C
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3576] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003B0198
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3576] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003B0030
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3576] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003B006C
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3576] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003B00A8
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3576] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C00E4
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3576] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0120
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3576] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C00A8
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3576] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C0030
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3576] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C006C
.text C:\Program Files\Softissimo\Collins Internet-Linked Dictionary\exe\L-Express.exe[3668] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00140030
.text C:\Program Files\Softissimo\Collins Internet-Linked Dictionary\exe\L-Express.exe[3668] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0014006C
.text C:\Program Files\Softissimo\Collins Internet-Linked Dictionary\exe\L-Express.exe[3668] ADVAPI32.DLL!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003F01D4
.text C:\Program Files\Softissimo\Collins Internet-Linked Dictionary\exe\L-Express.exe[3668] ADVAPI32.DLL!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003F00E4
.text C:\Program Files\Softissimo\Collins Internet-Linked Dictionary\exe\L-Express.exe[3668] ADVAPI32.DLL!ChangeServiceConfigW 77E37001 5 Bytes JMP 003F0120
.text C:\Program Files\Softissimo\Collins Internet-Linked Dictionary\exe\L-Express.exe[3668] ADVAPI32.DLL!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003F015C
.text C:\Program Files\Softissimo\Collins Internet-Linked Dictionary\exe\L-Express.exe[3668] ADVAPI32.DLL!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003F0198
.text C:\Program Files\Softissimo\Collins Internet-Linked Dictionary\exe\L-Express.exe[3668] ADVAPI32.DLL!CreateServiceA 77E37211 5 Bytes JMP 003F0030
.text C:\Program Files\Softissimo\Collins Internet-Linked Dictionary\exe\L-Express.exe[3668] ADVAPI32.DLL!CreateServiceW 77E373A9 5 Bytes JMP 003F006C
.text C:\Program Files\Softissimo\Collins Internet-Linked Dictionary\exe\L-Express.exe[3668] ADVAPI32.DLL!DeleteService 77E374B1 5 Bytes JMP 003F00A8
.text C:\Program Files\Softissimo\Collins Internet-Linked Dictionary\exe\L-Express.exe[3668] USER32.DLL!SetWindowsHookExW 7E42820F 5 Bytes JMP 004100E4
.text C:\Program Files\Softissimo\Collins Internet-Linked Dictionary\exe\L-Express.exe[3668] USER32.DLL!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00410120
.text C:\Program Files\Softissimo\Collins Internet-Linked Dictionary\exe\L-Express.exe[3668] USER32.DLL!SetWindowsHookExA 7E431211 5 Bytes JMP 004100A8
.text C:\Program Files\Softissimo\Collins Internet-Linked Dictionary\exe\L-Express.exe[3668] USER32.DLL!SetWinEventHook 7E4317F7 5 Bytes JMP 00410030
.text C:\Program Files\Softissimo\Collins Internet-Linked Dictionary\exe\L-Express.exe[3668] USER32.DLL!UnhookWinEvent 7E4318AC 5 Bytes JMP 0041006C
.text C:\WINDOWS\Explorer.EXE[3748] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00090030
.text C:\WINDOWS\Explorer.EXE[3748] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0009006C
.text C:\WINDOWS\Explorer.EXE[3748] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003601D4
.text C:\WINDOWS\Explorer.EXE[3748] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003600E4
.text C:\WINDOWS\Explorer.EXE[3748] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00360120
.text C:\WINDOWS\Explorer.EXE[3748] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0036015C
.text C:\WINDOWS\Explorer.EXE[3748] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00360198
.text C:\WINDOWS\Explorer.EXE[3748] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00360030
.text C:\WINDOWS\Explorer.EXE[3748] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0036006C
.text C:\WINDOWS\Explorer.EXE[3748] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003600A8
.text C:\WINDOWS\Explorer.EXE[3748] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003700E4
.text C:\WINDOWS\Explorer.EXE[3748] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00370120
.text C:\WINDOWS\Explorer.EXE[3748] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003700A8
.text C:\WINDOWS\Explorer.EXE[3748] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00370030
.text C:\WINDOWS\Explorer.EXE[3748] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0037006C
.text C:\Program Files\Dell Support\DSAgnt.exe[3848] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00150030
.text C:\Program Files\Dell Support\DSAgnt.exe[3848] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0015006C
.text C:\Program Files\Dell Support\DSAgnt.exe[3848] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C01D4
.text C:\Program Files\Dell Support\DSAgnt.exe[3848] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\Dell Support\DSAgnt.exe[3848] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C00E4
.text C:\Program Files\Dell Support\DSAgnt.exe[3848] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0120

Last bit of GMER.txt file

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp mdvrmng.sys

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86B60AEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 86B60AEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 86B60AEA

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp mdvrmng.sys
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK8034GSX_______________________AH301D__#5&2ad6debd&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060afb515
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060afb515@001620ae3e8c 0xE9 0x01 0x9D 0x25 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060afb515@0021fbd67330 0xAC 0xAD 0x77 0xBE ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001060afb515 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001060afb515@001620ae3e8c 0xE9 0x01 0x9D 0x25 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001060afb515@0021fbd67330 0xAC 0xAD 0x77 0xBE ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\C6B56403F35B1A94E9AB3A1F78DA05E2\Usage@SoleFeature 1047830515

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\colm\My Documents\work\CLIENTS\EMOTIONALBUZZ\OLDS\17-11 02 OLD AAMET Buzz site\RESOURCES - NOT FOR UPLOAD\TEMPLATES & CODE SAMPLES\SAMPLE SITES\tapping\Tapping.com - Free EFT Videos - Emotional Freedom Technique_files\5958460266411651546_data\Tappingcom.jpg 15071 bytes
File C:\WINDOWS\system32\DRIVERS\kbdclass.sys suspicious modification; TDL3 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

#6 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 20 March 2011 - 10:22 AM

congokid:

Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Any underlined text in my posts indicates a clickable link.
  • If you have any questions at all, please stop and ask before proceeding.
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#7 congokid (Topic Starter, Members, 30 posts, Location: London)

Posted 20 March 2011 - 11:39 AM

As you mentioned, ComboFix checked to see if the Microsoft Windows Recovery Console is installed on my laptop, and it doesn't appear to be.

Unfortunately, I can't download and install the Microsoft Windows Recovery Console as my laptop has no internet connectivity (one of the original problems I described).

I've taken a look at the Microsoft guide to install and use the recovery console at this link:
http://support.microsoft.com/kb/307654

Microsoft suggests loading it from the Windows XP CD. I've put in the original disk I got with the laptop and used this path:
e:\i386\winnt32.exe /cmdcons

However, this just brings up a Windows help dialog box listing all the various things I can do, such as install the recovery console, but I can't get any further.

#8 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 20 March 2011 - 12:15 PM

Go ahead and ignore that warning and let ComboFix proceed without the Recovery Console install.



#9 congokid (Topic Starter, Members, 30 posts, Location: London)

Posted 20 March 2011 - 12:40 PM

OK - I clicked 'no' when it asked to download and install the recovery console.

A few minutes later, a little box opened that said something like 'Rootkit infection detected', with an option to click OK.

I clicked OK, and now there's another box with
'Combofix has detected the presence of rootkit activity and needs to reboot the machine'

and there's a button to click 'OK'.

Shall I go ahead with this?

#10 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 20 March 2011 - 12:47 PM

Yes, please do.



#11 congokid (Topic Starter, Members, 30 posts, Location: London)

Posted 20 March 2011 - 01:49 PM

ComboFix 11-03-19.04 - colm 20/03/2011 17:54:04.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.515 [GMT 0:00]
Running from: c:\documents and settings\colm\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\notepad.exe.orig
c:\windows\system32\notepad.exe.orig
.
Infected copy of c:\windows\system32\drivers\kbdclass.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2011-02-20 to 2011-03-20 )))))))))))))))))))))))))))))))
.
.
2011-03-15 11:13 . 2011-02-23 14:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-03-14 13:23 . 2011-03-14 13:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-03-14 13:10 . 2011-03-14 13:10 -------- d-----w- c:\documents and settings\colm\Application Data\SUPERAntiSpyware.com
2011-03-14 10:38 . 2011-03-14 10:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-03-14 10:36 . 2011-03-14 10:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-23 15:04 . 2010-08-04 18:13 40648 ----a-w- c:\windows\avastSS.scr
2011-02-23 15:04 . 2007-02-13 16:05 190016 ----a-w- c:\windows\system32\aswBoot.exe
2011-02-23 14:56 . 2008-03-30 15:29 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-02-23 14:55 . 2007-02-13 16:05 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-02-23 14:55 . 2007-02-13 16:05 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-02-23 14:55 . 2007-02-13 16:05 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-02-23 14:55 . 2007-02-13 16:05 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-02-23 14:54 . 2007-02-13 16:05 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-02-23 14:54 . 2008-03-30 15:29 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
"ILO_Office_Manager"="IntEdReg.exe" [2002-10-15 53760]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-10-13 20058152]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Intense Registry Service"="IntEdReg.exe" [2002-10-15 53760]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-30 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-30 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-02-23 3451496]
"QuickTime Task"="c:\program files\QuickTime Alternative\QTTask.exe" [2010-03-17 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\Sitecom\Bluetooth Software\BTTray.exe [2004-10-1 565309]
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-10-12 7168]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
iFinger 2.0.lnk - c:\program files\iFinger\iFinger.exe [2006-10-17 1597440]
Lexibase Express.lnk - c:\program files\Softissimo\Collins Internet-Linked Dictionary\exe\L-Express.exe [2006-10-19 61440]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Free FTP\\FreeFTP.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [15/03/2011 11:13 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [30/03/2008 15:29 301528]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [29/09/2009 20:00 24640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [30/03/2008 15:29 19544]
R2 BecHelperService;BecHelperService;c:\program files\3 Mobile Broadband\3Connect\BecHelperService.exe [07/06/2010 20:05 1737464]
R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [12/01/2006 21:27 13696]
R2 Mercury;Mercury;c:\xampp\xampp_service_mercury.exe [29/09/2009 20:00 73728]
R2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [12/01/2006 21:29 13568]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [07/06/2010 14:55 100736]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [14/04/2009 10:30 103168]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = htt;
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061012
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\colm\Application Data\Mozilla\Firefox\Profiles\h1g56uof.default\
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en|http://www.facebook.com/colm.devlin#/home.php?ref=home
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-News Scroller Wizard - e:\emotionalbuzz\RESOURCES - NOT FOR UPLOAD\TEMPLATES & CODE SAMPLES\GIZMOS\DYNAMIC NEWS SCROLLER\News Scroller Wizard\uninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-20 18:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\`* ∆]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\Ť*x* ]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(728)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-03-20 18:22:36
ComboFix-quarantined-files.txt 2011-03-20 18:22
.
Pre-Run: 16,713,273,344 bytes free
Post-Run: 17,028,812,800 bytes free
.
- - End Of File - - 1B202A90947230380243469A47BA228B

#12 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 20 March 2011 - 02:14 PM

congokid:

Are you able to connect to the internet now? Please do this next:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above DDS::

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • ComboFix log
  • MBAM log

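Two indicators in this thread are worth being able to spot mechanically: the GMER "File ... suspicious modification; TDL3 <-- ROOTKIT" line against kbdclass.sys near the top of this page, and the per-user "uInternet Settings,ProxyServer = http=127.0.0.1:5555" entry that the CFScript in the post above removes. The helper below is an added example written for this thread; it is not code from the thread, from ComboFix or from GMER. It assumes the line formats shown in the logs above (the DDS/ComboFix convention of a leading "u" for current-user and "m" for machine-wide entries, and GMER's "<-- ROOTKIT" marker), and the two sample logs in it are constructed from lines in this thread's pre-fix and post-fix output.

```python
"""Triage helper for GMER / DDS / ComboFix-style text logs (added example).

Flags a GMER '<-- ROOTKIT' file line, a ComboFix 'Infected copy ... disinfected'
line, and an Internet Settings proxy that points at the loopback address.
"""
from ipaddress import ip_address

# Constructed samples modelled on the pre-fix and post-fix logs posted in this thread.
LOG_BEFORE = r"""
File C:\WINDOWS\system32\DRIVERS\kbdclass.sys suspicious modification; TDL3 <-- ROOTKIT !!!
Infected copy of c:\windows\system32\drivers\kbdclass.sys was found and disinfected
uStart Page = htt;
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
FF - prefs.js: network.proxy.type - 0
"""
LOG_AFTER = r"""
uStart Page = htt;
uSearchAssistant = hxxp://www.google.com/ie
FF - prefs.js: network.proxy.type - 0
"""


def parse_rootkit_line(line):
    """GMER 'File <path> suspicious ... <-- ROOTKIT' -> (path, reason); None otherwise."""
    if not line.startswith("File ") or "<-- ROOTKIT" not in line:
        return None
    head = line.partition("<-- ROOTKIT")[0].strip()
    path, sep, why = head[len("File "):].partition(" suspicious ")
    return path.strip(), ("suspicious " + why).strip() if sep else "flagged by GMER"


def parse_proxy_value(value):
    """Split 'http=127.0.0.1:5555;https=host:port' or a bare 'host[:port]' into (scheme, host, port)."""
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")      # '' scheme means "all protocols"
        host, sep, port = hostport.rpartition(":")
        if not sep:                                     # no port given
            host, port = hostport, ""
        entries.append((scheme or "*", host.strip("[]"), int(port) if port.isdigit() else None))
    return entries


def is_loopback_host(host):
    """True for localhost, 127.0.0.0/8 or ::1; hostnames that are not addresses are not loopback."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def triage(log_text):
    """Return [(severity, line_no, reason)] for the indicators this helper knows about."""
    findings = []
    for no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        hit = parse_rootkit_line(line)
        if hit:
            findings.append(("critical", no, f"rootkit-patched file {hit[0]} ({hit[1]})"))
            continue
        if line.startswith("Infected copy of ") and " was found and disinfected" in line:
            path = line[len("Infected copy of "):].partition(" was found")[0]
            findings.append(("info", no, f"tool reports {path} disinfected; confirm with a rescan"))
            continue
        key, sep, value = line.partition("=")           # split at the first '=' only
        if sep and key.strip().endswith("Internet Settings,ProxyServer"):
            scope = "HKCU" if key.startswith("u") else "HKLM"   # DDS/ComboFix u/m prefix (assumed)
            for scheme, host, port in parse_proxy_value(value.strip()):
                if is_loopback_host(host):
                    findings.append(("high", no, f"{scope} {scheme} proxy points at loopback {host}:{port}"))
                else:
                    findings.append(("info", no, f"{scope} {scheme} proxy set to {host}:{port}"))
    return findings


def resolved(before, after):
    """Reasons flagged in the pre-fix log that no longer appear in the post-fix log."""
    still_present = {reason for _, _, reason in triage(after)}
    return [reason for _, _, reason in triage(before) if reason not in still_present]


if __name__ == "__main__":
    for sev, no, reason in triage(LOG_BEFORE):
        print(f"[{sev:8}] line {no}: {reason}")
    print("resolved after fix:", *resolved(LOG_BEFORE, LOG_AFTER), sep="\n  ")
```

Run it against a saved ComboFix.txt or GMER log by passing the file contents to `triage()`. A proxy entry pointing at 127.0.0.1 on a machine that runs no local proxy software is exactly the setting the CFScript above clears: once the component that listened on that port is gone, browser requests through the proxy have nowhere to go, which is one way a partly removed infection leaves a machine without web access. `resolved()` compares the pre-fix and post-fix logs so the disappearance of the finding is checked rather than assumed.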


#13 congokid (Topic Starter, Members, 30 posts, Location: London)

Posted 20 March 2011 - 02:28 PM

I use Notepad2 on the laptop - I take it this won't work?

Internet connectivity has returned, by the way.

#14 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 20 March 2011 - 02:38 PM

You can give it a try. Just make sure to save the file exactly as shown.



#15 congokid (Topic Starter, Members, 30 posts, Location: London)

Posted 20 March 2011 - 05:17 PM

ComboFix 11-03-19.04 - colm 20/03/2011 19:49:59.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.476 [GMT 0:00]
Running from: c:\documents and settings\colm\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\colm\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-20 to 2011-03-20 )))))))))))))))))))))))))))))))
.
.
2011-03-20 19:32 . 2011-03-20 19:32 -------- d-----w- c:\windows\LastGood
2011-03-15 11:13 . 2011-02-23 14:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-03-14 13:23 . 2011-03-14 13:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-03-14 13:10 . 2011-03-14 13:10 -------- d-----w- c:\documents and settings\colm\Application Data\SUPERAntiSpyware.com
2011-03-14 10:38 . 2011-03-14 10:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-03-14 10:36 . 2011-03-14 10:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-23 15:04 . 2010-08-04 18:13 40648 ----a-w- c:\windows\avastSS.scr
2011-02-23 15:04 . 2007-02-13 16:05 190016 ----a-w- c:\windows\system32\aswBoot.exe
2011-02-23 14:56 . 2008-03-30 15:29 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-02-23 14:55 . 2007-02-13 16:05 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-02-23 14:55 . 2007-02-13 16:05 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-02-23 14:55 . 2007-02-13 16:05 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-02-23 14:55 . 2007-02-13 16:05 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-02-23 14:54 . 2007-02-13 16:05 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-02-23 14:54 . 2008-03-30 15:29 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-20_18.15.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-20 19:19 . 2011-03-20 19:19 16384 c:\windows\Temp\Perflib_Perfdata_248.dat
+ 2011-03-20 19:19 . 2011-03-20 19:19 16384 c:\windows\Temp\Perflib_Perfdata_228.dat
+ 2004-08-10 11:51 . 2011-03-20 19:24 72134 c:\windows\system32\perfc009.dat
- 2004-08-10 11:51 . 2011-03-20 17:55 72134 c:\windows\system32\perfc009.dat
+ 2004-08-10 11:51 . 2011-03-20 19:24 443034 c:\windows\system32\perfh009.dat
- 2004-08-10 11:51 . 2011-03-20 17:55 443034 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
"ILO_Office_Manager"="IntEdReg.exe" [2002-10-15 53760]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-10-13 20058152]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Intense Registry Service"="IntEdReg.exe" [2002-10-15 53760]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-30 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-30 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-02-23 3451496]
"QuickTime Task"="c:\program files\QuickTime Alternative\QTTask.exe" [2010-03-17 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\Sitecom\Bluetooth Software\BTTray.exe [2004-10-1 565309]
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-10-12 7168]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
iFinger 2.0.lnk - c:\program files\iFinger\iFinger.exe [2006-10-17 1597440]
Lexibase Express.lnk - c:\program files\Softissimo\Collins Internet-Linked Dictionary\exe\L-Express.exe [2006-10-19 61440]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Free FTP\\FreeFTP.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [15/03/2011 11:13 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [30/03/2008 15:29 301528]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [29/09/2009 20:00 24640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [30/03/2008 15:29 19544]
R2 BecHelperService;BecHelperService;c:\program files\3 Mobile Broadband\3Connect\BecHelperService.exe [07/06/2010 20:05 1737464]
R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [12/01/2006 21:27 13696]
R2 Mercury;Mercury;c:\xampp\xampp_service_mercury.exe [29/09/2009 20:00 73728]
R2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [12/01/2006 21:29 13568]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [07/06/2010 14:55 100736]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [14/04/2009 10:30 103168]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = htt;
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061012
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\colm\Application Data\Mozilla\Firefox\Profiles\h1g56uof.default\
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en|http://www.facebook.com/colm.devlin#/home.php?ref=home
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-20 19:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\`* ∆]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\Ť*x* ]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(724)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1816)
c:\windows\system32\WININET.dll
c:\program files\Softissimo\Collins Internet-Linked Dictionary\exe\hkey.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Sitecom\Bluetooth Software\btkeyind.dll
c:\windows\system32\hccutils.DLL
c:\program files\Dell\QuickSet\dadkeyb.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
c:\progra~1\MICROS~3\Office10\MCPS.DLL
.
Completion time: 2011-03-20 20:02:18
ComboFix-quarantined-files.txt 2011-03-20 20:02
ComboFix2.txt 2011-03-20 18:22
.
Pre-Run: 16,687,329,280 bytes free
Post-Run: 16,679,727,104 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 69AEBACD6EF2850A3BBD91955A808526

MBAM log

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6113

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

20/03/2011 22:16:14
mbam-log-2011-03-20 (22-16-14).txt

Scan type: Quick scan
Objects scanned: 166705
Time elapsed: 5 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

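Added example (this is not part of congokid's post, nor Malwarebytes' own code): a small parser for the MBAM 1.50 log format pasted above, of the kind a helper triaging these threads might use. It splits the header, the summary counts and the per-category detail sections, cross-checks the claimed counts against the entries actually listed, and pulls out any proxy-related hit such as the PUM.Bad.Proxy ProxyServer value that MBAM quarantined here. SAMPLE_LOG is a constructed, trimmed copy of the format on the page; the function and class names are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the MBAM 1.50 log format shown in the post.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6113

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

20/03/2011 22:16:14
mbam-log-2011-03-20 (22-16-14).txt

Scan type: Quick scan
Objects scanned: 166705
Time elapsed: 5 minute(s), 30 second(s)

Memory Processes Infected: 0
Registry Values Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# "Registry Values Infected: 1" is a summary count; "Registry Values Infected:" opens a detail section.
SUMMARY_RE = re.compile(r"^(?P<category>.+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<category>.+ Infected):$")
# <location> (<classification>) -> <detail> -> <action>
DETAIL_RE = re.compile(r"^(?P<location>.+?) \((?P<classification>[^()]+)\) -> (?P<rest>.+)$")


@dataclass
class Detection:
    category: str
    location: str
    classification: str
    detail: str
    action: str


@dataclass
class MbamReport:
    header: dict = field(default_factory=dict)
    summary: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)


def parse_mbam_log(text):
    """Parse an MBAM 1.x text log into header fields, summary counts and detections."""
    report = MbamReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None          # a blank line closes the current detail section
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("category")
            continue
        if section is not None:
            if line.startswith("(No malicious items detected)"):
                continue
            d = DETAIL_RE.match(line)
            if d:
                parts = [p.strip() for p in d.group("rest").split(" -> ")]
                detail = parts[0] if len(parts) > 1 else ""
                report.detections.append(Detection(
                    section, d.group("location"), d.group("classification"), detail, parts[-1]))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.summary[m.group("category")] = int(m.group("count"))
            continue
        if ": " in line:            # remaining "Key: value" header lines
            key, _, value = line.partition(": ")
            report.header[key] = value
    return report


def summary_mismatches(report):
    """Categories whose claimed count differs from the entries listed (a sign of a truncated paste)."""
    found = {}
    for d in report.detections:
        found[d.category] = found.get(d.category, 0) + 1
    return {cat: (claimed, found.get(cat, 0))
            for cat, claimed in report.summary.items() if claimed != found.get(cat, 0)}


def proxy_hijacks(report):
    """Detections touching WinINet proxy settings, the usual cause of browser redirects."""
    return [d for d in report.detections
            if d.classification.startswith("PUM.Bad.Proxy")
            or d.location.lower().endswith(r"internet settings\proxyserver")]
```

Running it on the sample gives one detection (PUM.Bad.Proxy on HKCU\...\Internet Settings\ProxyServer) with no count mismatches; when triaging a real log, a non-empty result from summary_mismatches usually means the poster pasted an incomplete log.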