
Error: 0xC004D401


  • This topic is locked
10 replies to this topic

#1 c410berry


Posted 04 May 2011 - 10:28 PM

I have a box popping up which says "An unauthorized change was made to Windows" and "Error:0xC004D401". Since this started, I can not print from Internet Explorer. I also can not open the Control Panel. I haven't noticed any other performance issues.

Is this a virus or another problem? What should I do next?

Thank you



#2 cryptodan


Posted 04 May 2011 - 11:20 PM

Hello,

And welcome to BleepingComputer.com. Before we can assist you with your question of "Am I infected?", you will need to perform the following tasks and post the logs of each if you can.

Malwarebytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


SUPERAntiSpyware:

Please download and scan with SUPERAntiSpyware Free

  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

Instructions:

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Now GMER

GMER does not work in 64bit Mode!!!!!!

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.



#3 c410berry


Posted 04 May 2011 - 11:59 PM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6509

Windows 6.0.6000
Internet Explorer 7.0.6000.17037

5/5/2011 12:56:50 AM
mbam-log-2011-05-05 (00-56-50).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 291863
Time elapsed: 1 hour(s), 14 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 20
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{D518921A-4A03-425E-9873-B9A71756821E} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Doing the next step you advised now...

#4 c410berry


Posted 05 May 2011 - 05:13 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/05/2011 at 03:24 AM

Application Version : 4.51.1000

Core Rules Database Version : 6992
Trace Rules Database Version: 4804

Scan type : Complete Scan
Total Scan Time : 01:36:21

Memory items scanned : 268
Memory threats detected : 0
Registry items scanned : 8548
Registry threats detected : 60
File items scanned : 152883
File threats detected : 388

Adware.CouponBar

Adware.Tracking Cookie
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@amex-insights[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@andomedia[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@apmebf[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@ar.atwola[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@articleclick[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@associatedcontent.112.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@at.atwola[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@atdmt[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@atwola[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@avgtechnologies.112.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@babynamescountry[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@banners.facebookofsex[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@bazumedia[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@beacon.dmsinsights[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@beta-ads.ace.advertising[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@bizrate[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@bs.serving-sys[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@burstbeacon[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@burstnet[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@care2.112.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@casalemedia[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@cbi.122.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@centralmediaserver[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@cfbillpay41.digitalinsight[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@chitika[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@citi.bridgetrack[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@citygridmedia[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@claycountyfair[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@clickfuse[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@cn.clickable[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@collective-media[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@comcast.112.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@commission-junction[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@commonsensemedia[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@content.yieldmanager[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@content.yieldmanager[3].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@countrycrock[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@countryhome[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@countyfloors[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@crackberry[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@csc.112.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@csm.rotator.hadj7.adjuggler[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@d.coedmediagroup[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@d.mediaforge[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@data.coremetrics[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@dc.tremormedia[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@dealtime[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@demandwarecrocs.112.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@discountednewspapers[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@discounttire.122.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@discounttire[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@discount[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@dmedia.122.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@dmtracker[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@doubleclick[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@e-2dj6aekignazofp.stats.esomniture[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@e-2dj6aekoskdzglp.stats.esomniture[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@e-2dj6wdkooicpwbp.stats.esomniture[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@e-2dj6wfligpdjako.stats.esomniture[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@e-2dj6wjk4klcjifp.stats.esomniture[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@e-2dj6wjkowjazwdo.stats.esomniture[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@e-2dj6wjkysicpafo.stats.esomniture[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@e-2dj6wjliohcpcdp.stats.esomniture[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@e-2dj6wjlyomczibq.stats.esomniture[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@e-2dj6wjny-1id5ec.stats.esomniture[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@e-2dj6wjnyciazigp.stats.esomniture[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@e-2dj6wjnycnczwlq.stats.esomniture[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@e-2dj6wjnyogd5efp.stats.esomniture[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@e-2dj6wjnysmc5shq.stats.esomniture[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@e-2dj6wnl4ohczibp.stats.esomniture[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@eas.apm.emediate[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@edge.ru4[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@edgeadx[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@ehg-nelnetinc.hitbox[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@ehg-nestleusainc.hitbox[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@ero-advertising[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@eyewonder[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@f2network.112.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@facebookofsex[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@fastclick[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@findarticles[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@findlegalforms[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@forums.crackberry[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@gscounters.gigya[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@harpo.122.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@hitbox[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@imrworldwide[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@in.getclicky[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@insightexpressai[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@interclick[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@intermundomedia[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@invitemedia[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@jcwhitney.112.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@kanoodle[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@kontera[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@leads.specificmedia[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@legolas-media[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@lfstmedia[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@linksynergy.walmart[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@linksynergy[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@livenation.122.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@liveperson[11].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@liveperson[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@liveperson[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@liveperson[3].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@liveperson[4].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@liveperson[5].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@liveperson[6].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@liveperson[7].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@liveperson[8].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@liveperson[9].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@lm.logicalmedia[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@lucidmedia[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@media.adfrontiers[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@media.causes[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@media.ford[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@media.photobucket[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@media.rismedia[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@media2.legacy[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@media6degrees[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@mediabrandsww[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@mediaforge[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@mediaite[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@mediamatters[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@mediaplex[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@mediawebmonster[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@microsoftsto.112.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@microsoftwindows.112.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@mm.chitika[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@myaccount.citygridmedia[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@mynortonaccount[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@naked[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@nestleusa.122.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@network.realmedia[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@newsletter.rismedia[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@oasc09.247realmedia[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@openads.rismedia[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@openx.rismedia[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@overture[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@paypal.112.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@pearson.122.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@pfizer.122.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@pointroll[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@porndad[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@pornhublive[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@pornless[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@pornstarspunishment[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@pro-market[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@pubads.g.doubleclick.media-centrix[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@pussies.topteens[3].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@qksrv[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@questionmarket[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@r1-ads.ace.advertising[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@realmedia[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@revenue[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@revsci[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@rismedia[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@robeez.122.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@rotator.adjuggler[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@ru4[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@s.clickability[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@sales.liveperson[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@sdctrack.thomasnet[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@server.iad.liveperson[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@serving-sys[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@sextubetop[3].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@singletracks[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@spafinder[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@specificclick[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@specificmedia[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@stat.dealtime[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@statcounter[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@static.freewebs.getclicky[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@stats.paypal[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@statse.webtrendslive[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@steelhousemedia[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@t.pointroll[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@tacoda.at.atwola[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@tacoda[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@tec.advertserve[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@teendvdclub[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@teenmegaworld[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@test.coremetrics[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@thefind[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@thomasvillefurniture.122.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@timeinc.122.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@tracking.dsmmadvantage[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@tracking.foxnews[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@tracking.hearthstoneonline[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@tracking.realtor[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@trackit.sitescout[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@tradedoubler[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@traffic.prod.cobaltgroup[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@trafficmp[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@traveladvertising[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@tribalfusion[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@tysonfoodsinc.122.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@valassis.112.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@walmart.112.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@webreports.digitalinsight[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@websitebiz.112.2o7[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.adultdvd[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.blowadvertising[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.burstbeacon[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.burstnet[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.claycountytax[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.clickmanage[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.commission-junction[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.commonsensemedia[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.coregmedia[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.coregmedia[3].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.counter160[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.countryhome[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.discounttire[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.findlegalforms[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.googleadservices[10].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.googleadservices[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.googleadservices[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.googleadservices[4].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.googleadservices[7].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.googleadservices[9].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.insightexpress[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.machinefinder[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.mediaite[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.mlsfinder[3].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.mynortonaccount[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.mynortonaccount[3].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.onetruemedia[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.online-media-stats[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.pixeltrack66[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.porndad[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.pornhublive[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.pornstarspunishment[2].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@www.qksrv[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@yieldmanager[1].txt
C:\Users\Bowman\AppData\Roaming\Microsoft\Windows\Cookies\Low\bowman@zedo[1].txt

Adware.MyWebSearch/FunWebProducts
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib#Version
HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}
HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid
HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid32
HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib
HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib#Version

Edited by c410berry, 05 May 2011 - 05:18 AM.


#5 cryptodan

Posted 05 May 2011 - 06:44 AM

Can you run a GMER scan?

#6 c410berry

Posted 05 May 2011 - 07:37 AM

Yes, here it is:

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-05 08:35:28
Windows 6.0.6000 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 ST3250820AS rev.3.CHL
Running: k281d62j.exe; Driver: C:\Users\Bowman\AppData\Local\Temp\kglyipoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x89DA3202]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8A6BBC48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x89DA57F0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x89DA5848]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x89DA595E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x89DA5746]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x89DA5898]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x89DA579A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x89DA590C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x89DA3226]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0x8A6C41AE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8A6BBCF8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x89DA2FF0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x89DA324A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x89DA5D56]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x89DA3CDA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x89DA5820]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x89DA5870]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x89DA5988]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x89DA5772]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0x8A6C40EA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x89DA58D8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x89DA57C8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0x8A6C4150]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x89DA5936]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8A6BBD90]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x89DA3BA0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x89DA326E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x89DA3292]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x89DA304A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x89DA3186]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x89DA3162]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x89DA31AA]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0x8A7A1620]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x89DA32B6]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8A6D1762]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 5B0 82081034 4 Bytes [EA, 40, 6C, 8A]
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 821BFD69 4 Bytes CALL 89DA434B \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 821C77DC 4 Bytes CALL 89DA4361 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 821F2D4B 5 Bytes JMP 8A6CD11E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 821F8882 5 Bytes JMP 8A6CEBBC \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 8221381D 7 Bytes JMP 8A6D1766 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text win32k.sys!EngMultiByteToUnicodeN + 2B73 92220FF7 5 Bytes JMP 89DA6440 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetRgnData + C9D 92224E6D 5 Bytes JMP 89DA6316 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngTransparentBlt + 4E6 92252D36 5 Bytes JMP 89DA6F72 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngTransparentBlt + 37CC 9225601C 5 Bytes JMP 89DA5E58 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 273B 9225E974 5 Bytes JMP 89DA603E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + A683 922668BC 5 Bytes JMP 89DA6BD8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 11665 9226D89E 5 Bytes JMP 89DA5D8C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 118A6 9226DADF 5 Bytes JMP 89DA6180 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 11979 9226DBB2 5 Bytes JMP 89DA6326 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text ...
.text win32k.sys!EngMapFontFileFD + F717 92280D5E 5 Bytes JMP 89DA5F34 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPaint + 3290 922864C2 5 Bytes JMP 89DA6E0C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPaint + 69A5 92289BD7 5 Bytes JMP 89DA5FA4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 44F5 922ACEAC 5 Bytes JMP 89DA5E70 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBlt + 3BF8 922D2BAD 5 Bytes JMP 89DA7014 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bEnum + AA 922D5612 5 Bytes JMP 89DA6D54 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStrokePath + CE84 922E2C1F 5 Bytes JMP 89DA6BAE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCopyBits + 1D65 922E9DDB 5 Bytes JMP 89DA6CA2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFindImageProcAddress + 1A09 922F565B 5 Bytes JMP 89DA60E8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteClip + 59E8 9230B49C 5 Bytes JMP 89DA6008 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bPolyBezierTo + 62D 9231379F 5 Bytes JMP 89DA60AE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSemaphore + 38A2 9233114B 5 Bytes JMP 89DA5EF0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPlgBlt + 1A89 9236F44E 5 Bytes JMP 89DA6ECA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\wuauclt.exe[264] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000601F8
.text C:\Windows\system32\wuauclt.exe[264] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000603FC
.text C:\Windows\system32\wuauclt.exe[264] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\wuauclt.exe[264] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 00070A08
.text C:\Windows\system32\wuauclt.exe[264] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 00070600
.text C:\Windows\system32\wuauclt.exe[264] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 00070804
.text C:\Windows\system32\wuauclt.exe[264] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 000703FC
.text C:\Windows\system32\wuauclt.exe[264] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 000701F8
.text C:\Windows\system32\wuauclt.exe[264] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000803FC
.text C:\Windows\system32\wuauclt.exe[264] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00080600
.text C:\Windows\system32\wuauclt.exe[264] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00080A08
.text C:\Windows\system32\wuauclt.exe[264] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00081014
.text C:\Windows\system32\wuauclt.exe[264] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00080804
.text C:\Windows\system32\wuauclt.exe[264] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00080C0C
.text C:\Windows\system32\wuauclt.exe[264] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00080E10
.text C:\Windows\system32\wuauclt.exe[264] ADVAPI32.dll!CreateServiceA 768F3C41 3 Bytes JMP 000801F8
.text C:\Windows\system32\wuauclt.exe[264] ADVAPI32.dll!CreateServiceA + 4 768F3C45 1 Byte [89]
.text C:\Windows\system32\Dwm.exe[468] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Windows\system32\Dwm.exe[468] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Windows\system32\Dwm.exe[468] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[468] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000703FC
.text C:\Windows\system32\Dwm.exe[468] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00070600
.text C:\Windows\system32\Dwm.exe[468] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00070A08
.text C:\Windows\system32\Dwm.exe[468] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00071014
.text C:\Windows\system32\Dwm.exe[468] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00070804
.text C:\Windows\system32\Dwm.exe[468] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00070C0C
.text C:\Windows\system32\Dwm.exe[468] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00070E10
.text C:\Windows\system32\Dwm.exe[468] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\Dwm.exe[468] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 000C0A08
.text C:\Windows\system32\Dwm.exe[468] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 000C0600
.text C:\Windows\system32\Dwm.exe[468] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 000C0804
.text C:\Windows\system32\Dwm.exe[468] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 000C03FC
.text C:\Windows\system32\Dwm.exe[468] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 000C01F8
.text C:\Windows\system32\csrss.exe[508] KERNEL32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[512] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Windows\system32\taskeng.exe[512] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Windows\system32\taskeng.exe[512] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[512] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000703FC
.text C:\Windows\system32\taskeng.exe[512] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00070600
.text C:\Windows\system32\taskeng.exe[512] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00070A08
.text C:\Windows\system32\taskeng.exe[512] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00071014
.text C:\Windows\system32\taskeng.exe[512] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00070804
.text C:\Windows\system32\taskeng.exe[512] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00070C0C
.text C:\Windows\system32\taskeng.exe[512] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00070E10
.text C:\Windows\system32\taskeng.exe[512] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\taskeng.exe[512] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 000C0A08
.text C:\Windows\system32\taskeng.exe[512] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 000C0600
.text C:\Windows\system32\taskeng.exe[512] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 000C0804
.text C:\Windows\system32\taskeng.exe[512] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 000C03FC
.text C:\Windows\system32\taskeng.exe[512] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 000C01F8
.text C:\Windows\system32\wininit.exe[552] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000301F8
.text C:\Windows\system32\wininit.exe[552] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000303FC
.text C:\Windows\system32\wininit.exe[552] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\wininit.exe[552] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000503FC
.text C:\Windows\system32\wininit.exe[552] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00050600
.text C:\Windows\system32\wininit.exe[552] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00050A08
.text C:\Windows\system32\wininit.exe[552] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00051014
.text C:\Windows\system32\wininit.exe[552] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00050804
.text C:\Windows\system32\wininit.exe[552] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00050C0C
.text C:\Windows\system32\wininit.exe[552] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00050E10
.text C:\Windows\system32\wininit.exe[552] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000501F8
.text C:\Windows\system32\wininit.exe[552] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 00060A08
.text C:\Windows\system32\wininit.exe[552] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 00060600
.text C:\Windows\system32\wininit.exe[552] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 00060804
.text C:\Windows\system32\wininit.exe[552] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 000603FC
.text C:\Windows\system32\wininit.exe[552] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 000601F8
.text C:\Windows\system32\csrss.exe[564] KERNEL32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\services.exe[596] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Windows\system32\services.exe[596] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Windows\system32\services.exe[596] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000703FC
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00070600
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00070A08
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00071014
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00070804
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00070C0C
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00070E10
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\services.exe[596] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 00080A08
.text C:\Windows\system32\services.exe[596] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 00080600
.text C:\Windows\system32\services.exe[596] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 00080804
.text C:\Windows\system32\services.exe[596] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 000803FC
.text C:\Windows\system32\services.exe[596] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 000801F8
.text C:\Windows\system32\lsass.exe[608] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Windows\system32\lsass.exe[608] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Windows\system32\lsass.exe[608] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\lsass.exe[608] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000703FC
.text C:\Windows\system32\lsass.exe[608] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00070600
.text C:\Windows\system32\lsass.exe[608] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00070A08
.text C:\Windows\system32\lsass.exe[608] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00071014
.text C:\Windows\system32\lsass.exe[608] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00070804
.text C:\Windows\system32\lsass.exe[608] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00070C0C
.text C:\Windows\system32\lsass.exe[608] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00070E10
.text C:\Windows\system32\lsass.exe[608] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\lsass.exe[608] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 00080A08
.text C:\Windows\system32\lsass.exe[608] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 00080600
.text C:\Windows\system32\lsass.exe[608] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 00080804
.text C:\Windows\system32\lsass.exe[608] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 000803FC
.text C:\Windows\system32\lsass.exe[608] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 000801F8
.text C:\Windows\system32\lsm.exe[616] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Windows\system32\lsm.exe[616] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Windows\system32\lsm.exe[616] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\lsm.exe[616] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000703FC
.text C:\Windows\system32\lsm.exe[616] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00070600
.text C:\Windows\system32\lsm.exe[616] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00070A08
.text C:\Windows\system32\lsm.exe[616] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00071014
.text C:\Windows\system32\lsm.exe[616] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00070804
.text C:\Windows\system32\lsm.exe[616] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00070C0C
.text C:\Windows\system32\lsm.exe[616] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00070E10
.text C:\Windows\system32\lsm.exe[616] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\winlogon.exe[668] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000301F8
.text C:\Windows\system32\winlogon.exe[668] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000303FC
.text C:\Windows\system32\winlogon.exe[668] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[668] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000503FC
.text C:\Windows\system32\winlogon.exe[668] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00050600
.text C:\Windows\system32\winlogon.exe[668] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00050A08
.text C:\Windows\system32\winlogon.exe[668] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00051014
.text C:\Windows\system32\winlogon.exe[668] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00050804
.text C:\Windows\system32\winlogon.exe[668] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00050C0C
.text C:\Windows\system32\winlogon.exe[668] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00050E10
.text C:\Windows\system32\winlogon.exe[668] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000501F8
.text C:\Windows\system32\winlogon.exe[668] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 00060A08
.text C:\Windows\system32\winlogon.exe[668] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 00060600
.text C:\Windows\system32\winlogon.exe[668] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 00060804
.text C:\Windows\system32\winlogon.exe[668] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 000603FC
.text C:\Windows\system32\winlogon.exe[668] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 000601F8
.text C:\Windows\Explorer.EXE[808] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Windows\Explorer.EXE[808] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Windows\Explorer.EXE[808] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\Explorer.EXE[808] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000703FC
.text C:\Windows\Explorer.EXE[808] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00070600
.text C:\Windows\Explorer.EXE[808] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00070A08
.text C:\Windows\Explorer.EXE[808] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00071014
.text C:\Windows\Explorer.EXE[808] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00070804
.text C:\Windows\Explorer.EXE[808] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00070C0C
.text C:\Windows\Explorer.EXE[808] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00070E10
.text C:\Windows\Explorer.EXE[808] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000701F8
.text C:\Windows\Explorer.EXE[808] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 00080A08
.text C:\Windows\Explorer.EXE[808] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 00080600
.text C:\Windows\Explorer.EXE[808] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 00080804
.text C:\Windows\Explorer.EXE[808] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 000803FC
.text C:\Windows\Explorer.EXE[808] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 000801F8
.text C:\Windows\system32\svchost.exe[816] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[816] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[816] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 002A0A08
.text C:\Windows\system32\svchost.exe[816] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 002A0600
.text C:\Windows\system32\svchost.exe[816] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 002A0804
.text C:\Windows\system32\svchost.exe[816] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 002A03FC
.text C:\Windows\system32\svchost.exe[816] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 002A01F8
.text C:\Windows\system32\svchost.exe[884] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000901F8
.text C:\Windows\system32\svchost.exe[884] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000903FC
.text C:\Windows\system32\svchost.exe[884] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\svchost.exe[884] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000C03FC
.text C:\Windows\system32\svchost.exe[884] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 000C0600
.text C:\Windows\system32\svchost.exe[884] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 000C0A08
.text C:\Windows\system32\svchost.exe[884] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 000C1014
.text C:\Windows\system32\svchost.exe[884] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 000C0804
.text C:\Windows\system32\svchost.exe[884] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 000C0C0C
.text C:\Windows\system32\svchost.exe[884] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 000C0E10
.text C:\Windows\system32\svchost.exe[884] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000C01F8
.text C:\Windows\system32\svchost.exe[884] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 00A50A08
.text C:\Windows\system32\svchost.exe[884] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 00A50600
.text C:\Windows\system32\svchost.exe[884] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 00A50804
.text C:\Windows\system32\svchost.exe[884] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 00A503FC
.text C:\Windows\system32\svchost.exe[884] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 00A501F8
.text C:\Windows\System32\svchost.exe[924] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Windows\System32\svchost.exe[924] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Windows\System32\svchost.exe[924] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\System32\svchost.exe[924] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000703FC
.text C:\Windows\System32\svchost.exe[924] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00070600
.text C:\Windows\System32\svchost.exe[924] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00070A08
.text C:\Windows\System32\svchost.exe[924] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00071014
.text C:\Windows\System32\svchost.exe[924] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00070804
.text C:\Windows\System32\svchost.exe[924] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00070C0C
.text C:\Windows\System32\svchost.exe[924] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00070E10
.text C:\Windows\System32\svchost.exe[924] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000701F8
.text C:\Windows\System32\svchost.exe[924] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 000D0A08
.text C:\Windows\System32\svchost.exe[924] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 000D0600
.text C:\Windows\System32\svchost.exe[924] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 000D0804
.text C:\Windows\System32\svchost.exe[924] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 000D03FC
.text C:\Windows\System32\svchost.exe[924] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 000D01F8
.text C:\Windows\System32\svchost.exe[1000] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000901F8
.text C:\Windows\System32\svchost.exe[1000] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000903FC
.text C:\Windows\System32\svchost.exe[1000] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1000] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000B03FC
.text C:\Windows\System32\svchost.exe[1000] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 000B0600
.text C:\Windows\System32\svchost.exe[1000] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 000B0A08
.text C:\Windows\System32\svchost.exe[1000] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 000B1014
.text C:\Windows\System32\svchost.exe[1000] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 000B0804
.text C:\Windows\System32\svchost.exe[1000] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 000B0C0C
.text C:\Windows\System32\svchost.exe[1000] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 000B0E10
.text C:\Windows\System32\svchost.exe[1000] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000B01F8
.text C:\Windows\System32\svchost.exe[1000] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 00170A08
.text C:\Windows\System32\svchost.exe[1000] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 00170600
.text C:\Windows\System32\svchost.exe[1000] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 00170804
.text C:\Windows\System32\svchost.exe[1000] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 001703FC
.text C:\Windows\System32\svchost.exe[1000] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 001701F8
.text C:\Windows\System32\svchost.exe[1036] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Windows\System32\svchost.exe[1036] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Windows\System32\svchost.exe[1036] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1036] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000703FC
.text C:\Windows\System32\svchost.exe[1036] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00070600
.text C:\Windows\System32\svchost.exe[1036] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00070A08
.text C:\Windows\System32\svchost.exe[1036] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00071014
.text C:\Windows\System32\svchost.exe[1036] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00070804
.text C:\Windows\System32\svchost.exe[1036] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00070C0C
.text C:\Windows\System32\svchost.exe[1036] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00070E10
.text C:\Windows\System32\svchost.exe[1036] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000701F8
.text C:\Windows\System32\svchost.exe[1036] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 00BB0A08
.text C:\Windows\System32\svchost.exe[1036] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 00BB0600
.text C:\Windows\System32\svchost.exe[1036] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 00BB0804
.text C:\Windows\System32\svchost.exe[1036] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 00BB03FC
.text C:\Windows\System32\svchost.exe[1036] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 00BB01F8
.text C:\Windows\system32\svchost.exe[1076] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000901F8
.text C:\Windows\system32\svchost.exe[1076] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000903FC
.text C:\Windows\system32\svchost.exe[1076] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1076] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000B03FC
.text C:\Windows\system32\svchost.exe[1076] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 000B0600
.text C:\Windows\system32\svchost.exe[1076] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 000B0A08
.text C:\Windows\system32\svchost.exe[1076] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 000B1014
.text C:\Windows\system32\svchost.exe[1076] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 000B0804
.text C:\Windows\system32\svchost.exe[1076] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 000B0C0C
.text C:\Windows\system32\svchost.exe[1076] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 000B0E10
.text C:\Windows\system32\svchost.exe[1076] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000B01F8
.text C:\Windows\system32\svchost.exe[1076] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 00170A08
.text C:\Windows\system32\svchost.exe[1076] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 00170600
.text C:\Windows\system32\svchost.exe[1076] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 00170804
.text C:\Windows\system32\svchost.exe[1076] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 001703FC
.text C:\Windows\system32\svchost.exe[1076] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 001701F8
.text C:\Windows\system32\taskeng.exe[1172] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Windows\system32\taskeng.exe[1172] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Windows\system32\taskeng.exe[1172] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[1172] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000703FC
.text C:\Windows\system32\taskeng.exe[1172] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00070600
.text C:\Windows\system32\taskeng.exe[1172] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00070A08
.text C:\Windows\system32\taskeng.exe[1172] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00071014
.text C:\Windows\system32\taskeng.exe[1172] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00070804
.text C:\Windows\system32\taskeng.exe[1172] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00070C0C
.text C:\Windows\system32\taskeng.exe[1172] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00070E10
.text C:\Windows\system32\taskeng.exe[1172] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\taskeng.exe[1172] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 00080A08
.text C:\Windows\system32\taskeng.exe[1172] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 00080600
.text C:\Windows\system32\taskeng.exe[1172] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 00080804
.text C:\Windows\system32\taskeng.exe[1172] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 000803FC
.text C:\Windows\system32\taskeng.exe[1172] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 000801F8
.text C:\Windows\system32\AUDIODG.EXE[1188] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\SLsvc.exe[1228] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1252] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[1252] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[1252] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1252] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[1252] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[1252] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[1252] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[1252] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[1252] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[1252] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[1252] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[1252] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 00250A08
.text C:\Windows\system32\svchost.exe[1252] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 00250600
.text C:\Windows\system32\svchost.exe[1252] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 00250804
.text C:\Windows\system32\svchost.exe[1252] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 002503FC
.text C:\Windows\system32\svchost.exe[1252] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 002501F8
.text C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe[1288] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 001501F8
.text C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe[1288] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 001503FC
.text C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe[1288] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe[1288] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 001703FC
.text C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe[1288] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00170600
.text C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe[1288] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00170A08
.text C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe[1288] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00171014
.text C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe[1288] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00170804
.text C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe[1288] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00170C0C
.text C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe[1288] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00170E10
.text C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe[1288] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 001701F8
.text C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe[1288] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 00180A08
.text C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe[1288] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 00180600
.text C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe[1288] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 00180804
.text C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe[1288] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 001803FC
.text C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe[1288] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 001801F8
.text C:\Windows\system32\svchost.exe[1344] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[1344] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[1344] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[1412] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[1412] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[1412] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1412] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[1412] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[1412] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[1412] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[1412] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[1412] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[1412] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[1412] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[1412] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 00350A08
.text C:\Windows\system32\svchost.exe[1412] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 00350600
.text C:\Windows\system32\svchost.exe[1412] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 00350804
.text C:\Windows\system32\svchost.exe[1412] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 003503FC
.text C:\Windows\system32\svchost.exe[1412] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 003501F8
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1532] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1532] kernel32.dll!SetUnhandledExceptionFilter 77DDD177 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1836] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1836] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1836] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1836] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 00080A08
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1836] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 00080600
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1836] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 00080804
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1836] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 000803FC
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1836] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 000801F8
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1836] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000903FC
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1836] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00090600
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1836] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00090A08
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1836] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00091014
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1836] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00090804
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1836] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00090C0C
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1836] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00090E10
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1836] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000901F8
.text C:\Windows\System32\spoolsv.exe[1840] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Windows\System32\spoolsv.exe[1840] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Windows\System32\spoolsv.exe[1840] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1840] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000703FC
.text C:\Windows\System32\spoolsv.exe[1840] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00070600
.text C:\Windows\System32\spoolsv.exe[1840] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00070A08
.text C:\Windows\System32\spoolsv.exe[1840] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00071014
.text C:\Windows\System32\spoolsv.exe[1840] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00070804
.text C:\Windows\System32\spoolsv.exe[1840] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00070C0C
.text C:\Windows\System32\spoolsv.exe[1840] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00070E10
.text C:\Windows\System32\spoolsv.exe[1840] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000701F8
.text C:\Windows\System32\spoolsv.exe[1840] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 000D0A08
.text C:\Windows\System32\spoolsv.exe[1840] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 000D0600
.text C:\Windows\System32\spoolsv.exe[1840] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 000D0804
.text C:\Windows\System32\spoolsv.exe[1840] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 000D03FC
.text C:\Windows\System32\spoolsv.exe[1840] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 000D01F8
.text C:\Windows\system32\svchost.exe[1868] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[1868] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1868] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[1868] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[1868] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[1868] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[1868] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[1868] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[1868] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[1868] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[1868] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 00180A08
.text C:\Windows\system32\svchost.exe[1868] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 00180600
.text C:\Windows\system32\svchost.exe[1868] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 00180804
.text C:\Windows\system32\svchost.exe[1868] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 001803FC
.text C:\Windows\system32\svchost.exe[1868] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 001801F8
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2116] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 001501F8
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2116] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 001503FC
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2116] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2116] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 001903FC
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2116] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00190600
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2116] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00190A08
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2116] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00191014
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2116] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00190804
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2116] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00190C0C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2116] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00190E10
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2116] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 001901F8
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2116] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 001A0A08
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2116] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 001A0600
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2116] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 001A0804
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2116] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 001A03FC
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2116] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 001A01F8
.text C:\Program Files\Common Files\Motive\McciCMService.exe[2144] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 001501F8
.text C:\Program Files\Common Files\Motive\McciCMService.exe[2144] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 001503FC
.text C:\Program Files\Common Files\Motive\McciCMService.exe[2144] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Program Files\Common Files\Motive\McciCMService.exe[2144] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 00170A08
.text C:\Program Files\Common Files\Motive\McciCMService.exe[2144] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 00170600
.text C:\Program Files\Common Files\Motive\McciCMService.exe[2144] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 00170804
.text C:\Program Files\Common Files\Motive\McciCMService.exe[2144] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 001703FC
.text C:\Program Files\Common Files\Motive\McciCMService.exe[2144] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 001701F8
.text C:\Program Files\Common Files\Motive\McciCMService.exe[2144] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 001803FC
.text C:\Program Files\Common Files\Motive\McciCMService.exe[2144] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00180600
.text C:\Program Files\Common Files\Motive\McciCMService.exe[2144] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00180A08
.text C:\Program Files\Common Files\Motive\McciCMService.exe[2144] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00181014
.text C:\Program Files\Common Files\Motive\McciCMService.exe[2144] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00180804
.text C:\Program Files\Common Files\Motive\McciCMService.exe[2144] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00180C0C
.text C:\Program Files\Common Files\Motive\McciCMService.exe[2144] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00180E10
.text C:\Program Files\Common Files\Motive\McciCMService.exe[2144] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 001801F8
.text C:\Windows\System32\svchost.exe[2184] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Windows\System32\svchost.exe[2184] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Windows\System32\svchost.exe[2184] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\System32\svchost.exe[2184] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000703FC
.text C:\Windows\System32\svchost.exe[2184] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00070600
.text C:\Windows\System32\svchost.exe[2184] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00070A08
.text C:\Windows\System32\svchost.exe[2184] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00071014
.text C:\Windows\System32\svchost.exe[2184] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00070804
.text C:\Windows\System32\svchost.exe[2184] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00070C0C
.text C:\Windows\System32\svchost.exe[2184] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00070E10
.text C:\Windows\System32\svchost.exe[2184] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000701F8
.text C:\Windows\System32\svchost.exe[2184] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 00290A08
.text C:\Windows\System32\svchost.exe[2184] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 00290600
.text C:\Windows\System32\svchost.exe[2184] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 00290804
.text C:\Windows\System32\svchost.exe[2184] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 002903FC
.text C:\Windows\System32\svchost.exe[2184] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 002901F8
.text C:\Windows\System32\svchost.exe[2228] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Windows\System32\svchost.exe[2228] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Windows\System32\svchost.exe[2228] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\System32\svchost.exe[2228] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000703FC
.text C:\Windows\System32\svchost.exe[2228] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00070600
.text C:\Windows\System32\svchost.exe[2228] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00070A08
.text C:\Windows\System32\svchost.exe[2228] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00071014
.text C:\Windows\System32\svchost.exe[2228] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00070804
.text C:\Windows\System32\svchost.exe[2228] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00070C0C
.text C:\Windows\System32\svchost.exe[2228] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00070E10
.text C:\Windows\System32\svchost.exe[2228] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[2240] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[2240] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[2240] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2240] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[2240] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[2240] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[2240] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[2240] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[2240] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[2240] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[2240] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[2240] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 000A0A08
.text C:\Windows\system32\svchost.exe[2240] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 000A0600
.text C:\Windows\system32\svchost.exe[2240] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 000A0804
.text C:\Windows\system32\svchost.exe[2240] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 000A03FC
.text C:\Windows\system32\svchost.exe[2240] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 000A01F8
.text C:\Windows\system32\svchost.exe[2260] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[2260] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[2260] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2260] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[2260] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[2260] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[2260] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[2260] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[2260] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[2260] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[2260] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000701F8
.text C:\Windows\System32\svchost.exe[2296] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Windows\System32\svchost.exe[2296] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Windows\System32\svchost.exe[2296] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\System32\svchost.exe[2296] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000703FC
.text C:\Windows\System32\svchost.exe[2296] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00070600
.text C:\Windows\System32\svchost.exe[2296] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00070A08
.text C:\Windows\System32\svchost.exe[2296] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00071014
.text C:\Windows\System32\svchost.exe[2296] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00070804
.text C:\Windows\System32\svchost.exe[2296] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00070C0C
.text C:\Windows\System32\svchost.exe[2296] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00070E10
.text C:\Windows\System32\svchost.exe[2296] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\SearchIndexer.exe[2316] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Windows\system32\SearchIndexer.exe[2316] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Windows\system32\SearchIndexer.exe[2316] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\SearchIndexer.exe[2316] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000703FC
.text C:\Windows\system32\SearchIndexer.exe[2316] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00070600
.text C:\Windows\system32\SearchIndexer.exe[2316] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00070A08
.text C:\Windows\system32\SearchIndexer.exe[2316] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00071014
.text C:\Windows\system32\SearchIndexer.exe[2316] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00070804
.text C:\Windows\system32\SearchIndexer.exe[2316] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00070C0C
.text C:\Windows\system32\SearchIndexer.exe[2316] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00070E10
.text C:\Windows\system32\SearchIndexer.exe[2316] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\SearchIndexer.exe[2316] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 00580A08
.text C:\Windows\system32\SearchIndexer.exe[2316] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 00580600
.text C:\Windows\system32\SearchIndexer.exe[2316] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 00580804
.text C:\Windows\system32\SearchIndexer.exe[2316] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 005803FC
.text C:\Windows\system32\SearchIndexer.exe[2316] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 005801F8
.text C:\Windows\ehome\ehmsas.exe[2428] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000401F8
.text C:\Windows\ehome\ehmsas.exe[2428] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000403FC
.text C:\Windows\ehome\ehmsas.exe[2428] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\ehome\ehmsas.exe[2428] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000603FC
.text C:\Windows\ehome\ehmsas.exe[2428] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00060600
.text C:\Windows\ehome\ehmsas.exe[2428] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00060A08
.text C:\Windows\ehome\ehmsas.exe[2428] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00061014
.text C:\Windows\ehome\ehmsas.exe[2428] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00060804
.text C:\Windows\ehome\ehmsas.exe[2428] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00060C0C
.text C:\Windows\ehome\ehmsas.exe[2428] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00060E10
.text C:\Windows\ehome\ehmsas.exe[2428] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000601F8
.text C:\Windows\ehome\ehmsas.exe[2428] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 00070A08
.text C:\Windows\ehome\ehmsas.exe[2428] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 00070600
.text C:\Windows\ehome\ehmsas.exe[2428] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 00070804
.text C:\Windows\ehome\ehmsas.exe[2428] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 000703FC
.text C:\Windows\ehome\ehmsas.exe[2428] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 000701F8
.text C:\Windows\system32\WUDFHost.exe[2572] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Windows\system32\WUDFHost.exe[2572] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Windows\system32\WUDFHost.exe[2572] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\WUDFHost.exe[2572] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000703FC
.text C:\Windows\system32\WUDFHost.exe[2572] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00070600
.text C:\Windows\system32\WUDFHost.exe[2572] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00070A08
.text C:\Windows\system32\WUDFHost.exe[2572] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00071014
.text C:\Windows\system32\WUDFHost.exe[2572] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00070804
.text C:\Windows\system32\WUDFHost.exe[2572] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00070C0C
.text C:\Windows\system32\WUDFHost.exe[2572] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00070E10
.text C:\Windows\system32\WUDFHost.exe[2572] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\WUDFHost.exe[2572] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 00080A08
.text C:\Windows\system32\WUDFHost.exe[2572] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 00080600
.text C:\Windows\system32\WUDFHost.exe[2572] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 00080804
.text C:\Windows\system32\WUDFHost.exe[2572] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 000803FC
.text C:\Windows\system32\WUDFHost.exe[2572] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 000801F8
.text C:\Windows\system32\igfxsrvc.exe[2628] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 001501F8
.text C:\Windows\system32\igfxsrvc.exe[2628] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 001503FC
.text C:\Windows\system32\igfxsrvc.exe[2628] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\igfxsrvc.exe[2628] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 00180A08
.text C:\Windows\system32\igfxsrvc.exe[2628] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 00180600
.text C:\Windows\system32\igfxsrvc.exe[2628] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 00180804
.text C:\Windows\system32\igfxsrvc.exe[2628] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 001803FC
.text C:\Windows\system32\igfxsrvc.exe[2628] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 001801F8
.text C:\Windows\system32\igfxsrvc.exe[2628] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 001903FC
.text C:\Windows\system32\igfxsrvc.exe[2628] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00190600
.text C:\Windows\system32\igfxsrvc.exe[2628] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00190A08
.text C:\Windows\system32\igfxsrvc.exe[2628] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00191014
.text C:\Windows\system32\igfxsrvc.exe[2628] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00190804
.text C:\Windows\system32\igfxsrvc.exe[2628] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00190C0C
.text C:\Windows\system32\igfxsrvc.exe[2628] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00190E10
.text C:\Windows\system32\igfxsrvc.exe[2628] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 001901F8
.text C:\Program Files\Internet Explorer\ieuser.exe[3084] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000401F8
.text C:\Program Files\Internet Explorer\ieuser.exe[3084] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000403FC
.text C:\Program Files\Internet Explorer\ieuser.exe[3084] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Program Files\Internet Explorer\ieuser.exe[3084] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000603FC
.text C:\Program Files\Internet Explorer\ieuser.exe[3084] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00060600
.text C:\Program Files\Internet Explorer\ieuser.exe[3084] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00060A08
.text C:\Program Files\Internet Explorer\ieuser.exe[3084] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00061014
.text C:\Program Files\Internet Explorer\ieuser.exe[3084] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00060804
.text C:\Program Files\Internet Explorer\ieuser.exe[3084] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00060C0C
.text C:\Program Files\Internet Explorer\ieuser.exe[3084] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00060E10
.text C:\Program Files\Internet Explorer\ieuser.exe[3084] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000601F8
.text C:\Program Files\Internet Explorer\ieuser.exe[3084] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 00070A08
.text C:\Program Files\Internet Explorer\ieuser.exe[3084] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 00070600
.text C:\Program Files\Internet Explorer\ieuser.exe[3084] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 00070804
.text C:\Program Files\Internet Explorer\ieuser.exe[3084] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 000703FC
.text C:\Program Files\Internet Explorer\ieuser.exe[3084] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 000701F8
.text C:\Windows\system32\taskeng.exe[3380] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Windows\system32\taskeng.exe[3380] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Windows\system32\taskeng.exe[3380] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[3380] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000703FC
.text C:\Windows\system32\taskeng.exe[3380] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00070600
.text C:\Windows\system32\taskeng.exe[3380] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00070A08
.text C:\Windows\system32\taskeng.exe[3380] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00071014
.text C:\Windows\system32\taskeng.exe[3380] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00070804
.text C:\Windows\system32\taskeng.exe[3380] ADVAPI32.dll!ChangeServiceConfig2A 768F3A39 5 Bytes JMP 00070C0C
.text C:\Windows\system32\taskeng.exe[3380] ADVAPI32.dll!ChangeServiceConfig2W 768F3B81 5 Bytes JMP 00070E10
.text C:\Windows\system32\taskeng.exe[3380] ADVAPI32.dll!CreateServiceA 768F3C41 5 Bytes JMP 000701F8
.text C:\Windows\system32\taskeng.exe[3380] USER32.dll!UnhookWindowsHookEx 77D17CE7 5 Bytes JMP 00080A08
.text C:\Windows\system32\taskeng.exe[3380] USER32.dll!SetWindowsHookExA 77D1891A 5 Bytes JMP 00080600
.text C:\Windows\system32\taskeng.exe[3380] USER32.dll!SetWindowsHookExW 77D1913D 5 Bytes JMP 00080804
.text C:\Windows\system32\taskeng.exe[3380] USER32.dll!UnhookWinEvent 77D22C74 5 Bytes JMP 000803FC
.text C:\Windows\system32\taskeng.exe[3380] USER32.dll!SetWinEventHook 77D29C6D 5 Bytes JMP 000801F8
.text C:\Program Files\Windows Defender\MSASCui.exe[3768] ntdll.dll!LdrLoadDll 77F0EB00 5 Bytes JMP 000501F8
.text C:\Program Files\Windows Defender\MSASCui.exe[3768] ntdll.dll!LdrUnloadDll 77F1BF0A 5 Bytes JMP 000503FC
.text C:\Program Files\Windows Defender\MSASCui.exe[3768] kernel32.dll!GetBinaryTypeW + 70 77DD714D 1 Byte [62]
.text C:\Program Files\Windows Defender\MSASCui.exe[3768] ADVAPI32.dll!CreateServiceW 768B8686 5 Bytes JMP 000703FC
.text C:\Program Files\Windows Defender\MSASCui.exe[3768] ADVAPI32.dll!DeleteService 768B8788 5 Bytes JMP 00070600
.text C:\Program Files\Windows Defender\MSASCui.exe[3768] ADVAPI32.dll!ChangeServiceConfigW 768BA26A 5 Bytes JMP 00070A08
.text C:\Program Files\Windows Defender\MSASCui.exe[3768] ADVAPI32.dll!SetServiceObjectSecurity 768F3791 5 Bytes JMP 00071014
.text C:\Program Files\Windows Defender\MSASCui.exe[3768] ADVAPI32.dll!ChangeServiceConfigA 768F3891 5 Bytes JMP 00070804

#7 cryptodan

Posted 05 May 2011 - 08:39 AM

Please read the following: How do I remove Trojan Vundo and see if there is anything hiding.

#8 c410berry
  • Topic Starter

Posted 28 May 2011 - 01:55 PM

I seemed to be doing fine for a week or so after following your advice. Then I started getting the same error message again. Today I can not print. I tried to go back to the last link you gave me and follow through the steps again, but it doesn't seem to be working. The scans are coming up with no files to remove. What should I try next?
Christy

#9 cryptodan

Posted 28 May 2011 - 05:37 PM

Please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.

#10 c410berry
  • Topic Starter

Posted 11 June 2011 - 01:23 AM

This is a link to MY NEW TOPIC.

I didn't have any trouble creating the logs. When I said "it doesn't seem to be working", I just meant that going back through the steps in the link you gave me above, entitled How do I remove Trojan Vundo, did not solve the problem.

Thank you for your continued help.

Christy

#11 Elise
  • Malware Study Hall Admin

Posted 11 June 2011 - 10:22 AM

Hello,

Now for the hard and frustrating part: waiting.

Now that you have posted a log, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft