Backdoor Trojan/Bot/


  • This topic is locked
14 replies to this topic

#1 Raker

Posted 19 September 2011 - 07:12 PM

I have been trying to get rid of several infections on my laptop. It seemed to start around a couple of weeks ago. I started getting these Symantec tamper alerts that had something Tlgwgp.exe in the message: C:\Documents and Settings\mkershaw\Application Data\Tlgwgp.exe (PID 2880)
It only seemed to log them. There would be about 20 of them every time I would start my laptop. When I dug deeper I found some malware that was labeled "Services.EXE". There were two instances of that, of which one appears to be a legitimate Windows service and the other seems suspicious. That was just the tip of the iceberg.

I noticed that PDF readers would hang or crash when viewing PDFs. Then progressively (over about a dozen reboots) the laptop would start up very slowly compared to normal operation. I cannot browse to any security-related websites. Other websites are no problem, just not anything that would help in getting rid of the infection. I have run ESET online scanner, RKill, TDSSKiller, CKScanner, ATF Cleaner, Brontok disinfection tool, Brontok worm removal tool, Super Anti-Spyware, Malware Bytes, and Symantec End point protection. All seemed to have found something but I do not think they have found everything. The hard drive activity light seems to light up with a lot of activity when connecting to a network. Here is a link to the other thread, which is where I started with trying to get this stuff removed: http://www.bleepingcomputer.com/forums/topic418406.html
Any help on this issue is very much appreciated. Thank You in advance.



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-19 19:38:26
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST9500420ASG rev.0002SDM1
Running: 32mzuy1p.exe; Driver: C:\DOCUME~1\mkershaw\LOCALS~1\Temp\kwroqkow.sys


---- System - GMER 1.0.15 ----

SSDT 89C22940 ZwAlertResumeThread
SSDT 89D91350 ZwAlertThread
SSDT 89C413D0 ZwAllocateVirtualMemory
SSDT 897A1860 ZwConnectPort
SSDT 89565218 ZwCreateMutant
SSDT 89DA2778 ZwCreateThread
SSDT 89986628 ZwFreeVirtualMemory
SSDT 8956F2B8 ZwImpersonateAnonymousToken
SSDT 89C6D260 ZwImpersonateThread
SSDT 89C98DF8 ZwMapViewOfSection
SSDT 896DA778 ZwOpenEvent
SSDT 896EA2B0 ZwOpenProcessToken
SSDT 897A8EA0 ZwOpenThreadToken
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xB9B6D8B0]
SSDT 89DAA638 ZwResumeThread
SSDT 896E2378 ZwSetContextThread
SSDT 89C2A6E8 ZwSetInformationProcess
SSDT 89C2B9B0 ZwSetInformationThread
SSDT 89C3E810 ZwSuspendProcess
SSDT 89C412F0 ZwSuspendThread
SSDT 89D41958 ZwTerminateProcess
SSDT 89C3D1E0 ZwTerminateThread
SSDT 89C28B10 ZwUnmapViewOfSection
SSDT 8956A220 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2F74 80504810 8 Bytes [E8, A6, C2, 89, B0, B9, C2, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FD8 80504874 8 Bytes CALL 9340D23C
? C:\DOCUME~1\mkershaw\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[164] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00946390
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[164] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00946640
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[164] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 009453D0
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[164] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00945300
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[164] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009411C0
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[164] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00941290
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[164] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00942570
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[164] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00941000
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[164] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 009410A0
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[164] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00942510
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[164] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00941D10
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[164] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00947250
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[164] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 009420A0
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[164] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 009423A0
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[164] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00942160
.text C:\WINDOWS\system32\svchost.exe[192] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00BF6390
.text C:\WINDOWS\system32\svchost.exe[192] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00BF6640
.text C:\WINDOWS\system32\svchost.exe[192] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00BF53D0
.text C:\WINDOWS\system32\svchost.exe[192] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00BF5300
.text C:\WINDOWS\system32\svchost.exe[192] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF11C0
.text C:\WINDOWS\system32\svchost.exe[192] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF1290
.text C:\WINDOWS\system32\svchost.exe[192] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00BF2570
.text C:\WINDOWS\system32\svchost.exe[192] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00BF1000
.text C:\WINDOWS\system32\svchost.exe[192] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00BF10A0
.text C:\WINDOWS\system32\svchost.exe[192] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00BF2510
.text C:\WINDOWS\system32\svchost.exe[192] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00BF1D10
.text C:\WINDOWS\system32\svchost.exe[192] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00BF7250
.text C:\WINDOWS\system32\svchost.exe[192] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 00BF20A0
.text C:\WINDOWS\system32\svchost.exe[192] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 00BF23A0
.text C:\WINDOWS\system32\svchost.exe[192] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00BF2160
.text C:\WINDOWS\system32\svchost.exe[292] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00D76390
.text C:\WINDOWS\system32\svchost.exe[292] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00D76640
.text C:\WINDOWS\system32\svchost.exe[292] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00D753D0
.text C:\WINDOWS\system32\svchost.exe[292] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00D75300
.text C:\WINDOWS\system32\svchost.exe[292] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D711C0
.text C:\WINDOWS\system32\svchost.exe[292] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D71290
.text C:\WINDOWS\system32\svchost.exe[292] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00D72570
.text C:\WINDOWS\system32\svchost.exe[292] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00D71000
.text C:\WINDOWS\system32\svchost.exe[292] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00D710A0
.text C:\WINDOWS\system32\svchost.exe[292] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00D72510
.text C:\WINDOWS\system32\svchost.exe[292] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 00D720A0
.text C:\WINDOWS\system32\svchost.exe[292] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 00D723A0
.text C:\WINDOWS\system32\svchost.exe[292] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00D72160
.text C:\WINDOWS\system32\svchost.exe[292] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00D71D10
.text C:\WINDOWS\system32\svchost.exe[292] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D77250
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[352] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00A66390
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[352] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00A66640
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[352] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00A653D0
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[352] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00A65300
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[352] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A611C0
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[352] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A61290
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[352] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00A62570
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[352] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00A61000
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[352] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00A610A0
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[352] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00A62510
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[352] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00A61D10
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[352] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00A67250
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[352] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 00A620A0
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[352] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 00A623A0
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[352] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00A62160
.text C:\WINDOWS\system32\ctfmon.exe[396] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00A16390
.text C:\WINDOWS\system32\ctfmon.exe[396] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00A16640
.text C:\WINDOWS\system32\ctfmon.exe[396] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00A153D0
.text C:\WINDOWS\system32\ctfmon.exe[396] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00A15300
.text C:\WINDOWS\system32\ctfmon.exe[396] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A111C0
.text C:\WINDOWS\system32\ctfmon.exe[396] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A11290
.text C:\WINDOWS\system32\ctfmon.exe[396] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00A12570
.text C:\WINDOWS\system32\ctfmon.exe[396] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00A11000
.text C:\WINDOWS\system32\ctfmon.exe[396] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00A110A0
.text C:\WINDOWS\system32\ctfmon.exe[396] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00A12510
.text C:\WINDOWS\system32\ctfmon.exe[396] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00A11D10
.text C:\WINDOWS\system32\ctfmon.exe[396] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00A17250
.text C:\WINDOWS\system32\ctfmon.exe[396] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 00A120A0
.text C:\WINDOWS\system32\ctfmon.exe[396] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 00A123A0
.text C:\WINDOWS\system32\ctfmon.exe[396] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00A12160
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[404] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 01326390
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[404] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 01326640
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[404] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 013253D0
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[404] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01325300
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[404] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 013211C0
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[404] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01321290
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[404] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 01322570
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[404] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 01321000
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[404] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 013210A0
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[404] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 01322510
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[404] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 01321D10
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[404] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01327250
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[404] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 013220A0
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[404] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 013223A0
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[404] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 01322160
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[424] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00656390
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[424] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00656640
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[424] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 006553D0
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[424] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00655300
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[424] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006511C0
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[424] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00651290
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[424] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00652570
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[424] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00651000
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[424] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 006510A0
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[424] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00652510
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[424] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00651D10
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[424] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00657250
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[424] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 006520A0
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[424] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 006523A0
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[424] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00652160
.text C:\WINDOWS\system32\cisvc.exe[452] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00E26390
.text C:\WINDOWS\system32\cisvc.exe[452] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00E26640
.text C:\WINDOWS\system32\cisvc.exe[452] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00E253D0
.text C:\WINDOWS\system32\cisvc.exe[452] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00E25300
.text C:\WINDOWS\system32\cisvc.exe[452] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E211C0
.text C:\WINDOWS\system32\cisvc.exe[452] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E21290
.text C:\WINDOWS\system32\cisvc.exe[452] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00E22570
.text C:\WINDOWS\system32\cisvc.exe[452] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00E21000
.text C:\WINDOWS\system32\cisvc.exe[452] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00E210A0
.text C:\WINDOWS\system32\cisvc.exe[452] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00E22510
.text C:\WINDOWS\system32\cisvc.exe[452] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00E21D10
.text C:\WINDOWS\system32\cisvc.exe[452] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E27250
.text C:\WINDOWS\system32\cisvc.exe[452] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 00E220A0
.text C:\WINDOWS\system32\cisvc.exe[452] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 00E223A0
.text C:\WINDOWS\system32\cisvc.exe[452] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00E22160
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[476] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00C96390
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[476] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00C96640
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[476] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00C953D0
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[476] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00C95300
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[476] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C911C0
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[476] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C91290
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[476] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00C92570
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[476] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00C91000
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[476] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00C910A0
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[476] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00C92510
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[476] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00C91D10
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[476] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C97250
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[476] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 00C920A0
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[476] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 00C923A0
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[476] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00C92160
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[496] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 026B6390
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[496] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 026B6640
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[496] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 026B53D0
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[496] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 026B5300
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[496] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 026B11C0
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[496] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 026B1290
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[496] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 026B2570
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[496] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 026B1000
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[496] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 026B10A0
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[496] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 026B2510
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[496] ws2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 026B1D10
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[496] ws2_32.dll!send 71AB4C27 5 Bytes JMP 026B7250
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[496] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 026B20A0
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[496] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 026B23A0
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[496] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 026B2160
.text C:\WINDOWS\system32\svchost.exe[624] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00B56390
.text C:\WINDOWS\system32\svchost.exe[624] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00B56640
.text C:\WINDOWS\system32\svchost.exe[624] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00B553D0
.text C:\WINDOWS\system32\svchost.exe[624] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00B55300
.text C:\WINDOWS\system32\svchost.exe[624] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B511C0
.text C:\WINDOWS\system32\svchost.exe[624] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B51290
.text C:\WINDOWS\system32\svchost.exe[624] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00B52570
.text C:\WINDOWS\system32\svchost.exe[624] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00B51000
.text C:\WINDOWS\system32\svchost.exe[624] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00B510A0
.text C:\WINDOWS\system32\svchost.exe[624] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00B52510
.text C:\WINDOWS\system32\svchost.exe[624] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00B51D10
.text C:\WINDOWS\system32\svchost.exe[624] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B57250
.text C:\WINDOWS\system32\svchost.exe[624] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 00B520A0
.text C:\WINDOWS\system32\svchost.exe[624] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 00B523A0
.text C:\WINDOWS\system32\svchost.exe[624] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00B52160
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[676] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 008F6390
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[676] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 008F6640
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[676] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 008F53D0
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[676] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 008F5300
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[676] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008F11C0
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[676] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008F1290
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[676] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 008F2570
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[676] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 008F1000
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[676] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 008F10A0
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[676] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 008F2510
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[676] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 008F1D10
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[676] WS2_32.dll!send 71AB4C27 5 Bytes JMP 008F7250
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[676] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 008F20A0
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[676] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 008F23A0
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[676] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 008F2160
.text C:\WINDOWS\System32\svchost.exe[752] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 006E6390
.text C:\WINDOWS\System32\svchost.exe[752] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 006E6640
.text C:\WINDOWS\System32\svchost.exe[752] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 006E53D0
.text C:\WINDOWS\System32\svchost.exe[752] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 006E5300
.text C:\WINDOWS\System32\svchost.exe[752] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006E11C0
.text C:\WINDOWS\System32\svchost.exe[752] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006E1290
.text C:\WINDOWS\System32\svchost.exe[752] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 006E2570
.text C:\WINDOWS\System32\svchost.exe[752] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 006E1000
.text C:\WINDOWS\System32\svchost.exe[752] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 006E10A0
.text C:\WINDOWS\System32\svchost.exe[752] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 006E2510
.text C:\WINDOWS\System32\svchost.exe[752] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 006E1D10
.text C:\WINDOWS\System32\svchost.exe[752] WS2_32.dll!send 71AB4C27 5 Bytes JMP 006E7250
.text C:\WINDOWS\System32\svchost.exe[752] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 006E20A0
.text C:\WINDOWS\System32\svchost.exe[752] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 006E23A0
.text C:\WINDOWS\System32\svchost.exe[752] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 006E2160
.text C:\Program Files\Mozilla Firefox\firefox.exe[812] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00166390
.text C:\Program Files\Mozilla Firefox\firefox.exe[812] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00166640
.text C:\Program Files\Mozilla Firefox\firefox.exe[812] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 001653D0
.text C:\Program Files\Mozilla Firefox\firefox.exe[812] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00165300
.text C:\Program Files\Mozilla Firefox\firefox.exe[812] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00161D10
.text C:\Program Files\Mozilla Firefox\firefox.exe[812] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00167250
.text C:\Program Files\Mozilla Firefox\firefox.exe[812] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 001620A0
.text C:\Program Files\Mozilla Firefox\firefox.exe[812] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 001623A0
.text C:\Program Files\Mozilla Firefox\firefox.exe[812] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00162160
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[836] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 01456390
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[836] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 01456640
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[836] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 014553D0
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[836] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01455300
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[836] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 014511C0
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[836] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01451290
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[836] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 01452570
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[836] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 01451000
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[836] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 014510A0
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[836] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 01452510
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[836] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 01451D10
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[836] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01457250
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[836] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 014520A0
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[836] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 014523A0
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[836] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 01452160
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[924] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 05E96390
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[924] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 05E96640
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[924] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 05E953D0
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[924] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 05E95300
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[924] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 05E911C0
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[924] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 05E91290
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[924] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 05E92570
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[924] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 05E91000
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[924] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 05E910A0
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[924] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 05E92510
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[924] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 05E91D10
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[924] WS2_32.dll!send 71AB4C27 5 Bytes JMP 05E97250
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[924] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 05E920A0
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[924] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 05E923A0
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[924] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 05E92160
.text C:\WINDOWS\system32\svchost.exe[1076] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00BB6390
.text C:\WINDOWS\system32\svchost.exe[1076] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00BB6640
.text C:\WINDOWS\system32\svchost.exe[1076] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00BB53D0
.text C:\WINDOWS\system32\svchost.exe[1076] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00BB5300
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB11C0
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB1290
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00BB2570
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00BB1000
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00BB10A0
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00BB2510
.text C:\WINDOWS\system32\svchost.exe[1076] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00BB1D10
.text C:\WINDOWS\system32\svchost.exe[1076] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00BB7250
.text C:\WINDOWS\system32\svchost.exe[1076] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 00BB20A0
.text C:\WINDOWS\system32\svchost.exe[1076] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 00BB23A0
.text C:\WINDOWS\system32\svchost.exe[1076] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00BB2160
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[1092] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 03746390
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[1092] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 03746640
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[1092] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 037453D0
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[1092] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 03745300
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[1092] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 037411C0
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[1092] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03741290
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[1092] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 03742570
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[1092] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 03741000
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[1092] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 037410A0
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[1092] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 03742510
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[1092] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 03741D10
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[1092] WS2_32.dll!send 71AB4C27 5 Bytes JMP 03747250
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[1092] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 037420A0
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[1092] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 037423A0
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[1092] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 03742160
.text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 006E6390
.text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 006E6640
.text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 006E53D0
.text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 006E5300
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006E11C0
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006E1290
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 006E2570
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 006E1000
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 006E10A0
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 006E2510
.text C:\WINDOWS\System32\svchost.exe[1128] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 006E1D10
.text C:\WINDOWS\System32\svchost.exe[1128] WS2_32.dll!send 71AB4C27 5 Bytes JMP 006E7250
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 006E20A0
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 006E23A0
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 006E2160
.text C:\Program Files\Tether\TBService.exe[1220] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00636390
.text C:\Program Files\Tether\TBService.exe[1220] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00636640
.text C:\Program Files\Tether\TBService.exe[1220] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 006353D0
.text C:\Program Files\Tether\TBService.exe[1220] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00635300
.text C:\Program Files\Tether\TBService.exe[1220] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006311C0
.text C:\Program Files\Tether\TBService.exe[1220] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00631290
.text C:\Program Files\Tether\TBService.exe[1220] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00632570
.text C:\Program Files\Tether\TBService.exe[1220] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00631000
.text C:\Program Files\Tether\TBService.exe[1220] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 006310A0
.text C:\Program Files\Tether\TBService.exe[1220] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00632510
.text C:\Program Files\Tether\TBService.exe[1220] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00631D10
.text C:\Program Files\Tether\TBService.exe[1220] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00637250
.text C:\Program Files\Tether\TBService.exe[1220] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 006320A0
.text C:\Program Files\Tether\TBService.exe[1220] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 006323A0
.text C:\Program Files\Tether\TBService.exe[1220] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00632160
.text C:\WINDOWS\system32\csrss.exe[1272] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 01496390
.text C:\WINDOWS\system32\csrss.exe[1272] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 01496640
.text C:\WINDOWS\system32\csrss.exe[1272] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 014953D0
.text C:\WINDOWS\system32\csrss.exe[1272] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01495300
.text C:\WINDOWS\system32\csrss.exe[1272] KERNEL32.dll!CreateFileA 7C801A28 5 Bytes JMP 014911C0
.text C:\WINDOWS\system32\csrss.exe[1272] KERNEL32.dll!CreateFileW 7C810800 5 Bytes JMP 01491290
.text C:\WINDOWS\system32\csrss.exe[1272] KERNEL32.dll!MoveFileW 7C821261 5 Bytes JMP 01492570
.text C:\WINDOWS\system32\csrss.exe[1272] KERNEL32.dll!CopyFileA 7C8286EE 5 Bytes JMP 01491000
.text C:\WINDOWS\system32\csrss.exe[1272] KERNEL32.dll!CopyFileW 7C82F87B 5 Bytes JMP 014910A0
.text C:\WINDOWS\system32\csrss.exe[1272] KERNEL32.dll!MoveFileA 7C835EBF 5 Bytes JMP 01492510
.text C:\WINDOWS\system32\csrss.exe[1272] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 01491D10
.text C:\WINDOWS\system32\csrss.exe[1272] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01497250
.text C:\WINDOWS\system32\csrss.exe[1272] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 014920A0
.text C:\WINDOWS\system32\csrss.exe[1272] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 014923A0
.text C:\WINDOWS\system32\csrss.exe[1272] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 01492160
.text C:\WINDOWS\system32\spoolsv.exe[1280] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 018E6390
.text C:\WINDOWS\system32\spoolsv.exe[1280] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 018E6640
.text C:\WINDOWS\system32\spoolsv.exe[1280] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 018E53D0
.text C:\WINDOWS\system32\spoolsv.exe[1280] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 018E5300
.text C:\WINDOWS\system32\spoolsv.exe[1280] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 018E11C0
.text C:\WINDOWS\system32\spoolsv.exe[1280] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 018E1290
.text C:\WINDOWS\system32\spoolsv.exe[1280] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 018E2570
.text C:\WINDOWS\system32\spoolsv.exe[1280] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 018E1000
.text C:\WINDOWS\system32\spoolsv.exe[1280] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 018E10A0
.text C:\WINDOWS\system32\spoolsv.exe[1280] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 018E2510
.text C:\WINDOWS\system32\spoolsv.exe[1280] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 018E1D10
.text C:\WINDOWS\system32\spoolsv.exe[1280] WS2_32.dll!send 71AB4C27 5 Bytes JMP 018E7250
.text C:\WINDOWS\system32\spoolsv.exe[1280] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 018E20A0
.text C:\WINDOWS\system32\spoolsv.exe[1280] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 018E23A0
.text C:\WINDOWS\system32\spoolsv.exe[1280] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 018E2160
.text C:\WINDOWS\system32\winlogon.exe[1300] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 019B6390
.text C:\WINDOWS\system32\winlogon.exe[1300] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 019B6640
.text C:\WINDOWS\system32\winlogon.exe[1300] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 019B53D0
.text C:\WINDOWS\system32\winlogon.exe[1300] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 019B5300
.text C:\WINDOWS\system32\winlogon.exe[1300] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 019B11C0
.text C:\WINDOWS\system32\winlogon.exe[1300] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 019B1290
.text C:\WINDOWS\system32\winlogon.exe[1300] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 019B2570
.text C:\WINDOWS\system32\winlogon.exe[1300] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 019B1000
.text C:\WINDOWS\system32\winlogon.exe[1300] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 019B10A0
.text C:\WINDOWS\system32\winlogon.exe[1300] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 019B2510
.text C:\WINDOWS\system32\winlogon.exe[1300] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 019B1D10
.text C:\WINDOWS\system32\winlogon.exe[1300] WS2_32.dll!send 71AB4C27 5 Bytes JMP 019B7250
.text C:\WINDOWS\system32\winlogon.exe[1300] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 019B20A0
.text C:\WINDOWS\system32\winlogon.exe[1300] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 019B23A0
.text C:\WINDOWS\system32\winlogon.exe[1300] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 019B2160
.text C:\WINDOWS\system32\services.exe[1356] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00D16390
.text C:\WINDOWS\system32\services.exe[1356] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00D16640
.text C:\WINDOWS\system32\services.exe[1356] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00D153D0
.text C:\WINDOWS\system32\services.exe[1356] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00D15300
.text C:\WINDOWS\system32\services.exe[1356] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D111C0
.text C:\WINDOWS\system32\services.exe[1356] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D11290
.text C:\WINDOWS\system32\services.exe[1356] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00D12570
.text C:\WINDOWS\system32\services.exe[1356] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00D11000
.text C:\WINDOWS\system32\services.exe[1356] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00D110A0
.text C:\WINDOWS\system32\services.exe[1356] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00D12510
.text C:\WINDOWS\system32\services.exe[1356] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00D11D10
.text C:\WINDOWS\system32\services.exe[1356] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D17250
.text C:\WINDOWS\system32\services.exe[1356] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 00D120A0
.text C:\WINDOWS\system32\services.exe[1356] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 00D123A0
.text C:\WINDOWS\system32\services.exe[1356] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00D12160
.text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 02416390
.text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 02416640
.text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 024153D0
.text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 02415300
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 024111C0
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02411290
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 02412570
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 02411000
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 024110A0
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 02412510
.text C:\WINDOWS\system32\svchost.exe[1512] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 02411D10
.text C:\WINDOWS\system32\svchost.exe[1512] WS2_32.dll!send 71AB4C27 5 Bytes JMP 02417250
.text C:\WINDOWS\system32\svchost.exe[1512] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 024120A0
.text C:\WINDOWS\system32\svchost.exe[1512] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 024123A0
.text C:\WINDOWS\system32\svchost.exe[1512] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 02412160
.text C:\WINDOWS\System32\svchost.exe[1544] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 000A6390
.text C:\WINDOWS\System32\svchost.exe[1544] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 000A6640
.text C:\WINDOWS\System32\svchost.exe[1544] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 000A53D0
.text C:\WINDOWS\System32\svchost.exe[1544] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A5300
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 000A11C0
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 000A1290
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 000A2570
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 000A1000
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 000A10A0
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 000A2510
.text C:\WINDOWS\System32\svchost.exe[1544] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 000A1D10
.text C:\WINDOWS\System32\svchost.exe[1544] WS2_32.dll!send 71AB4C27 5 Bytes JMP 000A7250
.text C:\WINDOWS\System32\svchost.exe[1544] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 000A20A0
.text C:\WINDOWS\System32\svchost.exe[1544] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 000A23A0
.text C:\WINDOWS\System32\svchost.exe[1544] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 000A2160
.text C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe[1552] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00DD6390
.text C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe[1552] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00DD6640
.text C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe[1552] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00DD53D0
.text C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe[1552] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00DD5300
.text C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe[1552] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DD11C0
.text C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe[1552] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DD1290
.text C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe[1552] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00DD2570
.text C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe[1552] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00DD1000
.text C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe[1552] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00DD10A0
.text C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe[1552] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00DD2510
.text C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe[1552] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00DD1D10
.text C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe[1552] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DD7250
.text C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe[1552] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 00DD20A0
.text C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe[1552] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 00DD23A0
.text C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe[1552] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00DD2160
.text C:\WINDOWS\system32\svchost.exe[1648] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00D46390
.text C:\WINDOWS\system32\svchost.exe[1648] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00D46640
.text C:\WINDOWS\system32\svchost.exe[1648] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00D453D0
.text C:\WINDOWS\system32\svchost.exe[1648] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00D45300
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D411C0
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D41290
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00D42570
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00D41000
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00D410A0
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00D42510
.text C:\WINDOWS\system32\svchost.exe[1648] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00D41D10
.text C:\WINDOWS\system32\svchost.exe[1648] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D47250
.text C:\WINDOWS\system32\svchost.exe[1648] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 00D420A0
.text C:\WINDOWS\system32\svchost.exe[1648] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 00D423A0
.text C:\WINDOWS\system32\svchost.exe[1648] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00D42160
.text C:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 02BC6390
.text C:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 02BC6640
.text C:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 02BC53D0
.text C:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 02BC5300
.text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02BC11C0
.text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02BC1290
.text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 02BC2570
.text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 02BC1000
.text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 02BC10A0
.text C:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 02BC2510
.text C:\WINDOWS\System32\svchost.exe[1692] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 02BC1D10
.text C:\WINDOWS\System32\svchost.exe[1692] WS2_32.dll!send 71AB4C27 5 Bytes JMP 02BC7250
.text C:\WINDOWS\System32\svchost.exe[1692] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 02BC20A0
.text C:\WINDOWS\System32\svchost.exe[1692] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 02BC23A0
.text C:\WINDOWS\System32\svchost.exe[1692] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 02BC2160
.text C:\WINDOWS\System32\SCardSvr.exe[1716] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 007B6390
.text C:\WINDOWS\System32\SCardSvr.exe[1716] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 007B6640
.text C:\WINDOWS\System32\SCardSvr.exe[1716] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 007B53D0
.text C:\WINDOWS\System32\SCardSvr.exe[1716] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 007B5300
.text C:\WINDOWS\System32\SCardSvr.exe[1716] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007B11C0
.text C:\WINDOWS\System32\SCardSvr.exe[1716] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007B1290
.text C:\WINDOWS\System32\SCardSvr.exe[1716] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 007B2570
.text C:\WINDOWS\System32\SCardSvr.exe[1716] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 007B1000
.text C:\WINDOWS\System32\SCardSvr.exe[1716] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 007B10A0
.text C:\WINDOWS\System32\SCardSvr.exe[1716] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 007B2510
.text C:\WINDOWS\System32\SCardSvr.exe[1716] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 007B1D10
.text C:\WINDOWS\System32\SCardSvr.exe[1716] WS2_32.dll!send 71AB4C27 5 Bytes JMP 007B7250
.text C:\WINDOWS\System32\SCardSvr.exe[1716] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 007B20A0
.text C:\WINDOWS\System32\SCardSvr.exe[1716] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 007B23A0
.text C:\WINDOWS\System32\SCardSvr.exe[1716] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 007B2160
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1800] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00D96390
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1800] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00D96640
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1800] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00D953D0
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1800] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00D95300
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1800] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D911C0
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1800] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D91290
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1800] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00D92570
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1800] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00D91000
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1800] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00D910A0
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1800] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00D92510
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1800] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00D91D10
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1800] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D97250
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1800] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 00D920A0
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1800] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 00D923A0
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe[1800] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00D92160
.text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 007A6390
.text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 007A6640
.text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 007A53D0
.text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 007A5300
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007A11C0
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007A1290
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 007A2570
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 007A1000
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 007A10A0
.text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 007A2510
.text C:\WINDOWS\system32\svchost.exe[1972] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 007A1D10
.text C:\WINDOWS\system32\svchost.exe[1972] WS2_32.dll!send 71AB4C27 5 Bytes JMP 007A7250
.text C:\WINDOWS\system32\svchost.exe[1972] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 007A20A0
.text C:\WINDOWS\system32\svchost.exe[1972] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 007A23A0
.text C:\WINDOWS\system32\svchost.exe[1972] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 007A2160
.text C:\WINDOWS\system32\igfxsrvc.exe[2212] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 01236390
.text C:\WINDOWS\system32\igfxsrvc.exe[2212] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 01236640
.text C:\WINDOWS\system32\igfxsrvc.exe[2212] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 012353D0
.text C:\WINDOWS\system32\igfxsrvc.exe[2212] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01235300
.text C:\WINDOWS\system32\igfxsrvc.exe[2212] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 012311C0
.text C:\WINDOWS\system32\igfxsrvc.exe[2212] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01231290
.text C:\WINDOWS\system32\igfxsrvc.exe[2212] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 01232570
.text C:\WINDOWS\system32\igfxsrvc.exe[2212] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 01231000
.text C:\WINDOWS\system32\igfxsrvc.exe[2212] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 012310A0
.text C:\WINDOWS\system32\igfxsrvc.exe[2212] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 01232510
.text C:\WINDOWS\system32\igfxsrvc.exe[2212] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 01231D10
.text C:\WINDOWS\system32\igfxsrvc.exe[2212] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01237250
.text C:\WINDOWS\system32\igfxsrvc.exe[2212] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 012320A0
.text C:\WINDOWS\system32\igfxsrvc.exe[2212] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 012323A0
.text C:\WINDOWS\system32\igfxsrvc.exe[2212] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 01232160
.text C:\WINDOWS\system32\cidaemon.exe[2368] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 000A6390
.text C:\WINDOWS\system32\cidaemon.exe[2368] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 000A6640
.text C:\WINDOWS\system32\cidaemon.exe[2368] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 000A53D0
.text C:\WINDOWS\system32\cidaemon.exe[2368] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A5300
.text C:\WINDOWS\system32\cidaemon.exe[2368] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 000A11C0
.text C:\WINDOWS\system32\cidaemon.exe[2368] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 000A1290
.text C:\WINDOWS\system32\cidaemon.exe[2368] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 000A2570
.text C:\WINDOWS\system32\cidaemon.exe[2368] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 000A1000
.text C:\WINDOWS\system32\cidaemon.exe[2368] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 000A10A0
.text C:\WINDOWS\system32\cidaemon.exe[2368] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 000A2510
.text C:\WINDOWS\system32\cidaemon.exe[2368] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 000A1D10
.text C:\WINDOWS\system32\cidaemon.exe[2368] WS2_32.dll!send 71AB4C27 5 Bytes JMP 000A7250
.text C:\WINDOWS\system32\cidaemon.exe[2368] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 000A20A0
.text C:\WINDOWS\system32\cidaemon.exe[2368] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 000A23A0
.text C:\WINDOWS\system32\cidaemon.exe[2368] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 000A2160
.text C:\Program Files\DellTPad\ApMsgFwd.exe[2464] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00A56390
.text C:\Program Files\DellTPad\ApMsgFwd.exe[2464] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00A56640
.text C:\Program Files\DellTPad\ApMsgFwd.exe[2464] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00A553D0
.text C:\Program Files\DellTPad\ApMsgFwd.exe[2464] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00A55300
.text C:\Program Files\DellTPad\ApMsgFwd.exe[2464] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A511C0
.text C:\Program Files\DellTPad\ApMsgFwd.exe[2464] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A51290
.text C:\Program Files\DellTPad\ApMsgFwd.exe[2464] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00A52570
.text C:\Program Files\DellTPad\ApMsgFwd.exe[2464] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00A51000
.text C:\Program Files\DellTPad\ApMsgFwd.exe[2464] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00A510A0
.text C:\Program Files\DellTPad\ApMsgFwd.exe[2464] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00A52510
.text C:\Program Files\DellTPad\ApMsgFwd.exe[2464] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00A51D10
.text C:\Program Files\DellTPad\ApMsgFwd.exe[2464] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00A57250
.text C:\Program Files\DellTPad\ApMsgFwd.exe[2464] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 00A520A0
.text C:\Program Files\DellTPad\ApMsgFwd.exe[2464] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 00A523A0
.text C:\Program Files\DellTPad\ApMsgFwd.exe[2464] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00A52160
.text C:\WINDOWS\system32\cidaemon.exe[2476] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 000A6390
.text C:\WINDOWS\system32\cidaemon.exe[2476] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 000A6640
.text C:\WINDOWS\system32\cidaemon.exe[2476] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 000A53D0
.text C:\WINDOWS\system32\cidaemon.exe[2476] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A5300
.text C:\WINDOWS\system32\cidaemon.exe[2476] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 000A11C0
.text C:\WINDOWS\system32\cidaemon.exe[2476] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 000A1290
.text C:\WINDOWS\system32\cidaemon.exe[2476] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 000A2570
.text C:\WINDOWS\system32\cidaemon.exe[2476] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 000A1000
.text C:\WINDOWS\system32\cidaemon.exe[2476] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 000A10A0
.text C:\WINDOWS\system32\cidaemon.exe[2476] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 000A2510
.text C:\WINDOWS\system32\cidaemon.exe[2476] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 000A1D10
.text C:\WINDOWS\system32\cidaemon.exe[2476] WS2_32.dll!send 71AB4C27 5 Bytes JMP 000A7250
.text C:\WINDOWS\system32\cidaemon.exe[2476] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 000A20A0
.text C:\WINDOWS\system32\cidaemon.exe[2476] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 000A23A0
.text C:\WINDOWS\system32\cidaemon.exe[2476] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 000A2160
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2556] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00166390
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2556] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00166640
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2556] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 001653D0
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2556] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00165300
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2556] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001611C0
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2556] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00161290
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2556] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00162570
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2556] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00161000
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2556] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 001610A0
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2556] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00162510
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2556] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00161D10
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2556] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00167250
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2556] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 104B229C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2556] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104B2861 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2556] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 001620A0
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2556] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 001623A0
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2556] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00162160
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[2780] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 01576390
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[2780] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 01576640
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[2780] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 015753D0
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[2780] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01575300
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[2780] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 015711C0
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[2780] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01571290
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[2780] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 01572570
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[2780] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 01571000
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[2780] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 015710A0
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[2780] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 01572510
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[2780] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 01571D10
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[2780] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01577250
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[2780] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 015720A0
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[2780] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 015723A0
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[2780] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 01572160
.text C:\Program Files\DellTPad\HidFind.exe[3104] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00A56390
.text C:\Program Files\DellTPad\HidFind.exe[3104] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00A56640
.text C:\Program Files\DellTPad\HidFind.exe[3104] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00A553D0
.text C:\Program Files\DellTPad\HidFind.exe[3104] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00A55300
.text C:\Program Files\DellTPad\HidFind.exe[3104] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A511C0
.text C:\Program Files\DellTPad\HidFind.exe[3104] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A51290
.text C:\Program Files\DellTPad\HidFind.exe[3104] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00A52570
.text C:\Program Files\DellTPad\HidFind.exe[3104] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00A51000
.text C:\Program Files\DellTPad\HidFind.exe[3104] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00A510A0
.text C:\Program Files\DellTPad\HidFind.exe[3104] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00A52510
.text C:\Program Files\DellTPad\HidFind.exe[3104] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00A51D10
.text C:\Program Files\DellTPad\HidFind.exe[3104] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00A57250
.text C:\Program Files\DellTPad\HidFind.exe[3104] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 00A520A0
.text C:\Program Files\DellTPad\HidFind.exe[3104] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 00A523A0
.text C:\Program Files\DellTPad\HidFind.exe[3104] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00A52160
.text C:\Program Files\DellTPad\Apntex.exe[3128] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00B56390
.text C:\Program Files\DellTPad\Apntex.exe[3128] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00B56640
.text C:\Program Files\DellTPad\Apntex.exe[3128] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00B553D0
.text C:\Program Files\DellTPad\Apntex.exe[3128] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00B55300
.text C:\Program Files\DellTPad\Apntex.exe[3128] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B511C0
.text C:\Program Files\DellTPad\Apntex.exe[3128] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B51290
.text C:\Program Files\DellTPad\Apntex.exe[3128] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00B52570
.text C:\Program Files\DellTPad\Apntex.exe[3128] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00B51000
.text C:\Program Files\DellTPad\Apntex.exe[3128] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00B510A0
.text C:\Program Files\DellTPad\Apntex.exe[3128] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00B52510
.text C:\Program Files\DellTPad\Apntex.exe[3128] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00B51D10
.text C:\Program Files\DellTPad\Apntex.exe[3128] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B57250
.text C:\Program Files\DellTPad\Apntex.exe[3128] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 00B520A0
.text C:\Program Files\DellTPad\Apntex.exe[3128] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 00B523A0
.text C:\Program Files\DellTPad\Apntex.exe[3128] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00B52160
.text C:\WINDOWS\system32\svchost.exe[3192] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 01926390
.text C:\WINDOWS\system32\svchost.exe[3192] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 01926640
.text C:\WINDOWS\system32\svchost.exe[3192] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 019253D0
.text C:\WINDOWS\system32\svchost.exe[3192] ntdll.dll!LdrLoadDll 7C91632D 3 Bytes JMP 01925300
.text C:\WINDOWS\system32\svchost.exe[3192] ntdll.dll!LdrLoadDll + 4 7C916331 1 Byte [85]
.text C:\WINDOWS\system32\svchost.exe[3192] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 019211C0
.text C:\WINDOWS\system32\svchost.exe[3192] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01921290
.text C:\WINDOWS\system32\svchost.exe[3192] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 01922570
.text C:\WINDOWS\system32\svchost.exe[3192] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 01921000
.text C:\WINDOWS\system32\svchost.exe[3192] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 019210A0
.text C:\WINDOWS\system32\svchost.exe[3192] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 01922510
.text C:\WINDOWS\system32\svchost.exe[3192] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 01921D10
.text C:\WINDOWS\system32\svchost.exe[3192] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01927250
.text C:\WINDOWS\system32\svchost.exe[3192] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 019220A0
.text C:\WINDOWS\system32\svchost.exe[3192] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 019223A0
.text C:\WINDOWS\system32\svchost.exe[3192] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 01922160
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3488] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00E96390
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3488] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00E96640
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3488] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00E953D0
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3488] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00E95300
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3488] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E911C0
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3488] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E91290
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3488] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00E92570
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3488] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00E91000
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3488] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00E910A0
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3488] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00E92510
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3488] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00E91D10
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3488] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E97250
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3488] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 00E920A0
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3488] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 00E923A0
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3488] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00E92160
.text C:\WINDOWS\System32\alg.exe[3500] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00B16390
.text C:\WINDOWS\System32\alg.exe[3500] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00B16640
.text C:\WINDOWS\System32\alg.exe[3500] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00B153D0
.text C:\WINDOWS\System32\alg.exe[3500] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00B15300
.text C:\WINDOWS\System32\alg.exe[3500] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B111C0
.text C:\WINDOWS\System32\alg.exe[3500] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B11290
.text C:\WINDOWS\System32\alg.exe[3500] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00B12570
.text C:\WINDOWS\System32\alg.exe[3500] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00B11000
.text C:\WINDOWS\System32\alg.exe[3500] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00B110A0
.text C:\WINDOWS\System32\alg.exe[3500] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00B12510
.text C:\WINDOWS\System32\alg.exe[3500] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00B11D10
.text C:\WINDOWS\System32\alg.exe[3500] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B17250
.text C:\WINDOWS\System32\alg.exe[3500] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 00B120A0
.text C:\WINDOWS\System32\alg.exe[3500] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 00B123A0
.text C:\WINDOWS\System32\alg.exe[3500] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00B12160
.text C:\Documents and Settings\mkershaw\Desktop\32mzuy1p.exe[3684] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00166390
.text C:\Documents and Settings\mkershaw\Desktop\32mzuy1p.exe[3684] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00166640
.text C:\Documents and Settings\mkershaw\Desktop\32mzuy1p.exe[3684] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 001653D0
.text C:\Documents and Settings\mkershaw\Desktop\32mzuy1p.exe[3684] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00165300
.text C:\Documents and Settings\mkershaw\Desktop\32mzuy1p.exe[3684] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001611C0
.text C:\Documents and Settings\mkershaw\Desktop\32mzuy1p.exe[3684] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00161290
.text C:\Documents and Settings\mkershaw\Desktop\32mzuy1p.exe[3684] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00162570
.text C:\Documents and Settings\mkershaw\Desktop\32mzuy1p.exe[3684] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00161000
.text C:\Documents and Settings\mkershaw\Desktop\32mzuy1p.exe[3684] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 001610A0
.text C:\Documents and Settings\mkershaw\Desktop\32mzuy1p.exe[3684] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00162510
.text C:\Documents and Settings\mkershaw\Desktop\32mzuy1p.exe[3684] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00161D10
.text C:\Documents and Settings\mkershaw\Desktop\32mzuy1p.exe[3684] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00167250
.text C:\Documents and Settings\mkershaw\Desktop\32mzuy1p.exe[3684] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 001620A0
.text C:\Documents and Settings\mkershaw\Desktop\32mzuy1p.exe[3684] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 001623A0
.text C:\Documents and Settings\mkershaw\Desktop\32mzuy1p.exe[3684] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00162160
.text C:\WINDOWS\Explorer.EXE[3740] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 02406390
.text C:\WINDOWS\Explorer.EXE[3740] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 02406640
.text C:\WINDOWS\Explorer.EXE[3740] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 024053D0
.text C:\WINDOWS\Explorer.EXE[3740] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 02405300
.text C:\WINDOWS\Explorer.EXE[3740] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 024011C0
.text C:\WINDOWS\Explorer.EXE[3740] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02401290
.text C:\WINDOWS\Explorer.EXE[3740] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 02402570
.text C:\WINDOWS\Explorer.EXE[3740] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 02401000
.text C:\WINDOWS\Explorer.EXE[3740] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 024010A0
.text C:\WINDOWS\Explorer.EXE[3740] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 02402510
.text C:\WINDOWS\Explorer.EXE[3740] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 024020A0
.text C:\WINDOWS\Explorer.EXE[3740] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 024023A0
.text C:\WINDOWS\Explorer.EXE[3740] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 02402160
.text C:\WINDOWS\Explorer.EXE[3740] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 02401D10
.text C:\WINDOWS\Explorer.EXE[3740] WS2_32.dll!send 71AB4C27 5 Bytes JMP 02407250
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[3764] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 02E86390
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[3764] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 02E86640
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[3764] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 02E853D0
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[3764] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 02E85300
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[3764] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02E811C0
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[3764] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02E81290
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[3764] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 02E82570
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[3764] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 02E81000
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[3764] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 02E810A0
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[3764] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 02E82510
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[3764] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 02E81D10
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[3764] WS2_32.dll!send 71AB4C27 5 Bytes JMP 02E87250
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[3764] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 02E820A0
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[3764] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 02E823A0
.text C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe[3764] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 02E82160
.text C:\Program Files\Dell\QuickSet\quickset.exe[4000] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 01B56390
.text C:\Program Files\Dell\QuickSet\quickset.exe[4000] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 01B56640
.text C:\Program Files\Dell\QuickSet\quickset.exe[4000] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 01B553D0
.text C:\Program Files\Dell\QuickSet\quickset.exe[4000] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01B55300
.text C:\Program Files\Dell\QuickSet\quickset.exe[4000] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01B511C0
.text C:\Program Files\Dell\QuickSet\quickset.exe[4000] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01B51290
.text C:\Program Files\Dell\QuickSet\quickset.exe[4000] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 01B52570
.text C:\Program Files\Dell\QuickSet\quickset.exe[4000] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 01B51000
.text C:\Program Files\Dell\QuickSet\quickset.exe[4000] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 01B510A0
.text C:\Program Files\Dell\QuickSet\quickset.exe[4000] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 01B52510
.text C:\Program Files\Dell\QuickSet\quickset.exe[4000] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 01B520A0
.text C:\Program Files\Dell\QuickSet\quickset.exe[4000] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 01B523A0
.text C:\Program Files\Dell\QuickSet\quickset.exe[4000] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 01B52160
.text C:\Program Files\Dell\QuickSet\quickset.exe[4000] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 01B51D10
.text C:\Program Files\Dell\QuickSet\quickset.exe[4000] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01B57250
.text C:\WINDOWS\system32\hkcmd.exe[4064] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 01096390
.text C:\WINDOWS\system32\hkcmd.exe[4064] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 01096640
.text C:\WINDOWS\system32\hkcmd.exe[4064] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 010953D0
.text C:\WINDOWS\system32\hkcmd.exe[4064] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01095300
.text C:\WINDOWS\system32\hkcmd.exe[4064] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010911C0
.text C:\WINDOWS\system32\hkcmd.exe[4064] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01091290
.text C:\WINDOWS\system32\hkcmd.exe[4064] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 01092570
.text C:\WINDOWS\system32\hkcmd.exe[4064] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 01091000
.text C:\WINDOWS\system32\hkcmd.exe[4064] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 010910A0
.text C:\WINDOWS\system32\hkcmd.exe[4064] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 01092510
.text C:\WINDOWS\system32\hkcmd.exe[4064] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 01091D10
.text C:\WINDOWS\system32\hkcmd.exe[4064] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01097250
.text C:\WINDOWS\system32\hkcmd.exe[4064] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 010920A0
.text C:\WINDOWS\system32\hkcmd.exe[4064] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 010923A0
.text C:\WINDOWS\system32\hkcmd.exe[4064] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 01092160
.text C:\WINDOWS\system32\igfxpers.exe[4076] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 01096390
.text C:\WINDOWS\system32\igfxpers.exe[4076] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 01096640
.text C:\WINDOWS\system32\igfxpers.exe[4076] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 010953D0
.text C:\WINDOWS\system32\igfxpers.exe[4076] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01095300
.text C:\WINDOWS\system32\igfxpers.exe[4076] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010911C0
.text C:\WINDOWS\system32\igfxpers.exe[4076] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01091290
.text C:\WINDOWS\system32\igfxpers.exe[4076] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 01092570
.text C:\WINDOWS\system32\igfxpers.exe[4076] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 01091000
.text C:\WINDOWS\system32\igfxpers.exe[4076] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 010910A0
.text C:\WINDOWS\system32\igfxpers.exe[4076] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 01092510
.text C:\WINDOWS\system32\igfxpers.exe[4076] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 01091D10
.text C:\WINDOWS\system32\igfxpers.exe[4076] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01097250
.text C:\WINDOWS\system32\igfxpers.exe[4076] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 010920A0
.text C:\WINDOWS\system32\igfxpers.exe[4076] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 010923A0
.text C:\WINDOWS\system32\igfxpers.exe[4076] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 01092160
.text C:\Program Files\DellTPad\Apoint.exe[4084] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00C46390
.text C:\Program Files\DellTPad\Apoint.exe[4084] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00C46640
.text C:\Program Files\DellTPad\Apoint.exe[4084] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00C453D0
.text C:\Program Files\DellTPad\Apoint.exe[4084] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00C45300
.text C:\Program Files\DellTPad\Apoint.exe[4084] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C411C0
.text C:\Program Files\DellTPad\Apoint.exe[4084] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C41290
.text C:\Program Files\DellTPad\Apoint.exe[4084] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00C42570
.text C:\Program Files\DellTPad\Apoint.exe[4084] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00C41000
.text C:\Program Files\DellTPad\Apoint.exe[4084] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00C410A0
.text C:\Program Files\DellTPad\Apoint.exe[4084] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00C42510
.text C:\Program Files\DellTPad\Apoint.exe[4084] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 00C41D10
.text C:\Program Files\DellTPad\Apoint.exe[4084] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C47250
.text C:\Program Files\DellTPad\Apoint.exe[4084] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 00C420A0
.text C:\Program Files\DellTPad\Apoint.exe[4084] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 00C423A0
.text C:\Program Files\DellTPad\Apoint.exe[4084] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00C42160
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[4092] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 015E6390
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[4092] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 015E6640
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[4092] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 015E53D0
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[4092] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 015E5300
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[4092] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 015E11C0
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[4092] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 015E1290
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[4092] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 015E2570
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[4092] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 015E1000
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[4092] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 015E10A0
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[4092] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 015E2510
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[4092] ws2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 015E1D10
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[4092] ws2_32.dll!send 71AB4C27 5 Bytes JMP 015E7250
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[4092] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 015E20A0
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[4092] WININET.dll!InternetWriteFile 3D958D5C 5 Bytes JMP 015E23A0
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[4092] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 015E2160

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\SYMTDI \Device\SymTDI wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Zlgwgv C:\Documents and Settings\mkershaw\Application Data\Zlgwgv.exe

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\mkershaw\Application Data\Zlgwgv.exe 282624 bytes executable

---- EOF - GMER 1.0.15 ----

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by mkershaw at 18:42:51 on 2011-09-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1334 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Tether\TBService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Documents and Settings\mkershaw\Application Data\Zlgwgv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Tlgwgp] c:\documents and settings\mkershaw\application data\Tlgwgp.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon]
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {026F6032-3CAD-412D-A803-06ABDF5E9347} - hxxp://192.168.105.21/nwcv4setup.exe
DPF: {5BE9B876-2CFB-4C26-A0A6-3C282C34F434} - hxxp://10.5.1.23/nwcv4Ssetup.exe
DPF: {5D92D17F-0818-46E6-AFED-B439028BDCDE} - hxxp://10.0.0.2/wvasetup.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1304355581422
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} - hxxp://xserv.dell.com/DellDriverScanner/DellSystem.CAB
DPF: {96ADD1E5-1B8D-41BB-AB80-2C69FFB82E4A} - hxxp://10.5.1.22/nwcv4Ssetup.exe
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://10.5.1.21/activex/AMC.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
TCP: Interfaces\{CAF59F7C-0D5E-4A26-A0A2-B3C6E931CB99} : DhcpNameServer = 68.87.71.230 68.87.73.246
TCP: Interfaces\{E5C9F1B8-F8D0-422B-8887-BF8F39025CA7} : NameServer = 208.67.222.222,208.67.220.220
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: TPSvc - TPSvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mkershaw\application data\mozilla\firefox\profiles\vax6hrux.default\
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-5-6 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-5-6 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-7-1 1832072]
R2 Tether;Tether;c:\program files\tether\TBService.exe [2011-5-10 52664]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-9-12 105592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110912.003\NAVENG.SYS [2011-9-12 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110912.003\NAVEX15.SYS [2011-9-12 1576312]
S0 bmnf;bmnf;c:\windows\system32\drivers\rbfkrsdy.sys --> c:\windows\system32\drivers\rbfkrsdy.sys [?]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-5-21 23888]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 qrkis;Tether Miniport;c:\windows\system32\drivers\qrkis.sys [2011-5-10 45608]
.
=============== Created Last 30 ================
.
2011-09-19 22:24:14 282624 ----a-w- c:\documents and settings\mkershaw\application data\2.tmp
2011-09-19 10:10:56 282624 ----a-w- c:\documents and settings\mkershaw\application data\7.tmp
2011-09-18 03:55:35 278528 ----a-w- c:\documents and settings\mkershaw\application data\3.tmp
2011-09-17 11:12:41 -------- d-----w- c:\program files\ESET
2011-09-14 21:59:53 290816 ----a-w- c:\documents and settings\mkershaw\application data\6.tmp
2011-09-14 21:38:01 290816 ----a-w- c:\documents and settings\mkershaw\application data\5.tmp
2011-09-14 21:16:39 290816 ----a-w- c:\documents and settings\mkershaw\application data\4.tmp
2011-09-13 20:00:35 -------- d-----w- c:\windows\system32\Redist
2011-09-13 20:00:04 -------- d-----w- c:\program files\Spswin
2011-09-11 01:14:48 -------- d-----w- c:\documents and settings\mkershaw\application data\Malwarebytes
2011-09-11 01:14:28 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-09-11 01:14:24 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-11 01:14:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-11 00:12:58 -------- d-----w- c:\documents and settings\mkershaw\application data\SUPERAntiSpyware.com
2011-09-11 00:07:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-09-11 00:07:30 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-09-10 01:05:56 -------- d-----w- c:\documents and settings\all users\application data\STOPzilla!
2011-09-03 10:17:37 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-08-31 17:27:53 -------- d-----w- c:\documents and settings\mkershaw\local settings\application data\Identities
2011-08-30 18:06:05 -------- d-----w- c:\program files\Pelco
2011-08-30 18:06:05 -------- d-----w- c:\documents and settings\mkershaw\application data\Pelco
2011-08-25 20:31:31 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2011-08-25 20:20:10 -------- d-----w- c:\program files\Versa XS
2011-08-24 01:50:05 -------- d-----w- c:\windows\pss
2011-08-22 14:36:33 -------- d-----w- c:\documents and settings\mkershaw\local settings\application data\LogMeIn
2011-08-22 14:36:33 -------- d-----w- c:\documents and settings\all users\application data\LogMeIn
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 00:39:00 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 18:43:48.73 ===============




.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/2/2011 8:02:02 AM
System Uptime: 9/19/2011 6:14:15 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 0HN341
Processor: Intel® Core™2 Duo CPU T7500 @ 2.20GHz | Microprocessor | 2194/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 444.162 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: SASKUTIL
Device ID: ROOT\LEGACY_SASKUTIL\0000
Manufacturer:
Name: SASKUTIL
PNP Device ID: ROOT\LEGACY_SASKUTIL\0000
Service: SASKUTIL
.
Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Photosmart C7200 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart C7200 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: HP LaserJet 5100 Series
Device ID: ROOT\MULTIFUNCTION\0001
Manufacturer: Hewlett-Packard
Name: HP LaserJet 5100 Series
PNP Device ID: ROOT\MULTIFUNCTION\0001
Service:
.
Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: HP LaserJet P3005
Device ID: ROOT\MULTIFUNCTION\0002
Manufacturer: Hewlett-Packard
Name: HP LaserJet P3005
PNP Device ID: ROOT\MULTIFUNCTION\0002
Service:
.
Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: HP Color LaserJet CP2025n
Device ID: ROOT\MULTIFUNCTION\0003
Manufacturer: Hewlett-Packard
Name: HP Color LaserJet CP2025n
PNP Device ID: ROOT\MULTIFUNCTION\0003
Service:
.
Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: hp LaserJet 1320 series
Device ID: ROOT\MULTIFUNCTION\0004
Manufacturer: Hewlett-Packard
Name: hp LaserJet 1320 series
PNP Device ID: ROOT\MULTIFUNCTION\0004
Service:
.
Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: hp LaserJet 2420
Device ID: ROOT\MULTIFUNCTION\0005
Manufacturer: Hewlett-Packard
Name: hp LaserJet 2420
PNP Device ID: ROOT\MULTIFUNCTION\0005
Service:
.
Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: HP LaserJet 1022n
Device ID: ROOT\MULTIFUNCTION\0006
Manufacturer: Hewlett-Packard
Name: HP LaserJet 1022n
PNP Device ID: ROOT\MULTIFUNCTION\0006
Service:
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Tether Ethernet Adapter
Device ID: ROOT\ROOT&QRKIS\0000
Manufacturer: Tether
Name: Tether Ethernet Adapter
PNP Device ID: ROOT\ROOT&QRKIS\0000
Service: qrkis
.
==== System Restore Points ===================
.
RP107: 6/20/2011 8:04:35 AM - Installed SMS Express 4.0.
RP108: 6/20/2011 10:20:08 AM - Software Distribution Service 3.0
RP109: 6/21/2011 11:57:20 AM - System Checkpoint
RP110: 6/22/2011 9:25:46 AM - Installed Adobe Reader X (10.1.0).
RP111: 6/23/2011 9:58:10 AM - System Checkpoint
RP112: 6/24/2011 10:35:10 AM - System Checkpoint
RP113: 6/27/2011 8:07:07 AM - System Checkpoint
RP114: 6/27/2011 10:15:42 AM - Removed Network Camera View 4S
RP115: 6/27/2011 10:15:53 AM - Removed Network Camera View 4
RP116: 6/27/2011 10:18:07 AM - Removed WebVideo ActiveX
RP117: 6/27/2011 10:18:43 AM - Installed WebVideo ActiveX
RP118: 6/28/2011 1:54:01 PM - Installed Network Camera View 4S
RP119: 6/28/2011 4:56:51 PM - Software Distribution Service 3.0
RP120: 7/1/2011 8:30:17 PM - System Checkpoint
RP121: 7/4/2011 9:33:48 PM - System Checkpoint
RP122: 7/7/2011 10:30:24 AM - System Checkpoint
RP123: 7/7/2011 5:40:56 PM - Installed Comcast Desktop Software (v1.2.0.9)
RP124: 7/9/2011 1:41:43 PM - System Checkpoint
RP125: 7/14/2011 11:12:10 AM - Software Distribution Service 3.0
RP126: 7/16/2011 3:06:54 PM - System Checkpoint
RP127: 7/16/2011 3:42:05 PM - Software Distribution Service 3.0
RP128: 7/17/2011 8:30:30 PM - System Checkpoint
RP129: 7/23/2011 6:48:19 PM - System Checkpoint
RP130: 7/24/2011 7:25:36 PM - System Checkpoint
RP131: 7/25/2011 7:38:26 PM - System Checkpoint
RP132: 7/26/2011 7:46:38 PM - System Checkpoint
RP133: 7/28/2011 9:06:11 AM - System Checkpoint
RP134: 7/30/2011 10:42:18 AM - System Checkpoint
RP135: 7/31/2011 3:52:48 PM - System Checkpoint
RP136: 8/1/2011 10:15:26 PM - System Checkpoint
RP137: 8/4/2011 9:33:12 AM - System Checkpoint
RP138: 8/6/2011 7:52:28 PM - System Checkpoint
RP139: 8/9/2011 8:53:26 PM - System Checkpoint
RP140: 8/12/2011 9:04:26 PM - Software Distribution Service 3.0
RP141: 8/13/2011 11:01:29 PM - System Checkpoint
RP142: 8/15/2011 8:39:45 AM - System Checkpoint
RP143: 8/16/2011 10:39:30 AM - System Checkpoint
RP144: 8/18/2011 10:27:11 AM - System Checkpoint
RP145: 8/19/2011 9:48:16 PM - System Checkpoint
RP146: 8/21/2011 7:39:25 AM - System Checkpoint
RP147: 8/22/2011 7:31:42 PM - System Checkpoint
RP148: 8/23/2011 7:35:44 PM - System Checkpoint
RP149: 8/23/2011 7:56:35 PM - Software Distribution Service 3.0
RP150: 8/24/2011 10:06:49 PM - System Checkpoint
RP151: 8/25/2011 4:20:07 PM - Installed Versa XS 3.0
RP152: 8/25/2011 4:29:26 PM - Installed Versa XS 2.1
RP153: 8/25/2011 4:30:38 PM - Removed Versa XS 2.1
RP154: 8/25/2011 4:31:14 PM - Removed Versa XS 3.0
RP155: 8/25/2011 4:31:57 PM - Installed Versa XS 3.0
RP156: 8/28/2011 11:34:35 AM - System Checkpoint
RP157: 8/29/2011 6:27:22 PM - System Checkpoint
RP158: 8/30/2011 2:05:57 PM - Installed DS ControlPoint.
RP159: 9/1/2011 9:09:21 PM - System Checkpoint
RP160: 9/3/2011 9:51:40 AM - System Checkpoint
RP161: 9/4/2011 1:53:37 PM - System Checkpoint
RP162: 9/5/2011 6:21:57 PM - System Checkpoint
RP163: 9/7/2011 1:32:19 PM - System Checkpoint
RP164: 9/7/2011 1:53:36 PM - Software Distribution Service 3.0
RP165: 9/9/2011 7:01:43 PM - Removed Adobe Reader X (10.1.0).
RP166: 9/9/2011 9:05:37 PM - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
RP167: 9/10/2011 8:26:53 AM - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
RP168: 9/11/2011 10:48:58 PM - System Checkpoint
RP169: 9/12/2011 11:40:09 PM - System Checkpoint
RP170: 9/13/2011 3:59:51 PM - Installed SPSWin Suite 4.2
RP171: 9/13/2011 7:52:54 PM - Installed Microsoft Fix it 50267
RP172: 9/13/2011 9:14:59 PM - Software Distribution Service 3.0
RP173: 9/15/2011 12:56:42 PM - System Checkpoint
RP174: 9/17/2011 12:36:59 PM - System Checkpoint
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Apple Application Support
Apple Software Update
AXIS Media Control Embedded
BlackBerry Desktop Software 6.0.2
Bluetooth Stack for Windows by Toshiba
Broadcom ASF Management Applications
Broadcom Gigabit Integrated Controller
BufferChm
C7200
C7200_Help
Cards_Calendar_OrderGift_DoMorePlugout
Comcast Desktop Software (v1.2.0.9)
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
Copy
Dell Touchpad
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DLS 2002
DLS 2002 North America
DLS 2002 PC5900 v1.0 Driver
DLS 2002 Skyroute v2.3-2.4 Driver
DLS2002 2010 Event Buffer Fix Driver
DLS2002 LCD5500Z v3.1 Driver
DLS2002 PC1555 v3.2 Driver Pack
DLS2002 PC1555MX v2.3 Driver
DLS2002 PC1616 v4.1 Driver Pack
DLS2002 PC1616 v4.1CP-01 Driver Pack
DLS2002 PC1616 v4.2 Driver Pack
DLS2002 PC1616 v4.2CP01 Driver Pack
DLS2002 PC1832 v4.1 Driver Pack
DLS2002 PC1832 v4.1CP-01 Driver Pack
DLS2002 PC1832 v4.2 Driver Pack
DLS2002 PC1832 v4.2CP01 Driver Pack
DLS2002 PC1864 v4.1 Driver Pack
DLS2002 PC1864 v4.1CP-01 Driver Pack
DLS2002 PC1864 v4.2 Driver Pack
DLS2002 PC1864 v4.2CP01 Driver Pack
DLS2002 PC4020 v3.3 Driver
DLS2002 PC4020 v3.5 Driver
DLS2002 PC5010 v3.2 Driver Pack
DLS2002 PC5132-433 v4.2NA Driver
DLS2002 PC5950 v1.1 Driver Pack
DLS2002 PK5500 v1.1 Driver Pack
DLS2002 PK5500 v1.2 Driver Pack
DLS2002 PK55XX v1.0 Driver Pack
DLS2002 Practical Peripherals Support Driver
DLS2002 RF5108 v1.0 Driver
DLS2002 RF5132-433 v5.0NA Driver Pack
DLS2002 RF5132 v5.1 Driver Pack
DLS2002 RF5501 v5.0 Driver
DLS2002 RFK5132 v5.1NA Driver Pack
DLS2002 RFK5132 v5.2 Driver Pack
DLS2002 RFK5132 v5.3 Driver Pack
DLS2002 SCW9045 v1.0 Driver Pack
DLS2002 SCW9047 v1.0 Driver Pack
DLS2002 SCW9047 v1.0CP-01 Driver Pack
DLS2002 Service Pack 2
DLS2002 Tlink II Driver
DLS2002 Web Update Add-In
DocProc
DocProcQFolder
DS ControlPoint
ESET Online Scanner v3
eSupportQFolder
Fax
GPBaseService
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
HP Imaging Device Functions 10.0
HP Photosmart All-In-One Driver Software 10.0 Rel .2
HP Photosmart All-In-One Software 9.0
HP Photosmart Essential 2.5
HP Solution Center 10.0
HP Update
HPDiagnosticAlert
HPPhotoSmartDiscLabel_PaperLabel
HPPhotoSmartDiscLabel_PrintOnDisc
HPPhotoSmartDiscLabelContent1
hpphotosmartdisclabelplugin
HPPhotoSmartPhotobookWebPack1
HPProductAssistant
HPSSupply
Intel® Graphics Media Accelerator Driver
LiveUpdate 3.3 (Symantec Corporation)
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Office Visio Standard 2003
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox 6.0.2 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetDeviceManager
Network Camera View 4S
NVIDIA Drivers
OCR Software by I.R.I.S. 10.0
OZ776 SCR Driver V1.1.4.202
PanoStandAlone
PS_AIO_02_ProductContext
PS_AIO_02_Software
PS_AIO_02_Software_min
PSSWCORE
QuickSet
QuickTime
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB2530548)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB2559049)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2497640)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Shop for HP Supplies
SigmaTel Audio
SIW version 2010.07.14
SMS Express 4.0
SolutionCenter
SPSWin Suite 4.2
Status
SUPERAntiSpyware
Symantec Endpoint Protection
System Requirements Lab for Intel
Tether 1.4.3.7
Toolbox
TrayApp
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Versa XS 3.0
VideoToolkit01
WebFldrs XP
WebReg
WebVideo ActiveX
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Media Player Firefox Plugin
Windows Mobile® Device Handbook
Windows XP Service Pack 3
WinDSX V3.7.132
.
==== Event Viewer Messages From Past Week ========
.
9/17/2011 10:15:20 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
9/16/2011 9:20:45 PM, error: Service Control Manager [7034] - The HP Network Devices Support service terminated unexpectedly. It has done this 1 time(s).
9/16/2011 7:52:25 PM, error: Dhcp [1002] - The IP address lease 98.216.115.170 for the Network Card with network address 001D09B9A37D has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
9/16/2011 11:55:44 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
9/16/2011 11:25:44 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
9/15/2011 8:29:44 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
9/15/2011 5:09:19 PM, error: System Error [1003] - Error code 00000044, parameter1 8872e008, parameter2 00001bc0, parameter3 00000000, parameter4 00000000.
9/14/2011 4:30:09 PM, error: Dhcp [1002] - The IP address lease 172.27.251.109 for the Network Card with network address 001E4CB39956 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
9/14/2011 2:33:13 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the W32Time service.
9/14/2011 12:07:12 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 001E4CB39956 has been denied by the DHCP server 172.27.30.18 (The DHCP Server sent a DHCPNACK message).
9/13/2011 6:41:01 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Tether service.
9/13/2011 10:20:37 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
9/13/2011 10:10:52 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV eeCtrl Fips intelppm SASDIFSV SPBBCDrv SRTSP SRTSPX SYMTDI
9/13/2011 10:10:34 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/12/2011 7:30:05 PM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
9/12/2011 2:28:46 PM, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
9/12/2011 2:26:01 PM, error: NETLOGON [5719] - No Domain Controller is available for domain INVENSYS due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
.
==== End Of File ===========================

Edited by Orange Blossom, 19 September 2011 - 11:16 PM.
Revealed link. ~ OB




#2 rigacci


Posted 22 September 2011 - 10:04 AM

Hello and welcome to the forum.

I apologize for the delay in responding to your request for help but it is very busy here and we can get overwhelmed at times.

If you have since resolved the original problem you were having, we would appreciate you letting us know.

If you still do need our help, please note the following:

  • While working with us, please refrain from running tools or applying updates other than those we suggest while we are cleaning your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received and do not proceed if you need clarification.
  • Please also include a clear description of the problems you're having.
  • After 5 days, if your topic is not replied to, I will assume it has been abandoned and will close it.

Please be patient while I analyze your logs. All of my fixes are checked by higher level forum members before posting.

Thank you.

Dave


#3 rigacci


Posted 23 September 2011 - 09:20 AM

OK Raker, here is what we have found.

There is a possibility of compromised data, until we can identify the infection positively. Once it is identified, we may have further advice or instructions but for now let's do the following.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: How to Disable Security Programs

• Double-click on ComboFix.exe & follow the prompts.

Notes: ComboFix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.


If running XP, Click on YES and allow the Recovery Console to install. If running Vista or 7, click on NO to continue the scanning for malware.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy/Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. ComboFix disconnects your machine from the internet. The connection is automatically restored before ComboFix completes its run.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.

Thanks.

Dave

#4 Raker


Posted 23 September 2011 - 09:28 PM

I am not sure if it is running any differently yet after running ComboFix. I will post back in a little while when I have a better idea.

Here is the log from combofix


ComboFix 11-09-23.03 - mkershaw 09/23/2011 21:53:35.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1456 [GMT -4:00]
Running from: c:\documents and settings\mkershaw\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\mkershaw\Application Data\2.tmp
c:\documents and settings\mkershaw\Application Data\3.tmp
c:\documents and settings\mkershaw\Application Data\4.tmp
c:\documents and settings\mkershaw\Application Data\5.tmp
c:\documents and settings\mkershaw\Application Data\6.tmp
c:\documents and settings\mkershaw\Application Data\7.tmp
c:\documents and settings\mkershaw\Application Data\8.tmp
c:\documents and settings\mkershaw\Application Data\9.tmp
c:\documents and settings\mkershaw\Application Data\A.tmp
c:\documents and settings\mkershaw\Application Data\B.tmp
c:\documents and settings\mkershaw\Application Data\C.tmp
C:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-08-24 to 2011-09-24 )))))))))))))))))))))))))))))))
.
.
2011-09-17 11:12 . 2011-09-17 11:12 -------- d-----w- c:\program files\ESET
2011-09-13 20:00 . 2011-09-13 20:00 -------- d-----w- c:\windows\system32\Redist
2011-09-13 20:00 . 2011-09-15 21:20 -------- d-----w- c:\program files\Spswin
2011-09-11 01:14 . 2011-09-11 01:14 -------- d-----w- c:\documents and settings\mkershaw\Application Data\Malwarebytes
2011-09-11 01:14 . 2011-09-11 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-11 01:14 . 2011-09-14 22:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-11 01:14 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-11 00:12 . 2011-09-11 00:12 -------- d-----w- c:\documents and settings\mkershaw\Application Data\SUPERAntiSpyware.com
2011-09-11 00:07 . 2011-09-11 00:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-09-11 00:07 . 2011-09-11 00:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-09-10 01:05 . 2011-09-10 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-09-03 10:17 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-08-31 17:27 . 2011-08-31 17:27 -------- d-----w- c:\documents and settings\mkershaw\Local Settings\Application Data\Identities
2011-08-30 18:06 . 2011-08-30 18:11 -------- d-----w- c:\documents and settings\mkershaw\Application Data\Pelco
2011-08-30 18:06 . 2011-08-30 18:06 -------- d-----w- c:\program files\Pelco
2011-08-25 20:31 . 2011-09-13 19:56 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-08-25 20:20 . 2011-09-02 11:55 -------- d-----w- c:\program files\Versa XS
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-24 01:19 . 2011-09-24 01:19 282624 ----a-w- c:\documents and settings\mkershaw\Application Data\Zlgwgv.exe
2011-09-09 09:12 . 2004-08-04 00:56 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 00:39 . 2011-06-05 21:16 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2004-08-03 23:15 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-11 17:39 . 2011-07-11 17:42 3762130 ----a-w- C:\gxe500_130E.zip
2011-07-08 14:02 . 2001-08-23 08:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-09-03 06:01 . 2011-09-13 23:46 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-23 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-06-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-06-23 142360]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-05-06 115560]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WinDSX\\cs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Documents and Settings\\mkershaw\\My Documents\\Products\\CCTV\\Panasonic\\EasyIpSetup.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 2:21 PM 79432]
R2 Tether;Tether;c:\program files\Tether\TBService.exe [5/10/2011 11:28 PM 52664]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/12/2011 10:40 PM 105592]
R3 qrkis;Tether Miniport;c:\windows\system32\drivers\qrkis.sys [5/10/2011 11:29 PM 45608]
S0 bmnf;bmnf;c:\windows\system32\drivers\rbfkrsdy.sys --> c:\windows\system32\drivers\rbfkrsdy.sys [?]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/21/2010 7:27 AM 23888]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E5C9F1B8-F8D0-422B-8887-BF8F39025CA7}: NameServer = 208.67.222.222,208.67.220.220
DPF: {026F6032-3CAD-412D-A803-06ABDF5E9347} - hxxp://192.168.105.21/nwcv4setup.exe
DPF: {5BE9B876-2CFB-4C26-A0A6-3C282C34F434} - hxxp://10.5.1.23/nwcv4Ssetup.exe
DPF: {5D92D17F-0818-46E6-AFED-B439028BDCDE} - hxxp://10.0.0.2/wvasetup.exe
DPF: {96ADD1E5-1B8D-41BB-AB80-2C69FFB82E4A} - hxxp://10.5.1.22/nwcv4Ssetup.exe
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://10.5.1.21/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\mkershaw\Application Data\Mozilla\Firefox\Profiles\vax6hrux.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Tlgwgp - c:\documents and settings\mkershaw\Application Data\Tlgwgp.exe
HKLM-Run-hpqSRMon - (no file)
Notify-TPSvc - TPSvc.dll
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-23 22:04
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwEnumerateValueKey, ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Zlgwgv = c:\documents and settings\mkershaw\Application Data\Zlgwgv.exe
.
scanning hidden files ...
.
.
c:\documents and settings\mkershaw\Application Data\Zlgwgv.exe 282624 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zlgwgv"="c:\\Documents and Settings\\mkershaw\\Application Data\\Zlgwgv.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1784)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'csrss.exe'(1732)
c:\windows\system32\WININET.dll
.
Completion time: 2011-09-23 22:08:34
ComboFix-quarantined-files.txt 2011-09-24 02:08
.
Pre-Run: 476,662,603,776 bytes free
Post-Run: 476,800,933,888 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 22AF1DFD3E367B68836FB9ABC919D298

#5 rigacci

Posted 25 September 2011 - 07:23 AM

Let's now:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quotebox below into it:

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zlgwgv"=-

Rootkit::
c:\Documents and Settings\mkershaw\Application Data\Zlgwgv.exe

File::
c:\windows\system32\drivers\rbfkrsdy.sys

Driver::
bmnf

Save this as CFScript.txt, on your Desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks.

DR

#6 Raker

Posted 25 September 2011 - 06:10 PM

I followed your instructions and now I am able to open task manager via control alt delete, browse to security sites (like Kaspersky), Symantec does not show the tamper alert message now when I start up, and now I can update my Symantec antivirus. However the PC still starts up very slowly.





ComboFix 11-09-24.04 - mkershaw 09/25/2011 9:27.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1470 [GMT -4:00]
Running from: c:\documents and settings\mkershaw\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\mkershaw\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Created a new restore point
.
FILE ::
"c:\windows\system32\drivers\rbfkrsdy.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\AutoRun.inf
c:\windows\system32\comct332.ocx
c:\windows\system32\d3d9caps.dat
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_bmnf
.
.
((((((((((((((((((((((((( Files Created from 2011-08-25 to 2011-09-25 )))))))))))))))))))))))))))))))
.
.
2011-09-17 11:12 . 2011-09-17 11:12 -------- d-----w- c:\program files\ESET
2011-09-13 20:00 . 2011-09-13 20:00 -------- d-----w- c:\windows\system32\Redist
2011-09-13 20:00 . 2011-09-15 21:20 -------- d-----w- c:\program files\Spswin
2011-09-11 01:14 . 2011-09-11 01:14 -------- d-----w- c:\documents and settings\mkershaw\Application Data\Malwarebytes
2011-09-11 01:14 . 2011-09-11 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-11 01:14 . 2011-09-14 22:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-11 01:14 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-11 00:12 . 2011-09-11 00:12 -------- d-----w- c:\documents and settings\mkershaw\Application Data\SUPERAntiSpyware.com
2011-09-11 00:07 . 2011-09-11 00:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-09-11 00:07 . 2011-09-11 00:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-09-10 01:05 . 2011-09-10 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-09-03 10:17 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-08-31 17:27 . 2011-08-31 17:27 -------- d-----w- c:\documents and settings\mkershaw\Local Settings\Application Data\Identities
2011-08-30 18:06 . 2011-08-30 18:11 -------- d-----w- c:\documents and settings\mkershaw\Application Data\Pelco
2011-08-30 18:06 . 2011-08-30 18:06 -------- d-----w- c:\program files\Pelco
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2004-08-04 00:56 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 00:39 . 2011-06-05 21:16 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2004-08-03 23:15 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-11 17:39 . 2011-07-11 17:42 3762130 ----a-w- C:\gxe500_130E.zip
2011-07-08 14:02 . 2001-08-23 08:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-09-03 06:01 . 2011-09-13 23:46 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-23 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-06-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-06-23 142360]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-05-06 115560]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WinDSX\\cs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Documents and Settings\\mkershaw\\My Documents\\Products\\CCTV\\Panasonic\\EasyIpSetup.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 2:21 PM 79432]
R2 Tether;Tether;c:\program files\Tether\TBService.exe [5/10/2011 11:28 PM 52664]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/12/2011 10:40 PM 105592]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/21/2010 7:27 AM 23888]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 qrkis;Tether Miniport;c:\windows\system32\drivers\qrkis.sys [5/10/2011 11:29 PM 45608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E5C9F1B8-F8D0-422B-8887-BF8F39025CA7}: NameServer = 208.67.222.222,208.67.220.220
DPF: {026F6032-3CAD-412D-A803-06ABDF5E9347} - hxxp://192.168.105.21/nwcv4setup.exe
DPF: {5BE9B876-2CFB-4C26-A0A6-3C282C34F434} - hxxp://10.5.1.23/nwcv4Ssetup.exe
DPF: {5D92D17F-0818-46E6-AFED-B439028BDCDE} - hxxp://10.0.0.2/wvasetup.exe
DPF: {96ADD1E5-1B8D-41BB-AB80-2C69FFB82E4A} - hxxp://10.5.1.22/nwcv4Ssetup.exe
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://10.5.1.21/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\mkershaw\Application Data\Mozilla\Firefox\Profiles\vax6hrux.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-25 09:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1408)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3612)
c:\windows\system32\WININET.dll
c:\windows\system32\igfxdo.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2011-09-25 09:57:57 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-25 13:57
ComboFix2.txt 2011-09-24 02:08
.
Pre-Run: 476,823,605,248 bytes free
Post-Run: 476,722,495,488 bytes free
.
- - End Of File - - AD0DF2E674F85A4A2A4B2E9A355B92C1

#7 rigacci

Posted 26 September 2011 - 12:55 PM

Looks better Raker!

You already have MBAM installed, so:


Launch Malwarebytes' Anti-Malware

  • Select the Update Tab and click on Check for Updates
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, you can manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Thanks.

Dave

#8 Raker

Posted 26 September 2011 - 08:03 PM

I ran Malware Bytes as instructed and it did not find anything this time. However this morning I ran Symantec scan which picked up a bunch of things.
I will include the Symantec log as well so you can see what it found. It is kind of a habit for me to run a scan when I have time in the office and I forgot that it might mess things up. Sorry if it makes the removal process more difficult. :(



Here is my Malware Bytes log:




Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7804

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

9/26/2011 8:40:57 PM
mbam-log-2011-09-26 (20-40-57).txt

Scan type: Quick scan
Objects scanned: 197396
Time elapsed: 18 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Filename Risk Action Risk Type Original Location Computer User Status Current Location Primary Action Secondary Action Logged By Action Description Date and Time
Cookie:mkershaw@atdmt.com/ Tracking Cookies Deleted Trackware Cookie:mkershaw@atdmt.com/ MKERSHAWLPT4 mkershaw Deleted Deleted Quarantine Leave alone (log only) Manual scan The file was deleted successfully. 9/25/2011 19:20
3.tmp.vir Trojan.Gen.2 Quarantined File c:\Qoobox\Quarantine\C\Documents and Settings\mkershaw\Application Data\ MKERSHAWLPT4 mkershaw Infected Quarantine Clean security risk Quarantine Manual scan The file was quarantined successfully. 9/25/2011 20:34
7.tmp.vir Trojan.Gen.2 Quarantined File c:\Qoobox\Quarantine\C\Documents and Settings\mkershaw\Application Data\ MKERSHAWLPT4 mkershaw Infected Quarantine Clean security risk Quarantine Manual scan The file was quarantined successfully. 9/25/2011 20:34
9.tmp.vir Trojan.Gen.2 Quarantined File c:\Qoobox\Quarantine\C\Documents and Settings\mkershaw\Application Data\ MKERSHAWLPT4 mkershaw Infected Quarantine Clean security risk Quarantine Manual scan The file was quarantined successfully. 9/25/2011 20:34
Zlgwgv.exe.vir Bloodhound.MalPE Quarantined Heuristics c:\Qoobox\Quarantine\C\Documents and Settings\mkershaw\Application Data\ MKERSHAWLPT4 mkershaw Infected Quarantine Clean security risk Quarantine Manual scan The file was quarantined successfully. 9/25/2011 20:34
A0042377.exe Trojan.Gen Quarantined File c:\System Volume Information\_restore{2318AAF4-1BB9-4282-AE7B-FB61233A462B}\RP167\ MKERSHAWLPT4 mkershaw Infected Quarantine Clean security risk Quarantine Manual scan The file was quarantined successfully. 9/25/2011 20:39
A0052816.exe Trojan.Gen.2 Quarantined File c:\System Volume Information\_restore{2318AAF4-1BB9-4282-AE7B-FB61233A462B}\RP174\ MKERSHAWLPT4 mkershaw Infected Quarantine Clean security risk Quarantine Manual scan The file was quarantined successfully. 9/25/2011 20:46
A0052845.exe Trojan.Gen.2 Quarantined File c:\System Volume Information\_restore{2318AAF4-1BB9-4282-AE7B-FB61233A462B}\RP174\ MKERSHAWLPT4 mkershaw Infected Quarantine Clean security risk Quarantine Manual scan The file was quarantined successfully. 9/25/2011 20:46
A0052858.exe Trojan.Gen.2 Quarantined File c:\System Volume Information\_restore{2318AAF4-1BB9-4282-AE7B-FB61233A462B}\RP175\ MKERSHAWLPT4 mkershaw Infected Quarantine Clean security risk Quarantine Manual scan The file was quarantined successfully. 9/25/2011 20:46
A0053899.exe Trojan.Gen.2 Quarantined File c:\System Volume Information\_restore{2318AAF4-1BB9-4282-AE7B-FB61233A462B}\RP177\ MKERSHAWLPT4 mkershaw Infected Quarantine Clean security risk Quarantine Manual scan The file was quarantined successfully. 9/25/2011 20:48
A0053941.exe Trojan.Gen.2 Quarantined File c:\System Volume Information\_restore{2318AAF4-1BB9-4282-AE7B-FB61233A462B}\RP177\ MKERSHAWLPT4 mkershaw Infected Quarantine Clean security risk Quarantine Manual scan The file was quarantined successfully. 9/25/2011 20:48
A0054204.exe Bloodhound.MalPE Quarantined Heuristics c:\System Volume Information\_restore{2318AAF4-1BB9-4282-AE7B-FB61233A462B}\RP183\ MKERSHAWLPT4 mkershaw Infected Quarantine Clean security risk Quarantine Manual scan The file was quarantined successfully. 9/25/2011 20:50

#9 rigacci

Posted 27 September 2011 - 07:08 AM

They look OK. The folder Qoobox is created by ComboFix and that is where it quarantines what it finds. When we remove CF, that will disappear.

The same with the System_Restore folder, which has contents that will go away as well.

I'll be right back with the next instructions.

Dave
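
The triage rule in the post above (detections under ComboFix's Qoobox quarantine folder or inside System Restore points are stored copies, anything else is still live on disk) can be applied mechanically to scanner findings. This is an added example, not part of the original thread or of any tool mentioned in it; the sample paths are constructed, and the idea that Qoobox mirrors the original path with ".vir" appended is an assumption inferred from the paths in the thread's logs.

```python
import re
from collections import defaultdict
from ntpath import normpath  # Windows path rules, usable on any OS

# Assumption (inferred from the thread's logs): ComboFix keeps quarantined
# files under <drive>:\Qoobox\Quarantine\<DRIVE>\<original path> + ".vir".
QOOBOX = re.compile(r"^[a-z]:\\qoobox\\quarantine\\([a-z])\\(.+)$", re.I)
# Windows XP System Restore copies live under _restore{GUID}\RPnnn\.
RESTORE = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{[0-9a-f-]{36}\}\\(rp\d+)\\",
    re.I,
)


def classify(path):
    """Return (bucket, detail) for one detection path.

    bucket is 'combofix_quarantine', 'system_restore' or 'live'.
    detail is the reconstructed original path, the restore point name,
    or the normalised path itself.
    """
    # Normalise first so "..\" tricks cannot make a live file look quarantined.
    p = normpath(path.strip().strip('"'))
    m = QOOBOX.match(p)
    if m:
        drive, rest = m.group(1).upper(), m.group(2)
        if rest.lower().endswith(".vir"):
            rest = rest[:-4]
        return "combofix_quarantine", drive + ":\\" + rest
    m = RESTORE.match(p)
    if m:
        return "system_restore", m.group(1).upper()
    return "live", p


def triage(findings):
    """Group (path, detection_name) pairs by bucket."""
    report = defaultdict(list)
    for path, detection in findings:
        bucket, detail = classify(path)
        report[bucket].append((detail, detection))
    return dict(report)


def restore_points(findings):
    """Restore points that hold flagged copies, in numeric order."""
    names = {
        detail
        for bucket, detail in (classify(p) for p, _ in findings)
        if bucket == "system_restore"
    }
    return sorted(names, key=lambda rp: int(rp[2:]))


# Constructed sample findings (not taken from a real scan).
SAMPLE = [
    (r"c:\Qoobox\Quarantine\C\Documents and Settings\alice\Application Data\Abcdef.exe.vir",
     "Bloodhound.MalPE"),
    (r"C:\System Volume Information\_restore{01234567-89AB-CDEF-0123-456789ABCDEF}\RP12\A0000123.exe",
     "Trojan.Gen.2"),
    (r"C:\System Volume Information\_restore{01234567-89AB-CDEF-0123-456789ABCDEF}\RP14\A0000456.exe",
     "Trojan.Gen"),
    (r"C:\Documents and Settings\alice\Application Data\Ghijkl.exe",
     "Trojan.Gen.2"),
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE).items():
        print(bucket)
        for detail, detection in items:
            print("   ", detection, "->", detail)
    print("restore points with flagged copies:", restore_points(SAMPLE))
```

Only the entries in the `live` bucket point at a file that can still be launched from its original location; the other two buckets disappear when ComboFix is uninstalled and the restore points are cleared.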

#10 rigacci

Posted 27 September 2011 - 11:05 AM

Things look pretty good but I would like you to run an On-Line Scanner.

You might want to also install a PDF reader and see if that crashes, like it did previously.
If installing Adobe Reader, watch that you UNCHECK the EXTRA Google Toolbar or McAfee Internet Scanner




Now I'd like you to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Thanks.

Dave

#11 Raker

Posted 28 September 2011 - 04:56 AM

I ran ESET online scanner as instructed and it found 23 items. Also when the system finished scanning it seemed to have changed the clock on the PC to 3 hours earlier. Strange. I tried to install Foxit Reader for a PDF reader and the installation never completed. It will read PDFs but it always says something like "there is no effective skin under the skin folder" when I open a PDF.


Anyway here is the ESET online scanner log file.



C:\Qoobox\Quarantine\C\Documents and Settings\mkershaw\Application Data\2.tmp.vir Win32/Dorkbot.B worm cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\mkershaw\Application Data\4.tmp.vir a variant of Win32/Injector.JLP trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\mkershaw\Application Data\5.tmp.vir a variant of Win32/Injector.JLP trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\mkershaw\Application Data\6.tmp.vir a variant of Win32/Injector.JLP trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\mkershaw\Application Data\8.tmp.vir Win32/Dorkbot.B worm cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\mkershaw\Application Data\A.tmp.vir a variant of Win32/Injector.JLP trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\mkershaw\Application Data\B.tmp.vir a variant of Win32/Injector.JLP trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\mkershaw\Application Data\C.tmp.vir Win32/Dorkbot.B worm cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\mkershaw\Application Data\_Zlgwgv_.exe.zip Win32/Dorkbot.B worm deleted - quarantined
C:\RECYCLER\S-1-5-21-1551510154-521342247-1539857752-9435\Dc18.exe a variant of Win32/SoftonicDownloader.A application cleaned by deleting - quarantined
C:\RECYCLER\S-1-5-21-1551510154-521342247-1539857752-9435\Dc25.exe a variant of Win32/SoftonicDownloader.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{2318AAF4-1BB9-4282-AE7B-FB61233A462B}\RP167\A0042436.lnk Win32/Dorkbot.D worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{2318AAF4-1BB9-4282-AE7B-FB61233A462B}\RP167\A0042438.exe a variant of Win32/Injector.JEH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{2318AAF4-1BB9-4282-AE7B-FB61233A462B}\RP172\A0045712.exe a variant of Win32/Injector.JEH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{2318AAF4-1BB9-4282-AE7B-FB61233A462B}\RP172\A0046714.exe a variant of Win32/Injector.JEH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{2318AAF4-1BB9-4282-AE7B-FB61233A462B}\RP172\A0047714.exe a variant of Win32/Injector.JEH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{2318AAF4-1BB9-4282-AE7B-FB61233A462B}\RP173\A0051778.exe a variant of Win32/InstallCore.C application cleaned by deleting - quarantined
C:\System Volume Information\_restore{2318AAF4-1BB9-4282-AE7B-FB61233A462B}\RP174\A0052786.exe a variant of Win32/Injector.JLP trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{2318AAF4-1BB9-4282-AE7B-FB61233A462B}\RP175\A0052879.exe Win32/Dorkbot.B worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{2318AAF4-1BB9-4282-AE7B-FB61233A462B}\RP175\snapshot\MFEX-1.DAT Win32/Dorkbot.B worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{2318AAF4-1BB9-4282-AE7B-FB61233A462B}\RP182\A0054001.exe a variant of Win32/Injector.JLP trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{2318AAF4-1BB9-4282-AE7B-FB61233A462B}\RP185\A0054489.exe a variant of Win32/SoftonicDownloader.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{2318AAF4-1BB9-4282-AE7B-FB61233A462B}\RP185\A0054490.exe a variant of Win32/SoftonicDownloader.A application cleaned by deleting - quarantined

#12 rigacci

Posted 28 September 2011 - 10:28 AM

I see that others have had that same problem with Foxit. Here is a link to a discussion of it and a fix:

http://forums.foxitsoftware.com/archive/index.php/t-31023.html


Now you can uninstall ComboFix.

Click Start>Run on the taskbar and then type Combofix /uninstall.
This should start ComboFix running and uninstall it.



Please read the following, in order to prevent reinfecting your PC:

1. Install and update the following programs regularly:
  • an outbound firewall
    A comprehensive tutorial and a list of possible firewalls can be found here.
  • an AntiVirus Software
    It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
  • an Anti-Spyware program
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Spyware Blaster
    A tutorial for Spywareblaster can be found here. The commercial version provides automatic updating.
  • MVPs hosts file
    A tutorial for MVPs hosts file can be found here. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file
2. Keep Windows (and your other Microsoft software) up to date!
This is EXTREMELY important. Holes are often found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
Therefore, please visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

3. Keep your other software up to date as well
Software does not need to be made by Microsoft to be insecure.

4. Stay up to date!
The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead.

Don't forget, if you feel obliged, to make a donation to this forum, in any amount. We are all volunteers here and depend on the kindness of others.

Safe surfing! :thumbup2:

DR

#13 Raker

Posted 29 September 2011 - 07:46 PM

Thanks for all your help, you have been a huge help!!! :thumbup2:

One thing I have a question on is the PC startup time is much, much longer than it used to be. Is this due to something messing with the registry or something else running on startup? There is nothing in the startup menu. Should I run Autoruns to check it out?

#14 rigacci

Posted 30 September 2011 - 07:05 AM

Check out this forum for suggestions on how to speed up your computer.

http://www.bleepingcomputer.com/forums/topic44690.html


Many programs will insert an autorun feature, to load them when you start up. Adobe, Quicktime, Quickbooks and your AV programs can all be culprits.

If I find out any further info I will post again here.

Take care!

DR

Edited by rigacci, 30 September 2011 - 02:29 PM.


#15 Elise

Posted 14 October 2011 - 07:32 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise

