
Yet another Win32 Zaccess.e infection removal request for HELP!


#1 paXnic

Posted 23 October 2011 - 09:16 PM

Thank you for this forum.
XP Home SP3 IE8
After noticing redirects to unheard-of search engines in IE8, I tried to run Malwarebytes; the program wouldn't update or run. The trojan also disabled MS Security Essentials. I ran TDSSKiller before I found this forum; it reported Win32 Zaccess.e, and same.g a second time. Each returned after a restart following "Cure". ESET online scanner then found 2 more variants of Win32's: PATCHED.HN and Sirefef.*
Hopefully my previous actions have not fouled an easy solution for my problems. I am requesting help as to my next move in fixing my family member's computer.
Thanks a bunch!

#2 Orange Blossom (Moderator, OBleepin Investigator)

Posted 24 October 2011 - 12:25 AM

Hello,

Please follow the instructions in This Guide, starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 paXnic (Topic Starter)

Posted 24 October 2011 - 05:47 PM

Thanks for this forum!
Redirects to phony search engines. TDSSKiller 'Cures' but trojans return after restart.

14:53:09.0984 2796 TDSS rootkit removing tool 2.6.12.0 Oct 21 2011 11:23:48
14:53:10.0109 2796 ============================================================
14:53:10.0109 2796 Current date / time: 2011/10/24 14:53:10.0109
14:53:10.0109 2796 SystemInfo:
14:53:10.0109 2796
14:53:10.0109 2796 OS Version: 5.1.2600 ServicePack: 3.0
14:53:10.0109 2796 Product type: Workstation
14:53:10.0109 2796 ComputerName: DDV1DS61
14:53:10.0109 2796 UserName: Derri
14:53:10.0109 2796 Windows directory: C:\WINDOWS
14:53:10.0109 2796 System windows directory: C:\WINDOWS
14:53:10.0109 2796 Processor architecture: Intel x86
14:53:10.0109 2796 Number of processors: 1
14:53:10.0109 2796 Page size: 0x1000
14:53:10.0109 2796 Boot type: Normal boot
14:53:10.0109 2796 ============================================================
14:53:15.0406 2796 Initialize success
14:53:35.0625 2856 ============================================================
14:53:35.0625 2856 Scan started
14:53:35.0625 2856 Mode: Manual; SigCheck; TDLFS;
14:53:35.0625 2856 ============================================================
14:53:38.0734 2856 Abiosdsk - ok
14:53:39.0203 2856 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
14:53:53.0828 2856 abp480n5 - ok
14:53:54.0375 2856 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
14:53:54.0968 2856 ACPI - ok
14:53:55.0437 2856 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
14:53:55.0765 2856 ACPIEC - ok
14:53:56.0390 2856 admjoy (a23675760dec131b9f799b6fb038a1f0) C:\WINDOWS\system32\DRIVERS\admjoy.sys
14:53:56.0609 2856 admjoy - ok
14:53:57.0265 2856 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
14:53:57.0453 2856 adpu160m - ok
14:53:58.0015 2856 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
14:53:58.0343 2856 aec - ok
14:53:59.0078 2856 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
14:53:59.0343 2856 AFD - ok
14:54:00.0046 2856 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
14:54:00.0296 2856 agp440 - ok
14:54:00.0921 2856 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
14:54:01.0250 2856 agpCPQ - ok
14:54:02.0000 2856 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
14:54:02.0250 2856 Aha154x - ok
14:54:03.0812 2856 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
14:54:04.0218 2856 aic78u2 - ok
14:54:05.0000 2856 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
14:54:05.0265 2856 aic78xx - ok
14:54:06.0187 2856 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
14:54:06.0421 2856 AliIde - ok
14:54:07.0203 2856 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
14:54:09.0312 2856 alim1541 - ok
14:54:10.0281 2856 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
14:54:10.0546 2856 amdagp - ok
14:54:11.0156 2856 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
14:54:11.0312 2856 amsint - ok
14:54:12.0062 2856 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
14:54:12.0250 2856 asc - ok
14:54:13.0015 2856 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
14:54:13.0140 2856 asc3350p - ok
14:54:13.0890 2856 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
14:54:14.0109 2856 asc3550 - ok
14:54:14.0828 2856 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
14:54:15.0453 2856 AsyncMac - ok
14:54:16.0312 2856 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
14:54:16.0484 2856 atapi - ok
14:54:17.0000 2856 Atdisk - ok
14:54:17.0890 2856 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
14:54:18.0140 2856 Atmarpc - ok
14:54:19.0000 2856 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
14:54:19.0281 2856 audstub - ok
14:54:20.0187 2856 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
14:54:20.0390 2856 Beep - ok
14:54:21.0031 2856 bvrp_pci - ok
14:54:21.0031 2856 catchme - ok
14:54:21.0890 2856 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
14:54:22.0437 2856 cbidf - ok
14:54:23.0531 2856 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
14:54:23.0781 2856 cbidf2k - ok
14:54:24.0343 2856 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
14:54:24.0468 2856 cd20xrnt - ok
14:54:25.0093 2856 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
14:54:25.0359 2856 Cdaudio - ok
14:54:25.0796 2856 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
14:54:25.0953 2856 Cdfs - ok
14:54:26.0453 2856 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
14:54:26.0625 2856 Cdrom - ok
14:54:26.0953 2856 Changer - ok
14:54:27.0406 2856 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
14:54:27.0671 2856 CmdIde - ok
14:54:28.0187 2856 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
14:54:28.0500 2856 Cpqarray - ok
14:54:28.0750 2856 d0d28917 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\394908368:791508712.exe
14:54:34.0546 2856 Suspicious file (Hidden): C:\WINDOWS\394908368:791508712.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
14:54:34.0546 2856 d0d28917 ( Rootkit.Win32.PMax.gen ) - infected
14:54:34.0546 2856 d0d28917 - detected Rootkit.Win32.PMax.gen (0)
14:54:35.0015 2856 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
14:54:35.0328 2856 dac2w2k - ok
14:54:35.0625 2856 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
14:54:35.0875 2856 dac960nt - ok
14:54:36.0281 2856 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
14:54:36.0484 2856 Disk - ok
14:54:37.0109 2856 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
14:54:38.0140 2856 dmboot - ok
14:54:38.0484 2856 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
14:54:38.0796 2856 dmio - ok
14:54:38.0968 2856 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
14:54:39.0156 2856 dmload - ok
14:54:39.0375 2856 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
14:54:39.0515 2856 DMusic - ok
14:54:39.0671 2856 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
14:54:39.0843 2856 dpti2o - ok
14:54:40.0093 2856 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
14:54:40.0375 2856 drmkaud - ok
14:54:40.0562 2856 E100B (7d91dc6342248369f94d6eba0cf42e99) C:\WINDOWS\system32\DRIVERS\e100b325.sys
14:54:40.0750 2856 E100B - ok
14:54:40.0984 2856 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
14:54:41.0234 2856 Fastfat - ok
14:54:41.0484 2856 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
14:54:41.0640 2856 Fdc - ok
14:54:41.0796 2856 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
14:54:42.0062 2856 Fips - ok
14:54:42.0250 2856 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
14:54:42.0437 2856 Flpydisk - ok
14:54:42.0734 2856 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
14:54:42.0968 2856 FltMgr - ok
14:54:43.0312 2856 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
14:54:43.0531 2856 Fs_Rec - ok
14:54:43.0843 2856 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
14:54:44.0125 2856 Ftdisk - ok
14:54:44.0453 2856 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
14:54:44.0640 2856 Gpc - ok
14:54:44.0937 2856 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
14:54:45.0078 2856 HidUsb - ok
14:54:45.0500 2856 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
14:54:45.0656 2856 hpn - ok
14:54:46.0109 2856 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
14:54:46.0187 2856 HSFHWBS2 - ok
14:54:46.0546 2856 HSF_DP (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
14:54:47.0109 2856 HSF_DP - ok
14:54:47.0562 2856 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
14:54:47.0843 2856 HTTP - ok
14:54:48.0234 2856 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
14:54:48.0375 2856 i2omgmt - ok
14:54:48.0546 2856 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
14:54:48.0734 2856 i2omp - ok
14:54:49.0031 2856 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
14:54:49.0171 2856 i8042prt - ok
14:54:49.0687 2856 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
14:54:50.0500 2856 ialm - ok
14:54:50.0875 2856 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
14:54:51.0031 2856 Imapi - ok
14:54:51.0468 2856 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
14:54:51.0656 2856 ini910u - ok
14:54:52.0062 2856 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
14:54:52.0234 2856 IntelIde - ok
14:54:52.0562 2856 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
14:54:52.0734 2856 intelppm - ok
14:54:53.0000 2856 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
14:54:53.0187 2856 Ip6Fw - ok
14:54:53.0625 2856 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
14:54:53.0828 2856 IpFilterDriver - ok
14:54:54.0140 2856 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
14:54:54.0312 2856 IpInIp - ok
14:54:54.0718 2856 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
14:54:54.0890 2856 IpNat - ok
14:54:55.0265 2856 IPSec (c3b55c9f04b8b9214b26659c56ec3e04) C:\WINDOWS\system32\DRIVERS\ipsec.sys
14:54:55.0265 2856 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: c3b55c9f04b8b9214b26659c56ec3e04, Fake md5: 23c74d75e36e7158768dd63d92789a91
14:54:55.0265 2856 IPSec ( Rootkit.Win32.ZAccess.e ) - infected
14:54:55.0265 2856 IPSec - detected Rootkit.Win32.ZAccess.e (0)
14:54:55.0687 2856 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
14:54:55.0890 2856 IRENUM - ok
14:54:56.0078 2856 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
14:54:56.0312 2856 isapnp - ok
14:54:56.0625 2856 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
14:54:56.0796 2856 Kbdclass - ok
14:54:57.0328 2856 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
14:54:57.0562 2856 kbdhid - ok
14:54:57.0859 2856 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
14:54:58.0046 2856 kmixer - ok
14:54:58.0234 2856 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
14:54:58.0546 2856 KSecDD - ok
14:54:58.0718 2856 lbrtfdc - ok
14:54:59.0015 2856 MBAMSwissArmy - ok
14:54:59.0296 2856 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
14:54:59.0328 2856 mdmxsdk - ok
14:54:59.0531 2856 mf (a7da20ab18a1bdae28b0f349e57da0d1) C:\WINDOWS\system32\DRIVERS\mf.sys
14:54:59.0687 2856 mf - ok
14:54:59.0937 2856 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
14:55:00.0125 2856 mnmdd - ok
14:55:00.0421 2856 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
14:55:00.0562 2856 Modem - ok
14:55:00.0890 2856 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
14:55:01.0078 2856 MODEMCSA - ok
14:55:01.0406 2856 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
14:55:01.0578 2856 Mouclass - ok
14:55:01.0843 2856 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
14:55:02.0062 2856 mouhid - ok
14:55:02.0453 2856 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
14:55:02.0656 2856 MountMgr - ok
14:55:02.0937 2856 MpKsl08968551 - ok
14:55:03.0000 2856 MpKsla9904af3 - ok
14:55:03.0015 2856 MpKslcff73d0e - ok
14:55:03.0234 2856 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
14:55:03.0390 2856 mraid35x - ok
14:55:03.0828 2856 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
14:55:04.0046 2856 MRxDAV - ok
14:55:04.0359 2856 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
14:55:04.0593 2856 MRxSmb - ok
14:55:04.0843 2856 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
14:55:05.0000 2856 Msfs - ok
14:55:05.0265 2856 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
14:55:05.0453 2856 MSKSSRV - ok
14:55:05.0625 2856 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
14:55:05.0812 2856 MSPCLOCK - ok
14:55:06.0062 2856 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
14:55:06.0234 2856 MSPQM - ok
14:55:06.0515 2856 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
14:55:06.0671 2856 mssmbios - ok
14:55:06.0968 2856 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
14:55:07.0093 2856 Mup - ok
14:55:07.0343 2856 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
14:55:07.0515 2856 NDIS - ok
14:55:07.0781 2856 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
14:55:07.0937 2856 NdisTapi - ok
14:55:08.0234 2856 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
14:55:08.0390 2856 Ndisuio - ok
14:55:08.0609 2856 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
14:55:08.0796 2856 NdisWan - ok
14:55:09.0062 2856 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
14:55:09.0250 2856 NDProxy - ok
14:55:09.0484 2856 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
14:55:09.0640 2856 NetBIOS - ok
14:55:09.0843 2856 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
14:55:10.0046 2856 NetBT - ok
14:55:10.0281 2856 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
14:55:10.0437 2856 Npfs - ok
14:55:10.0812 2856 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
14:55:11.0203 2856 Ntfs - ok
14:55:11.0421 2856 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
14:55:11.0640 2856 Null - ok
14:55:12.0343 2856 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
14:55:13.0562 2856 nv - ok
14:55:13.0843 2856 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
14:55:13.0984 2856 NwlnkFlt - ok
14:55:14.0234 2856 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
14:55:14.0437 2856 NwlnkFwd - ok
14:55:14.0640 2856 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
14:55:14.0890 2856 Parport - ok
14:55:15.0140 2856 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
14:55:15.0312 2856 PartMgr - ok
14:55:15.0609 2856 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
14:55:15.0796 2856 ParVdm - ok
14:55:16.0046 2856 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
14:55:16.0218 2856 PCI - ok
14:55:16.0484 2856 PCIDump - ok
14:55:16.0687 2856 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
14:55:16.0859 2856 PCIIde - ok
14:55:17.0156 2856 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
14:55:17.0328 2856 Pcmcia - ok
14:55:17.0531 2856 PDCOMP - ok
14:55:17.0718 2856 PDFRAME - ok
14:55:17.0953 2856 PDRELI - ok
14:55:18.0171 2856 PDRFRAME - ok
14:55:18.0453 2856 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
14:55:18.0625 2856 perc2 - ok
14:55:18.0828 2856 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
14:55:18.0984 2856 perc2hib - ok
14:55:19.0406 2856 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
14:55:19.0593 2856 PptpMiniport - ok
14:55:19.0875 2856 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
14:55:20.0046 2856 PSched - ok
14:55:20.0265 2856 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
14:55:20.0421 2856 Ptilink - ok
14:55:20.0640 2856 pxkbf (0c738845c7c12c45f05b127edff2cc87) C:\WINDOWS\system32\drivers\pxkbf.sys
14:55:20.0703 2856 pxkbf - ok
14:55:20.0984 2856 pxrts (04d1c97a0818f9378eeaa793a09f8202) C:\WINDOWS\system32\drivers\pxrts.sys
14:55:21.0000 2856 pxrts - ok
14:55:21.0328 2856 pxscan (e6e1f9f717feab3e16c3b160b17e6855) C:\WINDOWS\system32\drivers\pxscan.sys
14:55:21.0359 2856 pxscan - ok
14:55:21.0593 2856 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
14:55:21.0765 2856 ql1080 - ok
14:55:22.0109 2856 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
14:55:22.0281 2856 Ql10wnt - ok
14:55:22.0515 2856 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
14:55:22.0703 2856 ql12160 - ok
14:55:22.0953 2856 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
14:55:23.0125 2856 ql1240 - ok
14:55:23.0421 2856 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
14:55:23.0578 2856 ql1280 - ok
14:55:23.0875 2856 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
14:55:24.0046 2856 RasAcd - ok
14:55:24.0281 2856 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
14:55:24.0437 2856 Rasl2tp - ok
14:55:24.0828 2856 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
14:55:24.0968 2856 RasPppoe - ok
14:55:25.0187 2856 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
14:55:25.0328 2856 Raspti - ok
14:55:25.0546 2856 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
14:55:25.0718 2856 Rdbss - ok
14:55:26.0031 2856 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
14:55:26.0203 2856 RDPCDD - ok
14:55:26.0437 2856 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
14:55:26.0640 2856 rdpdr - ok
14:55:26.0921 2856 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
14:55:27.0062 2856 RDPWD - ok
14:55:27.0312 2856 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
14:55:27.0468 2856 redbook - ok
14:55:27.0593 2856 SASDIFSV - ok
14:55:27.0609 2856 SASKUTIL - ok
14:55:27.0906 2856 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
14:55:28.0062 2856 Secdrv - ok
14:55:28.0265 2856 senfilt - ok
14:55:28.0546 2856 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
14:55:28.0703 2856 serenum - ok
14:55:28.0906 2856 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
14:55:29.0062 2856 Serial - ok
14:55:29.0375 2856 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
14:55:29.0531 2856 Sfloppy - ok
14:55:29.0765 2856 Simbad - ok
14:55:30.0015 2856 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
14:55:30.0171 2856 sisagp - ok
14:55:30.0390 2856 smwdm - ok
14:55:30.0765 2856 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
14:55:30.0843 2856 Sparrow - ok
14:55:31.0140 2856 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
14:55:31.0312 2856 splitter - ok
14:55:31.0562 2856 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
14:55:31.0718 2856 sr - ok
14:55:32.0046 2856 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
14:55:32.0312 2856 Srv - ok
14:55:32.0625 2856 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
14:55:32.0781 2856 swenum - ok
14:55:33.0046 2856 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
14:55:33.0187 2856 swmidi - ok
14:55:33.0546 2856 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
14:55:33.0687 2856 symc810 - ok
14:55:34.0000 2856 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
14:55:34.0156 2856 symc8xx - ok
14:55:34.0390 2856 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
14:55:34.0562 2856 sym_hi - ok
14:55:34.0796 2856 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
14:55:34.0984 2856 sym_u3 - ok
14:55:35.0234 2856 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
14:55:35.0406 2856 sysaudio - ok
14:55:35.0671 2856 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
14:55:35.0953 2856 Tcpip - ok
14:55:36.0359 2856 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
14:55:36.0515 2856 TDPIPE - ok
14:55:36.0765 2856 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
14:55:36.0937 2856 TDTCP - ok
14:55:37.0156 2856 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
14:55:37.0421 2856 TermDD - ok
14:55:37.0593 2856 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
14:55:37.0921 2856 TosIde - ok
14:55:38.0062 2856 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
14:55:38.0265 2856 Udfs - ok
14:55:38.0453 2856 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
14:55:38.0546 2856 ultra - ok
14:55:38.0828 2856 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
14:55:39.0031 2856 Update - ok
14:55:39.0328 2856 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
14:55:39.0500 2856 usbccgp - ok
14:55:39.0781 2856 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
14:55:39.0937 2856 usbehci - ok
14:55:40.0218 2856 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
14:55:40.0375 2856 usbhub - ok
14:55:40.0703 2856 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
14:55:40.0890 2856 usbprint - ok
14:55:41.0156 2856 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
14:55:41.0312 2856 usbscan - ok
14:55:41.0562 2856 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:55:41.0718 2856 USBSTOR - ok
14:55:42.0093 2856 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
14:55:42.0250 2856 usbuhci - ok
14:55:42.0578 2856 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
14:55:42.0750 2856 VgaSave - ok
14:55:43.0078 2856 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
14:55:43.0234 2856 viaagp - ok
14:55:43.0562 2856 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
14:55:43.0718 2856 ViaIde - ok
14:55:44.0093 2856 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
14:55:44.0265 2856 VolSnap - ok
14:55:44.0437 2856 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
14:55:44.0578 2856 Wanarp - ok
14:55:44.0703 2856 wanatw - ok
14:55:44.0734 2856 WDICA - ok
14:55:44.0812 2856 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
14:55:44.0953 2856 wdmaud - ok
14:55:45.0093 2856 wdm_au8830 (e1f5873636eab1e45265c501477841d0) C:\WINDOWS\system32\drivers\adm8830.sys
14:55:45.0218 2856 wdm_au8830 - ok
14:55:45.0375 2856 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
14:55:45.0453 2856 winachsf - ok
14:55:45.0593 2856 MBR (0x1B8) (a03e065717cb65f3034ad33ad58b6bba) \Device\Harddisk0\DR0
14:55:45.0656 2856 \Device\Harddisk0\DR0 - ok
14:55:45.0671 2856 MBR (0x1B8) (ddae9d649db12f6aff24483f2c298989) \Device\Harddisk1\DR4
14:55:45.0765 2856 \Device\Harddisk1\DR4 - ok
14:55:45.0796 2856 Boot (0x1200) (e03ed426e7180ac3930c75c9b20bac71) \Device\Harddisk0\DR0\Partition0
14:55:45.0796 2856 \Device\Harddisk0\DR0\Partition0 - ok
14:55:45.0796 2856 Boot (0x1200) (09b01a8f8ee85341669aaeebaa6b2f34) \Device\Harddisk1\DR4\Partition0
14:55:45.0796 2856 \Device\Harddisk1\DR4\Partition0 - ok
14:55:45.0812 2856 ============================================================
14:55:45.0812 2856 Scan finished
14:55:45.0812 2856 ============================================================
14:55:45.0937 2848 Detected object count: 2
14:55:45.0937 2848 Actual detected object count: 2
14:59:25.0562 2848 d0d28917 ( Rootkit.Win32.PMax.gen ) - User select action: Quarantine
14:59:25.0750 2848 C:\WINDOWS\system32\DRIVERS\ipsec.sys - copied to quarantine
14:59:25.0750 2848 IPSec ( Rootkit.Win32.ZAccess.e ) - User select action: Quarantine
14:59:35.0531 2788 Deinitialize success



******

Thanks a million guys!

Edited by Orange Blossom, 25 October 2011 - 01:18 AM.
Merged topics. ~ OB
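Two lines in the TDSSKiller log above carry the whole story and are easy to lose among the hundreds of "- ok" entries: the `Suspicious file (Hidden)` line, whose path `C:\WINDOWS\394908368:791508712.exe` is not a file in a folder but an NTFS alternate data stream attached to a directory (the second colon gives it away; the DDS log in the next post shows the same stream running as a process), and the `Suspicious file (Forged)` line for `ipsec.sys`, where TDSSKiller obtained two different MD5s for the same driver, which means something between the reader and the disk is rewriting what the file appears to contain. The script below is an added example, not code from this thread or from Kaspersky: it pulls those detections out of TDSSKiller output, pairs each with the service name and verdict from the matching `- infected` line, and flags any path that names an alternate data stream. The sample lines are copied from the log above; the regular expressions are assumptions about TDSSKiller's line layout based only on this log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: lines copied from the TDSSKiller log in this thread (two detections plus
# one clean driver entry so the parser has benign lines to ignore). Assumption: the
# "<time> <pid> <text>" layout and the "Suspicious file (...)" wording are inferred from
# this log alone, not from any TDSSKiller documentation.
SAMPLE_LOG = r"""
14:54:28.0187 2856 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
14:54:28.0500 2856 Cpqarray - ok
14:54:28.0750 2856 d0d28917 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\394908368:791508712.exe
14:54:34.0546 2856 Suspicious file (Hidden): C:\WINDOWS\394908368:791508712.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
14:54:34.0546 2856 d0d28917 ( Rootkit.Win32.PMax.gen ) - infected
14:54:55.0265 2856 IPSec (c3b55c9f04b8b9214b26659c56ec3e04) C:\WINDOWS\system32\DRIVERS\ipsec.sys
14:54:55.0265 2856 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: c3b55c9f04b8b9214b26659c56ec3e04, Fake md5: 23c74d75e36e7158768dd63d92789a91
14:54:55.0265 2856 IPSec ( Rootkit.Win32.ZAccess.e ) - infected
"""

HEX32 = r"[0-9a-f]{32}"
# "<time> <pid> <service> (<md5>) <path>": the enumeration line that ties a service name to a file.
ENTRY_RE = re.compile(r"^\S+\s+\d+\s+(?P<svc>\S+)\s+\((?P<md5>%s)\)\s+(?P<path>.+)$" % HEX32)
# Two reads of the same file gave different hashes.
FORGED_RE = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>%s), Fake md5: (?P<fake>%s)" % (HEX32, HEX32))
# File is not visible through the normal directory listing.
HIDDEN_RE = re.compile(r"Suspicious file \(Hidden\): (?P<path>.+?)\. md5: (?P<md5>%s)" % HEX32)
# "<time> <pid> <service> ( <verdict> ) - infected"
INFECTED_RE = re.compile(r"^\S+\s+\d+\s+(?P<svc>\S+)\s+\(\s*(?P<verdict>\S+)\s*\)\s+-\s+infected$")


def ads_stream(path: str) -> Optional[Tuple[str, str]]:
    """Return (host_object, stream_name) if `path` names an NTFS alternate data stream.

    The only legitimate colon in a Windows path is the one after the drive letter;
    any further colon separates the host file/directory from a stream name.
    """
    drive, body = (path[:2], path[2:]) if re.match(r"^[A-Za-z]:", path) else ("", path)
    if ":" not in body:
        return None
    host, stream = body.split(":", 1)
    return drive + host, stream


@dataclass
class Finding:
    service: str
    verdict: str                      # detection name, e.g. Rootkit.Win32.ZAccess.e
    path: str                         # file the service points at ('' if no enumeration line seen)
    reason: str                       # 'forged', 'hidden', or plain 'infected'
    md5_real: Optional[str] = None    # for 'forged': hash of one read; for 'hidden': the file's hash
    md5_fake: Optional[str] = None    # for 'forged': hash of the other read
    stream: Optional[Tuple[str, str]] = None  # (host, stream) when the path is an ADS


def parse_tdsskiller(text: str) -> List[Finding]:
    """Collect every '- infected' verdict and attach the file, hashes and ADS information to it."""
    svc_path = {}      # service name -> path, from the enumeration lines
    suspicious = {}    # path -> (reason, md5_a, md5_b), from the 'Suspicious file' lines
    findings: List[Finding] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            svc_path[m["svc"]] = m["path"]
            continue
        m = FORGED_RE.search(line)
        if m:
            suspicious[m["path"]] = ("forged", m["real"], m["fake"])
            continue
        m = HIDDEN_RE.search(line)
        if m:
            suspicious[m["path"]] = ("hidden", m["md5"], None)
            continue
        m = INFECTED_RE.match(line)
        if m:
            path = svc_path.get(m["svc"], "")
            reason, a, b = suspicious.get(path, ("infected", None, None))
            findings.append(Finding(m["svc"], m["verdict"], path, reason, a, b, ads_stream(path)))
    return findings


if __name__ == "__main__":
    for f in parse_tdsskiller(SAMPLE_LOG):
        print("%-10s %-26s %-8s %s" % (f.service, f.verdict, f.reason, f.path))
        if f.reason == "forged":
            print("    real md5 %s != fake md5 %s" % (f.md5_real, f.md5_fake))
        if f.stream:
            print("    alternate data stream %r on %r" % (f.stream[1], f.stream[0]))
```

Run against the excerpt, the report lists two findings: the randomly named service `d0d28917` whose image is the stream `791508712.exe` on the directory object `C:\WINDOWS\394908368`, and `IPSec` with the two disagreeing hashes. A stream on a directory never shows up in Explorer or a plain `dir`; on a machine of this era, Sysinternals `streams.exe` pointed at the host path is the quickest way to confirm it is there after a "Cure".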


#4 paXnic (Topic Starter)

Posted 25 October 2011 - 12:07 AM

Your instructions were very easy to understand and follow. Thanks

I ran GMER and it quit before allowing me to save a log, but I was able to copy the results up until termination and pasted what was captured. I had to install GMER again because of a "Windows cannot access the specified device path or file" error message when the scan quit the first time.
Below are DDS and GMER logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Derri at 20:23:10 on 2011-10-24
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.898 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\394908368:791508712.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\msfeedssync.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://msn.com/
mWinlogon: Userinit=userinit.exe,
BHO: SafeOnline BHO: {69d72956-317c-44bd-b369-8e44d4ef9801} - c:\windows\system32\PxSecure.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [{D3BDF885-1079-EC06-70A1-89BFCC826530}] "c:\documents and settings\derri\application data\buik\zoze.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Raagtx] c:\program files\webex\webex\319\raagtx.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [OPSE reminder] "c:\program files\scansoft\omnipagese2.0\eregeng\ereg.exe" -r "c:\program files\scansoft\omnipagese2.0\eregeng\ereg.ini"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RunNarrator] Narrator.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://dsgsupport.webex.com/client/T27LB/smt/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2011-10-20 32008]
R1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2011-10-20 76696]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2011-10-20 26096]
R3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);c:\windows\system32\drivers\adm8830.sys [2011-1-12 702080]
S1 MpKsl08968551;MpKsl08968551;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ac596129-28f6-4275-af33-0161f0a6426a}\mpksl08968551.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ac596129-28f6-4275-af33-0161f0a6426a}\MpKsl08968551.sys [?]
S1 MpKsla9904af3;MpKsla9904af3;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{099bc1f2-434f-4018-a79a-9ce373907fe6}\mpksla9904af3.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{099bc1f2-434f-4018-a79a-9ce373907fe6}\MpKsla9904af3.sys [?]
S1 MpKslcff73d0e;MpKslcff73d0e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ac596129-28f6-4275-af33-0161f0a6426a}\mpkslcff73d0e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ac596129-28f6-4275-af33-0161f0a6426a}\MpKslcff73d0e.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.SYS [?]
S2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2011-10-20 6416120]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-3-15 183560]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
=============== Created Last 30 ================
.
2011-10-20 17:08:09 76696 ----a-w- c:\windows\system32\drivers\pxrts.sys
2011-10-20 17:08:09 71880 ----a-w- c:\windows\system32\PxSecure.dll
2011-10-20 17:08:09 32008 ----a-w- c:\windows\system32\drivers\pxscan.sys
2011-10-20 17:08:08 26096 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2011-10-20 17:08:08 -------- d-----w- c:\program files\Prevx
2011-10-20 17:07:45 -------- d-----w- c:\documents and settings\all users\application data\PrevxCSI
2011-10-19 19:25:19 -------- d-----w- c:\program files\Microsoft Security Client
2011-10-19 17:00:13 48016 --sha-w- c:\windows\system32\c_84602.nl_
2011-10-19 16:57:55 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-19 00:46:47 -------- d-----w- c:\documents and settings\derri\local settings\application data\PCHealth
2011-10-19 00:43:00 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-10-19 00:43:00 -------- d-----w- c:\windows\system32\wbem\Repository
2011-10-16 00:02:31 -------- d-sh--w- c:\documents and settings\derri\local settings\application data\d0d28917
.
==================== Find3M ====================
.
2011-10-20 16:36:29 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-10-19 22:20:37 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-10-19 18:21:03 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-10-15 14:36:35 215864 ----a-w- c:\windows\system32\ataskernel.exe
2011-09-26 18:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ------w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ------w- c:\windows\system32\html.iec
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2008-04-14 11:42:38 14336 --sha-r- c:\windows\system32\svchost.exe
.
============= FINISH: 20:24:48.37 ===============


And here is what I could capture from the GMER scan before it shut down...

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-24 21:47:11
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Derri\LOCALS~1\Temp\pwloapog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwAllocateVirtualMemory [0xB0DE6F60]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwAssignProcessToJobObject [0xB0DE6AF0]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwCreateThread [0xB0DE6B40]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDebugActiveProcess [0xB0DE6F10]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDeleteKey [0xB0DE6810]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDeleteValueKey [0xB0DE68D0]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDuplicateObject [0xB0DE7180]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenProcess [0xB0DE7490]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenSection [0xB0DE6CD0]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenThread [0xB0DE7320]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwProtectVirtualMemory [0xB0DE6BE0]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetContextThread [0xB0DE6AA0]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetValueKey [0xB0DE69B0]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSystemDebugControl [0xB0DE6E80]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateProcess [0xB0DE7630]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateThread [0xB0DE6C80]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwWriteVirtualMemory [0xB0DE7000]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IoFreeIrp + 1CB 804E8765 7 Bytes CALL 8922AE85
.text atapi.sys F74AE84D 7 Bytes CALL 89227980
.text ipsec.sys!DdYzechRkpbxCvmzio B0D63000 17 Bytes [B0, FF, B5, 04, FF, FF, FF, ...]
.text ipsec.sys!RjgdXljfWoxymb + E B0D63012 87 Bytes [10, 00, 00, 57, 1B, DB, 81, ...]
.text ipsec.sys!TmNbpnm + 50 B0D6306A 129 Bytes [6A, 07, 56, 68, 30, 1F, D7, ...]
.text ipsec.sys!TmNbpnm + D2 B0D630EC 51 Bytes [5C, 00, 4D, 00, 61, 00, 63, ...]
.text ipsec.sys!TmNbpnm + 106 B0D63120 8 Bytes [74, 00, 72, 00, 6F, 00, 6C, ...]
.text ipsec.sys!TmNbpnm + 10F B0D63129 32 Bytes [00, 65, 00, 74, 00, 5C, 00, ...]
.text ipsec.sys!TmNbpnm + 130 B0D6314A 30 Bytes [43, 00, 00, 00, 45, 00, 6E, ...]
.text ...
.text ipsec.sys!DdYzechRkpbxCvmzio + CF B0D63296 1 Byte [73]
.text ipsec.sys!DdYzechRkpbxCvmzio + CF B0D63296 17 Bytes [73, 00, 75, 00, 6D, 00, 65, ...] {JAE 0x2; JNZ 0x4; INSD ; ADD [EBP+0x0], AH; PUSH EBP; ADD [EAX+EAX+0x50], AL; ADD [EBP+0x0], AL; OUTSB }
.text ipsec.sys!DdYzechRkpbxCvmzio + E1 B0D632A8 11 Bytes [63, 00, 61, 00, 70, 00, 73, ...] {ARPL [EAX], AX; POPA ; ADD [EAX+0x0], DH; JAE 0x8; JNZ 0xa; INSB }
.text ipsec.sys!DdYzechRkpbxCvmzio + ED B0D632B4 25 Bytes [61, 00, 74, 00, 69, 00, 6F, ...]
.text ipsec.sys!DdYzechRkpbxCvmzio + 107 B0D632CE 123 Bytes [6E, 00, 53, 00, 65, 00, 6E, ...]
.text ...
? C:\WINDOWS\system32\DRIVERS\ipsec.sys suspicious PE modification
? C:\DOCUME~1\Derri\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[780] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 02543FA7
.text C:\WINDOWS\Explorer.EXE[780] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0254418D
.text C:\WINDOWS\Explorer.EXE[780] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 0254422F
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 025449E1
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!GetDC 7E4186C7 5 Bytes JMP 02544963
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0253995B
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!GetWindowDC 7E419021 5 Bytes JMP 025449A2
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!GetMessageW 7E4191C6 5 Bytes JMP 02543F01
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!PeekMessageW 7E41929B 5 Bytes JMP 02543F51
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!GetCapture 7E4194DA 5 Bytes JMP 02543E62
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!RegisterClassW 7E41A39A 5 Bytes JMP 02545B4F
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!RegisterClassExW 7E41AF7F 5 Bytes JMP 02545BE9
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!OpenInputDesktop 7E41ECA3 5 Bytes JMP 025457DD
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!SwitchDesktop 7E41FE6E 5 Bytes JMP 0254582D
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!DefDlgProcW 7E423D3A 5 Bytes JMP 025458D7
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!GetMessageA 7E42772B 5 Bytes JMP 02543F29
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!RegisterClassExA 7E427C39 5 Bytes JMP 02545C3B
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!DefWindowProcW 7E428D20 5 Bytes JMP 0254584B
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!BeginPaint 7E428FE9 5 Bytes JMP 0254485A
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!EndPaint 7E428FFD 5 Bytes JMP 025448C8
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 02543D34
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!GetMessagePos 7E42996C 5 Bytes JMP 02543D02
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 02545A81
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!PeekMessageA 7E42A340 5 Bytes JMP 02543F7C
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!GetUpdateRect 7E42A8C9 5 Bytes JMP 02544A21
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 02545ACA
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!DefWindowProcA 7E42C17E 5 Bytes JMP 02545891
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!SetCapture 7E42C35E 5 Bytes JMP 02543DB8
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!ReleaseCapture 7E42C37A 5 Bytes JMP 02543E12
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!GetDCEx 7E42C595 5 Bytes JMP 02544908
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!RegisterClassA 7E42EA5E 5 Bytes JMP 02545B9C
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!GetUpdateRgn 7E42F5EC 5 Bytes JMP 02544AB4
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!DefFrameProcW 7E430833 5 Bytes JMP 02545963
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!DefMDIChildProcW 7E430A47 5 Bytes JMP 025459F5
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 02539AC8
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!DefDlgProcA 7E43E577 5 Bytes JMP 0254591D
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!DefFrameProcA 7E44F965 5 Bytes JMP 025459AC
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!DefMDIChildProcA 7E44F9B4 5 Bytes JMP 02545A3B
.text C:\WINDOWS\Explorer.EXE[780] USER32.dll!SetCursorPos 7E4561B3 5 Bytes JMP 02543D7B
.text C:\WINDOWS\Explorer.EXE[780] CRYPT32.dll!PFXImportCertStore 77AEFF87 5 Bytes JMP 02549A66
.text C:\WINDOWS\Explorer.EXE[780] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 02548AA0
.text C:\WINDOWS\Explorer.EXE[780] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 02548B55
.text C:\WINDOWS\Explorer.EXE[780] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 02548A5D
.text C:\WINDOWS\Explorer.EXE[780] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 02548B29
.text C:\WINDOWS\Explorer.EXE[780] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 0254887D
.text C:\WINDOWS\Explorer.EXE[780] WININET.dll!HttpSendRequestA 3D95EE91 5 Bytes JMP 025488D1
.text C:\WINDOWS\Explorer.EXE[780] WININET.dll!InternetReadFileExA 3D963261 5 Bytes JMP 02548ADF
.text C:\WINDOWS\Explorer.EXE[780] WININET.dll!HttpSendRequestExA 3D9BA65A 5 Bytes JMP 025489C1
.text C:\WINDOWS\Explorer.EXE[780] WININET.dll!HttpSendRequestExW 3D9BA6B3 5 Bytes JMP 02548925
.text C:\WINDOWS\Explorer.EXE[780] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0254979E
.text C:\WINDOWS\Explorer.EXE[780] WS2_32.dll!send 71AB4C27 5 Bytes JMP 025497D6
.text C:\WINDOWS\Explorer.EXE[780] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 025497F7
.text C:\WINDOWS\system32\wscntfy.exe[1028] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00AF3FA7
.text C:\WINDOWS\system32\wscntfy.exe[1028] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00AF418D
.text C:\WINDOWS\system32\wscntfy.exe[1028] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 00AF422F
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 00AF49E1
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!GetDC 7E4186C7 5 Bytes JMP 00AF4963
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 00AE995B
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!GetWindowDC 7E419021 5 Bytes JMP 00AF49A2
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!GetMessageW 7E4191C6 5 Bytes JMP 00AF3F01
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!PeekMessageW 7E41929B 5 Bytes JMP 00AF3F51
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!GetCapture 7E4194DA 5 Bytes JMP 00AF3E62
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!RegisterClassW 7E41A39A 5 Bytes JMP 00AF5B4F
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!RegisterClassExW 7E41AF7F 5 Bytes JMP 00AF5BE9
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!OpenInputDesktop 7E41ECA3 5 Bytes JMP 00AF57DD
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!SwitchDesktop 7E41FE6E 5 Bytes JMP 00AF582D
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!DefDlgProcW 7E423D3A 5 Bytes JMP 00AF58D7
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!GetMessageA 7E42772B 5 Bytes JMP 00AF3F29
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!RegisterClassExA 7E427C39 5 Bytes JMP 00AF5C3B
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!DefWindowProcW 7E428D20 5 Bytes JMP 00AF584B
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!BeginPaint 7E428FE9 5 Bytes JMP 00AF485A
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!EndPaint 7E428FFD 5 Bytes JMP 00AF48C8
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00AF3D34
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!GetMessagePos 7E42996C 5 Bytes JMP 00AF3D02
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00AF5A81
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!PeekMessageA 7E42A340 5 Bytes JMP 00AF3F7C
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!GetUpdateRect 7E42A8C9 5 Bytes JMP 00AF4A21
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 00AF5ACA
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!DefWindowProcA 7E42C17E 5 Bytes JMP 00AF5891
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!SetCapture 7E42C35E 5 Bytes JMP 00AF3DB8
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!ReleaseCapture 7E42C37A 5 Bytes JMP 00AF3E12
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!GetDCEx 7E42C595 5 Bytes JMP 00AF4908
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!RegisterClassA 7E42EA5E 5 Bytes JMP 00AF5B9C
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!GetUpdateRgn 7E42F5EC 5 Bytes JMP 00AF4AB4
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!DefFrameProcW 7E430833 5 Bytes JMP 00AF5963
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!DefMDIChildProcW 7E430A47 5 Bytes JMP 00AF59F5
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 00AE9AC8
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!DefDlgProcA 7E43E577 5 Bytes JMP 00AF591D
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!DefFrameProcA 7E44F965 5 Bytes JMP 00AF59AC
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!DefMDIChildProcA 7E44F9B4 5 Bytes JMP 00AF5A3B
.text C:\WINDOWS\system32\wscntfy.exe[1028] USER32.dll!SetCursorPos 7E4561B3 5 Bytes JMP 00AF3D7B
.text C:\WINDOWS\system32\wscntfy.exe[1028] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00AF979E
.text C:\WINDOWS\system32\wscntfy.exe[1028] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00AF97D6
.text C:\WINDOWS\system32\wscntfy.exe[1028] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00AF97F7
.text C:\WINDOWS\system32\wscntfy.exe[1028] CRYPT32.dll!PFXImportCertStore 77AEFF87 5 Bytes JMP 00AF9A66
.text C:\WINDOWS\system32\wscntfy.exe[1028] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00AF8AA0
.text C:\WINDOWS\system32\wscntfy.exe[1028] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 00AF8B55
.text C:\WINDOWS\system32\wscntfy.exe[1028] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00AF8A5D
.text C:\WINDOWS\system32\wscntfy.exe[1028] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 00AF8B29
.text C:\WINDOWS\system32\wscntfy.exe[1028] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00AF887D
.text C:\WINDOWS\system32\wscntfy.exe[1028] WININET.dll!HttpSendRequestA 3D95EE91 5 Bytes JMP 00AF88D1
.text C:\WINDOWS\system32\wscntfy.exe[1028] WININET.dll!InternetReadFileExA 3D963261 5 Bytes JMP 00AF8ADF
.text C:\WINDOWS\system32\wscntfy.exe[1028] WININET.dll!HttpSendRequestExA 3D9BA65A 5 Bytes JMP 00AF89C1
.text C:\WINDOWS\system32\wscntfy.exe[1028] WININET.dll!HttpSendRequestExW 3D9BA6B3 5 Bytes JMP 00AF8925
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00D23FA7
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00D2418D
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 00D2422F
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 00D249E1
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!GetDC 7E4186C7 5 Bytes JMP 00D24963
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 00D1995B
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!GetWindowDC 7E419021 5 Bytes JMP 00D249A2
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!GetMessageW 7E4191C6 5 Bytes JMP 00D23F01
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!PeekMessageW 7E41929B 5 Bytes JMP 00D23F51
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!GetCapture 7E4194DA 5 Bytes JMP 00D23E62
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!RegisterClassW 7E41A39A 5 Bytes JMP 00D25B4F
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!RegisterClassExW 7E41AF7F 5 Bytes JMP 00D25BE9
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!OpenInputDesktop 7E41ECA3 5 Bytes JMP 00D257DD
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!SwitchDesktop 7E41FE6E 5 Bytes JMP 00D2582D
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!DefDlgProcW 7E423D3A 5 Bytes JMP 00D258D7
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!GetMessageA 7E42772B 5 Bytes JMP 00D23F29
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!RegisterClassExA 7E427C39 5 Bytes JMP 00D25C3B
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!DefWindowProcW 7E428D20 5 Bytes JMP 00D2584B
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!BeginPaint 7E428FE9 5 Bytes JMP 00D2485A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!EndPaint 7E428FFD 5 Bytes JMP 00D248C8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00D23D34
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!GetMessagePos 7E42996C 5 Bytes JMP 00D23D02
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00D25A81
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!PeekMessageA 7E42A340 5 Bytes JMP 00D23F7C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!GetUpdateRect 7E42A8C9 5 Bytes JMP 00D24A21
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 00D25ACA
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!DefWindowProcA 7E42C17E 5 Bytes JMP 00D25891
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!SetCapture 7E42C35E 5 Bytes JMP 00D23DB8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!ReleaseCapture 7E42C37A 5 Bytes JMP 00D23E12
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!GetDCEx 7E42C595 5 Bytes JMP 00D24908
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!RegisterClassA 7E42EA5E 5 Bytes JMP 00D25B9C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!GetUpdateRgn 7E42F5EC 5 Bytes JMP 00D24AB4
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!DefFrameProcW 7E430833 5 Bytes JMP 00D25963
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!DefMDIChildProcW 7E430A47 5 Bytes JMP 00D259F5
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 00D19AC8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!DefDlgProcA 7E43E577 5 Bytes JMP 00D2591D
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!DefFrameProcA 7E44F965 5 Bytes JMP 00D259AC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!DefMDIChildProcA 7E44F9B4 5 Bytes JMP 00D25A3B
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] USER32.dll!SetCursorPos 7E4561B3 5 Bytes JMP 00D23D7B
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00D28AA0
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 00D28B55
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00D28A5D
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 00D28B29
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00D2887D
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] WININET.dll!HttpSendRequestA 3D95EE91 5 Bytes JMP 00D288D1
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] WININET.dll!InternetReadFileExA 3D963261 5 Bytes JMP 00D28ADF
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] WININET.dll!HttpSendRequestExA 3D9BA65A 5 Bytes JMP 00D289C1
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] WININET.dll!HttpSendRequestExW 3D9BA6B3 5 Bytes JMP 00D28925
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D2979E
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D297D6
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D297F7
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2072] CRYPT32.dll!PFXImportCertStore 77AEFF87 5 Bytes JMP 00D29A66
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 010A3FA7
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 010A418D
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 010A422F
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 010A49E1
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] USER32.dll!GetDC 7E4186C7 5 Bytes JMP 010A4963
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0109995B
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] USER32.dll!GetWindowDC 7E419021 5 Bytes JMP 010A49A2
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] USER32.dll!GetMessageW 7E4191C6 5 Bytes JMP 010A3F01
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] USER32.dll!PeekMessageW 7E41929B 5 Bytes JMP 010A3F51
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] USER32.dll!GetCapture 7E4194DA 5 Bytes JMP 010A3E62
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] USER32.dll!RegisterClassW 7E41A39A 5 Bytes JMP 010A5B4F
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] USER32.dll!RegisterClassExW 7E41AF7F 5 Bytes JMP 010A5BE9
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] USER32.dll!OpenInputDesktop 7E41ECA3 5 Bytes JMP 010A57DD
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] USER32.dll!SwitchDesktop 7E41FE6E 5 Bytes JMP 010A582D
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] USER32.dll!DefDlgProcW 7E423D3A 5 Bytes JMP 010A58D7
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] USER32.dll!GetMessageA 7E42772B 5 Bytes JMP 010A3F29
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] USER32.dll!RegisterClassExA 7E427C39 5 Bytes JMP 010A5C3B
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] USER32.dll!DefWindowProcW 7E428D20 5 Bytes JMP 010A584B
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] USER32.dll!BeginPaint 7E428FE9 5 Bytes JMP 010A485A
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] USER32.dll!EndPaint 7E428FFD 5 Bytes JMP 010A48C8
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 010A3D34
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] USER32.dll!GetMessagePos 7E42996C 5 Bytes JMP 010A3D02
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 010A5A81
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] USER32.dll!PeekMessageA 7E42A340 5 Bytes JMP 010A3F7C
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] USER32.dll!GetUpdateRect 7E42A8C9 5 Bytes JMP 010A4A21
.text C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe[2088] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 010A5ACA

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp pxrts.sys (Prevx Realtime Security/Prevx)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\00001320 \GLOBAL??\ACPI#PNP0303#2&da1a3ff&0 89225140

and that is the end of my captured text.

(Note: an attempt to install Prevx AV last week failed. Only mentioned because I see it right above.)

Thanks

Edited by Orange Blossom, 25 October 2011 - 01:19 AM.
Merged topics. ~ OB
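An added triage helper, not part of paXnic's post and not GMER's own code: it parses the user-mode inline-hook records from a GMER log like the one above (the `.text <image>[pid] module!function address N Bytes JMP target` lines) and summarizes, per process, which modules are hooked and where the detours land. The sample input is a handful of lines copied from the log in this thread plus one non-hook line to show that everything else is skipped. The "low target" count is a heuristic: on 32-bit Windows the default EXE image base is 0x00400000, so a detour target below it is usually heap or VirtualAlloc'd memory rather than a loaded module. The summary says nothing about who installed the hooks; on this machine a security product such as Prevx is as plausible as malware, and the script is only meant to make the log easier to read.

```python
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Matches GMER's user-mode inline-hook lines, e.g.
# ".text C:\...\gmer.exe[2916] WS2_32.dll!send 71AB4C27 5 Bytes JMP 001497D6"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]{8})\s*$"
)

DEFAULT_EXE_BASE = 0x00400000   # default image base of a 32-bit Windows EXE (heuristic threshold)
ALLOC_GRANULARITY = 0x10000     # 64 KiB, the VirtualAlloc granularity used to bucket targets

# Constructed sample: lines copied from the GMER log in this thread, plus a
# device line that the parser must ignore.
SAMPLE_LOG = r"""
.text C:\Documents and Settings\Derri\Desktop\gmer\1\gmer.exe[2916] USER32.dll!SetCursorPos 7E4561B3 5 Bytes JMP 00143D7B
.text C:\Documents and Settings\Derri\Desktop\gmer\1\gmer.exe[2916] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0014979E
.text C:\Documents and Settings\Derri\Desktop\gmer\1\gmer.exe[2916] WS2_32.dll!send 71AB4C27 5 Bytes JMP 001497D6
.text C:\Documents and Settings\Derri\Desktop\gmer\1\gmer.exe[2916] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 001497F7
.text C:\Documents and Settings\Derri\Desktop\gmer\1\gmer.exe[2916] CRYPT32.dll!PFXImportCertStore 77AEFF87 5 Bytes JMP 00149A66
.text C:\Documents and Settings\Derri\Desktop\gmer\1\gmer.exe[2916] WININET.dll!HttpSendRequestA 3D95EE91 5 Bytes JMP 001488D1
.text C:\Documents and Settings\Derri\Desktop\gmer\1\gmer.exe[2916] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00148AA0

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp pxrts.sys (Prevx Realtime Security/Prevx)
"""


@dataclass(frozen=True)
class Hook:
    image: str
    pid: int
    module: str
    func: str
    addr: int
    size: int
    kind: str
    target: int

    @property
    def target_region(self) -> int:
        """64 KiB bucket the detour lands in; hooks from one agent usually share a bucket."""
        return self.target & ~(ALLOC_GRANULARITY - 1)


def parse_hooks(text: str) -> list[Hook]:
    """Extract inline-hook records; device, SSDT and blank lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hooks.append(Hook(
            image=m["image"], pid=int(m["pid"]), module=m["module"].lower(),
            func=m["func"], addr=int(m["addr"], 16), size=int(m["size"]),
            kind=m["kind"], target=int(m["target"], 16),
        ))
    return hooks


def summarize(hooks: list[Hook]) -> dict[int, dict]:
    """Per-process view: hooked modules/functions, detour buckets, and the low-target heuristic."""
    by_pid: dict[int, list[Hook]] = defaultdict(list)
    for h in hooks:
        by_pid[h.pid].append(h)
    report = {}
    for pid, hs in by_pid.items():
        regions = Counter(h.target_region for h in hs)
        report[pid] = {
            "image": hs[0].image,
            "hooks": len(hs),
            "modules": sorted({h.module for h in hs}),
            "functions": sorted(f"{h.module}!{h.func}" for h in hs),
            "target_regions": {hex(r): n for r, n in sorted(regions.items())},
            "low_targets": sum(1 for h in hs if h.target < DEFAULT_EXE_BASE),
            "single_target_region": len(regions) == 1,
        }
    return report


if __name__ == "__main__":
    for pid, info in summarize(parse_hooks(SAMPLE_LOG)).items():
        print(pid, info)
```

Run it on a full GMER log (`python gmer_hooks.py < gmer.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and you get one entry per hooked process; a process whose network, HTTP and certificate-store APIs all detour into the same 64 KiB bucket, as in the sample, is worth a closer look, but the bucket owner (a loaded module or allocated memory) still has to be established from a memory dump or from the product inventory.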


#5 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Location:USA

Posted 27 October 2011 - 09:50 PM

paXnic,

The information provided shows characteristics of the ZeroAccess Rootkit.

First, let's take care of this file:
C:\WINDOWS\394908368:791508712.exe


It throws a wrench in the works, and programs will not run successfully...

Please download DummyCreator.zip

Unzip the folder:
•Right-click and select: Extract all…
•Follow the prompts to extract

Open the new folder that appears on the Desktop:
•Double-click DummyCreator/DummyMaker to run the tool.

•Now, copy/paste the following into the blank area:

C:\WINDOWS\394908368

•Press the Create button

•Save the content of the Result.txt to your Desktop, and post it in your reply.

Next, restart the computer!




Now, please download aswMBR

Save it to the Desktop.

Double-click aswMBR.exe to start the tool.
Click Scan

Upon completion of the scan, click ‘Save log’ and save it to the Desktop.

Note - Do NOT attempt to fix anything!!

Please post the aswMBR log in your reply.



Also, you will notice that another file is created on the Desktop.
It is named MBR.dat.

Keep the file on the Desktop, and do not remove it.

This is important, just in case we need to access the MBR information!!


However, do submit MBR.dat for analysis to VirusTotal:

Use the 'Browse' button to navigate to the location of the file.
Click on the file, then, click the 'Open' button.
The file is now displayed in the Submit Box.

Scroll down and click 'Send File', and wait for the results
If you get a message saying: 'File has already been analyzed', click 'Reanalyze file now'
Once scanned, please provide the link to the results page in your reply.


Please do not run any malware removal programs while we are in the process of making malware repairs. Doing so may just make matters worse, and that, you do not want!

Thanks!

Old duck...
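The path Aaflac names, C:\WINDOWS\394908368:791508712.exe, has a second colon after the drive letter. On NTFS that syntax denotes an alternate data stream (ADS) named 791508712.exe attached to the object C:\WINDOWS\394908368, which is why Explorer and a plain `dir` listing do not show it. The following is an added example, written for this edit; it is neither DummyCreator's code nor anything Aaflac posted. It splits such a path into host object and stream name (treating the drive-letter colon correctly, which is the easy mistake to make) and, on Windows Vista or later, enumerates the named streams of a host object with the FindFirstStreamW API. Windows XP, the system in this thread, does not have that API; there Sysinternals streams.exe does the same job. The paths used in the test are taken from this thread or constructed.

```python
import sys
from typing import NamedTuple


class NtfsPath(NamedTuple):
    host: str    # the file or directory that carries the stream
    stream: str  # stream name; "" means the ordinary, unnamed data stream


def _strip_type(stream: str) -> str:
    """Drop the trailing ':$DATA' that the Win32 stream APIs append to stream names."""
    suffix = ":$DATA"
    return stream[:-len(suffix)] if stream.upper().endswith(suffix) else stream


def split_stream(path: str) -> NtfsPath:
    """Separate host object from stream name in 'C:\\dir\\obj:stream[:$DATA]'.

    The colon after the drive letter is not a stream separator, so it is set
    aside before looking for the first remaining colon. UNC paths have no
    drive prefix and are handled by the same rule.
    """
    if len(path) >= 2 and path[1] == ":" and path[0].isalpha():
        drive, rest = path[:2], path[2:]
    else:
        drive, rest = "", path
    if ":" not in rest:
        return NtfsPath(path, "")
    host, stream = rest.split(":", 1)
    return NtfsPath(drive + host, _strip_type(stream))


def list_streams(host: str) -> list:
    """Enumerate the named streams on a file or directory (Vista+; XP lacks FindFirstStreamW).

    Returns [(stream_name, size_in_bytes), ...] without the unnamed '::$DATA' stream.
    """
    if sys.platform != "win32":
        raise OSError("FindFirstStreamW is only available on Windows")
    import ctypes
    import ctypes.wintypes as wt

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", wt.WCHAR * (wt.MAX_PATH + 36))]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [wt.LPCWSTR, ctypes.c_int, ctypes.c_void_p, wt.DWORD]
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindNextStreamW.restype = wt.BOOL
    k32.FindClose.argtypes = [ctypes.c_void_p]

    invalid_handle = ctypes.c_void_p(-1).value
    data = WIN32_FIND_STREAM_DATA()
    h = k32.FindFirstStreamW(host, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if h == invalid_handle:
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            # The API reports names as ":name:$DATA"; the unnamed stream is "::$DATA".
            name = _strip_type(data.cStreamName).lstrip(":")
            if name:
                streams.append((name, data.StreamSize))
            if not k32.FindNextStreamW(h, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(h)
    return streams


if __name__ == "__main__":
    # Path from the thread; on a Windows host pass your own object as argv[1] to list its streams.
    parsed = split_stream(r"C:\WINDOWS\394908368:791508712.exe")
    print("host object:", parsed.host, "| stream:", parsed.stream)
    if len(sys.argv) > 1:
        for name, size in list_streams(sys.argv[1]):
            print(f"{sys.argv[1]}:{name}  ({size} bytes)")
```

The practical consequence for a cleanup is that the object to inspect, lock or remove is the host (here C:\WINDOWS\394908368), not a file that looks like 791508712.exe; tools that walk the directory tree by ordinary file listing will never see the stream, while a stream-aware listing of the host shows it with its size.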




