infected with google redirect. Need more advanced help (thread from what do I do forum)


  • This topic is locked
68 replies to this topic

#1 acgtek

acgtek

  • Members
  • 55 posts
  • OFFLINE
  • Local time:04:05 AM

Posted 08 November 2011 - 08:48 PM

Hello,

Here is the thread in what do I do forum:

http://www.bleepingcomputer.com/forums/topic426829.html/page__gopid__2468241#entry2468241

I was advised by the moderator to seek more advanced help from this forum. The thread above contains logs from several scans.

Appreciate the help!

Here is the log for DDS.txt and attach.txt (as attached):

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Jun C at 19:39:45 on 2011-11-08
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3033.1849 [GMT -6:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\windows\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Lenovo\ReadyComm\common\IGRS.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\Program Files\Nuance\PDF Professional 6\PDFProFiltSrv.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\windows\System32\IgrsSvcs.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Brother\BRAgent\BRAgtSrv.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\taskhost.exe
C:\windows\System32\rundll32.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe
C:\Program Files\Lenovo\Energy Management\utility.exe
C:\Program Files\Lenovo\Energy Management\Energy Management.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Nuance\PDF Professional 6\PdfPro6Hook.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\V0230Mon.exe
C:\Program Files\Seagate\BlackArmorBackup\BlackArmorBackupMonitor.exe
C:\Program Files\Seagate\BlackArmorBackup\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\windows\system32\conhost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\NJStar Chinese WP\Njstar.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGService.exe
C:\Program Files\DDNI\DIBS\DDNIService.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.marsonsourcing.com/
mStart Page = hxxp://lenovo.live.com/
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PlusIEEventHelper Class: {551a852f-39a6-44a7-9c13-afbec9185a9d} - c:\program files\nuance\pdf professional 6\bin\PlusIEContextMenu.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: ZeonIEEventHelper Class: {da986d7d-ccaf-47b2-84fe-bfa1549bebf9} - c:\program files\nuance\pdf professional 6\bin\ZeonIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Nuance PDF: {e3286bf1-e654-42ff-b4a6-5e111731df6b} - c:\program files\nuance\pdf professional 6\bin\ZeonIEFavClient.dll
uRun: [cdloader] "c:\users\jun c\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [IdeaNotesUser] c:\program files\ddni\lenovo idea notes\DDNIMSGUser.exe
mRun: [EnergyUtility] c:\program files\lenovo\energy management\utility.exe
mRun: [Energy Management] c:\program files\lenovo\energy management\Energy Management.exe
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [PDFHook] c:\program files\nuance\pdf professional 6\pdfpro6hook.exe
mRun: [PDF6 Registry Controller] c:\program files\nuance\pdf professional 6\RegistryController.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [V0230Mon.exe] c:\windows\V0230Mon.exe
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [BlackArmorBackupMonitor.exe] c:\program files\seagate\blackarmorbackup\BlackArmorBackupMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\blackarmorbackup\TimounterMonitor.exe
mRun: [Seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Open with Nuance PDF Converter 6.0 - c:\program files\nuance\pdf professional 6\cnvres_eng.dll /100
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{4C0BD9B6-7257-4480-9337-8D4CA89CA04A} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{4C0BD9B6-7257-4480-9337-8D4CA89CA04A}\34F657274797162746 : DhcpNameServer = 4.2.2.1 8.8.8.8
TCP: Interfaces\{4C0BD9B6-7257-4480-9337-8D4CA89CA04A}\44454502A4F686E6 : DhcpNameServer = 202.96.134.133 202.96.128.86
TCP: Interfaces\{4C0BD9B6-7257-4480-9337-8D4CA89CA04A}\544786F63747275616D6 : DhcpNameServer = 10.0.0.1
TCP: Interfaces\{4C0BD9B6-7257-4480-9337-8D4CA89CA04A}\E6564777963756 : DhcpNameServer = 10.1.1.1
TCP: Interfaces\{4C0BD9B6-7257-4480-9337-8D4CA89CA04A}\F6260746 : DhcpNameServer = 10.1.10.1
TCP: Interfaces\{84A38643-2267-4DA0-B597-43BE10A51BE5} : DhcpNameServer = 192.168.1.1
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jun c\appdata\roaming\mozilla\firefox\profiles\t7bpiwg5.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.marsonsourcing.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\autodesk\autodesk design review firefox add-on v1.1\npADRdwf.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\program files\nuance\pdf professional 6\bin\nppdf.dll
FF - plugin: c:\program files\nuance\pdf professional 6\bin\nppdf.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-9-24 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-10-30 320856]
R1 funfrm;funfrm;c:\windows\system32\drivers\funfrm.sys [2009-9-4 54800]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-30 20568]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-10-30 54616]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-9-24 44768]
R2 DDNIMSGService;DDNIMSGService;c:\program files\ddni\lenovo idea notes\DDNIMSGService.exe [2009-6-23 172720]
R2 DDNIService;DDNIService;c:\program files\ddni\dibs\DDNIService.exe [2009-8-25 156336]
R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\common files\epson\epw!3 ssrp\E_S50ST7.EXE [2011-4-25 153600]
R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\common files\epson\epw!3 ssrp\E_S50RP7.EXE [2011-4-25 121856]
R2 IGRS;IGRS;c:\program files\lenovo\readycomm\common\IGRS.exe [2009-7-14 38152]
R2 PDFProFiltSrv;PDFProFiltSrv;c:\program files\nuance\pdf professional 6\PDFProFiltSrv.exe [2009-6-30 134944]
R2 ReadyComm.DirectRouter;ReadyComm.DirectRouter;c:\windows\system32\igrssvcs.exe -k igrssvcs --> c:\windows\system32\IgrsSvcs.exe -k IgrsSvcs [?]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2009-11-20 617984]
R2 WBA_Agent_Client;Brother BRAgent;c:\program files\brother\bragent\BRAgtSrv.exe [2009-10-30 86016]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [2009-9-4 21520]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-5-30 260648]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
R3 wdmirror;wdmirror;c:\windows\system32\drivers\WDMirror.sys [2009-9-4 11792]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Bridge0;Bridge0;c:\windows\system32\drivers\wdbridge.sys [2009-9-4 63240]
S3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2009-7-13 229888]
S3 Lenovo ReadyComm AppSvc;Lenovo ReadyComm AppSvc;c:\program files\lenovo\readycomm\AppSvc.exe [2009-9-4 414984]
S3 Lenovo ReadyComm ConnSvc;Lenovo ReadyComm ConnSvc;c:\program files\lenovo\readycomm\ConnSvc.exe [2009-9-4 472328]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 PS_MDP;ReadyComm Presentation Space Helper Service;c:\windows\system32\igrssvcs.exe -k igrssvcs --> c:\windows\system32\IgrsSvcs.exe -k IgrsSvcs [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-8-25 171520]
S3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [2010-6-20 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [2010-6-20 509760]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-11-2 1343400]
S3 wsvd;wsvd;c:\windows\system32\drivers\wsvd.sys [2009-7-21 81704]
.
=============== Created Last 30 ================
.
2011-11-03 21:12:05 -------- d-sh--w- C:\$RECYCLE.BIN
2011-11-03 21:11:54 -------- d-----w- c:\users\jun c\appdata\local\temp
2011-11-03 19:10:48 -------- d-----w- c:\programdata\360safe
2011-11-03 19:03:04 -------- d-----w- c:\program files\360
2011-11-03 03:40:51 -------- d-----w- c:\users\jun c\appdata\roaming\PC Cleaners
2011-11-03 03:40:45 5359888 ----a-w- c:\windows\uninst.exe
2011-11-03 03:40:44 -------- d-----w- c:\programdata\PC1Data
2011-11-02 20:19:17 -------- d-----w- c:\windows\system32\Wat
2011-11-02 17:09:55 294912 ----a-w- c:\windows\system32\umpnpmgr.dll
2011-11-02 17:09:38 86528 ----a-w- c:\windows\system32\SearchFilterHost.exe
2011-11-02 17:09:38 666624 ----a-w- c:\windows\system32\mssvp.dll
2011-11-02 17:09:38 59392 ----a-w- c:\windows\system32\msscntrs.dll
2011-11-02 17:09:38 428032 ----a-w- c:\windows\system32\SearchIndexer.exe
2011-11-02 17:09:38 337408 ----a-w- c:\windows\system32\mssph.dll
2011-11-02 17:09:38 197120 ----a-w- c:\windows\system32\mssphtb.dll
2011-11-02 17:09:38 164352 ----a-w- c:\windows\system32\SearchProtocolHost.exe
2011-11-02 17:09:38 1553920 ----a-w- c:\windows\system32\tquery.dll
2011-11-02 17:09:38 1401856 ----a-w- c:\windows\system32\mssrch.dll
2011-11-02 17:09:01 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2011-11-02 17:08:47 311296 ----a-w- c:\windows\system32\drivers\srv.sys
2011-11-02 17:08:47 309760 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-11-02 17:08:47 114176 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-11-02 17:08:34 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-11-02 17:08:20 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-11-02 17:08:20 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-02 17:03:18 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-11-02 17:03:02 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-11-02 17:02:51 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-11-02 17:02:33 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-11-02 17:02:20 31232 ----a-w- c:\windows\system32\prevhost.exe
2011-11-02 17:02:02 2614784 ----a-w- c:\windows\explorer.exe
2011-11-02 17:01:45 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-11-02 17:01:45 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-11-02 17:01:30 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-11-02 17:01:30 294912 ----a-w- c:\windows\system32\atmfd.dll
2011-11-02 17:01:00 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
2011-11-02 17:00:44 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-11-02 17:00:27 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-11-02 17:00:27 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-11-02 17:00:13 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-11-02 16:59:58 802304 ----a-w- c:\windows\system32\FntCache.dll
2011-11-02 16:59:58 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-11-02 16:59:58 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-11-02 16:59:43 2690560 ----a-w- c:\windows\system32\mstscax.dll
2011-11-02 16:59:43 1034240 ----a-w- c:\windows\system32\mstsc.exe
2011-11-02 16:59:27 850432 ----a-w- c:\windows\system32\sbe.dll
2011-11-02 16:59:27 642048 ----a-w- c:\windows\system32\CPFilters.dll
2011-11-02 16:59:27 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-11-02 16:59:27 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2011-11-02 16:59:10 3957120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-11-02 16:59:10 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-11-02 16:59:10 1289536 ----a-w- c:\windows\system32\ntdll.dll
2011-11-02 16:58:03 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-11-02 16:58:03 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-11-02 16:58:03 107520 ----a-w- c:\windows\system32\cdd.dll
2011-11-02 16:56:42 109056 ----a-w- c:\windows\system32\t2embed.dll
2011-11-02 16:56:32 4247040 ----a-w- c:\program files\windows nt\accessories\wordpad.exe
2011-11-02 16:56:32 1413632 ----a-w- c:\windows\system32\ole32.dll
2011-11-02 16:56:21 954752 ----a-w- c:\windows\system32\mfc40.dll
2011-11-02 16:56:21 954288 ----a-w- c:\windows\system32\mfc40u.dll
2011-11-02 16:56:13 530432 ----a-w- c:\windows\system32\comctl32.dll
2011-11-02 16:56:04 738816 ----a-w- c:\windows\system32\wmpmde.dll
2011-11-02 16:55:56 224256 ----a-w- c:\windows\system32\schannel.dll
2011-11-02 16:55:48 101760 ----a-w- c:\windows\system32\consent.exe
2011-11-02 16:55:40 516096 ----a-w- c:\program files\windows mail\wab.exe
2011-11-02 16:55:32 314368 ----a-w- c:\windows\system32\webio.dll
2011-11-02 16:55:24 749056 ----a-w- c:\windows\system32\schedsvc.dll
2011-11-02 16:55:24 496128 ----a-w- c:\windows\system32\taskschd.dll
2011-11-02 16:55:24 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
2011-11-02 16:55:24 305152 ----a-w- c:\windows\system32\taskcomp.dll
2011-11-02 16:55:24 192000 ----a-w- c:\windows\system32\taskeng.exe
2011-11-02 16:55:24 179712 ----a-w- c:\windows\system32\schtasks.exe
2011-11-02 16:54:56 465408 ----a-w- c:\windows\system32\psisdecd.dll
2011-11-02 16:54:56 417792 ----a-w- c:\windows\system32\msdri.dll
2011-11-02 16:54:56 204288 ----a-w- c:\windows\system32\MSNP.ax
2011-11-02 16:54:24 164864 ----a-w- c:\program files\windows media player\wmplayer.exe
2011-11-02 16:54:24 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2011-11-02 16:54:11 168448 ----a-w- c:\windows\system32\srvsvc.dll
2011-11-02 16:54:05 363520 ----a-w- c:\windows\system32\StructuredQuery.dll
2011-11-02 16:54:01 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2011-11-02 16:54:01 146304 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2011-11-02 16:53:56 316928 ----a-w- c:\windows\system32\spoolsv.exe
2011-11-02 16:53:49 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2011-11-02 16:53:42 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2011-11-02 16:53:17 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2011-11-02 16:53:17 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2011-11-02 16:53:17 369152 ----a-w- c:\windows\system32\secproc.dll
2011-11-02 16:53:17 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2011-11-02 16:53:17 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2011-11-02 16:53:17 320512 ----a-w- c:\windows\system32\RMActivate.exe
2011-11-02 16:53:17 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2011-11-02 16:53:17 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2011-11-02 16:37:48 -------- d-----w- c:\users\jun c\appdata\roaming\IObit
2011-11-02 16:37:46 -------- d-----w- c:\program files\IObit
2011-11-02 05:04:04 98816 ----a-w- c:\windows\sed.exe
2011-11-02 05:04:04 518144 ----a-w- c:\windows\SWREG.exe
2011-11-02 05:04:04 256000 ----a-w- c:\windows\PEV.exe
2011-11-02 05:04:04 208896 ----a-w- c:\windows\MBR.exe
2011-10-30 04:31:55 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-10-30 04:31:54 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-10-30 04:31:14 -------- d-----w- c:\programdata\Hitman Pro
2011-10-28 22:37:39 -------- d-----w- c:\programdata\STOPzilla!
2011-10-10 06:17:04 90624 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\HPZPPWN7.DLL
.
==================== Find3M ====================
.
2011-11-02 16:57:51 276992 ----a-w- c:\windows\system32\wcncsvc.dll
2011-11-02 16:57:37 80384 ----a-w- c:\windows\system32\davclnt.dll
2011-11-02 16:57:37 73728 ----a-w- c:\windows\system32\wscsvc.dll
2011-11-02 16:57:37 51200 ----a-w- c:\windows\system32\wscapi.dll
2011-11-02 16:57:37 350720 ----a-w- c:\windows\system32\winhttp.dll
2011-11-02 16:57:37 204800 ----a-w- c:\windows\system32\WebClnt.dll
2011-11-02 16:57:37 204288 ----a-w- c:\windows\system32\upnp.dll
2011-11-02 16:57:37 14336 ----a-w- c:\windows\system32\slwga.dll
2011-11-02 16:57:37 1389568 ----a-w- c:\windows\system32\msxml6.dll
2011-11-02 16:57:37 1236992 ----a-w- c:\windows\system32\msxml3.dll
2011-11-02 16:57:17 541184 ----a-w- c:\windows\system32\kerberos.dll
2011-11-02 16:57:05 573440 ----a-w- c:\windows\system32\odbc32.dll
2011-09-06 20:45:29 41184 ----a-w- c:\windows\avastSS.scr
2011-09-06 20:38:05 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-06 20:36:26 54616 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-08-31 23:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 19:40:39.01 ===============

Attached Files




#2 acgtek

acgtek
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:04:05 AM

Posted 08 November 2011 - 09:53 PM

Here is latest GMER.log with CD emulation disabled:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-08 20:50:58
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.11.0
Running: 4y6tsekr.exe; Driver: C:\Users\JUNC~1\AppData\Local\Temp\kwdcipog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8B999374]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x90A242B8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8B99B996]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8B99B9EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8B99BB04]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8B99B8EC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8B99BA3E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8B99B940]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8B99BAB2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8B999398]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x90A24368]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8B999162]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8B9993BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8B99BEFC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8B999E54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8B99B9C6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8B99BA16]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8B99BB2E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8B99B918]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8B99BA7E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8B99B96E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8B99BADC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x90A24400]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8B999D1A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8B9993E0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8B999404]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8B9991BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8B9992F8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8B9992D4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8B99931C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8B999428]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82E51589 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E76092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 214 82E7D824 4 Bytes [74, 93, 99, 8B]
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 82E7D84C 4 Bytes [B8, 42, A2, 90]
.text ntkrnlpa.exe!RtlSidHashLookup + 2F0 82E7D900 8 Bytes [96, B9, 99, 8B, EE, B9, 99, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 2FC 82E7D90C 4 Bytes [04, BB, 99, 8B]
.text ntkrnlpa.exe!RtlSidHashLookup + 318 82E7D928 4 Bytes [EC, B8, 99, 8B]
.text ...
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 8307B5CA 4 Bytes CALL 8B99A4C5 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 830836A5 4 Bytes CALL 8B99A4DB \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text user32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes [E9, 88, 3D, C6, 89] {JMP 0xffffffff89c63d8d}
.text user32.dll!UnhookWinEvent 765AD924 5 Bytes [E9, D3, 2A, C6, 89] {JMP 0xffffffff89c62ad8}
.text user32.dll!SetWindowsHookExW 765B210A 5 Bytes [E9, F5, E6, C5, 89] {JMP 0xffffffff89c5e6fa}
.text user32.dll!SetWinEventHook 765B507E 5 Bytes [E9, 75, B1, C5, 89] {JMP 0xffffffff89c5b17a}
.text user32.dll!SetWindowsHookExA 765D6DFA 5 Bytes [E9, 01, 98, C3, 89] {JMP 0xffffffff89c39806}
.text kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe[436] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001503FC
.text C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe[436] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001501F8
.text C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe[436] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe[436] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 001F0A08
.text C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe[436] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001F03FC
.text C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe[436] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 001F0804
.text C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe[436] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001F01F8
.text C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe[436] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 001F0600
.text C:\windows\System32\svchost.exe[600] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\System32\svchost.exe[600] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\System32\svchost.exe[600] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\System32\svchost.exe[600] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 001F0A08
.text C:\windows\System32\svchost.exe[600] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001F03FC
.text C:\windows\System32\svchost.exe[600] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 001F0804
.text C:\windows\System32\svchost.exe[600] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001F01F8
.text C:\windows\System32\svchost.exe[600] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 001F0600
.text C:\windows\system32\csrss.exe[604] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Apoint2K\ApMsgFwd.exe[608] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001603FC
.text C:\Program Files\Apoint2K\ApMsgFwd.exe[608] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001601F8
.text C:\Program Files\Apoint2K\ApMsgFwd.exe[608] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Apoint2K\ApMsgFwd.exe[608] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 001F0A08
.text C:\Program Files\Apoint2K\ApMsgFwd.exe[608] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001F03FC
.text C:\Program Files\Apoint2K\ApMsgFwd.exe[608] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 001F0804
.text C:\Program Files\Apoint2K\ApMsgFwd.exe[608] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001F01F8
.text C:\Program Files\Apoint2K\ApMsgFwd.exe[608] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 001F0600
.text C:\windows\system32\wininit.exe[656] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000703FC
.text C:\windows\system32\wininit.exe[656] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000701F8
.text C:\windows\system32\wininit.exe[656] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\system32\wininit.exe[656] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00090A08
.text C:\windows\system32\wininit.exe[656] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 000903FC
.text C:\windows\system32\wininit.exe[656] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00090804
.text C:\windows\system32\wininit.exe[656] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 000901F8
.text C:\windows\system32\wininit.exe[656] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00090600
.text C:\windows\system32\csrss.exe[668] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\system32\services.exe[712] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\system32\services.exe[712] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\system32\services.exe[712] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\system32\lsass.exe[732] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\system32\lsass.exe[732] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\system32\lsass.exe[732] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\system32\lsass.exe[732] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 000B0A08
.text C:\windows\system32\lsass.exe[732] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 000B03FC
.text C:\windows\system32\lsass.exe[732] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 000B0804
.text C:\windows\system32\lsass.exe[732] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 000B01F8
.text C:\windows\system32\lsass.exe[732] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 000B0600
.text C:\windows\system32\lsm.exe[740] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\system32\lsm.exe[740] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\system32\lsm.exe[740] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\system32\winlogon.exe[768] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000303FC
.text C:\windows\system32\winlogon.exe[768] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000301F8
.text C:\windows\system32\winlogon.exe[768] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\system32\winlogon.exe[768] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00100A08
.text C:\windows\system32\winlogon.exe[768] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001003FC
.text C:\windows\system32\winlogon.exe[768] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00100804
.text C:\windows\system32\winlogon.exe[768] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001001F8
.text C:\windows\system32\winlogon.exe[768] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00100600
.text C:\windows\system32\svchost.exe[880] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\system32\svchost.exe[880] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\system32\svchost.exe[880] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\system32\svchost.exe[972] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\system32\svchost.exe[972] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\system32\svchost.exe[972] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\System32\svchost.exe[1036] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\System32\svchost.exe[1036] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\System32\svchost.exe[1036] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\System32\svchost.exe[1036] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00170A08
.text C:\windows\System32\svchost.exe[1036] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001703FC
.text C:\windows\System32\svchost.exe[1036] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00170804
.text C:\windows\System32\svchost.exe[1036] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001701F8
.text C:\windows\System32\svchost.exe[1036] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00170600
.text C:\windows\System32\svchost.exe[1104] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\System32\svchost.exe[1104] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\System32\svchost.exe[1104] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\System32\svchost.exe[1104] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00350A08
.text C:\windows\System32\svchost.exe[1104] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 003503FC
.text C:\windows\System32\svchost.exe[1104] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00350804
.text C:\windows\System32\svchost.exe[1104] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 003501F8
.text C:\windows\System32\svchost.exe[1104] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00350600
.text C:\windows\system32\svchost.exe[1156] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\system32\svchost.exe[1156] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\system32\svchost.exe[1156] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\system32\svchost.exe[1156] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00A00A08
.text C:\windows\system32\svchost.exe[1156] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 00A003FC
.text C:\windows\system32\svchost.exe[1156] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00A00804
.text C:\windows\system32\svchost.exe[1156] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 00A001F8
.text C:\windows\system32\svchost.exe[1156] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00A00600
.text C:\windows\system32\AUDIODG.EXE[1240] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\system32\svchost.exe[1288] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\system32\svchost.exe[1288] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\system32\svchost.exe[1288] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\system32\svchost.exe[1288] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 003F0A08
.text C:\windows\system32\svchost.exe[1288] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 003F03FC
.text C:\windows\system32\svchost.exe[1288] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 003F0804
.text C:\windows\system32\svchost.exe[1288] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 003F01F8
.text C:\windows\system32\svchost.exe[1288] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 003F0600
.text C:\windows\system32\svchost.exe[1440] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\system32\svchost.exe[1440] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\system32\svchost.exe[1440] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\system32\svchost.exe[1440] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 009E0A08
.text C:\windows\system32\svchost.exe[1440] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 009E03FC
.text C:\windows\system32\svchost.exe[1440] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 009E0804
.text C:\windows\system32\svchost.exe[1440] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 009E01F8
.text C:\windows\system32\svchost.exe[1440] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 009E0600
.text C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE[1524] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000503FC
.text C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE[1524] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000501F8
.text C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE[1524] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE[1524] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 000F0A08
.text C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE[1524] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 000F03FC
.text C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE[1524] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 000F0804
.text C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE[1524] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 000F01F8
.text C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE[1524] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 000F0600
.text C:\Program Files\Lenovo\ReadyComm\common\IGRS.exe[1560] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001503FC
.text C:\Program Files\Lenovo\ReadyComm\common\IGRS.exe[1560] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001501F8
.text C:\Program Files\Lenovo\ReadyComm\common\IGRS.exe[1560] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Lenovo\ReadyComm\common\IGRS.exe[1560] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 001E0A08
.text C:\Program Files\Lenovo\ReadyComm\common\IGRS.exe[1560] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001E03FC
.text C:\Program Files\Lenovo\ReadyComm\common\IGRS.exe[1560] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 001E0804
.text C:\Program Files\Lenovo\ReadyComm\common\IGRS.exe[1560] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001E01F8
.text C:\Program Files\Lenovo\ReadyComm\common\IGRS.exe[1560] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 001E0600
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1592] kernel32.dll!SetUnhandledExceptionFilter 75E430E2 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1592] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\system32\WLANExt.exe[1600] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\system32\WLANExt.exe[1600] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\system32\WLANExt.exe[1600] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\system32\WLANExt.exe[1600] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00110A08
.text C:\windows\system32\WLANExt.exe[1600] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001103FC
.text C:\windows\system32\WLANExt.exe[1600] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00110804
.text C:\windows\system32\WLANExt.exe[1600] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001101F8
.text C:\windows\system32\WLANExt.exe[1600] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00110600
.text C:\windows\system32\conhost.exe[1608] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000303FC
.text C:\windows\system32\conhost.exe[1608] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000301F8
.text C:\windows\system32\conhost.exe[1608] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\system32\conhost.exe[1608] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 000C0A08
.text C:\windows\system32\conhost.exe[1608] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 000C03FC
.text C:\windows\system32\conhost.exe[1608] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 000C0804
.text C:\windows\system32\conhost.exe[1608] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 000C01F8
.text C:\windows\system32\conhost.exe[1608] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 000C0600
.text C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE[1712] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000503FC
.text C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE[1712] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000501F8
.text C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE[1712] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE[1712] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 001F0A08
.text C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE[1712] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001F03FC
.text C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE[1712] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 001F0804
.text C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE[1712] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001F01F8
.text C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE[1712] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 001F0600
.text C:\windows\system32\svchost.exe[1896] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\system32\svchost.exe[1896] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\system32\svchost.exe[1896] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\system32\svchost.exe[1896] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 008F0A08
.text C:\windows\system32\svchost.exe[1896] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 008F03FC
.text C:\windows\system32\svchost.exe[1896] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 008F0804
.text C:\windows\system32\svchost.exe[1896] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 008F01F8
.text C:\windows\system32\svchost.exe[1896] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 008F0600
.text C:\windows\System32\spoolsv.exe[1944] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\System32\spoolsv.exe[1944] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\System32\spoolsv.exe[1944] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\System32\spoolsv.exe[1944] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00140A08
.text C:\windows\System32\spoolsv.exe[1944] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001403FC
.text C:\windows\System32\spoolsv.exe[1944] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00140804
.text C:\windows\System32\spoolsv.exe[1944] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001401F8
.text C:\windows\System32\spoolsv.exe[1944] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00140600
.text C:\windows\system32\svchost.exe[1976] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\system32\svchost.exe[1976] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\system32\svchost.exe[1976] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\system32\svchost.exe[1976] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00500A08
.text C:\windows\system32\svchost.exe[1976] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 005003FC
.text C:\windows\system32\svchost.exe[1976] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00500804
.text C:\windows\system32\svchost.exe[1976] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 005001F8
.text C:\windows\system32\svchost.exe[1976] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00500600
.text C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe[2084] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001503FC
.text C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe[2084] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001501F8
.text C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe[2084] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe[2084] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 001E0A08
.text C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe[2084] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001E03FC
.text C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe[2084] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 001E0804
.text C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe[2084] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001E01F8
.text C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe[2084] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 001E0600
.text C:\windows\system32\taskhost.exe[2124] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000903FC
.text C:\windows\system32\taskhost.exe[2124] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000901F8
.text C:\windows\system32\taskhost.exe[2124] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\system32\taskhost.exe[2124] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00120A08
.text C:\windows\system32\taskhost.exe[2124] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001203FC
.text C:\windows\system32\taskhost.exe[2124] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00120804
.text C:\windows\system32\taskhost.exe[2124] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001201F8
.text C:\windows\system32\taskhost.exe[2124] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00120600
.text C:\Program Files\Nuance\PDF Professional 6\PDFProFiltSrv.exe[2192] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001603FC
.text C:\Program Files\Nuance\PDF Professional 6\PDFProFiltSrv.exe[2192] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001601F8
.text C:\Program Files\Nuance\PDF Professional 6\PDFProFiltSrv.exe[2192] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Nuance\PDF Professional 6\PDFProFiltSrv.exe[2192] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 001F0A08
.text C:\Program Files\Nuance\PDF Professional 6\PDFProFiltSrv.exe[2192] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001F03FC
.text C:\Program Files\Nuance\PDF Professional 6\PDFProFiltSrv.exe[2192] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 001F0804
.text C:\Program Files\Nuance\PDF Professional 6\PDFProFiltSrv.exe[2192] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001F01F8
.text C:\Program Files\Nuance\PDF Professional 6\PDFProFiltSrv.exe[2192] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 001F0600
.text C:\Program Files\Apoint2K\Apntex.exe[2264] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001503FC
.text C:\Program Files\Apoint2K\Apntex.exe[2264] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001501F8
.text C:\Program Files\Apoint2K\Apntex.exe[2264] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Apoint2K\Apntex.exe[2264] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 001E0A08
.text C:\Program Files\Apoint2K\Apntex.exe[2264] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001E03FC
.text C:\Program Files\Apoint2K\Apntex.exe[2264] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 001E0804
.text C:\Program Files\Apoint2K\Apntex.exe[2264] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001E01F8
.text C:\Program Files\Apoint2K\Apntex.exe[2264] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 001E0600
.text C:\windows\System32\svchost.exe[2336] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\System32\svchost.exe[2336] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\System32\svchost.exe[2336] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe[2392] KERNEL32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\System32\IgrsSvcs.exe[2672] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\System32\IgrsSvcs.exe[2672] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\System32\IgrsSvcs.exe[2672] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe[2712] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001603FC
.text C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe[2712] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001601F8
.text C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe[2712] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe[2712] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00200A08
.text C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe[2712] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 002003FC
.text C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe[2712] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00200804
.text C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe[2712] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 002001F8
.text C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe[2712] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00200600
.text C:\windows\system32\svchost.exe[2780] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\system32\svchost.exe[2780] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\system32\svchost.exe[2780] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Brother\BRAgent\BRAgtSrv.exe[2852] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001503FC
.text C:\Program Files\Brother\BRAgent\BRAgtSrv.exe[2852] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001501F8
.text C:\Program Files\Brother\BRAgent\BRAgtSrv.exe[2852] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Brother\BRAgent\BRAgtSrv.exe[2852] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00170A08
.text C:\Program Files\Brother\BRAgent\BRAgtSrv.exe[2852] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001703FC
.text C:\Program Files\Brother\BRAgent\BRAgtSrv.exe[2852] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00170804
.text C:\Program Files\Brother\BRAgent\BRAgtSrv.exe[2852] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001701F8
.text C:\Program Files\Brother\BRAgent\BRAgtSrv.exe[2852] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00170600
.text C:\windows\System32\svchost.exe[2884] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\System32\svchost.exe[2884] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\System32\svchost.exe[2884] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\System32\svchost.exe[2884] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00190A08
.text C:\windows\System32\svchost.exe[2884] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001903FC
.text C:\windows\System32\svchost.exe[2884] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00190804
.text C:\windows\System32\svchost.exe[2884] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001901F8
.text C:\windows\System32\svchost.exe[2884] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00190600
.text C:\windows\system32\wbem\wmiprvse.exe[2892] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\system32\wbem\wmiprvse.exe[2892] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\system32\wbem\wmiprvse.exe[2892] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\system32\wbem\wmiprvse.exe[2892] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00110A08
.text C:\windows\system32\wbem\wmiprvse.exe[2892] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001103FC
.text C:\windows\system32\wbem\wmiprvse.exe[2892] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00110804
.text C:\windows\system32\wbem\wmiprvse.exe[2892] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001101F8
.text C:\windows\system32\wbem\wmiprvse.exe[2892] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00110600
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3000] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001603FC
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3000] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001601F8
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3000] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3000] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 002F0A08
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3000] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 002F03FC
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3000] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 002F0804
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3000] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 002F01F8
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3000] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 002F0600
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3196] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3196] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3196] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3196] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00100A08
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3196] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001003FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3196] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00100804
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3196] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001001F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3196] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00100600
.text C:\windows\system32\wbem\wmiprvse.exe[3272] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\system32\wbem\wmiprvse.exe[3272] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\system32\wbem\wmiprvse.exe[3272] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\system32\wbem\wmiprvse.exe[3272] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00090A08
.text C:\windows\system32\wbem\wmiprvse.exe[3272] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 000903FC
.text C:\windows\system32\wbem\wmiprvse.exe[3272] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00090804
.text C:\windows\system32\wbem\wmiprvse.exe[3272] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 000901F8
.text C:\windows\system32\wbem\wmiprvse.exe[3272] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00090600
.text C:\windows\Explorer.EXE[3324] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\Explorer.EXE[3324] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\Explorer.EXE[3324] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\Explorer.EXE[3324] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00110A08
.text C:\windows\Explorer.EXE[3324] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001103FC
.text C:\windows\Explorer.EXE[3324] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00110804
.text C:\windows\Explorer.EXE[3324] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001101F8
.text C:\windows\Explorer.EXE[3324] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00110600
.text C:\windows\system32\Dwm.exe[3368] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\system32\Dwm.exe[3368] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\system32\Dwm.exe[3368] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\system32\Dwm.exe[3368] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 000F0A08
.text C:\windows\system32\Dwm.exe[3368] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 000F03FC
.text C:\windows\system32\Dwm.exe[3368] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 000F0804
.text C:\windows\system32\Dwm.exe[3368] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 000F01F8
.text C:\windows\system32\Dwm.exe[3368] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 000F0600
.text C:\windows\system32\svchost.exe[3460] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\system32\svchost.exe[3460] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\system32\svchost.exe[3460] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\system32\svchost.exe[3460] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 001B0A08
.text C:\windows\system32\svchost.exe[3460] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001B03FC
.text C:\windows\system32\svchost.exe[3460] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 001B0804
.text C:\windows\system32\svchost.exe[3460] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001B01F8
.text C:\windows\system32\svchost.exe[3460] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 001B0600
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3608] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001603FC
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3608] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001601F8
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3608] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3608] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 001F0A08
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3608] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001F03FC
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3608] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 001F0804
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3608] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001F01F8
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3608] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 001F0600
.text C:\Program Files\Apoint2K\Apoint.exe[3652] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001503FC
.text C:\Program Files\Apoint2K\Apoint.exe[3652] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001501F8
.text C:\Program Files\Apoint2K\Apoint.exe[3652] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Apoint2K\Apoint.exe[3652] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00170A08
.text C:\Program Files\Apoint2K\Apoint.exe[3652] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001703FC
.text C:\Program Files\Apoint2K\Apoint.exe[3652] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00170804
.text C:\Program Files\Apoint2K\Apoint.exe[3652] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001701F8
.text C:\Program Files\Apoint2K\Apoint.exe[3652] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00170600
.text C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3664] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001603FC
.text C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3664] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001601F8
.text C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3664] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3664] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 001F0A08
.text C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3664] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001F03FC
.text C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3664] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 001F0804
.text C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3664] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001F01F8
.text C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3664] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 001F0600
.text C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe[3676] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001603FC
.text C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe[3676] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001601F8
.text C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe[3676] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe[3676] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00200A08
.text C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe[3676] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 002003FC
.text C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe[3676] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00200804
.text C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe[3676] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 002001F8
.text C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe[3676] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00200600
.text C:\Program Files\Lenovo\Energy Management\utility.exe[3692] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001603FC
.text C:\Program Files\Lenovo\Energy Management\utility.exe[3692] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001601F8
.text C:\Program Files\Lenovo\Energy Management\utility.exe[3692] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Lenovo\Energy Management\utility.exe[3692] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 001F0A08
.text C:\Program Files\Lenovo\Energy Management\utility.exe[3692] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001F03FC
.text C:\Program Files\Lenovo\Energy Management\utility.exe[3692] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 001F0804
.text C:\Program Files\Lenovo\Energy Management\utility.exe[3692] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001F01F8
.text C:\Program Files\Lenovo\Energy Management\utility.exe[3692] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 001F0600
.text C:\Program Files\Lenovo\Energy Management\Energy Management.exe[3724] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001603FC
.text C:\Program Files\Lenovo\Energy Management\Energy Management.exe[3724] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001601F8
.text C:\Program Files\Lenovo\Energy Management\Energy Management.exe[3724] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Lenovo\Energy Management\Energy Management.exe[3724] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00300A08
.text C:\Program Files\Lenovo\Energy Management\Energy Management.exe[3724] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 003003FC
.text C:\Program Files\Lenovo\Energy Management\Energy Management.exe[3724] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00300804
.text C:\Program Files\Lenovo\Energy Management\Energy Management.exe[3724] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 003001F8
.text C:\Program Files\Lenovo\Energy Management\Energy Management.exe[3724] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00300600
.text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3764] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001503FC
.text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3764] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001501F8
.text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3764] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3764] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00200A08
.text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3764] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 002003FC
.text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3764] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00200804
.text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3764] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 002001F8
.text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3764] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00200600
.text C:\Program Files\Nuance\PDF Professional 6\PdfPro6Hook.exe[3780] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001603FC
.text C:\Program Files\Nuance\PDF Professional 6\PdfPro6Hook.exe[3780] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001601F8
.text C:\Program Files\Nuance\PDF Professional 6\PdfPro6Hook.exe[3780] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Nuance\PDF Professional 6\PdfPro6Hook.exe[3780] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 001F0A08
.text C:\Program Files\Nuance\PDF Professional 6\PdfPro6Hook.exe[3780] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001F03FC
.text C:\Program Files\Nuance\PDF Professional 6\PdfPro6Hook.exe[3780] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 001F0804
.text C:\Program Files\Nuance\PDF Professional 6\PdfPro6Hook.exe[3780] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001F01F8
.text C:\Program Files\Nuance\PDF Professional 6\PdfPro6Hook.exe[3780] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 001F0600
.text C:\Windows\System32\igfxtray.exe[3796] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001603FC
.text C:\Windows\System32\igfxtray.exe[3796] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001601F8
.text C:\Windows\System32\igfxtray.exe[3796] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Windows\System32\igfxtray.exe[3796] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00200A08
.text C:\Windows\System32\igfxtray.exe[3796] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 002003FC
.text C:\Windows\System32\igfxtray.exe[3796] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00200804
.text C:\Windows\System32\igfxtray.exe[3796] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 002001F8
.text C:\Windows\System32\igfxtray.exe[3796] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00200600
.text C:\Windows\System32\hkcmd.exe[3804] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001603FC
.text C:\Windows\System32\hkcmd.exe[3804] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001601F8
.text C:\Windows\System32\hkcmd.exe[3804] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Windows\System32\hkcmd.exe[3804] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00300A08
.text C:\Windows\System32\hkcmd.exe[3804] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 003003FC
.text C:\Windows\System32\hkcmd.exe[3804] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00300804
.text C:\Windows\System32\hkcmd.exe[3804] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 003001F8
.text C:\Windows\System32\hkcmd.exe[3804] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00300600
.text C:\Windows\System32\igfxpers.exe[3812] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001603FC
.text C:\Windows\System32\igfxpers.exe[3812] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001601F8
.text C:\Windows\System32\igfxpers.exe[3812] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Windows\System32\igfxpers.exe[3812] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00210A08
.text C:\Windows\System32\igfxpers.exe[3812] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 002103FC
.text C:\Windows\System32\igfxpers.exe[3812] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00210804
.text C:\Windows\System32\igfxpers.exe[3812] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 002101F8
.text C:\Windows\System32\igfxpers.exe[3812] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00210600
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3820] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001703FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3820] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001701F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3820] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3820] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 001A0A08
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3820] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001A03FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3820] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 001A0804
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3820] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001A01F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3820] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 001A0600
.text C:\Windows\V0230Mon.exe[3832] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001503FC
.text C:\Windows\V0230Mon.exe[3832] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001501F8
.text C:\Windows\V0230Mon.exe[3832] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Windows\V0230Mon.exe[3832] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 001E0A08
.text C:\Windows\V0230Mon.exe[3832] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001E03FC
.text C:\Windows\V0230Mon.exe[3832] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 001E0804
.text C:\Windows\V0230Mon.exe[3832] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001E01F8
.text C:\Windows\V0230Mon.exe[3832] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 001E0600
.text C:\Program Files\Seagate\BlackArmorBackup\BlackArmorBackupMonitor.exe[3852] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001603FC
.text C:\Program Files\Seagate\BlackArmorBackup\BlackArmorBackupMonitor.exe[3852] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001601F8
.text C:\Program Files\Seagate\BlackArmorBackup\BlackArmorBackupMonitor.exe[3852] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Seagate\BlackArmorBackup\BlackArmorBackupMonitor.exe[3852] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00200A08
.text C:\Program Files\Seagate\BlackArmorBackup\BlackArmorBackupMonitor.exe[3852] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 002003FC
.text C:\Program Files\Seagate\BlackArmorBackup\BlackArmorBackupMonitor.exe[3852] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00200804
.text C:\Program Files\Seagate\BlackArmorBackup\BlackArmorBackupMonitor.exe[3852] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 002001F8
.text C:\Program Files\Seagate\BlackArmorBackup\BlackArmorBackupMonitor.exe[3852] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00200600
.text C:\Program Files\Seagate\BlackArmorBackup\TimounterMonitor.exe[3860] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001603FC
.text C:\Program Files\Seagate\BlackArmorBackup\TimounterMonitor.exe[3860] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001601F8
.text C:\Program Files\Seagate\BlackArmorBackup\TimounterMonitor.exe[3860] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Seagate\BlackArmorBackup\TimounterMonitor.exe[3860] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00200A08
.text C:\Program Files\Seagate\BlackArmorBackup\TimounterMonitor.exe[3860] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 002003FC
.text C:\Program Files\Seagate\BlackArmorBackup\TimounterMonitor.exe[3860] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00200804
.text C:\Program Files\Seagate\BlackArmorBackup\TimounterMonitor.exe[3860] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 002001F8
.text C:\Program Files\Seagate\BlackArmorBackup\TimounterMonitor.exe[3860] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00200600
.text C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe[3868] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001603FC
.text C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe[3868] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001601F8
.text C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe[3868] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe[3868] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00190A08
.text C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe[3868] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001903FC
.text C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe[3868] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00190804
.text C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe[3868] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001901F8
.text C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe[3868] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00190600
.text C:\Program Files\Epson Software\Event Manager\EEventManager.exe[3876] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\Program Files\Epson Software\Event Manager\EEventManager.exe[3876] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\Program Files\Epson Software\Event Manager\EEventManager.exe[3876] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Program Files\Epson Software\Event Manager\EEventManager.exe[3876] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00100A08
.text C:\Program Files\Epson Software\Event Manager\EEventManager.exe[3876] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001003FC
.text C:\Program Files\Epson Software\Event Manager\EEventManager.exe[3876] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00100804
.text C:\Program Files\Epson Software\Event Manager\EEventManager.exe[3876] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001001F8
.text C:\Program Files\Epson Software\Event Manager\EEventManager.exe[3876] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00100600
.text C:\windows\system32\conhost.exe[3884] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000303FC
.text C:\windows\system32\conhost.exe[3884] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000301F8
.text C:\windows\system32\conhost.exe[3884] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\system32\conhost.exe[3884] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 000C0A08
.text C:\windows\system32\conhost.exe[3884] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 000C03FC
.text C:\windows\system32\conhost.exe[3884] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 000C0804
.text C:\windows\system32\conhost.exe[3884] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 000C01F8
.text C:\windows\system32\conhost.exe[3884] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 000C0600
.text C:\windows\system32\igfxsrvc.exe[4032] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001603FC
.text C:\windows\system32\igfxsrvc.exe[4032] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001601F8
.text C:\windows\system32\igfxsrvc.exe[4032] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\system32\igfxsrvc.exe[4032] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 001F0A08
.text C:\windows\system32\igfxsrvc.exe[4032] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 001F03FC
.text C:\windows\system32\igfxsrvc.exe[4032] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 001F0804
.text C:\windows\system32\igfxsrvc.exe[4032] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 001F01F8
.text C:\windows\system32\igfxsrvc.exe[4032] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 001F0600
.text C:\windows\System32\svchost.exe[4140] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 000603FC
.text C:\windows\System32\svchost.exe[4140] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\System32\svchost.exe[4140] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\System32\svchost.exe[4140] user32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 003C0A08
.text C:\windows\System32\svchost.exe[4140] user32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 003C03FC
.text C:\windows\System32\svchost.exe[4140] user32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 003C0804
.text C:\windows\System32\svchost.exe[4140] user32.dll!SetWinEventHook 765B507E 5 Bytes JMP 003C01F8
.text C:\windows\System32\svchost.exe[4140] user32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 003C0600
.text C:\Users\Jun C\Downloads\4y6tsekr.exe[4924] ntdll.dll!LdrUnloadDll 779ABEAF 5 Bytes JMP 001603FC
.text C:\Users\Jun C\Downloads\4y6tsekr.exe[4924] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001601F8
.text C:\Users\Jun C\Downloads\4y6tsekr.exe[4924] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Users\Jun C\Downloads\4y6tsekr.exe[4924] USER32.dll!UnhookWindowsHookEx 765ACC7B 5 Bytes JMP 00210A08
.text C:\Users\Jun C\Downloads\4y6tsekr.exe[4924] USER32.dll!UnhookWinEvent 765AD924 5 Bytes JMP 002103FC
.text C:\Users\Jun C\Downloads\4y6tsekr.exe[4924] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00210804
.text C:\Users\Jun C\Downloads\4y6tsekr.exe[4924] USER32.dll!SetWinEventHook 765B507E 5 Bytes JMP 002101F8
.text C:\Users\Jun C\Downloads\4y6tsekr.exe[4924] USER32.dll!SetWindowsHookExA 765D6DFA 5 Bytes JMP 00210600

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\windows\Explorer.EXE[3324] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [746E2494] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3324] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [746C5624] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3324] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [746C56E2] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3324] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipFree] [746E250F] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3324] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [746D8573] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3324] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [746D4D27] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3324] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [746D50CE] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3324] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [746D51A3] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3324] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [746D66D0] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3324] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [746D82CA] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3324] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [746D8819] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3324] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [746D907A] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3324] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [746DE21D] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3324] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [746D4C59] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Program Files\Nuance\PDF Professional 6\PdfPro6Hook.exe[3780] @ C:\windows\system32\ole32.dll [USER32.dll!LoadCursorW] 0163FC20
IAT C:\Program Files\Nuance\PDF Professional 6\PdfPro6Hook.exe[3780] @ C:\windows\system32\ole32.dll [USER32.dll!LoadIconW] 0163FC80
IAT C:\Program Files\Nuance\PDF Professional 6\PdfPro6Hook.exe[3780] @ C:\windows\system32\ole32.dll [USER32.dll!CreateDialogParamW] 0163FE70
IAT C:\Program Files\Nuance\PDF Professional 6\PdfPro6Hook.exe[3780] @ C:\windows\system32\ole32.dll [USER32.dll!DialogBoxParamW] 0163FF10
IAT C:\Program Files\Nuance\PDF Professional 6\PdfPro6Hook.exe[3780] @ C:\windows\system32\ole32.dll [KERNEL32.dll!GlobalLock] 0163E880
IAT C:\Program Files\Nuance\PDF Professional 6\PdfPro6Hook.exe[3780] @ C:\windows\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 0163E840
IAT C:\Program Files\Nuance\PDF Professional 6\PdfPro6Hook.exe[3780] @ C:\windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 01639460
IAT C:\Program Files\Nuance\PDF Professional 6\PdfPro6Hook.exe[3780] @ C:\windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 01638EB0
IAT C:\Program Files\Nuance\PDF Professional 6\PdfPro6Hook.exe[3780] @ C:\windows\system32\ole32.dll [KERNEL32.dll!GetVersion] 0163F9B0

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 snman380.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 snman380.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 snman380.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 snman380.sys (Acronis Snapshot API/Acronis)

Device \Driver\ACPI_HAL \Device\0000004e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ec2d88
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ec2d88 (not active ControlSet)

---- EOF - GMER 1.0.15 ----
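
The "User code sections" part of the GMER log above lists, one line per process, which user-mode exports were found patched in place and where each patch jumps. When helpers read such a log, the first question is which hooks are identical in every scanned process (the footprint of a machine-wide hooking product) and which show up in only one process and need a closer look. The Python below is an added example for doing that triage; it is not GMER's code and not from this thread. It parses only the `.text` lines (the IAT/EAT, Devices and Registry sections are skipped). The sample log is constructed to match the GMER 1.0.15 format; the `placeholder.exe` process and its `example.dll!ExampleApi` hook are made up to show the single-process case and do not come from the thread.

```python
"""Triage helper for the "User code sections" block of a GMER log.

Added example: this is not GMER's code and not from the thread. It parses
lines of the form

    .text <image>[<pid>] <module>!<api>[ + <offset>] <addr> <n> Byte(s) <patch>

groups them by hooked API, and separates hooks that every scanned process
carries at the same address (the footprint of a machine-wide hooking product)
from hooks that appear in only one process.
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"           # image path and PID
    r"(?P<module>[^\s!]+)!(?P<api>\S+?)"                     # hooked module!export
    r"(?:\s\+\s(?P<offset>[0-9A-Fa-f]+))?\s+"                # optional "+ <offset>" into the export
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+"  # original address and patch length
    r"(?P<patch>.+)$"                                        # "JMP <target>" or "[<byte>]"
)


def parse_hooks(log_text):
    """Return one dict per recognised '.text' hook line; every other line is skipped."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["pid"] = int(d["pid"])
        d["size"] = int(d["size"])
        d["module"] = d["module"].lower()  # GMER prints USER32.dll and user32.dll for the same module
        hooks.append(d)
    return hooks


def summarize(hooks):
    """Map 'module!api' -> which processes carry the hook, at which address, with which patch."""
    by_api = defaultdict(lambda: {"processes": set(), "addrs": set(), "patches": set()})
    for h in hooks:
        entry = by_api[f'{h["module"]}!{h["api"]}']
        entry["processes"].add(f'{h["image"]}[{h["pid"]}]')
        entry["addrs"].add(h["addr"])
        entry["patches"].add(h["patch"])
    return dict(by_api)


def _process_count(hooks):
    return len({(h["image"], h["pid"]) for h in hooks})


def uniform_hooks(hooks):
    """APIs hooked in every scanned process at one original address: the system-wide pattern."""
    total = _process_count(hooks)
    return sorted(api for api, v in summarize(hooks).items()
                  if len(v["processes"]) == total and len(v["addrs"]) == 1)


def rare_hooks(hooks, max_processes=1):
    """APIs hooked in at most `max_processes` processes while more processes were scanned."""
    total = _process_count(hooks)
    return {api: sorted(v["processes"])
            for api, v in summarize(hooks).items()
            if len(v["processes"]) <= max_processes < total}


# Constructed sample in GMER 1.0.15 format, modelled on the thread's log. The
# placeholder.exe process and its example.dll!ExampleApi hook are made up to
# show the single-process case; they are not from the thread.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Windows\System32\hkcmd.exe[3804] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001601F8
.text C:\Windows\System32\hkcmd.exe[3804] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Windows\System32\hkcmd.exe[3804] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00300804
.text C:\Windows\System32\igfxpers.exe[3812] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001601F8
.text C:\Windows\System32\igfxpers.exe[3812] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\Windows\System32\igfxpers.exe[3812] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00210804
.text C:\windows\System32\svchost.exe[4140] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 000601F8
.text C:\windows\System32\svchost.exe[4140] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\windows\System32\svchost.exe[4140] user32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 003C0804
.text C:\EXAMPLE\placeholder.exe[9999] ntdll.dll!LdrLoadDll 779AF5B5 5 Bytes JMP 001601F8
.text C:\EXAMPLE\placeholder.exe[9999] kernel32.dll!GetBinaryTypeW + 70 75E578FC 1 Byte [62]
.text C:\EXAMPLE\placeholder.exe[9999] USER32.dll!SetWindowsHookExW 765B210A 5 Bytes JMP 00AB0804
.text C:\EXAMPLE\placeholder.exe[9999] example.dll!ExampleApi 77000000 5 Bytes JMP 00AB0000

---- User IAT/EAT - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    found = parse_hooks(SAMPLE_LOG)
    print(f"{len(found)} hooks in {_process_count(found)} processes")
    print("uniform:", uniform_hooks(found))
    print("rare:", rare_hooks(found))
```

Run it against a saved GMER log by passing the file contents to `parse_hooks`. A uniform hook is not a verdict either way: it only says the same export is patched at the same original address in every process, which is what input-method, accessibility and self-protecting security software also produce; the log lines themselves, with the driver and device sections, remain the evidence the helper weighs.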

#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,600 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:05 AM

Posted 13 November 2011 - 08:50 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/426984 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,931 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:05 PM

Posted 14 November 2011 - 12:15 PM

Hi, if you still need help with this issue, please post the requested logs.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

Malware analyst @ Emsisoft


#5 acgtek

acgtek
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:04:05 AM

Posted 14 November 2011 - 03:42 PM

Hi, logs have been posted with the post and 1st reply. Nothing changed since logs.

Edited by acgtek, 14 November 2011 - 03:43 PM.


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,931 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:05 PM

Posted 14 November 2011 - 03:47 PM

It looks like you also ran combofix. Can you post me the log at c:\combofix.txt?

regards, Elise




#7 acgtek

acgtek
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:04:05 AM

Posted 14 November 2011 - 04:59 PM

Hi, here is the last log for combofix. Thanks.

ComboFix 11-11-03.03 - Jun C 11/03/2011 14:33:21.11.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3033.1923 [GMT -6:00]
Running from: c:\users\Jun C\Downloads\ComboFix.exe
Command switches used :: c:\users\Jun C\Downloads\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\icon.png
c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\install.rdf
c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\preview.png
.
.
((((((((((((((((((((((((( Files Created from 2011-10-03 to 2011-11-03 )))))))))))))))))))))))))))))))
.
.
2011-11-03 20:44 . 2011-11-03 20:44 -------- d-----w- c:\users\Jun C\AppData\Local\temp
2011-11-03 20:44 . 2011-11-03 20:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-03 19:10 . 2011-11-03 19:23 -------- d-----w- c:\programdata\360safe
2011-11-03 19:03 . 2011-11-03 19:27 -------- d-----w- c:\program files\360
2011-11-03 03:40 . 2011-11-03 03:40 -------- d-----w- c:\users\Jun C\AppData\Roaming\PC Cleaners
2011-11-03 03:40 . 2011-11-03 03:40 5359888 ----a-w- c:\windows\uninst.exe
2011-11-03 03:40 . 2011-11-03 03:40 -------- d-----w- c:\programdata\PC1Data
2011-11-02 20:19 . 2011-11-02 20:19 -------- d-----w- c:\windows\system32\Wat
2011-11-02 17:09 . 2011-11-02 17:09 294912 ----a-w- c:\windows\system32\umpnpmgr.dll
2011-11-02 17:09 . 2011-11-02 17:09 86528 ----a-w- c:\windows\system32\SearchFilterHost.exe
2011-11-02 17:09 . 2011-11-02 17:09 666624 ----a-w- c:\windows\system32\mssvp.dll
2011-11-02 17:09 . 2011-11-02 17:09 59392 ----a-w- c:\windows\system32\msscntrs.dll
2011-11-02 17:09 . 2011-11-02 17:09 428032 ----a-w- c:\windows\system32\SearchIndexer.exe
2011-11-02 17:09 . 2011-11-02 17:09 337408 ----a-w- c:\windows\system32\mssph.dll
2011-11-02 17:09 . 2011-11-02 17:09 197120 ----a-w- c:\windows\system32\mssphtb.dll
2011-11-02 17:09 . 2011-11-02 17:09 164352 ----a-w- c:\windows\system32\SearchProtocolHost.exe
2011-11-02 17:09 . 2011-11-02 17:09 1553920 ----a-w- c:\windows\system32\tquery.dll
2011-11-02 17:09 . 2011-11-02 17:09 1401856 ----a-w- c:\windows\system32\mssrch.dll
2011-11-02 17:09 . 2011-11-02 17:09 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2011-11-02 17:08 . 2011-11-02 17:08 311296 ----a-w- c:\windows\system32\drivers\srv.sys
2011-11-02 17:08 . 2011-11-02 17:08 309760 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-11-02 17:08 . 2011-11-02 17:08 114176 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-11-02 17:08 . 2011-11-02 17:08 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-11-02 17:08 . 2011-11-02 17:08 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-11-02 17:08 . 2011-11-02 17:08 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-02 17:03 . 2011-11-02 17:03 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-11-02 17:03 . 2011-11-02 17:03 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-11-02 17:02 . 2011-11-02 17:02 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-11-02 17:02 . 2011-11-02 17:02 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-11-02 17:02 . 2011-11-02 17:02 31232 ----a-w- c:\windows\system32\prevhost.exe
2011-11-02 17:02 . 2011-11-02 17:02 2614784 ----a-w- c:\windows\explorer.exe
2011-11-02 17:01 . 2011-11-02 17:01 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-11-02 17:01 . 2011-11-02 17:01 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-11-02 17:01 . 2011-11-02 17:01 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-11-02 17:01 . 2011-11-02 17:01 294912 ----a-w- c:\windows\system32\atmfd.dll
2011-11-02 17:01 . 2011-11-02 17:01 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
2011-11-02 17:00 . 2011-11-02 17:00 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-11-02 17:00 . 2011-11-02 17:00 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-11-02 17:00 . 2011-11-02 17:00 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-11-02 17:00 . 2011-11-02 17:00 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-11-02 16:59 . 2011-11-02 16:59 802304 ----a-w- c:\windows\system32\FntCache.dll
2011-11-02 16:59 . 2011-11-02 16:59 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-11-02 16:59 . 2011-11-02 16:59 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-11-02 16:59 . 2011-11-02 16:59 2690560 ----a-w- c:\windows\system32\mstscax.dll
2011-11-02 16:59 . 2011-11-02 16:59 1034240 ----a-w- c:\windows\system32\mstsc.exe
2011-11-02 16:59 . 2011-11-02 16:59 850432 ----a-w- c:\windows\system32\sbe.dll
2011-11-02 16:59 . 2011-11-02 16:59 642048 ----a-w- c:\windows\system32\CPFilters.dll
2011-11-02 16:59 . 2011-11-02 16:59 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-11-02 16:59 . 2011-11-02 16:59 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2011-11-02 16:59 . 2011-11-02 16:59 3957120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-11-02 16:59 . 2011-11-02 16:59 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-11-02 16:59 . 2011-11-02 16:59 1289536 ----a-w- c:\windows\system32\ntdll.dll
2011-11-02 16:58 . 2011-11-02 16:58 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-11-02 16:58 . 2011-11-02 16:58 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-11-02 16:58 . 2011-11-02 16:58 107520 ----a-w- c:\windows\system32\cdd.dll
2011-11-02 16:56 . 2011-11-02 16:56 109056 ----a-w- c:\windows\system32\t2embed.dll
2011-11-02 16:56 . 2011-11-02 16:56 4247040 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
2011-11-02 16:56 . 2011-11-02 16:56 1413632 ----a-w- c:\windows\system32\ole32.dll
2011-11-02 16:56 . 2011-11-02 16:56 954752 ----a-w- c:\windows\system32\mfc40.dll
2011-11-02 16:56 . 2011-11-02 16:56 954288 ----a-w- c:\windows\system32\mfc40u.dll
2011-11-02 16:56 . 2011-11-02 16:56 530432 ----a-w- c:\windows\system32\comctl32.dll
2011-11-02 16:56 . 2011-11-02 16:56 738816 ----a-w- c:\windows\system32\wmpmde.dll
2011-11-02 16:55 . 2011-11-02 16:55 224256 ----a-w- c:\windows\system32\schannel.dll
2011-11-02 16:55 . 2011-11-02 16:55 101760 ----a-w- c:\windows\system32\consent.exe
2011-11-02 16:55 . 2011-11-02 16:55 516096 ----a-w- c:\program files\Windows Mail\wab.exe
2011-11-02 16:55 . 2011-11-02 16:55 314368 ----a-w- c:\windows\system32\webio.dll
2011-11-02 16:55 . 2011-11-02 16:55 749056 ----a-w- c:\windows\system32\schedsvc.dll
2011-11-02 16:55 . 2011-11-02 16:55 496128 ----a-w- c:\windows\system32\taskschd.dll
2011-11-02 16:55 . 2011-11-02 16:55 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
2011-11-02 16:55 . 2011-11-02 16:55 305152 ----a-w- c:\windows\system32\taskcomp.dll
2011-11-02 16:55 . 2011-11-02 16:55 192000 ----a-w- c:\windows\system32\taskeng.exe
2011-11-02 16:55 . 2011-11-02 16:55 179712 ----a-w- c:\windows\system32\schtasks.exe
2011-11-02 16:54 . 2011-11-02 16:54 465408 ----a-w- c:\windows\system32\psisdecd.dll
2011-11-02 16:54 . 2011-11-02 16:54 417792 ----a-w- c:\windows\system32\msdri.dll
2011-11-02 16:54 . 2011-11-02 16:54 204288 ----a-w- c:\windows\system32\MSNP.ax
2011-11-02 16:54 . 2011-11-02 16:54 164864 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2011-11-02 16:54 . 2011-11-02 16:54 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2011-11-02 16:54 . 2011-11-02 16:54 168448 ----a-w- c:\windows\system32\srvsvc.dll
2011-11-02 16:54 . 2011-11-02 16:54 363520 ----a-w- c:\windows\system32\StructuredQuery.dll
2011-11-02 16:54 . 2011-11-02 16:54 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2011-11-02 16:54 . 2011-11-02 16:54 146304 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2011-11-02 16:53 . 2011-11-02 16:53 316928 ----a-w- c:\windows\system32\spoolsv.exe
2011-11-02 16:53 . 2011-11-02 16:53 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2011-11-02 16:53 . 2011-11-02 16:53 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2011-11-02 16:53 . 2011-11-02 16:53 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2011-11-02 16:53 . 2011-11-02 16:53 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2011-11-02 16:53 . 2011-11-02 16:53 369152 ----a-w- c:\windows\system32\secproc.dll
2011-11-02 16:53 . 2011-11-02 16:53 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2011-11-02 16:53 . 2011-11-02 16:53 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2011-11-02 16:53 . 2011-11-02 16:53 320512 ----a-w- c:\windows\system32\RMActivate.exe
2011-11-02 16:53 . 2011-11-02 16:53 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2011-11-02 16:53 . 2011-11-02 16:53 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2011-11-02 16:37 . 2011-11-02 16:37 -------- d-----w- c:\users\Jun C\AppData\Roaming\IObit
2011-11-02 16:37 . 2011-11-02 16:37 -------- d-----w- c:\program files\IObit
2011-11-02 16:18 . 2006-06-19 19:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2011-11-02 16:18 . 2006-05-25 21:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2011-11-02 16:18 . 2005-08-26 07:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2011-11-02 16:18 . 2003-02-03 02:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2011-11-02 16:18 . 2002-03-06 07:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2011-11-02 16:18 . 2011-11-02 16:18 -------- d-----w- c:\program files\Trojan Remover
2011-11-02 16:18 . 2011-11-02 16:18 -------- d-----w- c:\users\Jun C\AppData\Roaming\Simply Super Software
2011-11-02 16:18 . 2011-11-02 16:18 -------- d-----w- c:\programdata\Simply Super Software
2011-10-30 04:31 . 2011-10-30 04:31 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-10-30 04:31 . 2011-10-30 04:31 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-10-30 04:31 . 2011-10-30 04:31 -------- d-----w- c:\programdata\Hitman Pro
2011-10-28 22:37 . 2011-11-01 21:00 -------- d-----w- c:\programdata\STOPzilla!
2011-10-28 21:00 . 2011-10-28 21:00 -------- d-----w- c:\users\Jun C\AppData\Roaming\SUPERAntiSpyware.com
2011-10-28 20:59 . 2011-10-28 21:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-28 20:59 . 2011-10-28 20:59 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-10-10 06:17 . 2009-07-14 01:15 90624 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\HPZPPWN7.DLL
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-06 20:45 . 2010-09-26 22:16 41184 ----a-w- c:\windows\avastSS.scr
2011-09-06 20:45 . 2009-10-30 20:36 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-09-06 20:38 . 2011-09-24 13:48 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-06 20:37 . 2009-10-30 20:36 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-09-06 20:36 . 2009-10-30 20:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-09-06 20:36 . 2009-10-30 20:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-09-06 20:36 . 2009-10-30 20:36 54616 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-09-06 20:36 . 2009-10-30 20:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-08-31 23:00 . 2009-11-03 20:33 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-03_03.12.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-25 08:20 . 2011-11-03 19:30 51924 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2011-11-03 19:31 53056 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-10-30 19:06 . 2011-11-03 19:31 14464 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3483884435-3618858825-917667471-1004_UserData.bin
- 2009-10-30 10:33 . 2011-11-03 00:23 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-10-30 10:33 . 2011-11-03 19:29 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-10-30 10:33 . 2011-11-03 00:23 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-30 10:33 . 2011-11-03 19:29 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:41 . 2011-11-03 19:29 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:41 . 2011-11-03 00:23 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:34 . 2011-11-03 03:37 78720 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2011-11-02 20:20 . 2011-11-02 20:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-11-03 19:29 . 2011-11-03 19:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-11-03 19:29 . 2011-11-03 19:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-11-02 20:20 . 2011-11-02 20:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-10-30 02:43 . 2011-11-03 20:19 358848 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 04:47 . 2011-11-03 19:26 419776 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 02:03 . 2011-11-02 23:50 6815744 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:03 . 2011-11-03 19:42 6815744 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2010-11-04 22:24 . 2011-11-03 19:26 3912170 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3483884435-3618858825-917667471-1004-8192.dat
+ 2011-04-22 20:43 . 2011-11-03 19:26 1438732 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3483884435-3618858825-917667471-1004-12288.dat
+ 2011-04-04 22:21 . 2011-11-03 19:26 43618024 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3483884435-3618858825-917667471-1004-4096.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\users\Jun C\AppData\Roaming\mjusbsp\cdloader2.exe" [2011-08-23 50592]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-10-17 4615552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-03-26 163840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-12-03 35184]
"IdeaNotesUser"="c:\program files\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe" [2009-06-10 221872]
"EnergyUtility"="c:\program files\Lenovo\Energy Management\utility.exe" [2009-07-15 4081480]
"Energy Management"="c:\program files\Lenovo\Energy Management\Energy Management.exe" [2009-06-25 5064520]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"PDFHook"="c:\program files\Nuance\PDF Professional 6\pdfpro6hook.exe" [2009-07-01 1273856]
"PDF6 Registry Controller"="c:\program files\Nuance\PDF Professional 6\RegistryController.exe" [2009-06-30 111904]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-12 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-12 150552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"V0230Mon.exe"="c:\windows\V0230Mon.exe" [2006-09-07 32768]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"BlackArmorBackupMonitor.exe"="c:\program files\Seagate\BlackArmorBackup\BlackArmorBackupMonitor.exe" [2009-11-20 4352976]
"AcronisTimounterMonitor"="c:\program files\Seagate\BlackArmorBackup\TimounterMonitor.exe" [2009-11-20 963784]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2009-11-20 376288]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2009-12-03 976320]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2011-05-19 1233856]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-30 113664]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-7-16 984352]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [x]
R0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys [x]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 WBA_Agent_Client;Brother BRAgent;c:\program files\Brother\BRAgent\BRAgtSrv.exe [2009-01-28 86016]
R3 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
R3 Bridge0;Bridge0;c:\windows\system32\drivers\WDBridge.sys [2009-07-28 63240]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2009-07-13 229888]
R3 Lenovo ReadyComm AppSvc;Lenovo ReadyComm AppSvc;c:\program files\Lenovo\ReadyComm\AppSvc.exe [2009-07-28 414984]
R3 Lenovo ReadyComm ConnSvc;Lenovo ReadyComm ConnSvc;c:\program files\Lenovo\ReadyComm\ConnSvc.exe [2009-07-28 472328]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 PS_MDP;ReadyComm Presentation Space Helper Service;c:\windows\System32\IgrsSvcs.exe [2009-07-14 20992]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-07-30 171520]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 V0230Vfx;V0230Vfx;c:\windows\system32\DRIVERS\V0230Vfx.sys [2006-03-24 6272]
R3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\DRIVERS\V0230VID.sys [2007-08-07 509760]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-11-02 1343400]
R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [2009-07-21 81704]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 funfrm;funfrm; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-09-06 54616]
S2 DDNIMSGService;DDNIMSGService;c:\program files\DDNI\Lenovo Idea Notes\DDNIMSGService.exe [2009-06-23 172720]
S2 DDNIService;DDNIService;c:\program files\DDNI\DIBS\DDNIService.exe [2009-06-23 156336]
S2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE [2009-09-14 153600]
S2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE [2009-09-14 121856]
S2 IGRS;IGRS;c:\program files\Lenovo\ReadyComm\common\IGRS.exe [2009-07-14 38152]
S2 PDFProFiltSrv;PDFProFiltSrv;c:\program files\Nuance\PDF Professional 6\PDFProFiltSrv.exe [2009-06-30 134944]
S2 ReadyComm.DirectRouter;ReadyComm.DirectRouter;c:\windows\System32\IgrsSvcs.exe [2009-07-14 20992]
S2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [2009-11-20 617984]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2009-05-19 21520]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
S3 wdmirror;wdmirror;c:\windows\system32\DRIVERS\WDMirror.sys [2009-07-16 11792]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc Mcx2Svc
IgrsSvcs REG_MULTI_SZ ReadyComm.DirectRouter PS_MDP
Akamai REG_MULTI_SZ Akamai
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2010-09-12 c:\windows\Tasks\backup.job
- c:\program files\MySQL\MySQL Tools for 5.0\MySQLAdministrator.exe [2007-05-09 02:43]
.
2010-09-16 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 15:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.marsonsourcing.com/
mStart Page = hxxp://lenovo.live.com/
uInternet Settings,ProxyOverride = <local>
IE: Open with Nuance PDF Converter 6.0 - c:\program files\Nuance\PDF Professional 6\cnvres_eng.dll /100
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Jun C\AppData\Roaming\Mozilla\Firefox\Profiles\t7bpiwg5.default\
FF - prefs.js: browser.startup.homepage - www.marsonsourcing.com
FF - prefs.js: network.proxy.type - 0
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-11-03 15:11:39
ComboFix-quarantined-files.txt 2011-11-03 21:11
ComboFix2.txt 2011-11-03 20:01
ComboFix3.txt 2011-11-03 18:07
ComboFix4.txt 2011-11-03 17:33
ComboFix5.txt 2011-11-03 20:32
.
Pre-Run: 158,585,856,000 bytes free
Post-Run: 158,528,536,576 bytes free
.
- - End Of File - - 9058932201379F86BF695E2C6F63C0E4

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,931 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:05 PM

Posted 15 November 2011 - 02:53 AM

If you connect to the internet through a router, please reset it. You can do so typically by pushing the Reset button on your router for approx. 10 seconds with the router powered off.

When done, let me know if you still encounter the redirects.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
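Elise's router-reset advice follows from what a host-side log can and cannot show: the DDS "Supplementary Scan" above lists the laptop's resolver as 192.168.1.1 (the router), so a hijacked upstream DNS configured on the router would never appear in the laptop's own settings. The triage helper below is an added example, not part of this thread or of any BleepingComputer or DDS tool; it parses constructed lines in that log layout and flags non-LAN resolvers and proxy settings, treating a LAN-only resolver as the cue to inspect or reset the router itself.

```python
"""Added triage helper for the 'Supplementary Scan' block of a DDS/ComboFix log."""
import ipaddress
import re

# RFC 1918 and loopback ranges: a resolver here is "on the LAN" (usually the router).
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample in the layout seen in this thread (illustrative, not the poster's full log).
SAMPLE_CLEAN = """\
uStart Page = hxxp://www.marsonsourcing.com/
mStart Page = hxxp://lenovo.live.com/
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 192.168.1.1
FF - prefs.js: browser.startup.homepage - www.marsonsourcing.com
FF - prefs.js: network.proxy.type - 0
"""

# Constructed counter-example: a non-LAN resolver and proxies set on the host itself.
SAMPLE_SUSPECT = """\
uStart Page = hxxp://www.marsonsourcing.com/
uInternet Settings,ProxyServer = http=127.0.0.1:8080
TCP: NameServer = 203.0.113.10,192.168.1.1
FF - prefs.js: network.proxy.type - 1
"""

FF_PREFIX = "FF - prefs.js: "


def parse_supplementary(text):
    """Map key -> value; IE/TCP lines are 'key = value', Firefox prefs 'FF - prefs.js: key - value'."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith(FF_PREFIX):
            key, sep, value = line[len(FF_PREFIX):].partition(" - ")
            key = "FF:" + key
        else:
            key, sep, value = line.partition("=")
        if sep:
            entries[key.strip()] = value.strip()
    return entries


def assess(entries):
    """Return (severity, message) findings: 'review' = verify this setting, 'info' = context only."""
    findings = []
    for key, value in entries.items():
        if key.endswith("NameServer"):
            for token in re.split(r"[ ,]+", value):
                try:
                    ip = ipaddress.ip_address(token)
                except ValueError:
                    findings.append(("review", f"{key}: unparsable resolver {token!r}"))
                    continue
                if any(ip in net for net in LAN_NETS):
                    # The host only sees the router; a hijacked upstream DNS on the router is invisible here.
                    findings.append(("info", f"{key}: {ip} is a LAN resolver (likely the router); "
                                             "its upstream DNS is not visible in this log, so check or reset the router"))
                else:
                    findings.append(("review", f"{key}: host uses non-LAN resolver {ip}"))
        elif key.endswith("ProxyServer"):
            findings.append(("review", f"{key}: proxy configured ({value})"))
        elif key == "FF:network.proxy.type" and value != "0":
            findings.append(("review", f"Firefox network.proxy.type={value} (0 means direct)"))
        elif "Start Page" in key or key == "FF:browser.startup.homepage":
            findings.append(("info", f"{key}: {value} (confirm the user chose this)"))
    return findings
```

On the clean sample every finding is informational, which is exactly the situation in this thread: nothing on the host explains the redirect, so the router and the other browsers become the next things to check.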


#9 acgtek

acgtek
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:04:05 AM

Posted 15 November 2011 - 09:30 AM

Do I lose all router setup if I reset it? The google redirect usually is activated after connecting to google.com. Thanks.

#10 Elise


Posted 15 November 2011 - 09:43 AM

Yes, you will need to reconfigure your router after this. If you have any other computers connected through this same router, verify if they have the same problem.

Also, are all browsers on your computer giving you this same problem?

regards, Elise




#11 acgtek


Posted 15 November 2011 - 09:47 AM

I used the laptop at two locations: one with 3 other computers and another with 2 other computers. None of the other computers has the redirect virus. Sometimes I use another computer to search Google. Thanks.

#12 acgtek


Posted 15 November 2011 - 09:49 AM

BTW, the virus will redirect to gd118114.cn, a URL which is not an existing one.

Edited by acgtek, 15 November 2011 - 09:49 AM.


#13 Elise


Posted 15 November 2011 - 09:52 AM

I used the laptop at two locations: one with 3 other computers and another with 2 other computers. None of the other computers has the redirect virus. Sometimes I use another computer to search Google. Thanks.

You mean, using different connections?

Also, are all browsers on your computer giving you this same problem?

What about this question? :)

regards, Elise




#14 acgtek


Posted 15 November 2011 - 10:01 AM

All computers are connected to the same router which the infected laptop is connected to. All computers are on the same LAN.
Both Firefox and IE were infected on the laptop.

#15 Elise


Posted 15 November 2011 - 10:27 AM

Can you please reboot your laptop in safe mode with networking and let me know if the redirects occur there too.

regards, Elise






