
Pendrive, Harddisk, Recycled&Autorun.inf&many scr. files


This topic is locked
30 replies to this topic

#1 chew yee jian

  • Members
  • 21 posts
  • OFFLINE
  • Local time:03:14 PM

Posted 11 May 2012 - 11:51 PM

I'm Chew.
I have already tried many solutions through Google, but nothing works for me...

INFORMATION~
Windows XP SP2
HP Mini

PROBLEM~
Hard disk which contains:
Recycler,
Autorun.inf,
many .scr files with 166kb.


#2 oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:04:14 PM

Posted 14 May 2012 - 01:36 PM

Hello and welcome to Bleeping Computer

I am oneof4, and I am here to help you!

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scans:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Thanks and again sorry for the delay.

Best Regards,
oneof4.


#3 chew yee jian

  • Topic Starter
  • Members
  • 21 posts
  • OFFLINE
  • Local time:03:14 PM

Posted 15 May 2012 - 08:59 AM

Hmm....
Please let me know whether to post logs as attachments or straight on the forum,
because some of the moderators wrote to post on the forum so it's easier for them to read,
and sorry for not posting the logs previously,
because I thought it was written there not to post logs unless requested.

First of all,
I don't have any Windows XP original CD,
since I used 'ghost' to a fake Windows XP and made it genuine with a registry edit from the net.

My problem:
all my drives, including my internal and external hard disks, contain a Recycler folder,
my external drives contain autorun.inf,
and a lot of .scr files inside,
I don't know how to clean it all.

Steps that I have taken:
I used USBScan, an Avast scan and command prompt file deletion, but none of them worked.

Defogger done,
Avast antivirus fully disconnected,
internet disconnected while running DDS,
connected while in GMER,
firewall disabled.


DDS log

DDS.txt

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180
Run by Yee Heng at 21:46:55 on 2012-05-15
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1012.478 [GMT -7:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\IPMsg\ipmsg.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IDT\WDM\STacSV.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wltrysvc.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ѸFLVƵ֧̽: {0ea37b17-6b8b-4085-8257-f3a4aa69c27a} - c:\program files\thunder network\thunder\bho\XlBrowserAddin1.0.6.69.dll
BHO: Ѹ֧: {889d2feb-5411-4565-8998-1dd2c5261283} - c:\program files\thunder network\thunder\bho\XunleiBHO7.2.5.3364.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [USBScan.exe] c:\program files\usbscan\USBScan.exe -Hide
StartupFolder: c:\docume~1\yeehen~1\startm~1\programs\startup\ipmsgf~1.lnk - c:\program files\ipmsg\ipmsg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &ʹ&Ѹ - c:\program files\thunder network\thunder\bho\OfflineDownload.htm
IE: &ʹ&Ѹ - c:\program files\thunder network\thunder\bho\geturl.htm
IE: &ʹ&Ѹȫ - c:\program files\thunder network\thunder\bho\GetAllUrl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: ??????????? - c:\documents and settings\all users\application data\thunder network\xmp4\core\program\XmpIEMenu.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\yee heng\application data\mozilla\firefox\profiles\j3hyunew.default\
FF - plugin: c:\program files\common files\thunder network\kankan\npDapCtrl.3.1.0.1.(972).dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\thunder network\thunder\data\npxunlei1.0.0.1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-15 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-5-15 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-5-15 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-5-15 42184]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2011-2-10 113664]
S2 XLServicePlatform;XLServicePlatform;c:\windows\system32\svchost -k xlserviceplatform --> c:\windows\system32\svchost -k XLServicePlatform [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2011-2-10 186912]
S3 Slnt7554;USB Soft Modem Driver;c:\windows\system32\drivers\slnt7554.sys [2012-3-13 129535]
.
=============== Created Last 30 ================
.
2012-04-28 08:36:11 -------- d-----w- c:\program files\USBScan
.
==================== Find3M ====================
.
2012-02-21 06:00:04 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 21:47:50.18 ===============


attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/10/2011 2:50:59 PM
System Uptime: 5/14/2012 9:45:25 PM (24 hours ago)
.
Motherboard: Hewlett-Packard | | 3660
Processor: Intel® Atom™ CPU N450 @ 1.66GHz | CPU | 997/667mhz
Processor: Intel® Atom™ CPU N450 @ 1.66GHz | CPU | 997/667mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 49 GiB total, 25.705 GiB free.
D: is FIXED (NTFS) - 98 GiB total, 0.614 GiB free.
E: is FIXED (NTFS) - 86 GiB total, 41.441 GiB free.
F: is CDROM ()
H: is FIXED (NTFS) - 98 GiB total, 30.862 GiB free.
I: is FIXED (NTFS) - 98 GiB total, 27.308 GiB free.
J: is FIXED (NTFS) - 103 GiB total, 63.701 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_10EC&DEV_8136&SUBSYS_3660103C&REV_02\4&192AC53F&0&00E0
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_10EC&DEV_8136&SUBSYS_3660103C&REV_02\4&192AC53F&0&00E0
Service:
.
==== System Restore Points ===================
.
RP61: 3/23/2012 3:54:18 PM - System Checkpoint
RP62: 3/24/2012 5:34:19 PM - System Checkpoint
RP63: 3/27/2012 2:33:25 PM - System Checkpoint
RP64: 3/28/2012 8:19:24 PM - System Checkpoint
RP65: 3/30/2012 9:02:24 AM - System Checkpoint
RP66: 3/31/2012 2:42:06 PM - System Checkpoint
RP67: 4/2/2012 6:43:11 PM - Installed Connect Service
RP68: 4/3/2012 10:23:18 PM - System Checkpoint
RP69: 4/4/2012 11:20:08 PM - System Checkpoint
RP70: 4/6/2012 4:22:59 PM - System Checkpoint
RP71: 4/8/2012 1:39:04 AM - System Checkpoint
RP72: 4/9/2012 6:03:08 PM - System Checkpoint
RP73: 4/10/2012 6:20:35 PM - System Checkpoint
RP74: 4/12/2012 7:42:58 AM - System Checkpoint
RP75: 4/13/2012 3:30:51 PM - System Checkpoint
RP76: 4/14/2012 6:16:23 PM - System Checkpoint
RP77: 4/17/2012 1:40:11 PM - System Checkpoint
RP78: 4/18/2012 2:19:39 PM - System Checkpoint
RP79: 4/19/2012 4:42:14 PM - System Checkpoint
RP80: 4/20/2012 5:38:30 PM - System Checkpoint
RP81: 4/21/2012 8:35:23 PM - System Checkpoint
RP82: 4/23/2012 9:59:58 PM - System Checkpoint
RP83: 4/27/2012 8:07:23 PM - System Checkpoint
RP84: 4/28/2012 9:09:48 PM - System Checkpoint
RP85: 4/29/2012 9:25:36 PM - System Checkpoint
RP86: 5/1/2012 12:40:26 AM - System Checkpoint
RP87: 5/2/2012 2:07:45 AM - System Checkpoint
RP88: 5/3/2012 2:10:19 AM - System Checkpoint
RP89: 5/4/2012 9:30:32 PM - System Checkpoint
RP90: 5/8/2012 4:55:49 PM - System Checkpoint
RP91: 5/10/2012 7:13:11 AM - System Checkpoint
RP92: 5/11/2012 8:00:37 AM - System Checkpoint
RP93: 5/12/2012 3:44:14 PM - System Checkpoint
RP94: 5/13/2012 4:16:40 PM - System Checkpoint
RP95: 5/14/2012 7:56:14 PM - System Checkpoint
.
==== Installed Programs ======================
.
???????
??????????
Ѹ7
1400
1400_Help
1400Trb
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 8
Adobe Shockwave Player 11.6
AiO_Scan
AiOSoftware
ArcSoft WebCam Companion 3
Audacity 1.2.6
avast! Free Antivirus
BCM Wireless Network Adapter
Broadcom 802.11 Wireless LAN Adapter
BufferChm
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
Destinations
DeviceManagementQFolder
DocProc
eSupportQFolder
Fax
Flash Player Pro V4.4
HI-TECH C PRO for the PIC10/12/16 MCU Family V9.60PL5
High Definition Audio Driver Package - KB888111
HP Image Zone Express
HP Imaging Device Functions 5.3
HP Integrated Module with Bluetooth wireless technology
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HPProductAssistant
IDT Audio
Intel® Graphics Media Accelerator Driver
IP Messenger for Win
K-Lite Mega Codec Pack 4.9.0
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.28)
MPLAB Tools v8.30
MyPhoneExplorer
NewCopy
PowerISO
ProductContext
Proteus 7 Professional
Readme
Realtek USB 2.0 Card Reader
Scan
ScannerCopy
SolutionCenter
Status
swMSM
Synaptics Pointing Device Driver
TrayApp
tsDemux 1.0
Unload
USB Virus Scan 2.3
WebFldrs XP
WebReg
Windows Media Format Runtime
WinRAR archiver
WLAN
WLAN 802.11g mini-PCI Module
.
==== Event Viewer Messages From Past Week ========
.
5/9/2012 3:20:04 PM, error: Service Control Manager [7034] - The Windows Image Acquisition (WIA) service terminated unexpectedly. It has done this 1 time(s).
5/8/2012 3:28:43 PM, error: Service Control Manager [7034] - The XLServicePlatform service terminated unexpectedly. It has done this 3 time(s).
5/8/2012 3:27:42 PM, error: Service Control Manager [7031] - The XLServicePlatform service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
5/8/2012 3:26:41 PM, error: Service Control Manager [7031] - The XLServicePlatform service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
5/8/2012 2:27:57 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.DebugCRT. Reference error message: The referenced assembly is not installed on your system. .
5/8/2012 2:27:57 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Thunder Network\Thunder\addins\TranscodeAddin\report_fp.dll. Reference error message: The operation completed successfully. .
5/8/2012 2:27:57 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.DebugCRT could not be found and Last Error was The referenced assembly is not installed on your system.
5/15/2012 9:44:51 PM, error: Service Control Manager [7016] - The SmartLinkService service has reported an invalid current state 0.
5/15/2012 2:16:19 AM, error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.0.158. The machine with the IP address 192.168.0.1 did not allow the name to be claimed by this machine.
5/14/2012 7:35:00 PM, error: W32Time [34] - The time service has detected that the system time needs to be changed by -59116 seconds. The time service will not change the system time by more than -54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com (ntp.m|0x1|192.168.0.178:123->65.55.21.13:123) is working properly.
5/14/2012 7:31:29 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
5/11/2012 4:01:40 PM, error: Dhcp [1002] - The IP address lease 192.168.0.216 for the Network Card with network address 78E40080E285 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
5/10/2012 6:12:56 AM, error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.0.216. The machine with the IP address 192.168.0.1 did not allow the name to be claimed by this machine.
.
==== End Of File ===========================


GMER


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-05-15 23:20:54
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST925041 rev.0006
Running: ncjyfp4k.exe; Driver: C:\DOCUME~1\YEEHEN~1\LOCALS~1\Temp\uxtdapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xA29BA202]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xA2C6CCB2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xA29DE6C1]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xA29BC81C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xA29BC874]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xA29BC98A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xA29DE075]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xA29BC772]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xA29BC8C4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xA29BC7C6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xA29BC938]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xA29BA226]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xA29DED87]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xA29DF03D]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xA29BCC0E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA29DEBF2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA29DEA5D]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xA2C6CD62]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xA29B9FF0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xA29BA24A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xA29BCD82]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xA29BACDA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xA29BC84C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xA29BC89C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xA29BC9B4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xA29DE3D1]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xA29BC79E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xA29BCA46]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xA29BC904]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xA29BC7F4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xA29BCB2A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xA29BC962]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xA2C6CDFA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xA29DE8D8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xA29BABA0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xA29DE72A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xA2C75E48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xA29DD6E8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xA29BA26E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xA29BA292]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xA29BA04A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xA29BA186]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xA29DEE8E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xA29BA162]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xA29BA1AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xA29BA2B6]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA2C82902]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C58 80503858 4 Bytes [5D, EA, 9D, A2]
.text ntkrnlpa.exe!ZwCallbackReturn + 2DB4 805039B4 4 Bytes CALL 9266DC56
.text ntkrnlpa.exe!ZwCallbackReturn + 2E64 80503A64 4 Bytes CALL E6F2D83F
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A4ECC 4 Bytes CALL A29BB335 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BAEDA 5 Bytes JMP A2C7E2BE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C1810 5 Bytes JMP A2C7FD5C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CF966 7 Bytes JMP A2C82906 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text win32k.sys!EngFreeUserMem + 674 BF80BA4F 5 Bytes JMP A29BDCCE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSurface + 45 BF810175 5 Bytes JMP A29BDBDA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngBitBlt + 92C BF827A40 2 Bytes JMP A29BCF60 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngBitBlt + 92F BF827A43 2 Bytes [19, E3] {SBB EBX, ESP}
.text win32k.sys!EngUnmapFontFileFD + D80 BF83331E 5 Bytes JMP A29BDE38 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + 7717 BF839CB5 5 Bytes JMP A29BE040 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + 112EA BF843888 5 Bytes JMP A29BCE9C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMulDiv + 5509 BF849B03 5 Bytes JMP A29BD06A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngTextOut + 1437 BF854BF4 5 Bytes JMP A29BDB4A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 1036 BF857AD0 5 Bytes JMP A29BDD80 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStrokePath + 62A3 BF87FFC9 5 Bytes JMP A29BD1AC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStrokePath + 632C BF880052 5 Bytes JMP A29BD352 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStrokePath + 70B0 BF880DD6 5 Bytes JMP A29BCE84 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreatePalette + 245E BF884C65 5 Bytes JMP A29BDF9E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!BRUSHOBJ_hGetColorTransform + AFDD BF89F83F 5 Bytes JMP A29BD32A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 4E4C BF8CEEE3 5 Bytes JMP A29BCDB8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bCloseFigure + A434 BF8DAA77 5 Bytes JMP A29BDC04 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!FONTOBJ_pxoGetXform + 77D BF8FAF04 5 Bytes JMP A29BCFD0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_vGetBounds + 58C BF908B12 5 Bytes JMP A29BD0DA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_vGetBounds + 80C BF908D92 5 Bytes JMP A29BD114 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 1993 BF911AD9 5 Bytes JMP A29BCF1C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 2567 BF9126AD 5 Bytes JMP A29BD034 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 4EC1 BF915007 5 Bytes JMP A29BD46C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPlgBlt + 191E BF94290C 5 Bytes JMP A29BDEF6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
? C:\DOCUME~1\YEEHEN~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
.text ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\spoolsv.exe[136] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\spoolsv.exe[136] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[136] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\spoolsv.exe[136] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[136] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\spoolsv.exe[136] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\spoolsv.exe[136] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\spoolsv.exe[136] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\spoolsv.exe[136] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\spoolsv.exe[136] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\spoolsv.exe[136] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\spoolsv.exe[136] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\spoolsv.exe[136] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\spoolsv.exe[136] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\spoolsv.exe[136] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\spoolsv.exe[136] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\spoolsv.exe[136] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[444] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[444] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[444] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[444] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[444] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 004F1014
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[444] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 004F0804
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[444] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 004F0A08
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[444] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 004F0C0C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[444] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 004F0E10
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[444] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 004F01F8
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[444] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 004F03FC
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[444] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 004F0600
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[444] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 005001F8
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[444] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 005003FC
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[444] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00500804
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[444] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00500A08
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[444] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00500600
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[456] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[456] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[456] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[456] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[456] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003701F8
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[456] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003703FC
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[456] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00370804
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[456] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00370A08
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[456] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00370600
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[456] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00381014
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[456] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00380804
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[456] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00380A08
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[456] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00380C0C
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[456] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00380E10
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[456] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003801F8
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[456] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003803FC
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[456] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00380600
.text C:\Program Files\IPMsg\ipmsg.exe[468] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\Program Files\IPMsg\ipmsg.exe[468] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\IPMsg\ipmsg.exe[468] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\Program Files\IPMsg\ipmsg.exe[468] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\IPMsg\ipmsg.exe[468] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00381014
.text C:\Program Files\IPMsg\ipmsg.exe[468] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00380804
.text C:\Program Files\IPMsg\ipmsg.exe[468] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00380A08
.text C:\Program Files\IPMsg\ipmsg.exe[468] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00380C0C
.text C:\Program Files\IPMsg\ipmsg.exe[468] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00380E10
.text C:\Program Files\IPMsg\ipmsg.exe[468] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003801F8
.text C:\Program Files\IPMsg\ipmsg.exe[468] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003803FC
.text C:\Program Files\IPMsg\ipmsg.exe[468] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00380600
.text C:\Program Files\IPMsg\ipmsg.exe[468] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003901F8
.text C:\Program Files\IPMsg\ipmsg.exe[468] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003903FC
.text C:\Program Files\IPMsg\ipmsg.exe[468] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00390804
.text C:\Program Files\IPMsg\ipmsg.exe[468] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00390A08
.text C:\Program Files\IPMsg\ipmsg.exe[468] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00390600
.text C:\WINDOWS\system32\igfxsrvc.exe[760] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\WINDOWS\system32\igfxsrvc.exe[760] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\igfxsrvc.exe[760] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\WINDOWS\system32\igfxsrvc.exe[760] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\igfxsrvc.exe[760] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\igfxsrvc.exe[760] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\igfxsrvc.exe[760] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\igfxsrvc.exe[760] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\igfxsrvc.exe[760] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\igfxsrvc.exe[760] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\WINDOWS\system32\igfxsrvc.exe[760] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\igfxsrvc.exe[760] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\igfxsrvc.exe[760] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\WINDOWS\system32\igfxsrvc.exe[760] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\WINDOWS\system32\igfxsrvc.exe[760] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\igfxsrvc.exe[760] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\igfxsrvc.exe[760] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\WINDOWS\System32\smss.exe[780] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[832] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[832] KERNEL32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000701F8
.text C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[856] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000703FC
.text C:\WINDOWS\system32\winlogon.exe[856] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[856] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\winlogon.exe[856] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\winlogon.exe[856] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\winlogon.exe[856] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\winlogon.exe[856] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\winlogon.exe[856] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\winlogon.exe[856] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\winlogon.exe[856] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\winlogon.exe[856] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\winlogon.exe[856] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\winlogon.exe[856] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\winlogon.exe[856] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\winlogon.exe[856] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\services.exe[900] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\services.exe[900] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[900] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\services.exe[900] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[900] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\services.exe[900] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\services.exe[900] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\services.exe[900] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\services.exe[900] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\services.exe[900] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\services.exe[900] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\services.exe[900] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\services.exe[900] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\services.exe[900] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\services.exe[900] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\services.exe[900] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\services.exe[900] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[912] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\lsass.exe[912] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[912] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\lsass.exe[912] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\lsass.exe[912] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\lsass.exe[912] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\lsass.exe[912] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\lsass.exe[912] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\lsass.exe[912] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\lsass.exe[912] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\lsass.exe[912] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\lsass.exe[912] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\lsass.exe[912] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\lsass.exe[912] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\lsass.exe[912] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\svchost.exe[1068] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[1068] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[1068] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[1068] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[1068] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\svchost.exe[1128] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[1128] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[1128] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[1128] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[1128] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\Program Files\Mozilla Firefox\firefox.exe[1156] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\Program Files\Mozilla Firefox\firefox.exe[1156] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1156] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[1156] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1156] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 006A1014
.text C:\Program Files\Mozilla Firefox\firefox.exe[1156] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 006A0804
.text C:\Program Files\Mozilla Firefox\firefox.exe[1156] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 006A0A08
.text C:\Program Files\Mozilla Firefox\firefox.exe[1156] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 006A0C0C
.text C:\Program Files\Mozilla Firefox\firefox.exe[1156] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 006A0E10
.text C:\Program Files\Mozilla Firefox\firefox.exe[1156] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 006A01F8
.text C:\Program Files\Mozilla Firefox\firefox.exe[1156] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 006A03FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[1156] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 006A0600
.text C:\Program Files\Mozilla Firefox\firefox.exe[1156] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 006B01F8
.text C:\Program Files\Mozilla Firefox\firefox.exe[1156] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 006B03FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[1156] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 006B0804
.text C:\Program Files\Mozilla Firefox\firefox.exe[1156] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 006B0A08
.text C:\Program Files\Mozilla Firefox\firefox.exe[1156] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 006B0600
.text C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\System32\svchost.exe[1168] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\System32\svchost.exe[1168] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\System32\svchost.exe[1168] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\System32\svchost.exe[1168] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\System32\svchost.exe[1168] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[1268] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1268] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1268] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[1268] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[1268] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\svchost.exe[1268] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\svchost.exe[1268] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\svchost.exe[1268] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\svchost.exe[1268] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\svchost.exe[1300] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1300] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1300] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\svchost.exe[1300] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[1300] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[1300] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[1300] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[1300] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\Program Files\IDT\WDM\STacSV.exe[1360] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\Program Files\IDT\WDM\STacSV.exe[1360] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\IDT\WDM\STacSV.exe[1360] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\Program Files\IDT\WDM\STacSV.exe[1360] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\IDT\WDM\STacSV.exe[1360] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00381014
.text C:\Program Files\IDT\WDM\STacSV.exe[1360] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00380804
.text C:\Program Files\IDT\WDM\STacSV.exe[1360] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00380A08
.text C:\Program Files\IDT\WDM\STacSV.exe[1360] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00380C0C
.text C:\Program Files\IDT\WDM\STacSV.exe[1360] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00380E10
.text C:\Program Files\IDT\WDM\STacSV.exe[1360] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003801F8
.text C:\Program Files\IDT\WDM\STacSV.exe[1360] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003803FC
.text C:\Program Files\IDT\WDM\STacSV.exe[1360] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00380600
.text C:\Program Files\IDT\WDM\STacSV.exe[1360] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003901F8
.text C:\Program Files\IDT\WDM\STacSV.exe[1360] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003903FC
.text C:\Program Files\IDT\WDM\STacSV.exe[1360] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00390804
.text C:\Program Files\IDT\WDM\STacSV.exe[1360] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00390A08
.text C:\Program Files\IDT\WDM\STacSV.exe[1360] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00390600
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1600] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1600] kernel32.dll!SetUnhandledExceptionFilter 7C810386 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1600] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Documents and Settings\Yee Heng\My Documents\Downloads\ncjyfp4k.exe[1628] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Documents and Settings\Yee Heng\My Documents\Downloads\ncjyfp4k.exe[1628] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1756] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\Explorer.EXE[1756] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1756] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\Explorer.EXE[1756] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1756] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\Explorer.EXE[1756] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\Explorer.EXE[1756] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\Explorer.EXE[1756] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\Explorer.EXE[1756] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\Explorer.EXE[1756] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\Explorer.EXE[1756] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\Explorer.EXE[1756] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\Explorer.EXE[1756] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002C01F8
.text C:\WINDOWS\Explorer.EXE[1756] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002C03FC
.text C:\WINDOWS\Explorer.EXE[1756] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002C0804
.text C:\WINDOWS\Explorer.EXE[1756] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002C0A08
.text C:\WINDOWS\Explorer.EXE[1756] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\igfxtray.exe[1936] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\WINDOWS\system32\igfxtray.exe[1936] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\igfxtray.exe[1936] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\WINDOWS\system32\igfxtray.exe[1936] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\igfxtray.exe[1936] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\igfxtray.exe[1936] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\igfxtray.exe[1936] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\igfxtray.exe[1936] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\igfxtray.exe[1936] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00390600
.text C:\WINDOWS\system32\igfxtray.exe[1936] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 003A1014
.text C:\WINDOWS\system32\igfxtray.exe[1936] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 003A0804
.text C:\WINDOWS\system32\igfxtray.exe[1936] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 003A0A08
.text C:\WINDOWS\system32\igfxtray.exe[1936] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 003A0C0C
.text C:\WINDOWS\system32\igfxtray.exe[1936] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 003A0E10
.text C:\WINDOWS\system32\igfxtray.exe[1936] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003A01F8
.text C:\WINDOWS\system32\igfxtray.exe[1936] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003A03FC
.text C:\WINDOWS\system32\igfxtray.exe[1936] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 003A0600
.text C:\WINDOWS\system32\hkcmd.exe[1944] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\WINDOWS\system32\hkcmd.exe[1944] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\hkcmd.exe[1944] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\WINDOWS\system32\hkcmd.exe[1944] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\hkcmd.exe[1944] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\hkcmd.exe[1944] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\hkcmd.exe[1944] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\hkcmd.exe[1944] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\hkcmd.exe[1944] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00390600
.text C:\WINDOWS\system32\hkcmd.exe[1944] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 003A1014
.text C:\WINDOWS\system32\hkcmd.exe[1944] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 003A0804
.text C:\WINDOWS\system32\hkcmd.exe[1944] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 003A0A08
.text C:\WINDOWS\system32\hkcmd.exe[1944] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 003A0C0C
.text C:\WINDOWS\system32\hkcmd.exe[1944] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 003A0E10
.text C:\WINDOWS\system32\hkcmd.exe[1944] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003A01F8
.text C:\WINDOWS\system32\hkcmd.exe[1944] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003A03FC
.text C:\WINDOWS\system32\hkcmd.exe[1944] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 003A0600
.text C:\WINDOWS\system32\igfxpers.exe[1952] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\WINDOWS\system32\igfxpers.exe[1952] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\igfxpers.exe[1952] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\WINDOWS\system32\igfxpers.exe[1952] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\igfxpers.exe[1952] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\igfxpers.exe[1952] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\igfxpers.exe[1952] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\igfxpers.exe[1952] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\igfxpers.exe[1952] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\igfxpers.exe[1952] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\WINDOWS\system32\igfxpers.exe[1952] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\igfxpers.exe[1952] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\igfxpers.exe[1952] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\WINDOWS\system32\igfxpers.exe[1952] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\WINDOWS\system32\igfxpers.exe[1952] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\igfxpers.exe[1952] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\igfxpers.exe[1952] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\WINDOWS\system32\AESTFltr.exe[1960] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\WINDOWS\system32\AESTFltr.exe[1960] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\AESTFltr.exe[1960] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\WINDOWS\system32\AESTFltr.exe[1960] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\AESTFltr.exe[1960] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\AESTFltr.exe[1960] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\AESTFltr.exe[1960] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\AESTFltr.exe[1960] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\AESTFltr.exe[1960] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\AESTFltr.exe[1960] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\WINDOWS\system32\AESTFltr.exe[1960] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\AESTFltr.exe[1960] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\AESTFltr.exe[1960] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\WINDOWS\system32\AESTFltr.exe[1960] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\WINDOWS\system32\AESTFltr.exe[1960] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\AESTFltr.exe[1960] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\AESTFltr.exe[1960] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\Program Files\IDT\WDM\sttray.exe[1968] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\Program Files\IDT\WDM\sttray.exe[1968] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\IDT\WDM\sttray.exe[1968] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\Program Files\IDT\WDM\sttray.exe[1968] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\IDT\WDM\sttray.exe[1968] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003801F8
.text C:\Program Files\IDT\WDM\sttray.exe[1968] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003803FC
.text C:\Program Files\IDT\WDM\sttray.exe[1968] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00380804
.text C:\Program Files\IDT\WDM\sttray.exe[1968] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00380A08
.text C:\Program Files\IDT\WDM\sttray.exe[1968] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00380600
.text C:\Program Files\IDT\WDM\sttray.exe[1968] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\Program Files\IDT\WDM\sttray.exe[1968] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\Program Files\IDT\WDM\sttray.exe[1968] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\Program Files\IDT\WDM\sttray.exe[1968] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\Program Files\IDT\WDM\sttray.exe[1968] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\Program Files\IDT\WDM\sttray.exe[1968] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\Program Files\IDT\WDM\sttray.exe[1968] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\Program Files\IDT\WDM\sttray.exe[1968] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1976] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1976] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1976] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1976] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1976] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003801F8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1976] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003803FC
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1976] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00380804
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1976] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00380A08
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1976] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00380600
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1976] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1976] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1976] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1976] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1976] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1976] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1976] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1976] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[1984] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[1984] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\PowerISO\PWRISOVM.EXE[1992] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
.text C:\Program Files\PowerISO\PWRISOVM.EXE[1992] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\PowerISO\PWRISOVM.EXE[1992] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
.text C:\Program Files\PowerISO\PWRISOVM.EXE[1992] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\PowerISO\PWRISOVM.EXE[1992] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003701F8
.text C:\Program Files\PowerISO\PWRISOVM.EXE[1992] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003703FC
.text C:\Program Files\PowerISO\PWRISOVM.EXE[1992] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00370804
.text C:\Program Files\PowerISO\PWRISOVM.EXE[1992] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00370A08
.text C:\Program Files\PowerISO\PWRISOVM.EXE[1992] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00370600
.text C:\Program Files\PowerISO\PWRISOVM.EXE[1992] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00381014
.text C:\Program Files\PowerISO\PWRISOVM.EXE[1992] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00380804
.text C:\Program Files\PowerISO\PWRISOVM.EXE[1992] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00380A08
.text C:\Program Files\PowerISO\PWRISOVM.EXE[1992] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00380C0C
.text C:\Program Files\PowerISO\PWRISOVM.EXE[1992] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00380E10
.text C:\Program Files\PowerISO\PWRISOVM.EXE[1992] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003801F8
.text C:\Program Files\PowerISO\PWRISOVM.EXE[1992] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003803FC
.text C:\Program Files\PowerISO\PWRISOVM.EXE[1992] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00380600
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2000] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2000] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2000] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2000] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2000] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003701F8
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2000] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003703FC
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2000] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00370804
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2000] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00370A08
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2000] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00370600
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2000] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00381014
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2000] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00380804
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2000] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00380A08
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2000] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00380C0C
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2000] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00380E10
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2000] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003801F8
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2000] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003803FC
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2000] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\ctfmon.exe[2016] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000A01F8
.text C:\WINDOWS\system32\ctfmon.exe[2016] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[2016] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000A03FC
.text C:\WINDOWS\system32\ctfmon.exe[2016] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[2016] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\ctfmon.exe[2016] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\ctfmon.exe[2016] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\ctfmon.exe[2016] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\ctfmon.exe[2016] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\ctfmon.exe[2016] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\ctfmon.exe[2016] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\ctfmon.exe[2016] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\ctfmon.exe[2016] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\ctfmon.exe[2016] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\ctfmon.exe[2016] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\ctfmon.exe[2016] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\ctfmon.exe[2016] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002C0600
.text C:\Program Files\Messenger\msmsgs.exe[2024] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\Program Files\Messenger\msmsgs.exe[2024] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Messenger\msmsgs.exe[2024] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\Program Files\Messenger\msmsgs.exe[2024] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\Messenger\msmsgs.exe[2024] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002C1014
.text C:\Program Files\Messenger\msmsgs.exe[2024] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002C0804
.text C:\Program Files\Messenger\msmsgs.exe[2024] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002C0A08
.text C:\Program Files\Messenger\msmsgs.exe[2024] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002C0C0C
.text C:\Program Files\Messenger\msmsgs.exe[2024] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002C0E10
.text C:\Program Files\Messenger\msmsgs.exe[2024] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002C01F8
.text C:\Program Files\Messenger\msmsgs.exe[2024] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002C03FC
.text C:\Program Files\Messenger\msmsgs.exe[2024] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002C0600
.text C:\Program Files\Messenger\msmsgs.exe[2024] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002D01F8
.text C:\Program Files\Messenger\msmsgs.exe[2024] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002D03FC
.text C:\Program Files\Messenger\msmsgs.exe[2024] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002D0804
.text C:\Program Files\Messenger\msmsgs.exe[2024] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002D0A08
.text C:\Program Files\Messenger\msmsgs.exe[2024] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002D0600
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes JMP 00469CE0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] kernel32.dll!DeviceIoControl 7C801625 7 Bytes JMP 00469FB0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00469D70 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00469EC0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] kernel32.dll!IsDebuggerPresent 7C812E03 6 Bytes JMP 0054BB50 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 00473CC0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003801F8
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003803FC
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00380804
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00380A08
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00380600
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 00473CF0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0041F130 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegCloseKey 77DD6BF0 5 Bytes JMP 0041EE60 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegQueryValueExW 77DD6FC8 5 Bytes JMP 0041F250 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0041EF20 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0041F100 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0041F0E0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegQueryValueExA 77DD7883 5 Bytes JMP 0041F220 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegEnumKeyExW 77DD79A1 5 Bytes JMP 0041F030 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegEnumValueW 77DD8081 5 Bytes JMP 0041F090 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegSetValueExW 77DDD7CC 7 Bytes JMP 0041F310 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegQueryValueW 77DDD8E2 5 Bytes JMP 0041F1F0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 0041EF00 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegSetValueExA 77DDEBE7 7 Bytes JMP 0041F2E0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegDeleteValueA 77DDEDE5 5 Bytes JMP 0041EFA0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegDeleteValueW 77DDEEF1 5 Bytes JMP 0041EFD0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegSetValueA 77DE6F49 5 Bytes JMP 0041F280 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegFlushKey 77DEB908 5 Bytes JMP 0041EE90 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegEnumValueA 77DECF4A 5 Bytes JMP 0041F060 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0041EEE0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegDeleteKeyW 77DF9884 5 Bytes JMP 0041EF70 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegDeleteKeyA 77DFC123 5 Bytes JMP 0041EF40 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegQueryInfoKeyA 77DFC1B5 5 Bytes JMP 0041F160 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0041F0C0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegEnumKeyExA 77DFC8C1 5 Bytes JMP 0041F000 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegQueryValueA 77DFCC10 5 Bytes JMP 0041F1C0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegQueryInfoKeyW 77DFCCEF 5 Bytes JMP 0041F190 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0041EEC0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!RegSetValueW 77E35FC2 5 Bytes JMP 0041F2B0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe[2228] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 0041F4F0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2408] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2408] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2408] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2408] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2408] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 003D1014
.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2408] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 003D0804
.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2408] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 003D0A08
.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2408] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 003D0C0C
.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2408] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 003D0E10
.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2408] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003D01F8
.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2408] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003D03FC
.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2408] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 003D0600
.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2408] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003E01F8
.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2408] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003E03FC
.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2408] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 003E0804
.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2408] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 003E0A08
.text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[2408] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 003E0600
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2676] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2676] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2676] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2676] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2676] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003701F8
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2676] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003703FC
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2676] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00370804
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2676] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00370A08
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2676] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00370600
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2676] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00381014
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2676] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00380804
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2676] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00380A08
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2676] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00380C0C
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2676] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00380E10
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2676] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003801F8
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2676] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003803FC
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2676] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00380600
.text C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe[2872] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
.text C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe[2872] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe[2872] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
.text C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe[2872] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe[2872] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00371014
.text C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe[2872] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00370804
.text C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe[2872] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00370A08
.text C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe[2872] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00370C0C
.text C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe[2872] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00370E10
.text C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe[2872] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003701F8
.text C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe[2872] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003703FC
.text C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe[2872] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00370600
.text C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe[2872] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003801F8
.text C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe[2872] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003803FC
.text C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe[2872] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00380804
.text C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe[2872] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00380A08
.text C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe[2872] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00380600
.text C:\Documents and Settings\Yee Heng\My Documents\Downloads\Defogger.exe[3028] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Documents and Settings\Yee Heng\My Documents\Downloads\Defogger.exe[3028] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\NOTEPAD.EXE[3032] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\NOTEPAD.EXE[3032] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[3176] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[3176] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[3176] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[3176] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[3176] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\svchost.exe[3176] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\svchost.exe[3176] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\svchost.exe[3176] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\svchost.exe[3176] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\svchost.exe[3176] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\svchost.exe[3176] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\svchost.exe[3176] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\svchost.exe[3176] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[3176] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[3176] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[3176] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[3176] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\wdfmgr.exe[3228] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000801F8
.text C:\WINDOWS\system32\wdfmgr.exe[3228] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\wdfmgr.exe[3228] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000803FC
.text C:\WINDOWS\system32\wdfmgr.exe[3228] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\wdfmgr.exe[3228] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\wdfmgr.exe[3228] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\wdfmgr.exe[3228] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\wdfmgr.exe[3228] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\wdfmgr.exe[3228] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\wdfmgr.exe[3228] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\wdfmgr.exe[3228] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\wdfmgr.exe[3228] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\wdfmgr.exe[3228] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\wdfmgr.exe[3228] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\wdfmgr.exe[3228] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\wdfmgr.exe[3228] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\wdfmgr.exe[3228] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\wltrysvc.exe[3268] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
.text C:\WINDOWS\system32\wltrysvc.exe[3268] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\wltrysvc.exe[3268] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
.text C:\WINDOWS\system32\wltrysvc.exe[3268] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\wltrysvc.exe[3268] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003701F8
.text C:\WINDOWS\system32\wltrysvc.exe[3268] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003703FC
.text C:\WINDOWS\system32\wltrysvc.exe[3268] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00370804
.text C:\WINDOWS\system32\wltrysvc.exe[3268] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00370A08
.text C:\WINDOWS\system32\wltrysvc.exe[3268] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00370600
.text C:\WINDOWS\system32\wltrysvc.exe[3268] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00381014
.text C:\WINDOWS\system32\wltrysvc.exe[3268] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\wltrysvc.exe[3268] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\wltrysvc.exe[3268] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00380C0C
.text C:\WINDOWS\system32\wltrysvc.exe[3268] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00380E10
.text C:\WINDOWS\system32\wltrysvc.exe[3268] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\wltrysvc.exe[3268] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\wltrysvc.exe[3268] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00380600
.text C:\WINDOWS\System32\svchost.exe[3284] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\svchost.exe[3284] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[3284] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\svchost.exe[3284] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[3284] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\System32\svchost.exe[3284] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\System32\svchost.exe[3284] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\System32\svchost.exe[3284] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\System32\svchost.exe[3284] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\System32\svchost.exe[3284] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\System32\svchost.exe[3284] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\System32\svchost.exe[3284] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\System32\svchost.exe[3284] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\System32\svchost.exe[3284] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\System32\svchost.exe[3284] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\System32\svchost.exe[3284] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\System32\svchost.exe[3284] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\bcmwltry.exe[3312] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\WINDOWS\system32\bcmwltry.exe[3312] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\bcmwltry.exe[3312] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\WINDOWS\system32\bcmwltry.exe[3312] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\bcmwltry.exe[3312] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00381014
.text C:\WINDOWS\system32\bcmwltry.exe[3312] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\bcmwltry.exe[3312] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\bcmwltry.exe[3312] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00380C0C
.text C:\WINDOWS\system32\bcmwltry.exe[3312] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00380E10
.text C:\WINDOWS\system32\bcmwltry.exe[3312] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\bcmwltry.exe[3312] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\bcmwltry.exe[3312] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\bcmwltry.exe[3312] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\bcmwltry.exe[3312] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\bcmwltry.exe[3312] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\bcmwltry.exe[3312] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\bcmwltry.exe[3312] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00390600
.text C:\WINDOWS\system32\NOTEPAD.EXE[3660] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\NOTEPAD.EXE[3660] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[3672] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[3672] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[3672] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[3672] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[3672] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00371014
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[3672] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00370804
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[3672] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00370A08
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[3672] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00370C0C
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[3672] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00370E10
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[3672] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003701F8
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[3672] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003703FC
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[3672] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00370600
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[3672] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003801F8
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[3672] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003803FC
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[3672] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00380804
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[3672] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00380A08
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[3672] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00380600
.text C:\WINDOWS\System32\alg.exe[4028] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\alg.exe[4028] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[4028] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\alg.exe[4028] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[4028] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002A01F8
.text C:\WINDOWS\System32\alg.exe[4028] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002A03FC
.text C:\WINDOWS\System32\alg.exe[4028] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002A0804
.text C:\WINDOWS\System32\alg.exe[4028] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002A0A08
.text C:\WINDOWS\System32\alg.exe[4028] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002A0600
.text C:\WINDOWS\System32\alg.exe[4028] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\System32\alg.exe[4028] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\System32\alg.exe[4028] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\System32\alg.exe[4028] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\System32\alg.exe[4028] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\System32\alg.exe[4028] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\System32\alg.exe[4028] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\System32\alg.exe[4028] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\wscntfy.exe[4076] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\wscntfy.exe[4076] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\wscntfy.exe[4076] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\wscntfy.exe[4076] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\wscntfy.exe[4076] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\wscntfy.exe[4076] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\wscntfy.exe[4076] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\wscntfy.exe[4076] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\wscntfy.exe[4076] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\wscntfy.exe[4076] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002D1014
.text C:\WINDOWS\system32\wscntfy.exe[4076] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002D0804
.text C:\WINDOWS\system32\wscntfy.exe[4076] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002D0A08
.text C:\WINDOWS\system32\wscntfy.exe[4076] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002D0C0C
.text C:\WINDOWS\system32\wscntfy.exe[4076] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002D0E10
.text C:\WINDOWS\system32\wscntfy.exe[4076] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002D01F8
.text C:\WINDOWS\system32\wscntfy.exe[4076] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002D03FC
.text C:\WINDOWS\system32\wscntfy.exe[4076] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002D0600

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,980 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:14 PM

Posted 19 May 2012 - 01:59 AM

Hello, as oneof4 is busy, I am taking over this topic and will help you from here.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#5 chew yee jian

chew yee jian
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:03:14 PM

Posted 19 May 2012 - 05:25 AM

**NOTES:
thank you for your response :)
the major infection of the virus is on my external hd..
my current harddisk is full with scr. files / autorun.inf / recycled,
my computer currently is clean of all these types of files

COMBOFIX LOG

ComboFix 12-05-19.01 - Yee Heng 05/19/2012 19:00:10.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1012.477 [GMT -7:00]
Running from: c:\documents and settings\Yee Heng\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
.
.
((((((((((((((((((((((((( Files Created from 2012-04-20 to 2012-05-20 )))))))))))))))))))))))))))))))
.
.
2012-05-19 22:07 . 2012-05-19 22:07 -------- d-----w- c:\program files\Google
2012-05-19 22:07 . 2012-05-19 22:07 -------- d-----w- c:\documents and settings\Yee Heng\Local Settings\Application Data\Google
2012-04-28 08:36 . 2012-05-12 20:24 -------- d-----w- c:\program files\USBScan
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-21 06:00 . 2011-05-15 22:59 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-07-24 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AAADesktopTips]
@="{4562B511-62E9-4533-B7B2-56A8BB10B482}"
[HKEY_CLASSES_ROOT\CLSID\{4562B511-62E9-4533-B7B2-56A8BB10B482}]
2011-12-30 05:37 247408 ----a-w- c:\program files\Common Files\Thunder Network\Kankan\xappex.1.1.1.38.(972).dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-30 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-30 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-30 141336]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-08-12 753664]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-05-14 495708]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-05-27 1721640]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"USBScan.exe"="c:\program files\USBScan\USBScan.exe" [2012-04-08 1811968]
.
c:\documents and settings\Yee Heng\Start Menu\Programs\Startup\
IPMSG for Win32.lnk - c:\program files\IPMsg\ipmsg.exe [2012-1-22 540672]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-29 607584]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\IPMsg\\ipmsg.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\NetMon\\net_monitor_i.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\NetMon\\lsp_check.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\Program\\ThunderBhoStat.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\Program\\ThunderLiveUD.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\FCMiniDownloader\\MiniDownloader.exe"=
"c:\\Program Files\\Thunder Network\\Xmp\\Program\\ThunderLiveUD.exe"=
"c:\\Program Files\\Thunder Network\\Xmp\\Program\\XMP.exe"=
"c:\\Program Files\\Thunder Network\\Xmp\\Program\\XLBugReport.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\Kankan\\xmp.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\Kankan\\ThunderServiceLite.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.99_1111\\ThunderPlatform.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.99_1111\\ThunderLiveUD.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.99_1111\\XLBugReport.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"33674:UDP"= 33674:UDP:ThunderLAN(UDP)
"33673:TCP"= 33673:TCP:ThunderLAN(TCP)
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/15/2011 9:10 AM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/15/2011 9:10 AM 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/15/2011 9:10 AM 19544]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2/10/2011 4:02 PM 113664]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/19/2012 3:07 PM 116648]
S2 XLServicePlatform;XLServicePlatform;c:\windows\system32\svchost -k XLServicePlatform --> c:\windows\system32\svchost -k XLServicePlatform [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/19/2012 3:07 PM 116648]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2/10/2011 4:05 PM 186912]
S3 Slnt7554;USB Soft Modem Driver;c:\windows\system32\drivers\slnt7554.sys [3/13/2012 11:41 AM 129535]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - BITS
*NewlyCreated* - GUPDATE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
XLServicePlatform REG_MULTI_SZ XLServicePlatform
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-19 22:07]
.
2012-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-19 22:07]
.
.
------- Supplementary Scan -------
.
IE: &ʹ&Ѹ - c:\program files\Thunder Network\Thunder\BHO\OfflineDownload.htm
IE: &ʹ&Ѹ - c:\program files\Thunder Network\Thunder\BHO\geturl.htm
IE: &ʹ&Ѹȫ - c:\program files\Thunder Network\Thunder\BHO\GetAllUrl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: ??????????? - c:\documents and settings\All Users\Application Data\Thunder Network\XMP4\core\program\XmpIEMenu.htm
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Yee Heng\Application Data\Mozilla\Firefox\Profiles\j3hyunew.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-19 19:12
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'explorer.exe'(2076)
c:\program files\Common Files\Thunder Network\KanKan\xappex.1.1.1.38.(972).dll
c:\windows\system32\btmmhook.dll
.
Completion time: 2012-05-19 19:17:22
ComboFix-quarantined-files.txt 2012-05-20 02:17
.
Pre-Run: 27,198,468,096 bytes free
Post-Run: 27,658,338,304 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - BFE48D731F1F7AF4A66E7D1FF8A028F2

#6 Elise

Posted 19 May 2012 - 05:46 AM

I recommend you use Panda USB Vaccine to make sure infections cannot spread and scan the external disk with MBAM. It's either that or reformatting the disk.

regards, Elise


#7 chew yee jian

Posted 19 May 2012 - 12:48 PM

sorry but i still need help, because i haven't backed up my external hd,
panda usb vaccine can't vaccinate my external hd,
and i've done MBAM,
and successfully removed the scr. virus from the harddisks,
but some weird files still exist at the folder,

and all the files are still hidden....
recycler, $recycle.bin, autorun.inf
9c9e957a2497566c39a21d3009
97d520550d5ef57f8601906a88
ecb1feef2cfcd04e979dc5b1f1
fc799f5e2fab42dc1ae7ea1b5a

and here's the malware log
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.19.03

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
Yee Heng :: ELITE [administrator]

Protection: Enabled

5/20/2012 12:41:27 AM
mbam-log-2012-05-20 (00-41-27).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 302039
Time elapsed: 1 hour(s), 57 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 14
H:\System Volume Information\_restore{2FE3A9C0-FDE9-4742-AF84-B67F9B1F6DF9}\RP97\A0082273.dll (Trojan.Agent) -> Quarantined and deleted successfully.
I:\Botting\WPE\WPE PRO - modified.exe (HackTool.Sniffer.WpePro) -> Quarantined and deleted successfully.
I:\Botting\WPE\WPE PRO.exe (HackTool.Sniffer.WpePro) -> Quarantined and deleted successfully.
i:\botting\wpe\wpespy.dll (HackTool.Sniffer.WpePro) -> Quarantined and deleted successfully.
i:\system volume information\_restore{2fe3a9c0-fde9-4742-af84-b67f9b1f6df9}\rp97\a0082286.dll (HackTool.Sniffer.WpePro) -> Quarantined and deleted successfully.
j:\thumbs .db (Backdoor.Senna) -> Quarantined and deleted successfully.
J:\yh software\browser software\Win XP Validator\keyfinder.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
J:\yh software\media software\FunshionInstall_C108312.exe (Adware.Funshion) -> Quarantined and deleted successfully.
J:\yh software\media software\gtp5.2\Keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
J:\yh software\media software\MP3 Cutter Plus\MP3CutterPlusSetup.exe (PUP.Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
J:\yh software\media software\Sony Vegas Pro 9.0 + Crack (as usual) [ContagiuosSF]\Keygen\Keygen.exe (Trojan.Agent) -> Quarantined and deleted successfully.
J:\yh software\media software\Sony Vegas Pro 9.0 + Crack (as usual) [ContagiuosSF]\Keygen\Sony_VegasPro8_DVDArchitect45_SoundForge9_CRACK.exe (RiskWare.Tool.HCK) -> Quarantined and deleted successfully.
J:\yh software\media software\Sony Vegas Pro 9.0 64-bit +Keygen+patch (as usual) [ContagiuosSF]\Keygen\Keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
J:\yh software\media software\WinX.DVD.Ripper.Platinum.6.5.0.20111031-CORE\CORE\CORE10k.EXE (Dont.Steal.Our.Software) -> Quarantined and deleted successfully.

(end)

#8 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,980 posts
  • Gender:Female
  • Location:Romania

Posted 19 May 2012 - 01:07 PM

It really shouldn't surprise you to get infected with the cracks and keygens you are storing there; not only is this illegal, it is also a sure way to get your computer infected with all the latest nasties. The only thing you can do about this is reformatting the whole thing. Most likely backing up the data will only reinfect you. If you insist on backing up data, only back up the files you are sure are safe (for example pictures, documents and such you created yourself).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#9 chew yee jian
  • Topic Starter

  • Members
  • 21 posts

Posted 19 May 2012 - 10:54 PM

hmmm.... ok....
so the files that I can back up are all those files which I made myself??
and formatting the harddisk will solve the issue??

thank you so much...
and for the cracks, I really have no idea,
because some of them were directly copied from my bro's software..

#10 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,980 posts
  • Gender:Female
  • Location:Romania

Posted 20 May 2012 - 02:19 AM

In that case I really recommend just wiping the drive; not doing so will risk any computer this drive is connected to, which in my opinion is not worth the trouble.

To be sure any autorun entries are gone, run the following scan.

OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
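The point of the OTL scan requested above is to see what the O6/O7 policy lines and the O32 "AutoRun File" lines say about AutoRun on this machine, and those values are easy to misread: NoDriveTypeAutoRun is a bitmask over drive types, NoDriveAutoRun is a bitmask over drive letters, and an autorun.inf that OTL reports with a "D" attribute is a directory, not a file that Windows would execute. The following is an added example, not code from this thread, from OTL or from BleepingComputer; it decodes those lines. The sample input is copied from the OTL log posted later in this thread, and the R/H/S/D layout of OTL's attribute column is assumed from how those lines read.

```python
import re

# NoDriveTypeAutoRun is a bitmask over GetDriveType() return values: bit n set
# means AutoRun is disabled for drive type n. 0x80 is reserved ("unspecified")
# and bits 0x100 and above have no documented meaning.
DRIVE_TYPE_BITS = [
    (0x01, "DRIVE_UNKNOWN"),
    (0x02, "DRIVE_NO_ROOT_DIR"),
    (0x04, "DRIVE_REMOVABLE"),
    (0x08, "DRIVE_FIXED"),
    (0x10, "DRIVE_REMOTE"),
    (0x20, "DRIVE_CDROM"),
    (0x40, "DRIVE_RAMDISK"),
    (0x80, "RESERVED_UNSPECIFIED"),
]

# O6/O7 policy lines as OTL prints them.
POLICY_RE = re.compile(
    r"^O[67] - (?P<key>HK\S+?): "
    r"(?P<name>NoDriveTypeAutoRun|NoDriveAutoRun|NoDrives) = (?P<value>\d+)$"
)
# O32 "AutoRun File" lines. The attribute column is assumed to be R/H/S/D in
# fixed positions ("RH-D" = read-only, hidden, directory), as seen in the log.
AUTORUN_FILE_RE = re.compile(
    r"^O32 - AutoRun File - \[[^|]+\| [^|]+\| (?P<attrs>[A-Z-]{4}) \| [MC]\] "
    r"(?:\([^)]*\) )?- (?P<path>.+?) -- \[ (?P<fs>\w+) \]$"
)

# Constructed sample: these lines are copied from the OTL log in this thread.
SAMPLE_OTL_LINES = r"""
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/02/10 15:48:38 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/11/02 09:29:42 | 000,000,000 | ---D | M] - H:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/11/02 09:29:47 | 000,000,000 | RH-D | M] - I:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/11/02 09:29:50 | 000,000,000 | RH-D | M] - J:\autorun.inf -- [ NTFS ]
"""


def decode_no_drive_type_autorun(value):
    """Split a NoDriveTypeAutoRun value into disabled and still-enabled drive types."""
    disabled, enabled = [], []
    for bit, name in DRIVE_TYPE_BITS:
        (disabled if value & bit else enabled).append(name)
    return {"disabled": disabled, "enabled": enabled, "undefined_bits": value & ~0xFF}


def decode_no_drive_autorun(value):
    """NoDriveAutoRun: bit n (A: = bit 0) disables AutoRun for that drive letter."""
    return [chr(ord("A") + n) for n in range(26) if value & (1 << n)]


def parse_otl_autorun(log_text):
    """Collect the AutoRun policy values and the AutoRun files OTL found."""
    policies, autorun_files = [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = POLICY_RE.match(line)
        if m:
            policies.append((m["key"], m["name"], int(m["value"])))
            continue
        m = AUTORUN_FILE_RE.match(line)
        if m:
            attrs = m["attrs"]
            autorun_files.append({
                "path": m["path"],
                "readonly": attrs[0] == "R",
                "hidden": attrs[1] == "H",
                "system": attrs[2] == "S",
                "is_dir": attrs[3] == "D",
            })
    return {"policies": policies, "autorun_files": autorun_files}


def autorun_report(log_text):
    """Turn the parsed lines into plain findings a log reviewer can act on."""
    parsed = parse_otl_autorun(log_text)
    findings = []
    for key, name, value in parsed["policies"]:
        if name == "NoDriveTypeAutoRun":
            decoded = decode_no_drive_type_autorun(value)
            still = ", ".join(decoded["enabled"]) or "no drive type"
            findings.append(f"{key} NoDriveTypeAutoRun=0x{value:X}: AutoRun still allowed for {still}")
        elif name == "NoDriveAutoRun":
            letters = decode_no_drive_autorun(value)
            findings.append(f"{key} NoDriveAutoRun=0x{value:X}: AutoRun off for {len(letters)} drive letters")
    for entry in parsed["autorun_files"]:
        if entry["path"].lower().endswith("autorun.inf"):
            kind = "directory" if entry["is_dir"] else "FILE"
            findings.append(f"{entry['path']}: autorun.inf is a {kind}, hidden={entry['hidden']}")
    return findings


if __name__ == "__main__":
    for finding in autorun_report(SAMPLE_OTL_LINES):
        print(finding)
```

On this thread's values, 323 (0x143) disables AutoRun only for unknown, no-root-dir and RAM-disk drive types (and sets an undefined 0x100 bit), so on its own it would still allow AutoRun on removable and fixed drives; what actually blocks the external disks here is NoDriveAutoRun = 67108863 (0x3FFFFFF), which covers all 26 drive letters. The three autorun.inf entries on H:, I: and J: are directories, which is the vaccination technique, not a runnable autorun.inf.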


#11 chew yee jian
  • Topic Starter

  • Members
  • 21 posts

Posted 22 May 2012 - 05:58 AM

here it is...
sorry for the late reply~

OTL


OTL logfile created on: 5/22/2012 4:30:57 PM - Run 1
OTL by OldTimer - Version 3.2.43.1 Folder = C:\Documents and Settings\Yee Heng\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1012.12 Mb Total Physical Memory | 473.06 Mb Available Physical Memory | 46.74% Memory free
2.37 Gb Paging File | 1.95 Gb Available in Paging File | 82.34% Paging File free
Paging file location(s): C:\pagefile.sys 1512 3024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 48.83 Gb Total Space | 25.42 Gb Free Space | 52.06% Space Free | Partition Type: NTFS
Drive D: | 97.66 Gb Total Space | 0.61 Gb Free Space | 0.63% Space Free | Partition Type: NTFS
Drive E: | 86.40 Gb Total Space | 44.77 Gb Free Space | 51.82% Space Free | Partition Type: NTFS
Drive H: | 97.66 Gb Total Space | 30.86 Gb Free Space | 31.61% Space Free | Partition Type: NTFS
Drive I: | 97.66 Gb Total Space | 27.31 Gb Free Space | 27.97% Space Free | Partition Type: NTFS
Drive J: | 102.78 Gb Total Space | 63.70 Gb Free Space | 61.98% Space Free | Partition Type: NTFS

Computer Name: ELITE | User Name: Yee Heng | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/05/22 16:29:21 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Yee Heng\My Documents\Downloads\OTL.exe
PRC - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/04/04 15:56:38 | 000,462,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/03/14 16:27:38 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/01/22 04:19:11 | 000,540,672 | ---- | M] (H.Shirouzu) -- C:\Program Files\IPMsg\ipmsg.exe
PRC - [2011/05/10 05:10:58 | 003,459,712 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2011/05/10 05:10:57 | 000,042,184 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2010/05/14 01:50:00 | 000,495,708 | ---- | M] (IDT, Inc.) -- C:\Program Files\IDT\WDM\sttray.exe
PRC - [2010/05/14 01:50:00 | 000,237,650 | ---- | M] (IDT, Inc.) -- C:\Program Files\IDT\WDM\stacsv.exe
PRC - [2010/04/12 01:40:16 | 000,180,224 | ---- | M] (PowerISO Computing, Inc.) -- C:\Program Files\PowerISO\PWRISOVM.EXE
PRC - [2009/09/23 16:45:50 | 001,287,176 | ---- | M] (Panda Security) -- C:\Program Files\Panda USB Vaccine\USBVaccine.exe
PRC - [2009/08/11 20:37:44 | 000,753,664 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\AESTFltr.exe
PRC - [2009/07/29 15:29:48 | 001,455,480 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
PRC - [2009/07/29 15:29:48 | 000,607,584 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2004/08/04 01:56:58 | 000,073,796 | ---- | M] (Smart Link) -- C:\WINDOWS\system32\slserv.exe
PRC - [2004/08/03 09:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2012/05/21 11:18:48 | 001,761,792 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\12052101\algo.dll
MOD - [2012/01/04 02:28:20 | 000,063,152 | ---- | M] () -- c:\Program Files\Common Files\Thunder Network\ServicePlatform\XLBugHandler.dll
MOD - [2011/12/29 22:37:32 | 000,177,776 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Thunder Network\KanKan\Pusher\xappdrv.1.0.0.11.dll
MOD - [2009/07/29 15:28:46 | 002,854,976 | ---- | M] () -- C:\WINDOWS\system32\btwicons.dll
MOD - [2009/07/29 15:26:46 | 000,069,697 | ---- | M] () -- C:\Program Files\WIDCOMM\Bluetooth Software\BTKeyInd.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/01/04 02:28:56 | 000,087,728 | ---- | M] (ShenZhen Xunlei Networking Technologies,LTD) [Auto | Running] -- C:\Program Files\Common Files\Thunder Network\ServicePlatform\XLSP.dll -- (XLServicePlatform)
SRV - [2011/05/10 05:10:57 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/05/14 01:50:00 | 000,237,650 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Program Files\IDT\WDM\stacsv.exe -- (STacSV)
SRV - [2010/03/18 12:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2004/09/29 13:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2004/08/04 01:56:58 | 000,073,796 | ---- | M] (Smart Link) [Auto | Running] -- C:\WINDOWS\System32\slserv.exe -- (SLService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\ZDPSp50.sys -- (ZDPSp50)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\YEEHEN~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/05/10 05:03:54 | 000,441,176 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/05/10 05:03:44 | 000,307,928 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/05/10 05:02:37 | 000,049,240 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/05/10 05:02:25 | 000,102,616 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/05/10 04:59:56 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/05/10 04:59:37 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011/05/10 04:59:35 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2011/02/10 16:03:42 | 002,696,448 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2010/05/14 01:50:00 | 001,660,499 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2010/04/12 01:44:34 | 000,059,388 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2010/02/08 22:57:16 | 000,186,912 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV - [2009/08/24 13:02:18 | 000,045,984 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2009/08/24 13:02:06 | 000,156,816 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2009/08/24 13:02:02 | 000,037,160 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2009/08/24 13:01:58 | 000,991,264 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2009/08/24 13:01:54 | 000,533,024 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2009/04/21 23:13:34 | 000,113,664 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AESTAud.sys -- (AESTAud)
DRV - [2008/01/15 00:44:12 | 000,109,568 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\zebrmdmc.sys -- (zebrmdmc) Sony Ericsson mRouter Port (WDM)
DRV - [2008/01/15 00:44:12 | 000,109,568 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\zebrmdm.sys -- (zebrmdm) Sony Ericsson Port (WDM)
DRV - [2008/01/15 00:44:10 | 000,014,848 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\zebrmdfl.sys -- (zebrmdfl)
DRV - [2008/01/15 00:44:08 | 000,083,200 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\zebrbus.sys -- (zebrbus)
DRV - [2005/11/09 20:54:56 | 000,402,944 | ---- | M] (Belkin Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BLKWGU.sys -- (BLKWGU(Belkin)) Belkin Wireless G USB Network Adapter(Belkin)
DRV - [2004/08/03 23:41:46 | 000,095,424 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slnthal.sys -- (SlNtHal)
DRV - [2004/08/03 23:41:46 | 000,013,240 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slwdmsup.sys -- (SlWdmSup)
DRV - [2004/08/03 23:41:42 | 000,129,535 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slnt7554.sys -- (Slnt7554)
DRV - [2004/08/03 23:41:40 | 000,180,360 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ntmtlfax.sys -- (NtMtlFax)
DRV - [2004/08/03 23:41:40 | 000,126,686 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mtlmnt5.sys -- (Mtlmnt5)
DRV - [2004/08/03 23:41:40 | 000,013,776 | ---- | M] (Smart Link) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\RecAgent.sys -- (RecAgent)
DRV - [2004/08/03 23:41:38 | 001,309,184 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mtlstrm.sys -- (Mtlstrm)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-602162358-1606980848-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.4
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.69: C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.69: C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@xunlei.com/DapCtrl: C:\Program Files\Common Files\Thunder Network\KanKan\npDapCtrl.3.1.0.1.(972).dll (ShenZhen Thunder Networking Technologies Ltd.)
FF - HKLM\Software\MozillaPlugins\@xunlei.com/npxunlei;version=1.0.0.1: C:\Program Files\Thunder Network\Thunder\data\npxunlei1.0.0.1.dll ( )
FF - HKCU\Software\MozillaPlugins\@xunlei.com/npxunlei;version=1.0.0.1: C:\Program Files\Thunder Network\Thunder\data\npxunlei1.0.0.1.dll ( )

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/05/15 09:09:43 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.28\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/03/16 19:40:27 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.28\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/03/14 16:27:41 | 000,000,000 | ---D | M]

[2011/02/10 16:11:40 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Yee Heng\Application Data\Mozilla\Extensions
[2012/05/22 00:19:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Yee Heng\Application Data\Mozilla\Firefox\Profiles\j3hyunew.default\extensions
[2012/03/08 14:39:52 | 000,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\Yee Heng\Application Data\Mozilla\Firefox\Profiles\j3hyunew.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2012/02/14 01:06:21 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Yee Heng\Application Data\Mozilla\Firefox\Profiles\j3hyunew.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/02/10 16:11:33 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2001/08/23 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Ѹ֧) - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\BHO\XunleiBHO7.2.5.3364.dll (深圳市迅雷网络技术有限公司)
O4 - HKLM..\Run: [AESTFltr] C:\WINDOWS\System32\AESTFltr.exe (Andrea Electronics Corporation)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [USBScan.exe] C:\Program Files\USBScan\USBScan.exe -Hide File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Documents and Settings\Yee Heng\Start Menu\Programs\Startup\IPMSG for Win32.lnk = C:\Program Files\IPMsg\ipmsg.exe (H.Shirouzu)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-602162358-1606980848-1801674531-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-602162358-1606980848-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-602162358-1606980848-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-602162358-1606980848-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &ʹ&Ѹ - C:\Program Files\Thunder Network\Thunder\BHO\OfflineDownload.htm ()
O8 - Extra context menu item: &ʹ&Ѹ - C:\Program Files\Thunder Network\Thunder\BHO\geturl.htm ()
O8 - Extra context menu item: &ʹ&Ѹȫ - C:\Program Files\Thunder Network\Thunder\BHO\getAllurl.htm ()
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O8 - Extra context menu item: 使用迅雷看看播放器播放 - C:\Documents and Settings\All Users\Application Data\Thunder Network\XMP4\core\program\XmpIEMenu.htm ()
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B4C5CFD0-6ED8-4A9F-8F6E-534183B397D1}: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Yee Heng\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Yee Heng\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/02/10 15:48:38 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/11/02 09:29:42 | 000,000,000 | ---D | M] - H:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/11/02 09:29:47 | 000,000,000 | RH-D | M] - I:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/11/02 09:29:50 | 000,000,000 | RH-D | M] - J:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/05/22 00:24:17 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Yee Heng\Recent
[2012/05/19 21:55:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/05/19 21:54:59 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/05/19 21:54:59 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/05/19 21:14:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Yee Heng\Application Data\Malwarebytes
[2012/05/19 21:13:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/05/19 21:10:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Panda Security
[2012/05/19 21:10:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Panda Security
[2012/05/19 21:10:54 | 000,000,000 | ---D | C] -- C:\Program Files\Panda USB Vaccine
[2012/05/19 19:17:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/05/19 18:58:28 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/05/19 18:50:46 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/05/19 18:50:46 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/05/19 18:50:46 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/05/19 18:50:46 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/05/19 18:45:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/05/19 18:45:29 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/05/19 15:07:47 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2012/05/19 15:07:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Yee Heng\Local Settings\Application Data\Google
[2012/05/15 21:44:46 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Yee Heng\My Documents\My Videos
[2012/05/15 21:44:46 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Yee Heng\Start Menu\Programs\Administrative Tools
[2012/05/08 01:44:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Yee Heng\Desktop\Moral clip 1
[2012/04/28 01:36:11 | 000,000,000 | ---D | C] -- C:\Program Files\USBScan
[2012/04/28 01:03:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Yee Heng\Desktop\teknik jawab soalan 2011
[2012/04/28 01:03:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Yee Heng\Desktop\Revision 2007
[2012/04/28 01:03:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Yee Heng\Desktop\old
[2012/04/24 01:45:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Yee Heng\Desktop\Bejeweled 2
[2012/04/24 01:44:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Yee Heng\Desktop\Zuma's Revenge!
[2012/04/24 01:41:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Yee Heng\Desktop\desktop
[2012/04/24 01:40:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Yee Heng\Desktop\rubbish
[2012/04/24 01:40:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Yee Heng\Desktop\youtube song
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/05/22 16:32:31 | 000,312,172 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/05/22 16:32:31 | 000,040,394 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/05/22 16:27:18 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/05/22 16:27:17 | 000,000,530 | ---- | M] () -- C:\WINDOWS\tasks\PandaUSBVaccine.job
[2012/05/22 16:26:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/05/22 07:12:00 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/05/22 00:03:16 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/05/19 21:55:05 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/05/19 18:58:34 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/05/19 15:03:40 | 000,046,080 | ---- | M] () -- C:\Documents and Settings\Yee Heng\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/05/12 13:55:41 | 000,051,407 | ---- | M] () -- C:\Documents and Settings\Yee Heng\My Documents\how-to-use-combofix.htm
[2012/04/24 01:46:36 | 000,000,016 | ---- | M] () -- C:\WINDOWS\popcinfo.dat
[2012/04/24 01:46:21 | 000,000,652 | ---- | M] () -- C:\Documents and Settings\Yee Heng\Desktop\Shortcut to ZumasRevenge.exe.lnk
[2012/04/24 01:46:12 | 000,000,614 | ---- | M] () -- C:\Documents and Settings\Yee Heng\Desktop\Shortcut to Bejeweled2.exe.lnk
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/05/19 21:55:05 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/05/19 21:10:56 | 000,000,530 | ---- | C] () -- C:\WINDOWS\tasks\PandaUSBVaccine.job
[2012/05/19 18:58:34 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/05/19 18:58:32 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/05/19 18:50:46 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/05/19 18:50:46 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/05/19 18:50:46 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/05/19 18:50:46 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/05/19 18:50:46 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/05/19 15:07:50 | 000,000,890 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/05/19 15:07:50 | 000,000,886 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/05/12 13:55:39 | 000,051,407 | ---- | C] () -- C:\Documents and Settings\Yee Heng\My Documents\how-to-use-combofix.htm
[2012/04/28 01:02:50 | 138,519,787 | ---- | C] () -- C:\Documents and Settings\Yee Heng\Desktop\Brice-RO Installer01.exe
[2012/04/24 01:46:21 | 000,000,652 | ---- | C] () -- C:\Documents and Settings\Yee Heng\Desktop\Shortcut to ZumasRevenge.exe.lnk
[2012/04/24 01:46:12 | 000,000,614 | ---- | C] () -- C:\Documents and Settings\Yee Heng\Desktop\Shortcut to Bejeweled2.exe.lnk
[2012/04/24 01:45:36 | 000,000,016 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2012/03/15 21:04:13 | 000,113,163 | ---- | C] () -- C:\WINDOWS\hpoins07.dat
[2012/03/15 21:04:12 | 000,021,124 | ---- | C] () -- C:\WINDOWS\hpomdl07.dat
[2012/02/28 00:12:45 | 000,000,048 | ---- | C] () -- C:\WINDOWS\CTWave32.ini
[2012/02/23 00:05:00 | 001,836,464 | ---- | C] () -- C:\WINDOWS\System32\ltmm16.dll
[2012/02/22 19:02:01 | 000,000,061 | ---- | C] () -- C:\WINDOWS\sbwin.ini
[2012/02/13 01:16:51 | 000,000,020 | ---- | C] () -- C:\WINDOWS\System32\pub_store.dat
[2011/05/15 14:49:18 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2011/05/15 14:49:17 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2011/05/15 14:49:08 | 002,402,304 | ---- | C] () -- C:\WINDOWS\System32\x264vfw.dll
[2011/05/15 14:49:07 | 000,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2011/05/15 14:49:07 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2011/05/15 14:49:06 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2011/05/15 14:49:00 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2011/05/15 14:17:33 | 000,046,080 | ---- | C] () -- C:\Documents and Settings\Yee Heng\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/02/10 16:11:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/02/10 15:51:07 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/02/10 15:45:06 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/02/10 07:33:25 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/02/10 07:32:02 | 000,267,800 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== Files - Unicode (All) ==========
[2012/04/21 02:06:46 | 000,000,000 | ---D | M](C:\Documents and Settings\Yee Heng\Desktop\???) -- C:\Documents and Settings\Yee Heng\Desktop\大丫鬟
[2012/04/21 00:39:09 | 000,000,000 | ---D | C](C:\Documents and Settings\Yee Heng\Desktop\???) -- C:\Documents and Settings\Yee Heng\Desktop\大丫鬟
[2012/04/03 01:22:33 | 000,011,278 | ---- | M] ()(C:\Documents and Settings\Yee Heng\My Documents\?????????????.docx) -- C:\Documents and Settings\Yee Heng\My Documents\写信告诉我今天海是什么颜色.docx
[2012/04/03 01:22:32 | 000,011,278 | ---- | C] ()(C:\Documents and Settings\Yee Heng\My Documents\?????????????.docx) -- C:\Documents and Settings\Yee Heng\My Documents\写信告诉我今天海是什么颜色.docx
[2012/02/11 21:30:18 | 000,027,648 | ---- | C] ()(C:\Documents and Settings\Yee Heng\My Documents\????.doc) -- C:\Documents and Settings\Yee Heng\My Documents\个人资料.doc
[2012/02/11 21:14:44 | 000,011,359 | ---- | M] ()(C:\Documents and Settings\Yee Heng\My Documents\????.docx) -- C:\Documents and Settings\Yee Heng\My Documents\个人资料.docx
[2012/02/11 21:14:15 | 000,027,648 | ---- | M] ()(C:\Documents and Settings\Yee Heng\My Documents\????.doc) -- C:\Documents and Settings\Yee Heng\My Documents\个人资料.doc
[2012/02/11 21:06:31 | 000,011,359 | ---- | C] ()(C:\Documents and Settings\Yee Heng\My Documents\????.docx) -- C:\Documents and Settings\Yee Heng\My Documents\个人资料.docx
[2012/02/08 03:04:22 | 004,368,173 | ---- | C] ()(C:\Documents and Settings\Yee Heng\Desktop\09 ???????(?42-5).wma) -- C:\Documents and Settings\Yee Heng\Desktop\09 祢的笑臉幫助我(詩42-5).wma
[2012/01/03 13:26:10 | 326,575,449 | ---- | C] ()(C:\Documents and Settings\Yee Heng\Desktop\???????-???????.rmvb) -- C:\Documents and Settings\Yee Heng\Desktop\蜡笔小新剧场版-布里王国的宝藏.rmvb
[2011/12/05 13:06:32 | 004,368,173 | ---- | M] ()(C:\Documents and Settings\Yee Heng\Desktop\09 ???????(?42-5).wma) -- C:\Documents and Settings\Yee Heng\Desktop\09 祢的笑臉幫助我(詩42-5).wma
[2008/06/05 13:37:08 | 326,575,449 | ---- | M] ()(C:\Documents and Settings\Yee Heng\Desktop\???????-???????.rmvb) -- C:\Documents and Settings\Yee Heng\Desktop\蜡笔小新剧场版-布里王国的宝藏.rmvb
(C:\Documents and Settings\All Users\Start Menu\Programs\????) -- C:\Documents and Settings\All Users\Start Menu\Programs\迅雷软件

< End of report >


Extras.txt


OTL Extras logfile created on: 5/22/2012 4:30:57 PM - Run 1
OTL by OldTimer - Version 3.2.43.1 Folder = C:\Documents and Settings\Yee Heng\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1012.12 Mb Total Physical Memory | 473.06 Mb Available Physical Memory | 46.74% Memory free
2.37 Gb Paging File | 1.95 Gb Available in Paging File | 82.34% Paging File free
Paging file location(s): C:\pagefile.sys 1512 3024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 48.83 Gb Total Space | 25.42 Gb Free Space | 52.06% Space Free | Partition Type: NTFS
Drive D: | 97.66 Gb Total Space | 0.61 Gb Free Space | 0.63% Space Free | Partition Type: NTFS
Drive E: | 86.40 Gb Total Space | 44.77 Gb Free Space | 51.82% Space Free | Partition Type: NTFS
Drive H: | 97.66 Gb Total Space | 30.86 Gb Free Space | 31.61% Space Free | Partition Type: NTFS
Drive I: | 97.66 Gb Total Space | 27.31 Gb Free Space | 27.97% Space Free | Partition Type: NTFS
Drive J: | 102.78 Gb Total Space | 63.70 Gb Free Space | 61.98% Space Free | Partition Type: NTFS

Computer Name: ELITE | User Name: Yee Heng | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-602162358-1606980848-1801674531-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"33674:UDP" = 33674:UDP:*:Enabled:ThunderLAN(UDP)
"33673:TCP" = 33673:TCP:*:Enabled:ThunderLAN(TCP)

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\NetMeeting\conf.exe" = C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows NetMeeting -- (Microsoft Corporation)
"C:\Program Files\IPMsg\ipmsg.exe" = C:\Program Files\IPMsg\ipmsg.exe:*:Enabled:IPMsg -- (H.Shirouzu)
"C:\Program Files\Thunder Network\Thunder\NetMon\net_monitor_i.exe" = C:\Program Files\Thunder Network\Thunder\NetMon\net_monitor_i.exe:*:Enabled:NetMonI7.2.5.3364 -- (Thunder Networking Technologies,LTD)
"C:\Program Files\Thunder Network\Thunder\NetMon\lsp_check.exe" = C:\Program Files\Thunder Network\Thunder\NetMon\lsp_check.exe:*:Enabled:LspCheck7.2.5.3364 -- (Thunder Networking Technologies,LTD)
"C:\Program Files\Thunder Network\Thunder\Program\Thunder.exe" = C:\Program Files\Thunder Network\Thunder\Program\Thunder.exe:*:Enabled:Thunder7.2.5.3364 -- ()
"C:\Program Files\Thunder Network\Thunder\Program\ThunderBhoStat.exe" = C:\Program Files\Thunder Network\Thunder\Program\ThunderBhoStat.exe:*:Enabled:ThunderBhoStat7.2.5.3364 -- (深圳市迅雷网络技术有限公司)
"C:\Program Files\Thunder Network\Thunder\Program\ThunderLiveUD.exe" = C:\Program Files\Thunder Network\Thunder\Program\ThunderLiveUD.exe:*:Enabled:Thunder LiveUpdate7.2.5.3364 -- ()
"C:\Program Files\Thunder Network\Thunder\FCMiniDownloader\MiniDownloader.exe" = C:\Program Files\Thunder Network\Thunder\FCMiniDownloader\MiniDownloader.exe:*:Enabled:FCMiniDownloader7.2.5.3364 -- (深圳市迅雷网络技术有限公司)
"C:\Program Files\Thunder Network\Xmp\Program\ThunderLiveUD.exe" = C:\Program Files\Thunder Network\Xmp\Program\ThunderLiveUD.exe:*:Enabled:ThunderLiveUD -- ()
"C:\Program Files\Thunder Network\Xmp\Program\XMP.exe" = C:\Program Files\Thunder Network\Xmp\Program\XMP.exe:*:Enabled:??????? -- (深圳市迅雷网络技术有限公司)
"C:\Program Files\Thunder Network\Xmp\Program\XLBugReport.exe" = C:\Program Files\Thunder Network\Xmp\Program\XLBugReport.exe:*:Enabled:XLBugReport -- ()
"C:\Program Files\Common Files\Thunder Network\Kankan\xmp.exe" = C:\Program Files\Common Files\Thunder Network\Kankan\xmp.exe:*:Enabled:??????? -- (深圳市迅雷网络技术有限公司)
"C:\Program Files\Common Files\Thunder Network\Kankan\ThunderServiceLite.exe" = C:\Program Files\Common Files\Thunder Network\Kankan\ThunderServiceLite.exe:*:Enabled:?????? -- (ShenZhen Thunder Networking Technologies,Ltd.)
"C:\Program Files\Common Files\Thunder Network\TP\Ver1\1.1.2.99_1111\ThunderPlatform.exe" = C:\Program Files\Common Files\Thunder Network\TP\Ver1\1.1.2.99_1111\ThunderPlatform.exe:*:Enabled:ThunderPlatform1.1.2.99 -- (ShenZhen Xunlei Networking Technologies,LTD)
"C:\Program Files\Common Files\Thunder Network\TP\Ver1\1.1.2.99_1111\ThunderLiveUD.exe" = C:\Program Files\Common Files\Thunder Network\TP\Ver1\1.1.2.99_1111\ThunderLiveUD.exe:*:Enabled:ThunderLiveUD1.1.2.99 -- ()
"C:\Program Files\Common Files\Thunder Network\TP\Ver1\1.1.2.99_1111\XLBugReport.exe" = C:\Program Files\Common Files\Thunder Network\TP\Ver1\1.1.2.99_1111\XLBugReport.exe:*:Enabled:XLBugReport1.1.2.99 -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- ()
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0611BD4E-4FE4-4a62-B0C0-18A4CC463428}" = CP_Package_Variety1
"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations
"{0B33B738-AD79-4E32-90C5-E67BFB10BBFF}" = AiO_Scan
"{13C4E8F0-B747-4C7C-9090-884832F9F90A}" = Proteus 7 Professional
"{15EE79F4-4ED1-4267-9B0F-351009325D7D}" = HP Software Update
"{193DB24F-9A66-4896-8404-22D53EA89075}" = 1400_Help
"{1C139D7D-9FEA-468d-A9C8-2A6E3BDE564A}" = CP_Package_Variety3
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{266959FA-0AEE-41D0-A88E-F1EAC10A7C14}" = 1400
"{2CADCEAB-D5DA-44D6-B5FC-7DEE87AB3C0C}" = Unload
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
"{34985F59-8F6F-46F4-9AD5-53E2714294D2}" = ArcSoft WebCam Companion 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{44564479-0533-4542-8D5A-4937EA4BFBAC}" = MPLAB Tools v8.30
"{487BC3B8-7BD9-4860-8F52-2F7E8C65B75E}" = WLAN
"{54E3707F-808E-4fd4-95C9-15D1AB077E5D}" = NewCopy
"{55A41219-9B22-4098-BAE7-AE289B3C569A}_is1" = Panda USB Vaccine 1.0.1.4
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg
"{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}" = HP PSC & OfficeJet 5.3.B
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6BB6627C-694F-4FDC-A3E5-C7F4BED4C724}" = DocProc
"{7850A6D2-CBEA-4728-9877-F1BEDEA9F619}" = AiOSoftware
"{7C9B95B7-B598-4398-B30F-7F6827192E6C}" = ProductContext
"{84814E6B-2581-46EC-926A-823BD1C670F6}" = HP Integrated Module with Bluetooth wireless technology
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{923A7F5A-1E8C-4FBE-8DF6-85940A60A79F}" = Readme
"{96AE7E41-E34E-47D0-AC07-1091A8127911}" = Realtek USB 2.0 Card Reader
"{A195B13E-A5E3-4BAF-A995-7F70F445CD06}" = ScannerCopy
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A80000000002}" = Adobe Reader 8
"{B824B5C9-849F-4b9e-9EA7-6FD8CD8116DA}" = CP_Package_Variety2
"{B996AE66-10DB-4ac5-B151-E8B4BFBC42FC}" = BufferChm
"{C506A18C-1469-4678-B094-F4EC9DAE6DB7}" = Scan
"{C510CA36-98D6-4F07-8AFF-81E7399A075B}" = 1400Trb
"{CE24344F-DFD8-40C8-8FD8-C9740B5F25AC}" = Fax
"{CF57D7D1-FC88-4024-AEDE-1F965FD12A5E}_is1" = tsDemux 1.0
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter
"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status
"{FE64AE29-0883-4C70-8388-DC026019C900}" = HP Image Zone Express
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"Audacity_is1" = Audacity 1.2.6
"avast" = avast! Free Antivirus
"Broadcom 802.11 Wireless LAN Adapter" = Broadcom 802.11 Wireless LAN Adapter
"Broadcom 802.11b Network Adapter" = BCM Wireless Network Adapter
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Flash Player Pro_is1" = Flash Player Pro V4.4
"HDMI" = Intel® Graphics Media Accelerator Driver
"HP Imaging Device Functions" = HP Imaging Device Functions 5.3
"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.3
"InstallShield_{44564479-0533-4542-8D5A-4937EA4BFBAC}" = MPLAB Tools v8.30
"IPMSG for Win32" = IP Messenger for Win
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 4.9.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Mozilla Firefox (3.6.28)" = Mozilla Firefox (3.6.28)
"MPE" = MyPhoneExplorer
"PICC 9.60PL5" = HI-TECH C PRO for the PIC10/12/16 MCU Family V9.60PL5
"PowerISO" = PowerISO
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"thunder_is1" = Ѹ7
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Windows Media Format Runtime" = Windows Media Format Runtime
"WinRAR archiver" = WinRAR archiver
"WLAN 802.11g mini-PCI Module" = WLAN 802.11g mini-PCI Module
"迅雷看看播放器" = 迅雷看看播放器
"迅雷看看高清播放组件" = 迅雷看看高清播放组件

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/29/2012 10:59:15 AM | Computer Name = ELITE | Source = WLTRYSVC | ID = 2
Description =

Error - 3/30/2012 2:52:02 PM | Computer Name = ELITE | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.2.4448, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 4/19/2012 4:00:18 AM | Computer Name = ELITE | Source = WLTRYSVC | ID = 2
Description =

Error - 4/21/2012 8:20:07 AM | Computer Name = ELITE | Source = WLTRYSVC | ID = 2
Description =

Error - 4/22/2012 3:48:25 AM | Computer Name = ELITE | Source = WLTRYSVC | ID = 2
Description =

Error - 4/23/2012 5:24:35 AM | Computer Name = ELITE | Source = Application Hang | ID = 1002
Description = Hanging application mplayerc.exe, version 1.2.1008.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/29/2012 9:02:11 AM | Computer Name = ELITE | Source = WLTRYSVC | ID = 2
Description =

Error - 5/9/2012 6:19:59 PM | Computer Name = ELITE | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module wiaservc.dll, version 5.1.2600.2180, fault address 0x000222e0.

Error - 5/13/2012 5:47:25 AM | Computer Name = ELITE | Source = WLTRYSVC | ID = 2
Description =

Error - 5/20/2012 3:37:27 AM | Computer Name = ELITE | Source = WLTRYSVC | ID = 2
Description =

[ System Events ]
Error - 5/22/2012 4:17:35 AM | Computer Name = ELITE | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC90.DebugCRT could not be found and
Last Error was The referenced assembly is not installed on your system.

Error - 5/22/2012 4:17:35 AM | Computer Name = ELITE | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC90.DebugCRT. Reference
error message: The referenced assembly is not installed on your system. .

Error - 5/22/2012 4:17:35 AM | Computer Name = ELITE | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Thunder Network\Thunder\addins\TranscodeAddin\report_fp.dll.
Reference
error message: The operation completed successfully. .

Error - 5/22/2012 5:16:13 AM | Computer Name = ELITE | Source = Service Control Manager | ID = 7031
Description = The XLServicePlatform service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 5/22/2012 5:17:15 AM | Computer Name = ELITE | Source = Service Control Manager | ID = 7031
Description = The XLServicePlatform service terminated unexpectedly. It has done
this 2 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 5/22/2012 5:18:17 AM | Computer Name = ELITE | Source = Service Control Manager | ID = 7034
Description = The XLServicePlatform service terminated unexpectedly. It has done
this 3 time(s).

Error - 5/22/2012 5:30:46 AM | Computer Name = ELITE | Source = BROWSER | ID = 8032
Description = The browser service has failed to retrieve the backup list too many
times on transport \Device\NetBT_Tcpip_{B4C5CFD0-6ED8-4A9F-8F6E-534183B397D1}. The
backup browser is stopping.

Error - 5/22/2012 7:29:05 PM | Computer Name = ELITE | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC90.DebugCRT could not be found and
Last Error was The referenced assembly is not installed on your system.

Error - 5/22/2012 7:29:05 PM | Computer Name = ELITE | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC90.DebugCRT. Reference
error message: The referenced assembly is not installed on your system. .

Error - 5/22/2012 7:29:05 PM | Computer Name = ELITE | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Thunder Network\Thunder\addins\TranscodeAddin\report_fp.dll.
Reference
error message: The operation completed successfully. .


< End of report >

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,980 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:14 PM

Posted 22 May 2012 - 07:09 AM

Please let me know if there is any problem left after the following fix.

OTL FIX
------------
We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and paste the following code into the Custom Scans/Fixes textbox.
    :otl
    O32 - AutoRun File - [2010/11/02 09:29:42 | 000,000,000 | ---D | M] - H:\autorun.inf -- [ NTFS ]
    O32 - AutoRun File - [2010/11/02 09:29:47 | 000,000,000 | RH-D | M] - I:\autorun.inf -- [ NTFS ]
    O32 - AutoRun File - [2010/11/02 09:29:50 | 000,000,000 | RH-D | M] - J:\autorun.inf -- [ NTFS ]
    
    :commands
    [reboot]
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#13 chew yee jian

chew yee jian
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:03:14 PM

Posted 24 May 2012 - 03:44 AM

A question here....
Does the process take a long time??

I let it run around 2 times,
and it was running about 2-3 hours before my computer went into auto-standby,
and the OTL.exe process had written
Killing Process.... Please do not interupt....

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,980 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:14 PM

Posted 24 May 2012 - 05:24 AM

I adapted the script; can you try it again?

regards, Elise




#15 chew yee jian

chew yee jian
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:03:14 PM

Posted 24 May 2012 - 09:10 AM

Tried... done...
but autorun.inf & Recycled are still found on the hard disks~
all files are still hidden....
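
The OTL fix in post #12 removes the autorun.inf entries on H:, I: and J:, and post #15 reports that autorun.inf, Recycled and hidden files are still present afterwards. The script below is an added example, not OTL's code and not anything posted in this thread. It shows the check a responder would run on a volume root after such a fix: whether autorun.inf exists, whether it is a file or a directory (the three entries in the fix are flagged ---D and RH-D, i.e. directories), which [autorun] directives would launch a program if Autorun were honoured, and which hidden and .scr files remain. The fake drive root, the sample autorun.inf text and the 166 KB dummy .scr file are constructed for the example; the Hidden/System attribute bits are only readable on Windows, so on other platforms a dot-prefix heuristic stands in for them.

```python
"""Added triage example: inspect a volume root for autorun.inf, the programs it
would launch, and leftover hidden / .scr files. Constructed sample data only."""
import os
import re
import shutil
import tempfile
from dataclasses import dataclass, field

# Windows file-attribute bits as reported in os.stat().st_file_attributes
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4

# [autorun] directives that name something to execute when the volume is opened
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")  # e.g. shell\open\command


@dataclass
class VolumeReport:
    autorun_present: bool = False
    autorun_is_directory: bool = False   # OTL shows such entries with a D flag
    exec_targets: list = field(default_factory=list)   # (directive, value)
    hidden_files: list = field(default_factory=list)   # paths relative to root
    scr_files: list = field(default_factory=list)      # (relative path, size)


def parse_autorun(text):
    """Return the (key, value) pairs in [autorun] that would launch a program."""
    targets, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in EXEC_KEYS or SHELL_CMD_RE.match(key.lower()):
            targets.append((key, value))
    return targets


def is_hidden(path):
    """Hidden/System attribute on Windows; dot-prefix heuristic elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))
    return os.path.basename(path).startswith(".")


def triage_volume(root):
    """Inspect a drive root the way a responder would after running a fix."""
    report = VolumeReport()
    inf = os.path.join(root, "autorun.inf")
    if os.path.lexists(inf):
        report.autorun_present = True
        report.autorun_is_directory = os.path.isdir(inf)
        if not report.autorun_is_directory:
            with open(inf, encoding="latin-1", errors="replace") as fh:
                report.exec_targets = parse_autorun(fh.read())
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name.lower().endswith(".scr"):
                report.scr_files.append((rel, os.path.getsize(full)))
            if is_hidden(full):
                report.hidden_files.append(rel)
    return report


def build_sample_volume(vaccinated=False):
    """Create a temporary fake drive root (constructed data, not the thread's)."""
    root = tempfile.mkdtemp(prefix="fake_volume_")
    inf = os.path.join(root, "autorun.inf")
    if vaccinated:
        os.mkdir(inf)   # an autorun.inf *directory*: nothing to parse or launch
    else:
        with open(inf, "w") as fh:
            fh.write("; constructed sample autorun.inf\r\n[autorun]\r\n"
                     "icon=RECYCLER\\sample.scr\r\n"
                     "open=RECYCLER\\sample.scr\r\n"
                     "Shell\\Open\\Command=RECYCLER\\sample.scr\r\n"
                     "[Content]\r\nMusicFiles=false\r\n")
        os.mkdir(os.path.join(root, "RECYCLER"))
        with open(os.path.join(root, "RECYCLER", "sample.scr"), "wb") as fh:
            fh.write(b"\0" * (166 * 1024))   # thread reports ~166 KB .scr files
        with open(os.path.join(root, ".hidden_doc.txt"), "w") as fh:
            fh.write("user document\n")
    return root


if __name__ == "__main__":
    for flag in (False, True):
        root = build_sample_volume(vaccinated=flag)
        try:
            print("vaccinated" if flag else "infected-style", triage_volume(root))
        finally:
            shutil.rmtree(root)
```

Point `triage_volume()` at a real drive root (for example `H:\\`) to get the same report for a volume after a fix; an `autorun.inf` that is a directory has nothing to launch, while a file with `open=` or `shell\...\command=` entries names the program Autorun would start and is the first thing to remove.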



