
Thunderbird won't send/receive


  • This topic is locked
13 replies to this topic

#1 Darwinboy

  • Members
  • 13 posts
  • OFFLINE
  • Local time: 08:30 PM

Posted 20 July 2012 - 10:14 PM

This is a referral from my original post here: http://www.bleepingcomputer.com/forums/topic461149.html


Windows XP Pro on Asus notebook.

Inadvertently opened an emailed *exe that AVG appeared to 'quarantine'??

Since then, Thunderbird won't send or receive emails (times out).

Downloaded Spybot, but it wouldn't run - just 'flashes up' & disappears.

Ran HijackThis scan, but 'Analyzer' button fails to open browser page.

It appears that Thunderbird has been 'disabled' (MS Outlook Express WILL send & receive however), and 'something' is blocking various security software??

After advice from Broni in the above original thread, downloaded MBAM - this will not run.

My Firefox browser on the infected laptop will not connect to this site (bleepingcomputer.com) nor http://www.malwarebytes.org/

On startup, AVG reports Trojan horse Hider.MPR which I elect to quarantine.

Left laptop on overnight & awoke this morning to a Windows 'blue screen of death' as follows:
A problem has been detected and windows has been shutdown to prevent damage to your computer.
The problem seems to be caused by the following file: ati2dvag


Not sure if this is relevant??

Below are the logs as requested in the Preparation Guide:

DDS.TXT
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Run by Administrator at 10:30:53 on 2012-07-21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.1860 [GMT 9.5:30]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe
C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe
C:\Program Files\ASUS\ATK Hotkey\HControl.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\ASUS\ASUS Data Security Manager\ADSMTray.exe
C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\WINDOWS\ASScrPro.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ASUS\ATK Hotkey\KBFiltr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Program Files\ASUS\ATK Hotkey\WDC.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Kyocera\FS-720 Utilities\KMGLNC.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe
C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\mstsc.exe
C:\WINDOWS\system32\calc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://www.asus.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: uTorrentControl Toolbar: {e9df9360-97f8-4690-afe6-996c80790da4} - c:\program files\utorrentcontrol\prxtbuTor.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\documents and settings\administrator\local settings\application data\wowuqhvx\fuohehfo.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: uTorrentControl Toolbar: {e9df9360-97f8-4690-afe6-996c80790da4} - c:\program files\utorrentcontrol\prxtbuTor.dll
TB: uTorrentControl Toolbar: {e9df9360-97f8-4690-afe6-996c80790da4} - c:\program files\utorrentcontrol\prxtbuTor.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SybaseCentral43] "c:\program files\sybase\shared\sybase central 4.3\win32\scjview.exe" -preload
uRun: [DBISQL9] "c:\program files\sybase\sql anywhere 9\win32\dbisqlg.exe" -preload
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Power2GoExpress] "c:\program files\cyberlink\power2go\Power2GoExpress.exe" /Startup
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [FuoHehfo] c:\documents and settings\administrator\local settings\application data\wowuqhvx\fuohehfo.exe
mRun: [MsgTranAgt] c:\program files\asus\atk hotkey\MsgTranAgt.exe
mRun: [HControlUser] c:\program files\asus\atk hotkey\HControlUser.exe
mRun: [ATKHOTKEY] c:\program files\asus\atk hotkey\HControl.exe
mRun: [ATKOSD2] "c:\program files\atkosd2\ATKOSD2.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATKMEDIA] c:\program files\asus\atk media\DMedia.exe
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [Wireless Console 2] "c:\program files\wireless console 2\wcourier.exe"
mRun: [ASUS Live Update] c:\program files\asus\asus live update\ALU.exe
mRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1
mRun: [ADSMTray] c:\program files\asus\asus data security manager\ADSMTray.exe
mRun: [ACMON] "c:\program files\asus\splendid\ACMON.exe"
mRun: [ASUS Camera ScreenSaver] c:\windows\AsScrProlog.exe
mRun: [ASUS Screen Saver Protector] c:\windows\ASScrPro.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [UpdatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" update "software\cyberlink\powerproducer\4.0"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Launcher] c:\program files\kyocera\fs-720 utilities\KMGLNC.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [BrStsMon00] c:\program files\browny02\brother\BrStMonW.exe /AUTORUN
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [AutoLaunch] c:\program files\lavasoft\ad-aware\AutoLaunch.exe monthly
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\ccc.lnk - c:\program files\ati technologies\ati.ace\core-static\CCC.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1239850588999
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1239851190437
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: DhcpNameServer = 192.168.100.1
TCP: Interfaces\{18C833AA-C1DA-4E00-A5E8-3F6DF92D5744} : DhcpNameServer = 192.168.100.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: Aspwdflt - c:\program files\asus\asus data security manager\ASPWDFLT.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli c:\program files\asus\asus data security manager\ASPWDFLT
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\an06yj98.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072254&SearchSource=2&q=
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\an06yj98.default\extensions\{e9df9360-97f8-4690-afe6-996c80790da4}\plugins\np-mswmp.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_228.dll
.
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-16 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-16 29712]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-16 243152]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-25 308136]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-9 135664]
S2 wvoip;Image Time;c:\windows\system32\svchost.exe -k netsvcs [2006-8-17 14336]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-2 253600]
S3 BrYNSvc;BrYNSvc;c:\program files\browny02\BrYNSvc.exe [2012-7-10 245760]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-9 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-7-18 40776]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-9 113120]
.
=============== Created Last 30 ================
.
2012-07-20 03:01:32 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-20 03:01:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-18 10:15:45 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-07-18 10:15:44 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2012-07-18 10:15:14 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-07-17 09:28:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-07-17 09:28:04 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-07-16 03:17:04 -------- d-----w- c:\documents and settings\administrator\local settings\application data\wowuqhvx
2012-07-16 03:17:00 92500 ----a-w- c:\documents and settings\administrator\ms.exe
2012-07-16 03:16:58 92500 ----a-w- c:\documents and settings\administrator\0.5478867098232126.exe
2012-07-09 22:38:24 -------- d-----w- C:\Brother
2012-07-09 22:38:19 -------- d-----w- c:\program files\Browny02
2012-07-09 22:38:16 45056 ----a-w- c:\windows\system32\BRTCPCON.DLL
2012-07-09 22:38:16 103736 ----a-w- c:\windows\system32\BRRBTOOL.EXE
2012-07-09 22:38:15 77824 ----a-w- c:\windows\system32\BRLMW03A.DLL
2012-07-09 22:38:15 25299 ----a-w- c:\windows\system32\BRLM03A.DLL
2012-07-09 22:38:13 73728 ------w- c:\windows\system32\BrDctF2.dll
2012-07-09 22:38:13 5120 ------w- c:\windows\system32\BrDctF2L.dll
2012-07-09 22:38:13 2560 ------w- c:\windows\system32\BrDctF2S.dll
2012-07-09 22:38:13 217088 ------w- c:\windows\system32\NSSearch.dll
2012-07-09 22:38:13 -------- d-----w- c:\program files\Brother
2012-07-09 22:38:09 180224 ----a-w- c:\windows\system32\BROSNMP.DLL
2012-07-09 22:36:57 -------- d-----w- c:\documents and settings\all users\application data\Brother
2012-07-09 21:33:17 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-07-09 21:33:17 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
2012-07-03 12:17:19 -------- d-----w- c:\documents and settings\administrator\local settings\application data\etax2012
2012-06-27 10:18:24 -------- d-----w- c:\documents and settings\all users\application data\CoffeeCup Software
2012-06-27 10:18:23 -------- d-----w- c:\documents and settings\administrator\application data\CoffeeCup Software
2012-06-27 10:09:51 715776 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{66f43dbe-6d46-4bce-831d-0d4c13639be8}\Icon66F43DBE.exe
2012-06-27 10:09:48 -------- d-----w- c:\program files\CoffeeCup Software
2012-06-27 10:09:27 -------- d-----w- c:\program files\common files\Wise Installation Wizard
.
==================== Find3M ====================
.
2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50:25 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 05:49:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 05:49:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 05:49:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 05:49:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 05:49:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 05:48:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 05:48:58 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 05:48:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-15 15:39:54 832512 ----a-w- c:\windows\system32\wininet.dll
2012-05-04 13:16:13 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-23 14:46:47 78336 ----a-w- c:\windows\system32\ieencode.dll
2012-04-23 14:46:47 1830912 ------w- c:\windows\system32\inetcpl.cpl
2012-04-23 14:46:47 17408 ----a-w- c:\windows\system32\corpol.dll
2010-08-20 15:03:26 530432 ----a-w- c:\program files\common files\comctl32.dll
2009-07-13 10:45:08 486912 ----a-w- c:\program files\common files\comdlg32.dll
.
============= FINISH: 10:32:27.54 ===============

ARK.TXT
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-21 12:48:12
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST9250320AS rev.0303
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxldrpoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF5DBE000, 0x189F82, 0xE8000020]
? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe[188] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200C7764
.text C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe[188] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200BAC05
.text C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe[188] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200C75E0
.text C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe[188] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200C14A3
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[244] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200C7764
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[244] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200BAC05
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[244] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200C75E0
.text C:\Program Files\ATKGFNEX\GFNEXSrv.exe[244] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200C14A3
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[352] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20067764
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[352] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005AC05
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[352] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200675E0
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[352] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200614A3
.text C:\WINDOWS\system32\spoolsv.exe[364] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200C7764
.text C:\WINDOWS\system32\spoolsv.exe[364] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200BAC05
.text C:\WINDOWS\system32\spoolsv.exe[364] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200C75E0
.text C:\WINDOWS\system32\spoolsv.exe[364] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200C14A3
.text C:\WINDOWS\system32\spoolsv.exe[364] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200C2363
.text C:\WINDOWS\system32\spoolsv.exe[364] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200C268D
.text C:\WINDOWS\system32\spoolsv.exe[364] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200C29A6
.text C:\WINDOWS\system32\spoolsv.exe[364] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200C2315
.text C:\WINDOWS\system32\spoolsv.exe[364] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200C27EA
.text C:\WINDOWS\system32\spoolsv.exe[364] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200C261E
.text C:\WINDOWS\system32\spoolsv.exe[364] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200C2702
.text C:\WINDOWS\system32\spoolsv.exe[364] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200C28C5
.text C:\WINDOWS\system32\spoolsv.exe[364] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200C2773
.text C:\WINDOWS\system32\acs.exe[408] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200C7764
.text C:\WINDOWS\system32\acs.exe[408] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200BAC05
.text C:\WINDOWS\system32\acs.exe[408] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200C75E0
.text C:\WINDOWS\system32\acs.exe[408] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200C14A3
.text C:\WINDOWS\system32\acs.exe[408] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200C2363
.text C:\WINDOWS\system32\acs.exe[408] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200C268D
.text C:\WINDOWS\system32\acs.exe[408] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200C29A6
.text C:\WINDOWS\system32\acs.exe[408] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200C2315
.text C:\WINDOWS\system32\acs.exe[408] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200C27EA
.text C:\WINDOWS\system32\acs.exe[408] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200C261E
.text C:\WINDOWS\system32\acs.exe[408] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200C2702
.text C:\WINDOWS\system32\acs.exe[408] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200C28C5
.text C:\WINDOWS\system32\acs.exe[408] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200C2773
.text C:\WINDOWS\system32\acs.exe[408] WININET.dll!InternetCloseHandle 3D944269 5 Bytes JMP 200C3E97
.text C:\WINDOWS\system32\acs.exe[408] WININET.dll!HttpOpenRequestA 3D94AA63 5 Bytes JMP 200C42C7
.text C:\WINDOWS\system32\acs.exe[408] WININET.dll!HttpOpenRequestW 3D94C482 5 Bytes JMP 200C42F4
.text C:\WINDOWS\system32\acs.exe[408] WININET.dll!InternetReadFile 3D9513DC 5 Bytes JMP 200C420C
.text C:\WINDOWS\system32\acs.exe[408] WININET.dll!InternetQueryDataAvailable 3D95161D 5 Bytes JMP 200C3EED
.text C:\WINDOWS\system32\acs.exe[408] WININET.dll!HttpSendRequestA 3D953560 5 Bytes JMP 200C369E
.text C:\WINDOWS\system32\acs.exe[408] WININET.dll!InternetOpenUrlA 3D956F62 5 Bytes JMP 200C4321
.text C:\WINDOWS\system32\acs.exe[408] WININET.dll!HttpSendRequestExW 3D958C51 5 Bytes JMP 200C3548
.text C:\WINDOWS\system32\acs.exe[408] WININET.dll!InternetWriteFile 3D958D64 5 Bytes JMP 200C3760
.text C:\WINDOWS\system32\acs.exe[408] WININET.dll!HttpSendRequestW 3D95FE09 5 Bytes JMP 200C36FF
.text C:\WINDOWS\system32\acs.exe[408] WININET.dll!InternetReadFileExW 3D963380 5 Bytes JMP 200C40F1
.text C:\WINDOWS\system32\acs.exe[408] WININET.dll!InternetReadFileExA 3D9633B8 5 Bytes JMP 200C404A
.text C:\WINDOWS\system32\acs.exe[408] WININET.dll!InternetOpenUrlW 3D998529 5 Bytes JMP 200C4348
.text C:\WINDOWS\system32\acs.exe[408] WININET.dll!HttpSendRequestExA 3D9AAA1E 5 Bytes JMP 200C35F3
? C:\WINDOWS\system32\svchost.exe[464] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[464] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200C7764
.text C:\WINDOWS\system32\svchost.exe[464] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200BAC05
.text C:\WINDOWS\system32\svchost.exe[464] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200C75E0
.text C:\WINDOWS\system32\svchost.exe[464] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200C14A3
.text C:\WINDOWS\system32\svchost.exe[464] WININET.dll!InternetCloseHandle 3D944269 5 Bytes JMP 200C3E97
.text C:\WINDOWS\system32\svchost.exe[464] WININET.dll!HttpOpenRequestA 3D94AA63 5 Bytes JMP 200C42C7
.text C:\WINDOWS\system32\svchost.exe[464] WININET.dll!HttpOpenRequestW 3D94C482 5 Bytes JMP 200C42F4
.text C:\WINDOWS\system32\svchost.exe[464] WININET.dll!InternetReadFile 3D9513DC 5 Bytes JMP 200C420C
.text C:\WINDOWS\system32\svchost.exe[464] WININET.dll!InternetQueryDataAvailable 3D95161D 5 Bytes JMP 200C3EED
.text C:\WINDOWS\system32\svchost.exe[464] WININET.dll!HttpSendRequestA 3D953560 5 Bytes JMP 200C369E
.text C:\WINDOWS\system32\svchost.exe[464] WININET.dll!InternetOpenUrlA 3D956F62 5 Bytes JMP 200C4321
.text C:\WINDOWS\system32\svchost.exe[464] WININET.dll!HttpSendRequestExW 3D958C51 5 Bytes JMP 200C3548
.text C:\WINDOWS\system32\svchost.exe[464] WININET.dll!InternetWriteFile 3D958D64 5 Bytes JMP 200C3760
.text C:\WINDOWS\system32\svchost.exe[464] WININET.dll!HttpSendRequestW 3D95FE09 5 Bytes JMP 200C36FF
.text C:\WINDOWS\system32\svchost.exe[464] WININET.dll!InternetReadFileExW 3D963380 5 Bytes JMP 200C40F1
.text C:\WINDOWS\system32\svchost.exe[464] WININET.dll!InternetReadFileExA 3D9633B8 5 Bytes JMP 200C404A
.text C:\WINDOWS\system32\svchost.exe[464] WININET.dll!InternetOpenUrlW 3D998529 5 Bytes JMP 200C4348
.text C:\WINDOWS\system32\svchost.exe[464] WININET.dll!HttpSendRequestExA 3D9AAA1E 5 Bytes JMP 200C35F3
.text C:\WINDOWS\system32\svchost.exe[464] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200C2363
.text C:\WINDOWS\system32\svchost.exe[464] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200C268D
.text C:\WINDOWS\system32\svchost.exe[464] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200C29A6
.text C:\WINDOWS\system32\svchost.exe[464] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200C2315
.text C:\WINDOWS\system32\svchost.exe[464] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200C27EA
.text C:\WINDOWS\system32\svchost.exe[464] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200C261E
.text C:\WINDOWS\system32\svchost.exe[464] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200C2702
.text C:\WINDOWS\system32\svchost.exe[464] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200C28C5
.text C:\WINDOWS\system32\svchost.exe[464] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200C2773
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[472] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20027764
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[472] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001AC05
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[472] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200275E0
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[472] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200214A3
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200C7764
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200BAC05
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200C75E0
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200C14A3
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200C2363
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200C268D
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200C29A6
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200C2315
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200C27EA
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200C261E
.text C:\WINDOWS\system32\svchost.exe[2932] USER32.dll!DefFrameProcA 7E44F965 5 Bytes JMP 20037C60
.text C:\WINDOWS\system32\svchost.exe[2932] USER32.dll!DefMDIChildProcA 7E44F9B4 5 Bytes JMP 20037CE0
.text C:\WINDOWS\system32\svchost.exe[2932] USER32.dll!SetCursorPos 7E4561B3 5 Bytes JMP 20035DF0
? C:\WINDOWS\system32\svchost.exe[2968] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[2968] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200C7764
.text C:\WINDOWS\system32\svchost.exe[2968] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200BAC05
.text C:\WINDOWS\system32\svchost.exe[2968] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200C75E0
.text C:\WINDOWS\system32\svchost.exe[2968] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200C14A3
.text C:\WINDOWS\system32\svchost.exe[2968] ws2_32.dll!sendto 71AB2F51 5 Bytes JMP 200C2363
.text C:\WINDOWS\system32\svchost.exe[2968] ws2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200C268D
.text C:\WINDOWS\system32\svchost.exe[2968] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200C29A6
.text C:\WINDOWS\system32\svchost.exe[2968] ws2_32.dll!send 71AB4C27 5 Bytes JMP 200C2315
.text C:\WINDOWS\system32\svchost.exe[2968] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200C27EA
.text C:\WINDOWS\system32\svchost.exe[2968] ws2_32.dll!recv 71AB676F 5 Bytes JMP 200C261E
.text C:\WINDOWS\system32\svchost.exe[2968] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200C2702
.text C:\WINDOWS\system32\svchost.exe[2968] ws2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200C28C5
.text C:\WINDOWS\system32\svchost.exe[2968] ws2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200C2773
.text C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe[3292] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20067764
.text C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe[3292] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005AC05
.text C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe[3292] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200675E0
.text C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe[3292] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200614A3
.text C:\Program Files\ASUS\Splendid\ACMON.exe[3336] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20067764
.text C:\Program Files\ASUS\Splendid\ACMON.exe[3336] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005AC05
.text C:\Program Files\ASUS\Splendid\ACMON.exe[3336] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200675E0
.text C:\Program Files\ASUS\Splendid\ACMON.exe[3336] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200614A3
.text C:\WINDOWS\RTHDCPL.EXE[3520] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20067764
.text C:\WINDOWS\RTHDCPL.EXE[3520] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005AC05
.text C:\WINDOWS\RTHDCPL.EXE[3520] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200675E0
.text C:\WINDOWS\RTHDCPL.EXE[3520] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200614A3
.text C:\WINDOWS\System32\alg.exe[3584] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20027764
.text C:\WINDOWS\System32\alg.exe[3584] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001AC05
.text C:\WINDOWS\System32\alg.exe[3584] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200275E0
.text C:\WINDOWS\System32\alg.exe[3584] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200214A3
.text C:\WINDOWS\System32\alg.exe[3584] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 20022363
.text C:\WINDOWS\System32\alg.exe[3584] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2002268D
.text C:\WINDOWS\System32\alg.exe[3584] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200229A6
.text C:\WINDOWS\System32\alg.exe[3584] WS2_32.dll!send 71AB4C27 5 Bytes JMP 20022315
.text C:\WINDOWS\System32\alg.exe[3584] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200227EA
.text C:\WINDOWS\System32\alg.exe[3584] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2002261E
.text C:\WINDOWS\System32\alg.exe[3584] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 20022702
.text C:\WINDOWS\System32\alg.exe[3584] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200228C5
.text C:\WINDOWS\System32\alg.exe[3584] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 20022773
? C:\WINDOWS\Explorer.EXE[3680] time/date stamp mismatch; unknown module: WINMM.dllunknown module: SETUPAPI.dllunknown module: WINSTA.dllunknown module: OLEACC.dllunknown module: BROWSEUI.dllunknown module: OLEAUT32.dllunknown module: SHDOCVW.dllunknown module: UxTheme.dll
.text C:\WINDOWS\Explorer.EXE[3680] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20027764
.text C:\WINDOWS\Explorer.EXE[3680] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001AC05
.text C:\WINDOWS\Explorer.EXE[3680] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200275E0
.text C:\WINDOWS\Explorer.EXE[3680] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200214A3
.text C:\WINDOWS\Explorer.EXE[3680] WININET.dll!InternetCloseHandle 3D944269 5 Bytes JMP 20023E97
.text C:\WINDOWS\Explorer.EXE[3680] WININET.dll!HttpOpenRequestA 3D94AA63 5 Bytes JMP 200242C7
.text C:\WINDOWS\Explorer.EXE[3680] WININET.dll!HttpOpenRequestW 3D94C482 5 Bytes JMP 200242F4
.text C:\WINDOWS\Explorer.EXE[3680] WININET.dll!InternetReadFile 3D9513DC 5 Bytes JMP 2002420C
.text C:\WINDOWS\Explorer.EXE[3680] WININET.dll!InternetQueryDataAvailable 3D95161D 5 Bytes JMP 20023EED
.text C:\WINDOWS\Explorer.EXE[3680] WININET.dll!HttpSendRequestA 3D953560 5 Bytes JMP 2002369E
.text C:\WINDOWS\Explorer.EXE[3680] WININET.dll!InternetOpenUrlA 3D956F62 5 Bytes JMP 20024321
.text C:\WINDOWS\Explorer.EXE[3680] WININET.dll!HttpSendRequestExW 3D958C51 5 Bytes JMP 20023548
.text C:\WINDOWS\Explorer.EXE[3680] WININET.dll!InternetWriteFile 3D958D64 5 Bytes JMP 20023760
.text C:\WINDOWS\Explorer.EXE[3680] WININET.dll!HttpSendRequestW 3D95FE09 5 Bytes JMP 200236FF
.text C:\WINDOWS\Explorer.EXE[3680] WININET.dll!InternetReadFileExW 3D963380 5 Bytes JMP 200240F1
.text C:\WINDOWS\Explorer.EXE[3680] WININET.dll!InternetReadFileExA 3D9633B8 5 Bytes JMP 2002404A
.text C:\WINDOWS\Explorer.EXE[3680] WININET.dll!InternetOpenUrlW 3D998529 5 Bytes JMP 20024348
.text C:\WINDOWS\Explorer.EXE[3680] WININET.dll!HttpSendRequestExA 3D9AAA1E 5 Bytes JMP 200235F3
.text C:\WINDOWS\system32\mstsc.exe[3768] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20067764
.text C:\WINDOWS\system32\mstsc.exe[3768] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005AC05
.text C:\WINDOWS\system32\mstsc.exe[3768] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200675E0
.text C:\WINDOWS\system32\mstsc.exe[3768] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200614A3
.text C:\WINDOWS\system32\mstsc.exe[3768] WININET.dll!InternetCloseHandle 3D944269 5 Bytes JMP 20063E97
.text C:\WINDOWS\system32\mstsc.exe[3768] WININET.dll!HttpOpenRequestA 3D94AA63 5 Bytes JMP 200642C7
.text C:\WINDOWS\system32\mstsc.exe[3768] WININET.dll!HttpOpenRequestW 3D94C482 5 Bytes JMP 200642F4
.text C:\WINDOWS\system32\mstsc.exe[3768] WININET.dll!InternetReadFile 3D9513DC 5 Bytes JMP 2006420C
.text C:\WINDOWS\system32\mstsc.exe[3768] WININET.dll!InternetQueryDataAvailable 3D95161D 5 Bytes JMP 20063EED
.text C:\WINDOWS\system32\mstsc.exe[3768] WININET.dll!HttpSendRequestA 3D953560 5 Bytes JMP 2006369E
.text C:\WINDOWS\system32\mstsc.exe[3768] WININET.dll!InternetOpenUrlA 3D956F62 5 Bytes JMP 20064321
.text C:\WINDOWS\system32\mstsc.exe[3768] WININET.dll!HttpSendRequestExW 3D958C51 5 Bytes JMP 20063548
.text C:\WINDOWS\system32\mstsc.exe[3768] WININET.dll!InternetWriteFile 3D958D64 5 Bytes JMP 20063760
.text C:\WINDOWS\system32\mstsc.exe[3768] WININET.dll!HttpSendRequestW 3D95FE09 5 Bytes JMP 200636FF
.text C:\WINDOWS\system32\mstsc.exe[3768] WININET.dll!InternetReadFileExW 3D963380 5 Bytes JMP 200640F1
.text C:\WINDOWS\system32\mstsc.exe[3768] WININET.dll!InternetReadFileExA 3D9633B8 5 Bytes JMP 2006404A
.text C:\WINDOWS\system32\mstsc.exe[3768] WININET.dll!InternetOpenUrlW 3D998529 5 Bytes JMP 20064348
.text C:\WINDOWS\system32\mstsc.exe[3768] WININET.dll!HttpSendRequestExA 3D9AAA1E 5 Bytes JMP 200635F3
.text C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe[3788] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20067764
.text C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe[3788] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005AC05
.text C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe[3788] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200675E0
.text C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe[3788] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200614A3
.text C:\WINDOWS\ASScrPro.exe[3820] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20067764
.text C:\WINDOWS\ASScrPro.exe[3820] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005AC05
.text C:\WINDOWS\ASScrPro.exe[3820] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200675E0
.text C:\WINDOWS\ASScrPro.exe[3820] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200614A3
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4072] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20067764
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4072] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005AC05
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4072] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200675E0
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4072] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200614A3
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4072] WININET.dll!InternetCloseHandle 3D944269 5 Bytes JMP 20063E97
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4072] WININET.dll!HttpOpenRequestA 3D94AA63 5 Bytes JMP 200642C7
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4072] WININET.dll!HttpOpenRequestW 3D94C482 5 Bytes JMP 200642F4
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4072] WININET.dll!InternetReadFile 3D9513DC 5 Bytes JMP 2006420C
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4072] WININET.dll!InternetQueryDataAvailable 3D95161D 5 Bytes JMP 20063EED
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4072] WININET.dll!HttpSendRequestA 3D953560 5 Bytes JMP 2006369E
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4072] WININET.dll!InternetOpenUrlA 3D956F62 5 Bytes JMP 20064321
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4072] WININET.dll!HttpSendRequestExW 3D958C51 5 Bytes JMP 20063548
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4072] WININET.dll!InternetWriteFile 3D958D64 5 Bytes JMP 20063760
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4072] WININET.dll!HttpSendRequestW 3D95FE09 5 Bytes JMP 200636FF
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4072] WININET.dll!InternetReadFileExW 3D963380 5 Bytes JMP 200640F1
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4072] WININET.dll!InternetReadFileExA 3D9633B8 5 Bytes JMP 2006404A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4072] WININET.dll!InternetOpenUrlW 3D998529 5 Bytes JMP 20064348
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4072] WININET.dll!HttpSendRequestExA 3D9AAA1E 5 Bytes JMP 200635F3
.text C:\Program Files\Kyocera\FS-720 Utilities\KMGLNC.exe[4376] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20067764
.text C:\Program Files\Kyocera\FS-720 Utilities\KMGLNC.exe[4376] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005AC05
.text C:\Program Files\Kyocera\FS-720 Utilities\KMGLNC.exe[4376] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200675E0
.text C:\Program Files\Kyocera\FS-720 Utilities\KMGLNC.exe[4376] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200614A3
.text C:\Program Files\iTunes\iTunesHelper.exe[4456] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20067764
.text C:\Program Files\iTunes\iTunesHelper.exe[4456] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005AC05
.text C:\Program Files\iTunes\iTunesHelper.exe[4456] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200675E0
.text C:\Program Files\iTunes\iTunesHelper.exe[4456] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200614A3
.text C:\Program Files\iTunes\iTunesHelper.exe[4456] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 20062363
.text C:\Program Files\iTunes\iTunesHelper.exe[4456] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2006268D
.text C:\Program Files\iTunes\iTunesHelper.exe[4456] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200629A6
.text C:\Program Files\iTunes\iTunesHelper.exe[4456] WS2_32.dll!send 71AB4C27 5 Bytes JMP 20062315
.text C:\Program Files\iTunes\iTunesHelper.exe[4456] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200627EA
.text C:\Program Files\iTunes\iTunesHelper.exe[4456] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2006261E
.text C:\Program Files\iTunes\iTunesHelper.exe[4456] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 20062702
.text C:\Program Files\iTunes\iTunesHelper.exe[4456] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200628C5
.text C:\Program Files\iTunes\iTunesHelper.exe[4456] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 20062773
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4528] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20067764
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4528] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005AC05
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4528] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200675E0
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4528] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200614A3
.text C:\Program Files\MagicDisc\MagicDisc.exe[4636] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20067764
.text C:\Program Files\MagicDisc\MagicDisc.exe[4636] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005AC05
.text C:\Program Files\MagicDisc\MagicDisc.exe[4636] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200675E0
.text C:\Program Files\MagicDisc\MagicDisc.exe[4636] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200614A3
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4676] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20067764
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4676] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005AC05
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4676] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200675E0
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4676] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200614A3
.text C:\Program Files\Skype\Phone\Skype.exe[4768] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20067764
.text C:\Program Files\Skype\Phone\Skype.exe[4768] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005AC05
.text C:\Program Files\Skype\Phone\Skype.exe[4768] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200675E0
.text C:\Program Files\Skype\Phone\Skype.exe[4768] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200614A3
.text C:\Program Files\Skype\Phone\Skype.exe[4768] wininet.dll!InternetCloseHandle 3D944269 5 Bytes JMP 20063E97
.text C:\Program Files\Skype\Phone\Skype.exe[4768] wininet.dll!HttpOpenRequestA 3D94AA63 5 Bytes JMP 200642C7
.text C:\Program Files\Skype\Phone\Skype.exe[4768] wininet.dll!HttpOpenRequestW 3D94C482 5 Bytes JMP 200642F4
.text C:\Program Files\Skype\Phone\Skype.exe[4768] wininet.dll!InternetReadFile 3D9513DC 5 Bytes JMP 2006420C
.text C:\Program Files\Skype\Phone\Skype.exe[4768] wininet.dll!InternetQueryDataAvailable 3D95161D 5 Bytes JMP 20063EED
.text C:\Program Files\Skype\Phone\Skype.exe[4768] wininet.dll!HttpSendRequestA 3D953560 5 Bytes JMP 2006369E
.text C:\Program Files\Skype\Phone\Skype.exe[4768] wininet.dll!InternetOpenUrlA 3D956F62 5 Bytes JMP 20064321
.text C:\Program Files\Skype\Phone\Skype.exe[4768] wininet.dll!HttpSendRequestExW 3D958C51 5 Bytes JMP 20063548
.text C:\Program Files\Skype\Phone\Skype.exe[4768] wininet.dll!InternetWriteFile 3D958D64 5 Bytes JMP 20063760
.text C:\Program Files\Skype\Phone\Skype.exe[4768] wininet.dll!HttpSendRequestW 3D95FE09 5 Bytes JMP 200636FF
.text C:\Program Files\Skype\Phone\Skype.exe[4768] wininet.dll!InternetReadFileExW 3D963380 5 Bytes JMP 200640F1
.text C:\Program Files\Skype\Phone\Skype.exe[4768] wininet.dll!InternetReadFileExA 3D9633B8 5 Bytes JMP 2006404A
.text C:\Program Files\Skype\Phone\Skype.exe[4768] wininet.dll!InternetOpenUrlW 3D998529 5 Bytes JMP 20064348
.text C:\Program Files\Skype\Phone\Skype.exe[4768] wininet.dll!HttpSendRequestExA 3D9AAA1E 5 Bytes JMP 200635F3
.text C:\Program Files\Skype\Phone\Skype.exe[4768] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 20062363
.text C:\Program Files\Skype\Phone\Skype.exe[4768] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2006268D
.text C:\Program Files\Skype\Phone\Skype.exe[4768] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200629A6
.text C:\Program Files\Skype\Phone\Skype.exe[4768] WS2_32.dll!send 71AB4C27 5 Bytes JMP 20062315
.text C:\Program Files\Skype\Phone\Skype.exe[4768] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200627EA
.text C:\Program Files\Skype\Phone\Skype.exe[4768] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2006261E
.text C:\Program Files\Skype\Phone\Skype.exe[4768] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 20062702
.text C:\Program Files\Skype\Phone\Skype.exe[4768] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200628C5
.text C:\Program Files\Skype\Phone\Skype.exe[4768] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 20062773
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[4840] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20067764
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[4840] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005AC05
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[4840] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200675E0
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[4840] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200614A3
.text C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe[4872] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20067764
.text C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe[4872] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005AC05
.text C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe[4872] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200675E0
.text C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe[4872] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200614A3
.text C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe[4872] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 20062363
.text C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe[4872] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2006268D
.text C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe[4872] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200629A6
.text C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe[4872] WS2_32.dll!send 71AB4C27 5 Bytes JMP 20062315
.text C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe[4872] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200627EA
.text C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe[4872] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2006261E
.text C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe[4872] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 20062702
.text C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe[4872] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200628C5
.text C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe[4872] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 20062773
.text C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe[4916] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20067764
.text C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe[4916] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005AC05
.text C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe[4916] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200675E0
.text C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe[4916] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200614A3
.text C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe[4916] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 20062363
.text C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe[4916] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2006268D
.text C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe[4916] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200629A6
.text C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe[4916] WS2_32.dll!send 71AB4C27 5 Bytes JMP 20062315
.text C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe[4916] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200627EA
.text C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe[4916] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2006261E
.text C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe[4916] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 20062702
.text C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe[4916] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200628C5
.text C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe[4916] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 20062773
.text C:\WINDOWS\system32\ctfmon.exe[4996] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20067764
.text C:\WINDOWS\system32\ctfmon.exe[4996] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005AC05
.text C:\WINDOWS\system32\ctfmon.exe[4996] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200675E0
.text C:\WINDOWS\system32\ctfmon.exe[4996] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200614A3
.text C:\Program Files\iPod\bin\iPodService.exe[5032] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20027764
.text C:\Program Files\iPod\bin\iPodService.exe[5032] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001AC05
.text C:\Program Files\iPod\bin\iPodService.exe[5032] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200275E0
.text C:\Program Files\iPod\bin\iPodService.exe[5032] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200214A3
.text C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[5088] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20067764
.text C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[5088] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005AC05
.text C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[5088] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200675E0
.text C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[5088] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200614A3
.text C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[5088] WININET.dll!InternetCloseHandle 3D944269 5 Bytes JMP 20063E97
.text C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[5088] WININET.dll!HttpOpenRequestA 3D94AA63 5 Bytes JMP 200642C7
.text C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[5088] WININET.dll!HttpOpenRequestW 3D94C482 5 Bytes JMP 200642F4
.text C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[5088] WININET.dll!InternetReadFile 3D9513DC 5 Bytes JMP 2006420C
.text C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[5088] WININET.dll!InternetQueryDataAvailable 3D95161D 5 Bytes JMP 20063EED
.text C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[5088] WININET.dll!HttpSendRequestA 3D953560 5 Bytes JMP 2006369E
.text C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[5088] WININET.dll!InternetOpenUrlA 3D956F62 5 Bytes JMP 20064321
.text C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[5088] WININET.dll!HttpSendRequestExW 3D958C51 5 Bytes JMP 20063548
.text C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[5088] WININET.dll!InternetWriteFile 3D958D64 5 Bytes JMP 20063760
.text C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[5088] WININET.dll!HttpSendRequestW 3D95FE09 5 Bytes JMP 200636FF
.text C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[5088] WININET.dll!InternetReadFileExW 3D963380 5 Bytes JMP 200640F1
.text C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[5088] WININET.dll!InternetReadFileExA 3D9633B8 5 Bytes JMP 2006404A
.text C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[5088] WININET.dll!InternetOpenUrlW 3D998529 5 Bytes JMP 20064348
.text C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[5088] WININET.dll!HttpSendRequestExA 3D9AAA1E 5 Bytes JMP 200635F3
.text C:\Program Files\Mozilla Firefox\firefox.exe[5144] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20067764
.text C:\Program Files\Mozilla Firefox\firefox.exe[5144] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005AC05
.text C:\Program Files\Mozilla Firefox\firefox.exe[5144] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 017CFA35 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5144] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 01A707C5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5144] kernel32.dll!MapViewOfFile 7C80B9A5 5 Bytes JMP 01A7079E C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5144] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200614A3
.text C:\Program Files\Mozilla Firefox\firefox.exe[5144] GDI32.dll!CreateDIBSection 77F19E19 5 Bytes JMP 01A70728 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5144] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 20062363
.text C:\Program Files\Mozilla Firefox\firefox.exe[5144] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2006268D
.text C:\Program Files\Mozilla Firefox\firefox.exe[5144] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200629A6
.text C:\Program Files\Mozilla Firefox\firefox.exe[5144] WS2_32.dll!send 71AB4C27 5 Bytes JMP 20062315
.text C:\Program Files\Mozilla Firefox\firefox.exe[5144] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200627EA
.text C:\Program Files\Mozilla Firefox\firefox.exe[5144] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2006261E
.text C:\Program Files\Mozilla Firefox\firefox.exe[5144] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 20062702
.text C:\Program Files\Mozilla Firefox\firefox.exe[5144] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200628C5
.text C:\Program Files\Mozilla Firefox\firefox.exe[5144] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 20062773
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[5152] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20067764
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[5152] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005AC05
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[5152] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200675E0
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[5152] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200614A3
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[5152] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 20062363
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[5152] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2006268D
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[5152] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200629A6
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[5152] WS2_32.dll!send 71AB4C27 5 Bytes JMP 20062315
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[5152] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200627EA
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[5152] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2006261E
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[5152] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 20062702
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[5152] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200628C5
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[5152] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 20062773
.text C:\Program Files\Messenger\msmsgs.exe[5364] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20067764
.text C:\Program Files\Messenger\msmsgs.exe[5364] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005AC05
.text C:\Program Files\Messenger\msmsgs.exe[5364] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200675E0
.text C:\Program Files\Messenger\msmsgs.exe[5364] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200614A3
.text C:\Program Files\Messenger\msmsgs.exe[5364] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 20062363
.text C:\Program Files\Messenger\msmsgs.exe[5364] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2006268D
.text C:\Program Files\Messenger\msmsgs.exe[5364] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200629A6
.text C:\Program Files\Messenger\msmsgs.exe[5364] WS2_32.dll!send 71AB4C27 5 Bytes JMP 20062315
.text C:\Program Files\Messenger\msmsgs.exe[5364] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200627EA
.text C:\Program Files\Messenger\msmsgs.exe[5364] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2006261E
.text C:\Program Files\Messenger\msmsgs.exe[5364] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 20062702
.text C:\Program Files\Messenger\msmsgs.exe[5364] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200628C5
.text C:\Program Files\Messenger\msmsgs.exe[5364] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 20062773
.text C:\Program Files\Messenger\msmsgs.exe[5364] WININET.dll!InternetCloseHandle 3D944269 5 Bytes JMP 20063E97
.text C:\Program Files\Messenger\msmsgs.exe[5364] WININET.dll!HttpOpenRequestA 3D94AA63 5 Bytes JMP 200642C7
.text C:\Program Files\Messenger\msmsgs.exe[5364] WININET.dll!HttpOpenRequestW 3D94C482 5 Bytes JMP 200642F4
.text C:\Program Files\Messenger\msmsgs.exe[5364] WININET.dll!InternetReadFile 3D9513DC 5 Bytes JMP 2006420C
.text C:\Program Files\Messenger\msmsgs.exe[5364] WININET.dll!InternetQueryDataAvailable 3D95161D 5 Bytes JMP 20063EED
.text C:\Program Files\Messenger\msmsgs.exe[5364] WININET.dll!HttpSendRequestA 3D953560 5 Bytes JMP 2006369E
.text C:\Program Files\Messenger\msmsgs.exe[5364] WININET.dll!InternetOpenUrlA 3D956F62 5 Bytes JMP 20064321
.text C:\Program Files\Messenger\msmsgs.exe[5364] WININET.dll!HttpSendRequestExW 3D958C51 5 Bytes JMP 20063548
.text C:\Program Files\Messenger\msmsgs.exe[5364] WININET.dll!InternetWriteFile 3D958D64 5 Bytes JMP 20063760
.text C:\Program Files\Messenger\msmsgs.exe[5364] WININET.dll!HttpSendRequestW 3D95FE09 5 Bytes JMP 200636FF
.text C:\Program Files\Messenger\msmsgs.exe[5364] WININET.dll!InternetReadFileExW 3D963380 5 Bytes JMP 200640F1
.text C:\Program Files\Messenger\msmsgs.exe[5364] WININET.dll!InternetReadFileExA 3D9633B8 5 Bytes JMP 2006404A
.text C:\Program Files\Messenger\msmsgs.exe[5364] WININET.dll!InternetOpenUrlW 3D998529 5 Bytes JMP 20064348
.text C:\Program Files\Messenger\msmsgs.exe[5364] WININET.dll!HttpSendRequestExA 3D9AAA1E 5 Bytes JMP 200635F3
? C:\WINDOWS\System32\svchost.exe[5544] time/date stamp mismatch;
.text C:\WINDOWS\System32\svchost.exe[5544] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20027764
.text C:\WINDOWS\System32\svchost.exe[5544] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001AC05
.text C:\WINDOWS\System32\svchost.exe[5544] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200275E0
.text C:\WINDOWS\System32\svchost.exe[5544] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200214A3
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20027764
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001AC05
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200275E0
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 20022363
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2002268D
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200229A6
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] WS2_32.dll!send 71AB4C27 5 Bytes JMP 20022315
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200227EA
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2002261E
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 20022702
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200228C5
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 20022773
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200214A3
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 1066003B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 1065FFCA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 1043AEF3 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1043B50D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] WININET.dll!InternetCloseHandle 3D944269 5 Bytes JMP 20023E97
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] WININET.dll!HttpOpenRequestA 3D94AA63 5 Bytes JMP 200242C7
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] WININET.dll!HttpOpenRequestW 3D94C482 5 Bytes JMP 200242F4
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] WININET.dll!InternetReadFile 3D9513DC 5 Bytes JMP 2002420C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] WININET.dll!InternetQueryDataAvailable 3D95161D 5 Bytes JMP 20023EED
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] WININET.dll!HttpSendRequestA 3D953560 5 Bytes JMP 2002369E
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] WININET.dll!InternetOpenUrlA 3D956F62 5 Bytes JMP 20024321
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] WININET.dll!HttpSendRequestExW 3D958C51 5 Bytes JMP 20023548
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] WININET.dll!InternetWriteFile 3D958D64 5 Bytes JMP 20023760
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] WININET.dll!HttpSendRequestW 3D95FE09 5 Bytes JMP 200236FF
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] WININET.dll!InternetReadFileExW 3D963380 5 Bytes JMP 200240F1
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] WININET.dll!InternetReadFileExA 3D9633B8 5 Bytes JMP 2002404A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] WININET.dll!InternetOpenUrlW 3D998529 5 Bytes JMP 20024348
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5820] WININET.dll!HttpSendRequestExA 3D9AAA1E 5 Bytes JMP 200235F3
.text C:\WINDOWS\system32\calc.exe[6060] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20067764
.text C:\WINDOWS\system32\calc.exe[6060] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005AC05
.text C:\WINDOWS\system32\calc.exe[6060] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200675E0
.text C:\WINDOWS\system32\calc.exe[6060] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200614A3
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[6224] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20067764
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[6224] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005AC05
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[6224] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200675E0
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[6224] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200614A3

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AsDsm.sys (Data Security Manager Driver/Windows ® Codename Longhorn DDK provider)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat AsDsm.sys (Data Security Manager Driver/Windows ® Codename Longhorn DDK provider)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] wvoip <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\wvoip@DisplayName Image Time
Reg HKLM\SYSTEM\CurrentControlSet\Services\wvoip@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\wvoip@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\wvoip@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\wvoip@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\wvoip@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\wvoip@Description Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\wvoip\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\wvoip\Parameters@ServiceDll C:\WINDOWS\system32\clgjnxro.dll
Reg HKLM\SYSTEM\ControlSet003\Services\wvoip@DisplayName Image Time
Reg HKLM\SYSTEM\ControlSet003\Services\wvoip@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\wvoip@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\wvoip@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\wvoip@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\wvoip@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\wvoip@Description Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet003\Services\wvoip\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\wvoip\Parameters@ServiceDll C:\WINDOWS\system32\clgjnxro.dll

---- Files - GMER 1.0.15 ----

File C:\Program Files\ASUS\ASUS Data Security Manager\driver\x86 0 bytes
File C:\Program Files\ASUS\ASUS Data Security Manager\driver\x86\AsDsm.sys 29752 bytes executable
File C:\Program Files\ASUS\ASUS Data Security Manager\driver\x86\_avt 512 bytes
File C:\ADSM_PData_0150 0 bytes
File C:\ADSM_PData_0150\DB 0 bytes
File C:\ADSM_PData_0150\DB\SI.db 624 bytes
File C:\ADSM_PData_0150\DB\UL.db 16 bytes
File C:\ADSM_PData_0150\DB\VL.db 16 bytes
File C:\ADSM_PData_0150\DB\WAL.db 2048 bytes
File C:\ADSM_PData_0150\DB\_avt 512 bytes
File C:\ADSM_PData_0150\DragWait.exe 315392 bytes executable
File C:\ADSM_PData_0150\_avt 512 bytes
File C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\an06yj98.default\Cache\E\37\AB886d01 18812 bytes
File C:\Documents and Settings\Administrator\Local Settings\Application Data\wowuqhvx\fuohehfo.exe 92500 bytes executable
File C:\Documents and Settings\Administrator\Local Settings\Temp\fla112.tmp 14116057 bytes
File C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\fuohehfo.exe 92500 bytes executable

---- EOF - GMER 1.0.15 ----





Attached attach.txt

#2 Darwinboy

  • Topic Starter
  • Members
  • 13 posts

Posted 20 July 2012 - 10:26 PM

Try again - here is Attach.txt

Attached Files



#3 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,600 posts

Posted 25 July 2012 - 10:15 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/461685 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 nasdaq

  • Malware Response Team
  • 38,739 posts
  • Location:Montreal, QC. Canada

Posted 26 July 2012 - 10:17 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this is fixed.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

Third-party programs, if not up to date, can be the cause of infiltration and infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.

Please post the logs and let me know if the problem persists.

#5 Darwinboy

  • Topic Starter
  • Members
  • 13 posts

Posted 26 July 2012 - 07:31 PM

Here are the logs as requested :

ComboFix:-
ComboFix 12-07-27.02 - Administrator 27/07/2012 9:05.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2182 [GMT 9.5:30]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\0.5478867098232126.exe
c:\documents and settings\Administrator\Local Settings\Application Data\gvrycjnk.log
c:\documents and settings\Administrator\Local Settings\Application Data\hmvmxgrk.log
c:\documents and settings\Administrator\Local Settings\Application Data\ibdlojgv.log
c:\documents and settings\Administrator\Local Settings\Application Data\ijlfvnub.log
c:\documents and settings\Administrator\Local Settings\Application Data\kspjwhbp.log
c:\documents and settings\Administrator\Local Settings\Application Data\lfmwhcef.log
c:\documents and settings\Administrator\Local Settings\Application Data\slpdvyvb.log
c:\documents and settings\Administrator\Local Settings\Application Data\uegaixae.log
c:\documents and settings\Administrator\Local Settings\Application Data\wowuqhvx\fuohehfo.exe
c:\documents and settings\Administrator\Local Settings\Application Data\ysypnhac.log
c:\documents and settings\Administrator\ms.exe
c:\documents and settings\Administrator\WINDOWS
c:\windows\dasetup.log
c:\windows\msvcr71.dll
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\setup.ini
.
.
((((((((((((((((((((((((( Files Created from 2012-06-27 to 2012-07-27 )))))))))))))))))))))))))))))))
.
.
2012-07-20 03:01 . 2012-07-20 03:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-20 03:01 . 2012-07-03 04:16 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-18 10:15 . 2012-07-20 03:02 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-07-18 10:15 . 2012-07-18 10:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-07-18 10:15 . 2012-07-18 10:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-07-17 09:28 . 2012-07-17 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-07-17 09:28 . 2012-07-17 10:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-07-16 03:17 . 2012-07-27 00:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\wowuqhvx
2012-07-09 21:33 . 2012-07-09 21:33 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-07-09 21:33 . 2012-07-09 21:33 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-07-03 12:17 . 2012-07-03 12:17 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\etax2012
2012-06-27 10:18 . 2012-06-27 10:18 -------- d-----w- c:\documents and settings\All Users\Application Data\CoffeeCup Software
2012-06-27 10:18 . 2012-06-27 10:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\CoffeeCup Software
2012-06-27 10:09 . 2012-06-27 10:09 715776 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{66F43DBE-6D46-4BCE-831D-0D4C13639BE8}\Icon66F43DBE.exe
2012-06-27 10:09 . 2012-06-27 10:09 -------- d-----w- c:\program files\CoffeeCup Software
2012-06-27 10:09 . 2012-06-27 10:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-13 13:19 . 2006-08-17 01:24 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2008-04-14 00:12 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2006-08-17 01:24 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2006-08-17 01:24 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 05:49 . 2009-04-16 02:57 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 05:49 . 2009-04-16 02:57 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 05:49 . 2009-03-26 23:16 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 05:49 . 2009-03-26 23:16 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 05:49 . 2009-03-26 23:16 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 05:49 . 2009-04-16 02:57 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 05:49 . 2009-04-16 02:57 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 05:49 . 2009-03-26 23:16 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 05:49 . 2009-03-26 23:16 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 05:49 . 2006-08-17 01:24 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 05:49 . 2009-04-16 02:57 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 05:49 . 2009-03-26 23:16 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 05:49 . 2009-03-26 23:16 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 05:48 . 2009-04-16 10:15 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 05:48 . 2009-04-16 10:15 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 05:48 . 2008-10-16 04:37 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2006-08-17 01:24 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-15 15:39 . 2006-08-17 01:24 832512 ----a-w- c:\windows\system32\wininet.dll
2012-05-04 13:16 . 2004-08-03 13:48 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 13:29 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2009-03-26 23:15 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2010-08-20 15:03 . 2010-08-20 15:03 530432 ----a-w- c:\program files\Common Files\comctl32.dll
2009-07-13 10:45 . 2009-07-13 10:45 486912 ----a-w- c:\program files\Common Files\comdlg32.dll
2012-07-09 21:33 . 2012-02-14 09:25 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{e9df9360-97f8-4690-afe6-996c80790da4}"= "c:\program files\uTorrentControl\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{e9df9360-97f8-4690-afe6-996c80790da4}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9df9360-97f8-4690-afe6-996c80790da4}]
2011-05-09 08:49 176936 ----a-w- c:\program files\uTorrentControl\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{e9df9360-97f8-4690-afe6-996c80790da4}"= "c:\program files\uTorrentControl\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{e9df9360-97f8-4690-afe6-996c80790da4}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{E9DF9360-97F8-4690-AFE6-996C80790DA4}"= "c:\program files\uTorrentControl\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{e9df9360-97f8-4690-afe6-996c80790da4}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-01 07:38 143360 ----a-w- c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-27 24103720]
"SybaseCentral43"="c:\program files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" [2004-10-13 102400]
"DBISQL9"="c:\program files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" [2004-10-19 131072]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2008-03-18 2508072]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-03-17 2289664]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsgTranAgt"="c:\program files\ASUS\ATK Hotkey\MsgTranAgt.exe" [2008-08-18 117304]
"HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2008-08-18 98304]
"ATKHOTKEY"="c:\program files\ASUS\ATK Hotkey\HControl.exe" [2008-10-20 166456]
"ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2008-01-23 7766016]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"RTHDCPL"="RTHDCPL.EXE" [2008-10-08 17021440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-30 1343488]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMedia.exe" [2008-06-24 159744]
"ACU"="c:\program files\Atheros\ACU.exe" [2008-09-26 450648]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"ASUS Live Update"="c:\program files\ASUS\ASUS Live Update\ALU.exe" [2007-11-30 51768]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 90112]
"ADSMTray"="c:\program files\ASUS\ASUS Data Security Manager\ADSMTray.exe" [2008-03-31 266240]
"ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2008-01-15 851968]
"ASUS Camera ScreenSaver"="c:\windows\AsScrProlog.exe" [2009-03-26 47672]
"ASUS Screen Saver Protector"="c:\windows\ASScrPro.exe" [2009-03-26 33136]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2008-04-02 87336]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2008-02-22 62760]
"UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2012-01-27 2077536]
"Launcher"="c:\program files\Kyocera\FS-720 Utilities\KMGLNC.exe" [2005-04-15 53248]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-06 421736]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2007-7-17 49152]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2007-7-17 49152]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-16 576000]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\Peter\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2007-7-17 49152]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2007-7-17 49152]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\Administrator\Local Settings\Application Data\wowuqhvx\fuohehfo.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Aspwdflt]
2008-04-19 13:41 1556480 ----a-w- c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-25 08:50 12536 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Sybase\\SQL Anywhere 9\\win32\\dbisqlg.exe"=
"c:\\Program Files\\Sybase\\Shared\\Sybase Central 4.3\\win32\\scjview.exe"=
"c:\\Program Files\\Sybase\\SQL Anywhere 9\\win32\\dbeng9.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [16/04/2009 8:26 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [16/04/2009 8:26 PM 243152]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [25/07/2010 6:20 PM 308136]
R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\mgpoehbb.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\mgpoehbb.sys [?]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/03/2010 11:40 AM 135664]
S2 wvoip;Image Time;c:\windows\system32\svchost.exe -k netsvcs [17/08/2006 10:54 AM 14336]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2/04/2012 8:34 PM 253600]
S3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [10/07/2012 8:08 AM 245760]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/03/2010 11:40 AM 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [18/07/2012 7:45 PM 40776]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [9/05/2012 6:36 AM 113120]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
*NewlyCreated* - WS2IFSL
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wvoip
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-03-17 08:26 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 11:04]
.
2012-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 02:10]
.
2012-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 02:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://www.asus.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.100.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\an06yj98.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072254&SearchSource=2&q=
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-FuoHehfo - c:\documents and settings\Administrator\Local Settings\Application Data\wowuqhvx\fuohehfo.exe
HKU-Default-RunOnce-AutoLaunch - c:\program files\Lavasoft\Ad-Aware\AutoLaunch.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-27 09:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\fuohehfo.exe 92500 bytes executable
C:\ADSM_PData_0150
.
scan completed successfully
hidden files: 2
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wvoip]
"ServiceDll"="c:\windows\system32\clgjnxro.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1104)
c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(1160)
c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT.dll
.
- - - - - - - > 'explorer.exe'(2440)
c:\windows\system32\WININET.dll
c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt.dll
c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
c:\program files\ATKGFNEX\GFNEXSrv.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ASUS\ATK Hotkey\ATKOSD.exe
c:\windows\system32\ACEngSvr.exe
c:\program files\ASUS\ATK Hotkey\KBFiltr.exe
c:\program files\ASUS\ATK Hotkey\WDC.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-07-27 09:53:12 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-27 00:23
.
Pre-Run: 90,292,215,808 bytes free
Post-Run: 92,845,297,664 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
.
- - End Of File - - 05EB33B83B32E296FAB3F4AB7FA342B9



Security Check:
Results of screen317's Security Check version 0.99.43
Windows XP Service Pack 3 x86 (UAC is disabled!)
Internet Explorer 7 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.62.0.1300
Java™ 6 Update 20
Java version out of Date!
Adobe Flash Player 9 Flash Player out of Date!
Adobe Flash Player 11.2.202.228
Adobe Reader 8 Adobe Reader out of Date!
Mozilla Firefox 13.0.1 Firefox out of Date!
Mozilla Thunderbird 13.0.1 Thunderbird out of Date!
````````Process Check: objlist.exe by Laurent````````
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 10%
````````````````````End of Log``````````````````````

#6 nasdaq

  • Malware Response Team
  • 38,739 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 July 2012 - 10:08 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

I need more information before proceeding with the next step.

Please download TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double-click aswMBR.exe to run it.

  • Click the "Scan" button to start the scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please run ComboFix again and post a fresh log also.


Please let me know what problem persists.

#7 Darwinboy
  • Topic Starter

  • Members
  • 13 posts

Posted 27 July 2012 - 04:32 PM

Here are the logs requested:

TDSS.txt:

06:47:50.0171 11964 PlugPlay - ok
06:47:50.0281 11964 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
06:47:50.0296 11964 PolicyAgent - ok
06:47:50.0421 11964 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
06:47:50.0437 11964 PptpMiniport - ok
06:47:50.0437 11964 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
06:47:50.0468 11964 ProtectedStorage - ok
06:47:50.0500 11964 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
06:47:50.0531 11964 PSched - ok
06:47:50.0593 11964 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
06:47:50.0593 11964 Ptilink - ok
06:47:50.0609 11964 ql1080 - ok
06:47:50.0609 11964 Ql10wnt - ok
06:47:50.0625 11964 ql12160 - ok
06:47:50.0625 11964 ql1240 - ok
06:47:50.0640 11964 ql1280 - ok
06:47:50.0703 11964 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
06:47:50.0718 11964 RasAcd - ok
06:47:50.0812 11964 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
06:47:50.0968 11964 RasAuto - ok
06:47:51.0031 11964 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
06:47:51.0062 11964 Rasl2tp - ok
06:47:51.0250 11964 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
06:47:51.0406 11964 RasMan - ok
06:47:51.0437 11964 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
06:47:51.0453 11964 RasPppoe - ok
06:47:51.0468 11964 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
06:47:51.0484 11964 Raspti - ok
06:47:51.0578 11964 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
06:47:51.0671 11964 Rdbss - ok
06:47:51.0765 11964 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
06:47:51.0781 11964 RDPCDD - ok
06:47:51.0875 11964 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
06:47:51.0953 11964 rdpdr - ok
06:47:52.0125 11964 RDPWD (6589db6e5969f8eee594cf71171c5028) C:\WINDOWS\system32\drivers\RDPWD.sys
06:47:52.0187 11964 RDPWD - ok
06:47:52.0312 11964 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
06:47:52.0468 11964 RDSessMgr - ok
06:47:52.0546 11964 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
06:47:52.0578 11964 redbook - ok
06:47:52.0671 11964 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
06:47:52.0765 11964 RemoteAccess - ok
06:47:52.0843 11964 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
06:47:52.0953 11964 RemoteRegistry - ok
06:47:53.0265 11964 RichVideo (17e0bef5ca5c9ce52cc8082ac6ebc449) C:\Program Files\CyberLink\Shared Files\RichVideo.exe
06:47:53.0359 11964 RichVideo - ok
06:47:53.0421 11964 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
06:47:53.0515 11964 RpcLocator - ok
06:47:53.0734 11964 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
06:47:53.0812 11964 RpcSs - ok
06:47:53.0921 11964 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
06:47:54.0015 11964 RSVP - ok
06:47:54.0093 11964 RTSTOR (b1c9626c5089a85de411c1bedbc5620e) C:\WINDOWS\system32\drivers\RTSTOR.SYS
06:47:54.0109 11964 RTSTOR - ok
06:47:54.0234 11964 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
06:47:54.0250 11964 SamSs - ok
06:47:54.0359 11964 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
06:47:54.0500 11964 SCardSvr - ok
06:47:54.0640 11964 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
06:47:54.0875 11964 Schedule - ok
06:47:54.0953 11964 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
06:47:54.0968 11964 Secdrv - ok
06:47:55.0031 11964 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
06:47:55.0140 11964 seclogon - ok
06:47:55.0156 11964 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
06:47:55.0234 11964 SENS - ok
06:47:55.0359 11964 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
06:47:55.0390 11964 Serial - ok
06:47:55.0406 11964 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
06:47:55.0421 11964 Sfloppy - ok
06:47:55.0546 11964 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
06:47:55.0718 11964 SharedAccess - ok
06:47:55.0859 11964 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
06:47:55.0937 11964 ShellHWDetection - ok
06:47:55.0937 11964 Simbad - ok
06:47:56.0062 11964 SiSGbeXP (ea5fb3ce8477ceb46c64ea3179013d38) C:\WINDOWS\system32\DRIVERS\SiSGbeXP.sys
06:47:56.0093 11964 SiSGbeXP - ok
06:47:56.0156 11964 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
06:47:56.0187 11964 SLIP - ok
06:47:56.0906 11964 SNP2UVC (0302bc619d4a723317e7f8eb0c362bd3) C:\WINDOWS\system32\DRIVERS\snp2uvc.sys
06:47:57.0593 11964 SNP2UVC - ok
06:47:58.0093 11964 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
06:47:58.0109 11964 SONYPVU1 - ok
06:47:58.0109 11964 Sparrow - ok
06:47:58.0187 11964 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
06:47:58.0203 11964 splitter - ok
06:47:58.0328 11964 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
06:47:58.0453 11964 Spooler - ok
06:47:58.0484 11964 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
06:47:58.0531 11964 sr - ok
06:47:58.0703 11964 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
06:47:58.0921 11964 srservice - ok
06:47:59.0125 11964 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
06:47:59.0265 11964 Srv - ok
06:47:59.0343 11964 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
06:47:59.0421 11964 SSDPSRV - ok
06:47:59.0625 11964 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
06:47:59.0984 11964 stisvc - ok
06:48:00.0062 11964 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
06:48:00.0078 11964 streamip - ok
06:48:00.0140 11964 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
06:48:00.0156 11964 swenum - ok
06:48:00.0187 11964 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
06:48:00.0218 11964 swmidi - ok
06:48:00.0234 11964 SwPrv - ok
06:48:00.0250 11964 symc810 - ok
06:48:00.0250 11964 symc8xx - ok
06:48:00.0265 11964 sym_hi - ok
06:48:00.0265 11964 sym_u3 - ok
06:48:00.0468 11964 SynTP (c8cc806f0506e9f168750371d37eee18) C:\WINDOWS\system32\DRIVERS\SynTP.sys
06:48:00.0562 11964 SynTP - ok
06:48:00.0609 11964 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
06:48:00.0656 11964 sysaudio - ok
06:48:00.0812 11964 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
06:48:00.0921 11964 SysmonLog - ok
06:48:01.0031 11964 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
06:48:01.0156 11964 TapiSrv - ok
06:48:01.0390 11964 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
06:48:01.0515 11964 Tcpip - ok
06:48:01.0593 11964 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
06:48:01.0609 11964 TDPIPE - ok
06:48:01.0625 11964 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
06:48:01.0640 11964 TDTCP - ok
06:48:01.0703 11964 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
06:48:01.0734 11964 TermDD - ok
06:48:01.0937 11964 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
06:48:02.0093 11964 TermService - ok
06:48:02.0234 11964 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
06:48:02.0328 11964 Themes - ok
06:48:02.0421 11964 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
06:48:02.0546 11964 TlntSvr - ok
06:48:02.0562 11964 TosIde - ok
06:48:02.0640 11964 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
06:48:02.0828 11964 TrkWks - ok
06:48:02.0953 11964 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
06:48:02.0984 11964 Udfs - ok
06:48:03.0000 11964 ultra - ok
06:48:03.0234 11964 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
06:48:03.0390 11964 Update - ok
06:48:03.0468 11964 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
06:48:03.0593 11964 upnphost - ok
06:48:03.0640 11964 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
06:48:03.0718 11964 UPS - ok
06:48:03.0781 11964 USBAAPL (eafe1e00739afe6c51487a050e772e17) C:\WINDOWS\system32\Drivers\usbaapl.sys
06:48:03.0828 11964 USBAAPL - ok
06:48:03.0890 11964 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
06:48:03.0921 11964 usbccgp - ok
06:48:04.0000 11964 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
06:48:04.0015 11964 usbehci - ok
06:48:04.0046 11964 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
06:48:04.0078 11964 usbhub - ok
06:48:04.0093 11964 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
06:48:04.0125 11964 usbohci - ok
06:48:04.0187 11964 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
06:48:04.0218 11964 usbprint - ok
06:48:04.0265 11964 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
06:48:04.0281 11964 usbscan - ok
06:48:04.0343 11964 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
06:48:04.0359 11964 usbstor - ok
06:48:04.0453 11964 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
06:48:04.0531 11964 usbvideo - ok
06:48:04.0578 11964 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
06:48:04.0609 11964 VgaSave - ok
06:48:04.0609 11964 ViaIde - ok
06:48:04.0734 11964 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
06:48:04.0875 11964 VolSnap - ok
06:48:05.0031 11964 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
06:48:05.0234 11964 VSS - ok
06:48:05.0359 11964 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
06:48:05.0484 11964 W32Time - ok
06:48:05.0515 11964 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
06:48:05.0531 11964 Wanarp - ok
06:48:05.0546 11964 WDICA - ok
06:48:05.0593 11964 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
06:48:05.0625 11964 wdmaud - ok
06:48:05.0718 11964 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
06:48:05.0781 11964 WebClient - ok
06:48:06.0015 11964 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
06:48:06.0078 11964 winmgmt - ok
06:48:06.0171 11964 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
06:48:06.0218 11964 WmdmPmSN - ok
06:48:06.0546 11964 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
06:48:06.0781 11964 Wmi - ok
06:48:06.0906 11964 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
06:48:06.0953 11964 WmiApSrv - ok
06:48:07.0484 11964 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
06:48:07.0859 11964 WMPNetworkSvc - ok
06:48:08.0015 11964 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
06:48:08.0031 11964 WS2IFSL - ok
06:48:08.0125 11964 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
06:48:08.0281 11964 wscsvc - ok
06:48:08.0296 11964 WSIMD (21ac4f228f3d36876a42277c76a766c0) C:\WINDOWS\system32\DRIVERS\wsimd.sys
06:48:08.0328 11964 WSIMD - ok
06:48:08.0406 11964 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
06:48:08.0421 11964 WSTCODEC - ok
06:48:08.0484 11964 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
06:48:08.0546 11964 wuauserv - ok
06:48:08.0625 11964 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
06:48:08.0671 11964 WudfPf - ok
06:48:08.0734 11964 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
06:48:08.0859 11964 WudfRd - ok
06:48:08.0890 11964 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
06:48:09.0031 11964 WudfSvc - ok
06:48:09.0031 11964 Suspicious service (NoAccess): wvoip
06:48:09.0031 11964 wvoip ( LockedService.Multi.Generic ) - warning
06:48:09.0031 11964 wvoip - detected LockedService.Multi.Generic (1)
06:48:09.0281 11964 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
06:48:09.0578 11964 WZCSVC - ok
06:48:09.0656 11964 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
06:48:09.0828 11964 xmlprov - ok
06:48:09.0875 11964 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
06:48:10.0375 11964 \Device\Harddisk0\DR0 - ok
06:48:10.0390 11964 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR3
06:48:10.0390 11964 \Device\Harddisk1\DR3 - ok
06:48:10.0406 11964 Boot (0x1200) (8bf9e8535f7157901f51d02b602070e7) \Device\Harddisk0\DR0\Partition0
06:48:10.0406 11964 \Device\Harddisk0\DR0\Partition0 - ok
06:48:10.0421 11964 Boot (0x1200) (e089a7a85309abb69da3d7105c862107) \Device\Harddisk1\DR3\Partition0
06:48:10.0421 11964 \Device\Harddisk1\DR3\Partition0 - ok
06:48:10.0421 11964 ============================================================
06:48:10.0421 11964 Scan finished
06:48:10.0421 11964 ============================================================
06:48:10.0437 9424 Detected object count: 1
06:48:10.0437 9424 Actual detected object count: 1
06:48:23.0640 9424 wvoip ( LockedService.Multi.Generic ) - skipped by user
06:48:23.0640 9424 wvoip ( LockedService.Multi.Generic ) - User select action: Skip


aswMBR.txt:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-28 06:50:53
-----------------------------
06:50:53.343 OS Version: Windows 5.1.2600 Service Pack 3
06:50:53.343 Number of processors: 2 586 0xF0D
06:50:53.343 ComputerName: ASUS_NB UserName:
06:50:57.390 Initialize success
06:51:18.640 AVAST engine download error: 0
06:51:28.171 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
06:51:28.171 Disk 0 Vendor: ST9250320AS 0303 Size: 238475MB BusType: 3
06:51:28.421 Disk 0 MBR read successfully
06:51:28.421 Disk 0 MBR scan
06:51:28.421 Disk 0 Windows XP default MBR code
06:51:28.421 Disk 0 Partition 1 00 1C Hidd FAT32 LBA MSDOS5.0 12001 MB offset 63
06:51:28.437 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 226471 MB offset 24579450
06:51:28.453 Disk 0 scanning sectors +488392065
06:51:28.640 Disk 0 scanning C:\WINDOWS\system32\drivers
06:51:54.640 Service scanning
06:52:36.109 Modules scanning
06:53:01.562 Disk 0 trace - called modules:
06:53:01.562
06:53:01.562 Scan finished successfully
06:54:40.968 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
06:54:40.968 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"


Attached MBR.dat.

Note, aswMBR Avast engine download error (I guess saying that definition update failed??). I cannot access any virus/security internet sites - AVG won't update, can't access AVG, Avast, Symantec, etc, etc - also can't access bleepingcomputer.com from infected machine.

Thanks



#8 nasdaq

  • Malware Response Team
  • 38,739 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 28 July 2012 - 08:28 AM

Left laptop on overnight & awoke this morning to windows 'blue screen of death' as follows:-
A problem has been detected and windows has been shutdown to prevent damage to your computer.
The problem seems to be caused by the following file: ati2dvag


ati2dvag is from your ATI graphics card. There is a chance that it is bad or going bad when used for a long time.
Heat in your computer may be the cause, not sure.
===


.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF5DBE000, 0x189F82, 0xE8000020]

From your GMER log.
Again related to ATI card.
===

On another note.

S2 wvoip;Image Time;c:\windows\system32\svchost.exe -k netsvcs [17/08/2006 10:54 AM 14336]

How long have you had this service?

Looking in your previous topic I do see some of these error messages.

Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 29 minutes.
NtpClient has no source of accurate time.


Could this be related to wvoip;Image Time?
I have no idea at all.
===

Your Hosts file may have been compromised.
How do I reset the hosts file back to the default?
http://support.microsoft.com/kb/972034

Use the Fix it button on the page.
<<<>>>

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

#9 Darwinboy

  • Topic Starter
  • Members
  • 13 posts

Posted 28 July 2012 - 07:59 PM

1/.

"Quote

S2 wvoip;Image Time;c:\windows\system32\svchost.exe -k netsvcs [17/08/2006 10:54 AM 14336]

How long have you had this service.

Looking in your previous topic I do see some of these error message.


Quote

Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 29 minutes.
NtpClient has no source of accurate time.


Could this be related to wvoip;Image Time?
I have no idea at all.
==="


I also have no idea - I don't use 'voice over wireless'.

I do have Skype installed but don't use it (don't know if a program like Skype would use this??)

2/.
Your Hosts file may have been compromised.
How do I reset the hosts file back to the default?
http://support.microsoft.com/kb/972034

Use the Fix it button on the page.


My browser on the infected laptop won't attach to Microsoft Support site (or any other 'security/virus protection' type site, or bleepingcomputer.com, as previously advised)

3/. Here is another ComboFix log:-

ComboFix 12-07-27.03 - Administrator 29/07/2012 9:34.3.2 - x86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Local Settings\Application Data\gvrycjnk.log
c:\documents and settings\Administrator\Local Settings\Application Data\hmvmxgrk.log
c:\documents and settings\Administrator\Local Settings\Application Data\ibdlojgv.log
c:\documents and settings\Administrator\Local Settings\Application Data\ijlfvnub.log
c:\documents and settings\Administrator\Local Settings\Application Data\lfmwhcef.log
c:\documents and settings\Administrator\Local Settings\Application Data\slpdvyvb.log
c:\documents and settings\Administrator\Local Settings\Application Data\uegaixae.log
c:\documents and settings\Administrator\Local Settings\Application Data\wowuqhvx\fuohehfo.exe
c:\documents and settings\Administrator\Local Settings\Application Data\ysypnhac.log
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
.
.
((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-29 )))))))))))))))))))))))))))))))
.
.
2012-07-18 10:15 . 2012-07-20 03:02 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-07-18 10:15 . 2012-07-18 10:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-07-18 10:15 . 2012-07-18 10:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-07-17 09:28 . 2012-07-27 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-07-17 09:28 . 2012-07-17 10:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-07-16 03:17 . 2012-07-29 00:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\wowuqhvx
2012-07-09 21:33 . 2012-07-09 21:33 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-07-09 21:33 . 2012-07-09 21:33 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-07-03 12:17 . 2012-07-03 12:17 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\etax2012
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-27 10:09 . 2012-06-27 10:09 715776 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{66F43DBE-6D46-4BCE-831D-0D4C13639BE8}\Icon66F43DBE.exe
2012-06-13 13:19 . 2006-08-17 01:24 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2008-04-14 00:12 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2006-08-17 01:24 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2006-08-17 01:24 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 05:49 . 2009-04-16 02:57 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 05:49 . 2009-04-16 02:57 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 05:49 . 2009-03-26 23:16 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 05:49 . 2009-03-26 23:16 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 05:49 . 2009-03-26 23:16 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 05:49 . 2009-04-16 02:57 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 05:49 . 2009-04-16 02:57 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 05:49 . 2009-03-26 23:16 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 05:49 . 2009-03-26 23:16 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 05:49 . 2006-08-17 01:24 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 05:49 . 2009-04-16 02:57 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 05:49 . 2009-03-26 23:16 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 05:49 . 2009-03-26 23:16 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 05:48 . 2009-04-16 10:15 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 05:48 . 2009-04-16 10:15 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 05:48 . 2008-10-16 04:37 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2006-08-17 01:24 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-15 15:39 . 2006-08-17 01:24 832512 ----a-w- c:\windows\system32\wininet.dll
2012-05-04 13:16 . 2004-08-03 13:48 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 13:29 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2009-03-26 23:15 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2010-08-20 15:03 . 2010-08-20 15:03 530432 ----a-w- c:\program files\Common Files\comctl32.dll
2009-07-13 10:45 . 2009-07-13 10:45 486912 ----a-w- c:\program files\Common Files\comdlg32.dll
2012-07-09 21:33 . 2012-02-14 09:25 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-27_00.11.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-29 00:20 . 2012-07-29 00:20 16384 c:\windows\Temp\Perflib_Perfdata_338.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{e9df9360-97f8-4690-afe6-996c80790da4}"= "c:\program files\uTorrentControl\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{e9df9360-97f8-4690-afe6-996c80790da4}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9df9360-97f8-4690-afe6-996c80790da4}]
2011-05-09 08:49 176936 ----a-w- c:\program files\uTorrentControl\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{e9df9360-97f8-4690-afe6-996c80790da4}"= "c:\program files\uTorrentControl\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{e9df9360-97f8-4690-afe6-996c80790da4}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{E9DF9360-97F8-4690-AFE6-996C80790DA4}"= "c:\program files\uTorrentControl\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{e9df9360-97f8-4690-afe6-996c80790da4}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-01 07:38 143360 ----a-w- c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-27 24103720]
"SybaseCentral43"="c:\program files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" [2004-10-13 102400]
"DBISQL9"="c:\program files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" [2004-10-19 131072]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2008-03-18 2508072]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-03-17 2289664]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"FuoHehfo"="c:\documents and settings\Administrator\Local Settings\Application Data\wowuqhvx\fuohehfo.exe" [BU]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsgTranAgt"="c:\program files\ASUS\ATK Hotkey\MsgTranAgt.exe" [2008-08-18 117304]
"HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2008-08-18 98304]
"ATKHOTKEY"="c:\program files\ASUS\ATK Hotkey\HControl.exe" [2008-10-20 166456]
"ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2008-01-23 7766016]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"RTHDCPL"="RTHDCPL.EXE" [2008-10-08 17021440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-30 1343488]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMedia.exe" [2008-06-24 159744]
"ACU"="c:\program files\Atheros\ACU.exe" [2008-09-26 450648]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"ASUS Live Update"="c:\program files\ASUS\ASUS Live Update\ALU.exe" [2007-11-30 51768]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 90112]
"ADSMTray"="c:\program files\ASUS\ASUS Data Security Manager\ADSMTray.exe" [2008-03-31 266240]
"ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2008-01-15 851968]
"ASUS Camera ScreenSaver"="c:\windows\AsScrProlog.exe" [2009-03-26 47672]
"ASUS Screen Saver Protector"="c:\windows\ASScrPro.exe" [2009-03-26 33136]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2008-04-02 87336]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2008-02-22 62760]
"UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2012-01-27 2077536]
"Launcher"="c:\program files\Kyocera\FS-720 Utilities\KMGLNC.exe" [2005-04-15 53248]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-06 421736]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2007-7-17 49152]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2007-7-17 49152]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-16 576000]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\Peter\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2007-7-17 49152]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2007-7-17 49152]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\Administrator\Local Settings\Application Data\wowuqhvx\fuohehfo.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Aspwdflt]
2008-04-19 13:41 1556480 ----a-w- c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-25 08:50 12536 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Sybase\\SQL Anywhere 9\\win32\\dbisqlg.exe"=
"c:\\Program Files\\Sybase\\Shared\\Sybase Central 4.3\\win32\\scjview.exe"=
"c:\\Program Files\\Sybase\\SQL Anywhere 9\\win32\\dbeng9.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [16/04/2009 8:26 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [16/04/2009 8:26 PM 243152]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [25/07/2010 6:20 PM 308136]
R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\mgpoehbb.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\mgpoehbb.sys [?]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/03/2010 11:40 AM 135664]
S2 wvoip;Image Time;c:\windows\system32\svchost.exe -k netsvcs [17/08/2006 10:54 AM 14336]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2/04/2012 8:34 PM 253600]
S3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [10/07/2012 8:08 AM 245760]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/03/2010 11:40 AM 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [18/07/2012 7:45 PM 40776]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [9/05/2012 6:36 AM 113120]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wvoip
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-03-17 08:26 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 11:04]
.
2012-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 02:10]
.
2012-07-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 02:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://www.asus.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.100.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\an06yj98.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072254&SearchSource=2&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-29 09:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\fuohehfo.exe 92500 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lvupdtio]
"ImagePath"="\??\c:\program files\ASUS\ASUS Live Update\SYS\lvupdtio.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wvoip]
"ServiceDll"="c:\windows\system32\clgjnxro.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1096)
c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(1152)
c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT.dll
.
- - - - - - - > 'explorer.exe'(9756)
c:\windows\system32\WININET.dll
c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt.dll
c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
c:\program files\ATKGFNEX\GFNEXSrv.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\RTHDCPL.EXE
c:\program files\ASUS\ATK Hotkey\ATKOSD.exe
c:\windows\system32\ACEngSvr.exe
c:\program files\ASUS\ATK Hotkey\KBFiltr.exe
c:\program files\ASUS\ATK Hotkey\WDC.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\system32\logon.scr
.
**************************************************************************
.
Completion time: 2012-07-29 10:06:13 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-29 00:36
ComboFix2.txt 2012-07-27 22:28
ComboFix3.txt 2012-07-27 00:23
.
Pre-Run: 92,662,386,688 bytes free
Post-Run: 92,669,534,208 bytes free
.
- - End Of File - - ACECD4BB9709C1C84891E5BCA0ED34A7


4/. This looks quite 'suspicious'???

REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\Documents and Settings\Administrator\Local Settings\Application Data\wowuqhvx\fuohehfo.exe

#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,739 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:00 AM

Posted 29 July 2012 - 09:19 AM

I do have Skype installed but don't use it (don't know if a program like Skype would use this??)


Could be. If you do not use Skype remove it using the Add/Remove Programs list.
If you ever need it in the future you can reinstall it.
===

After this removal run TDSSKiller and fix this entry if still present.
06:48:23.0640 9424 wvoip ( LockedService.Multi.Generic ) - skipped by user
===

Use this tool to restore the default Hosts file.

Go to: http://www.funkytoad.com/index.php?option=com_content&task=view&id=13&Itemid=
Download the program HostsXpert to restore the default hosts file back onto your machine.
Unzip the program and execute it.
Select "Restore MS Hosts File".
Close the application.
=*=

Open notepad and copy/paste the text in the quote box below into it:

File::
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\fuohehfo.exe

Driver::
Micorsoft Windows Service

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"=-
"Userinit"="c:\windows\system32\userinit.exe"

ClearJavaCache::

Firefox::
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\an06yj98.default\
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072254&SearchSource=2&q=


Save this as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Please let me know what problem persists.
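The three persistence points the CFScript above removes (the second executable appended to Winlogon's Userinit value, the driver registered from a Temp directory, and the svchost-hosted "wvoip" service whose ServiceDll is a random-named DLL) are exactly the things a responder scans a ComboFix log for. As an added example (not part of this thread, and not ComboFix's or BleepingComputer's own tooling), the Python script below parses lines in ComboFix's format and flags those entries. The sample lines are copied from the log posted earlier in the thread; the regexes and the review heuristics (Temp-directory binaries, `[?]` entries, svchost-hosted services, Run entries under a user's Local Settings) are my own assumptions about what merits a look, not rules ComboFix applies.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r'''
"FuoHehfo"="c:\documents and settings\Administrator\Local Settings\Application Data\wowuqhvx\fuohehfo.exe" [BU]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\Administrator\Local Settings\Application Data\wowuqhvx\fuohehfo.exe"
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [25/07/2010 6:20 PM 308136]
R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\mgpoehbb.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\mgpoehbb.sys [?]
S2 wvoip;Image Time;c:\windows\system32\svchost.exe -k netsvcs [17/08/2006 10:54 AM 14336]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [18/07/2012 7:45 PM 40776]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wvoip]
"ServiceDll"="c:\windows\system32\clgjnxro.dll"
'''

# Line shapes as ComboFix prints them (regexes are my own, derived from the log above).
USERINIT_RE = re.compile(r'^"Userinit"="(?P<value>.*)"$', re.IGNORECASE)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<info>[^\]]*)\]$')
SERVICE_RE = re.compile(
    r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*)\s\[(?P<info>[^\]]*)\]$')
SERVICE_KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]\\]+)\]$', re.IGNORECASE)
SERVICEDLL_RE = re.compile(r'^"ServiceDll"="(?P<dll>[^"]+)"$', re.IGNORECASE)

# User-writable locations a legitimate autostart rarely runs from (heuristic, my assumption).
USER_WRITABLE_MARKERS = ("\\temp\\", "\\local settings\\application data\\")


def check_userinit(value: str) -> List[str]:
    """Return every path in a Userinit value other than the expected userinit.exe.

    Winlogon runs each comma-separated entry at logon, so anything appended
    after userinit.exe executes with the user's rights on every logon."""
    extras = []
    for part in value.split(","):
        part = part.strip()
        if part and not part.lower().endswith("\\system32\\userinit.exe"):
            extras.append(part)
    return extras


def check_service(path: str, info: str) -> List[str]:
    """Heuristic reasons why a driver/service line deserves manual review."""
    reasons = []
    low = path.lower()
    if "\\temp\\" in low:
        reasons.append("binary lives in a Temp directory")
    if info.strip() == "?":
        reasons.append("ComboFix could not read the file ([?]); it is missing or hidden")
    if "svchost.exe -k" in low:
        reasons.append("hosted by svchost; its ServiceDll must be reviewed")
    return reasons


def analyze(log_text: str) -> Dict[str, object]:
    """Scan ComboFix-style lines and collect the persistence points worth a look."""
    findings = {
        "userinit_extras": [],
        "suspicious_run_entries": {},
        "suspicious_services": {},
        "service_dlls": {},
    }
    current_service = None  # set by the most recent [HKLM\System\...\Services\<name>] header
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = USERINIT_RE.match(line)
        if m:
            findings["userinit_extras"].extend(check_userinit(m.group("value")))
            continue
        m = RUN_RE.match(line)
        if m:
            if any(marker in m.group("path").lower() for marker in USER_WRITABLE_MARKERS):
                findings["suspicious_run_entries"][m.group("name")] = m.group("path")
            continue
        m = SERVICE_RE.match(line)
        if m:
            reasons = check_service(m.group("path"), m.group("info"))
            if reasons:
                findings["suspicious_services"][m.group("name")] = reasons
            continue
        m = SERVICE_KEY_RE.match(line)
        if m:
            current_service = m.group("name")
            continue
        m = SERVICEDLL_RE.match(line)
        if m and current_service:
            # Pair the ServiceDll with the service whose key header preceded it.
            findings["service_dlls"][current_service] = m.group("dll")
    return findings


if __name__ == "__main__":
    for section, items in analyze(SAMPLE_LOG).items():
        print(f"== {section}")
        if isinstance(items, dict):
            for key, val in items.items():
                print(f"  {key}: {val}")
        else:
            for val in items:
                print(f"  {val}")
```

Run it against a saved ComboFix.txt by passing the file's contents to `analyze()`. The Userinit check is deterministic (Windows only expects userinit.exe there); the other checks are review prompts, which is why a flagged svchost-hosted service is reported together with its ServiceDll path rather than judged automatically.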

#11 Darwinboy

Darwinboy
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:30 PM

Posted 30 July 2012 - 04:52 AM

OK - this seems to have done the trick :thumbsup:

Here is the last Combofix log :-

ComboFix 12-07-27.03 - Administrator 30/07/2012 18:37:51.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2285 [GMT 9.5:30]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
FILE ::
"c:\documents and settings\Administrator\Start Menu\Programs\Startup\fuohehfo.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Local Settings\Application Data\gvrycjnk.log
c:\documents and settings\Administrator\Local Settings\Application Data\hmvmxgrk.log
c:\documents and settings\Administrator\Local Settings\Application Data\ibdlojgv.log
c:\documents and settings\Administrator\Local Settings\Application Data\ijlfvnub.log
c:\documents and settings\Administrator\Local Settings\Application Data\lfmwhcef.log
c:\documents and settings\Administrator\Local Settings\Application Data\slpdvyvb.log
c:\documents and settings\Administrator\Local Settings\Application Data\uegaixae.log
c:\documents and settings\Administrator\Local Settings\Application Data\wowuqhvx\fuohehfo.exe
c:\documents and settings\Administrator\Local Settings\Application Data\ysypnhac.log
c:\documents and settings\Administrator\Start Menu\Programs\Startup\fuohehfo.exe
.
Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\windows\erdnt\cache\ntfs.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
-------\Service_Micorsoft Windows Service
.
.
((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-30 )))))))))))))))))))))))))))))))
.
.
2012-07-30 08:42 . 2012-07-30 08:42 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-18 10:15 . 2012-07-20 03:02 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-07-18 10:15 . 2012-07-18 10:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-07-18 10:15 . 2012-07-18 10:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-07-17 09:28 . 2012-07-27 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-07-17 09:28 . 2012-07-17 10:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-07-16 03:17 . 2012-07-30 09:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\wowuqhvx
2012-07-09 21:33 . 2012-07-09 21:33 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-07-09 21:33 . 2012-07-09 21:33 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-07-03 12:17 . 2012-07-03 12:17 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\etax2012
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-27 10:09 . 2012-06-27 10:09 715776 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{66F43DBE-6D46-4BCE-831D-0D4C13639BE8}\Icon66F43DBE.exe
2012-06-13 13:19 . 2006-08-17 01:24 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2008-04-14 00:12 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2006-08-17 01:24 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2006-08-17 01:24 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 05:49 . 2009-04-16 02:57 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 05:49 . 2009-04-16 02:57 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 05:49 . 2009-03-26 23:16 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 05:49 . 2009-03-26 23:16 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 05:49 . 2009-03-26 23:16 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 05:49 . 2009-04-16 02:57 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 05:49 . 2009-04-16 02:57 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 05:49 . 2009-03-26 23:16 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 05:49 . 2009-03-26 23:16 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 05:49 . 2006-08-17 01:24 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 05:49 . 2009-04-16 02:57 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 05:49 . 2009-03-26 23:16 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 05:49 . 2009-03-26 23:16 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 05:48 . 2009-04-16 10:15 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 05:48 . 2009-04-16 10:15 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 05:48 . 2008-10-16 04:37 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2006-08-17 01:24 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-15 15:39 . 2006-08-17 01:24 832512 ----a-w- c:\windows\system32\wininet.dll
2012-05-04 13:16 . 2004-08-03 13:48 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 13:29 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2009-03-26 23:15 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2010-08-20 15:03 . 2010-08-20 15:03 530432 ----a-w- c:\program files\Common Files\comctl32.dll
2009-07-13 10:45 . 2009-07-13 10:45 486912 ----a-w- c:\program files\Common Files\comdlg32.dll
2012-07-29 00:42 . 2012-02-14 09:25 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-27_00.11.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-30 09:23 . 2012-07-30 09:23 16384 c:\windows\Temp\Perflib_Perfdata_3cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{e9df9360-97f8-4690-afe6-996c80790da4}"= "c:\program files\uTorrentControl\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{e9df9360-97f8-4690-afe6-996c80790da4}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9df9360-97f8-4690-afe6-996c80790da4}]
2011-05-09 08:49 176936 ----a-w- c:\program files\uTorrentControl\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{e9df9360-97f8-4690-afe6-996c80790da4}"= "c:\program files\uTorrentControl\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{e9df9360-97f8-4690-afe6-996c80790da4}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{E9DF9360-97F8-4690-AFE6-996C80790DA4}"= "c:\program files\uTorrentControl\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{e9df9360-97f8-4690-afe6-996c80790da4}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-01 07:38 143360 ----a-w- c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-27 24103720]
"SybaseCentral43"="c:\program files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" [2004-10-13 102400]
"DBISQL9"="c:\program files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" [2004-10-19 131072]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2008-03-18 2508072]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-03-17 2289664]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"FuoHehfo"="c:\documents and settings\Administrator\Local Settings\Application Data\wowuqhvx\fuohehfo.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsgTranAgt"="c:\program files\ASUS\ATK Hotkey\MsgTranAgt.exe" [2008-08-18 117304]
"HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2008-08-18 98304]
"ATKHOTKEY"="c:\program files\ASUS\ATK Hotkey\HControl.exe" [2008-10-20 166456]
"ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2008-01-23 7766016]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"RTHDCPL"="RTHDCPL.EXE" [2008-10-08 17021440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-30 1343488]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMedia.exe" [2008-06-24 159744]
"ACU"="c:\program files\Atheros\ACU.exe" [2008-09-26 450648]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"ASUS Live Update"="c:\program files\ASUS\ASUS Live Update\ALU.exe" [2007-11-30 51768]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 90112]
"ADSMTray"="c:\program files\ASUS\ASUS Data Security Manager\ADSMTray.exe" [2008-03-31 266240]
"ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2008-01-15 851968]
"ASUS Camera ScreenSaver"="c:\windows\AsScrProlog.exe" [2009-03-26 47672]
"ASUS Screen Saver Protector"="c:\windows\ASScrPro.exe" [2009-03-26 33136]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2008-04-02 87336]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2008-02-22 62760]
"UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2012-01-27 2077536]
"Launcher"="c:\program files\Kyocera\FS-720 Utilities\KMGLNC.exe" [2005-04-15 53248]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-06 421736]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2007-7-17 49152]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2007-7-17 49152]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-16 576000]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\Peter\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2007-7-17 49152]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2007-7-17 49152]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Aspwdflt]
2008-04-19 13:41 1556480 ----a-w- c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-25 08:50 12536 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Sybase\\SQL Anywhere 9\\win32\\dbisqlg.exe"=
"c:\\Program Files\\Sybase\\Shared\\Sybase Central 4.3\\win32\\scjview.exe"=
"c:\\Program Files\\Sybase\\SQL Anywhere 9\\win32\\dbeng9.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [16/04/2009 8:26 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [16/04/2009 8:26 PM 243152]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [25/07/2010 6:20 PM 308136]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/03/2010 11:40 AM 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2/04/2012 8:34 PM 253600]
S3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [10/07/2012 8:08 AM 245760]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/03/2010 11:40 AM 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [18/07/2012 7:45 PM 40776]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [9/05/2012 6:36 AM 113120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-03-17 08:26 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 11:04]
.
2012-07-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 02:10]
.
2012-07-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 02:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://www.asus.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.100.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\an06yj98.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072254&SearchSource=2&q=
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-80068903.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-30 18:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1100)
c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(1156)
c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT.dll
.
- - - - - - - > 'explorer.exe'(5868)
c:\windows\system32\WININET.dll
c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt.dll
c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
c:\program files\ATKGFNEX\GFNEXSrv.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ASUS\ATK Hotkey\ATKOSD.exe
c:\program files\ASUS\ATK Hotkey\KBFiltr.exe
c:\windows\system32\ACEngSvr.exe
c:\program files\ASUS\ATK Hotkey\WDC.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-07-30 19:08:27 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-30 09:38
ComboFix2.txt 2012-07-29 00:36
ComboFix3.txt 2012-07-27 22:28
ComboFix4.txt 2012-07-27 00:23
.
Pre-Run: 92,548,395,008 bytes free
Post-Run: 92,658,970,624 bytes free
.
- - End Of File - - 34B41F9F78D8EA9D1EEC5BE9930FC653


I'm posting this from the infected machine, so access to this site now OK. Also able to update AVG definitions, and Thunderbird now able send/receive.

Thanks heaps for your assistance - I'll be making a donation to show appreciation :clapping:

#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,739 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:00 AM

Posted 01 August 2012 - 08:20 AM

Sorry for this long delay.
I had some technical difficulties. I'm back.
===

Looking better.

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\an06yj98.default\
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072254&SearchSource=2&q=


Open notepad and copy/paste the text in the quote box below into it:

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FuoHehfo"=-

ClearJavaCache::

Firefox::
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\an06yj98.default\
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072254&SearchSource=2&q=



Save this as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

Then post the resultant log.
===

p.s. My services are free so you will not find a paypal link.

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present, remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 20


===

Critical vulnerabilities have been identified in Adobe Flash Player v11.3.300.264 and earlier versions... being exploited in the wild in active targeted attacks...

Get the latest Flash Player

On the top of the page you will be given an opportunity to download the version for your operating system.
Make sure you select appropriate version.

You will also have an option to install the Free! McAfee Security Scan Plus. Un-check the box if you are NOT using McAfee's virus protection software.

For the users of Internet Explorer download version 11.
Flash Player 11 (64 bit)
Flash Player 11 (32 bit)

Remove these old versions using the Add/Remove Programs list, if still present.
Adobe Flash Player 9 Flash Player out of Date!
Adobe Flash Player 11.2.202.228
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you uncheck the box on the top right, "Include in your download"; this is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.

#13 Darwinboy

Darwinboy
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:30 PM

Posted 01 August 2012 - 04:42 PM

Here is the new Combofix log :-

ComboFix 12-07-27.03 - Administrator 02/08/2012 6:51.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2109 [GMT 9.5:30]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2012-07-01 to 2012-08-01 )))))))))))))))))))))))))))))))
.
.
2012-07-31 11:50 . 2012-07-31 11:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-31 11:50 . 2012-07-03 04:16 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-30 08:42 . 2012-07-30 08:42 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-18 10:15 . 2012-07-18 10:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-07-18 10:15 . 2012-07-18 10:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-07-17 09:28 . 2012-07-27 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-07-17 09:28 . 2012-07-17 10:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-07-16 03:17 . 2012-07-30 09:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\wowuqhvx
2012-07-09 21:33 . 2012-07-09 21:33 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-07-09 21:33 . 2012-07-09 21:33 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-07-03 12:17 . 2012-07-03 12:17 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\etax2012
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-27 10:09 . 2012-06-27 10:09 715776 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{66F43DBE-6D46-4BCE-831D-0D4C13639BE8}\Icon66F43DBE.exe
2012-06-13 13:19 . 2006-08-17 01:24 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2008-04-14 00:12 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2006-08-17 01:24 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2006-08-17 01:24 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 05:49 . 2009-04-16 02:57 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 05:49 . 2009-04-16 02:57 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 05:49 . 2009-03-26 23:16 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 05:49 . 2009-03-26 23:16 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 05:49 . 2009-03-26 23:16 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 05:49 . 2009-04-16 02:57 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 05:49 . 2009-04-16 02:57 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 05:49 . 2009-03-26 23:16 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 05:49 . 2009-03-26 23:16 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 05:49 . 2006-08-17 01:24 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 05:49 . 2009-04-16 02:57 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 05:49 . 2009-03-26 23:16 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 05:49 . 2009-03-26 23:16 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 05:48 . 2009-04-16 10:15 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 05:48 . 2009-04-16 10:15 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 05:48 . 2008-10-16 04:37 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2006-08-17 01:24 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-15 15:39 . 2006-08-17 01:24 832512 ----a-w- c:\windows\system32\wininet.dll
2012-05-04 13:16 . 2004-08-03 13:48 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 13:29 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-20 15:03 . 2010-08-20 15:03 530432 ----a-w- c:\program files\Common Files\comctl32.dll
2009-07-13 10:45 . 2009-07-13 10:45 486912 ----a-w- c:\program files\Common Files\comdlg32.dll
2012-07-29 00:42 . 2012-02-14 09:25 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-27_00.11.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-01 09:00 . 2012-08-01 09:00 16384 c:\windows\Temp\Perflib_Perfdata_1e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{e9df9360-97f8-4690-afe6-996c80790da4}"= "c:\program files\uTorrentControl\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{e9df9360-97f8-4690-afe6-996c80790da4}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9df9360-97f8-4690-afe6-996c80790da4}]
2011-05-09 08:49 176936 ----a-w- c:\program files\uTorrentControl\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{e9df9360-97f8-4690-afe6-996c80790da4}"= "c:\program files\uTorrentControl\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{e9df9360-97f8-4690-afe6-996c80790da4}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{E9DF9360-97F8-4690-AFE6-996C80790DA4}"= "c:\program files\uTorrentControl\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{e9df9360-97f8-4690-afe6-996c80790da4}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-01 07:38 143360 ----a-w- c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-27 24103720]
"SybaseCentral43"="c:\program files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" [2004-10-13 102400]
"DBISQL9"="c:\program files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" [2004-10-19 131072]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2008-03-18 2508072]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-03-17 2289664]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsgTranAgt"="c:\program files\ASUS\ATK Hotkey\MsgTranAgt.exe" [2008-08-18 117304]
"HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2008-08-18 98304]
"ATKHOTKEY"="c:\program files\ASUS\ATK Hotkey\HControl.exe" [2008-10-20 166456]
"ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2008-01-23 7766016]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"RTHDCPL"="RTHDCPL.EXE" [2008-10-08 17021440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-30 1343488]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMedia.exe" [2008-06-24 159744]
"ACU"="c:\program files\Atheros\ACU.exe" [2008-09-26 450648]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"ASUS Live Update"="c:\program files\ASUS\ASUS Live Update\ALU.exe" [2007-11-30 51768]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 90112]
"ADSMTray"="c:\program files\ASUS\ASUS Data Security Manager\ADSMTray.exe" [2008-03-31 266240]
"ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2008-01-15 851968]
"ASUS Camera ScreenSaver"="c:\windows\AsScrProlog.exe" [2009-03-26 47672]
"ASUS Screen Saver Protector"="c:\windows\ASScrPro.exe" [2009-03-26 33136]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2008-04-02 87336]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2008-02-22 62760]
"UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2012-01-27 2077536]
"Launcher"="c:\program files\Kyocera\FS-720 Utilities\KMGLNC.exe" [2005-04-15 53248]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-06 421736]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2007-7-17 49152]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2007-7-17 49152]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-16 576000]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\Peter\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2007-7-17 49152]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2007-7-17 49152]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Aspwdflt]
2008-04-19 13:41 1556480 ----a-w- c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-25 08:50 12536 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Sybase\\SQL Anywhere 9\\win32\\dbisqlg.exe"=
"c:\\Program Files\\Sybase\\Shared\\Sybase Central 4.3\\win32\\scjview.exe"=
"c:\\Program Files\\Sybase\\SQL Anywhere 9\\win32\\dbeng9.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [16/04/2009 8:26 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [16/04/2009 8:26 PM 243152]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [25/07/2010 6:20 PM 308136]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/03/2010 11:40 AM 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2/04/2012 8:34 PM 253600]
S3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [10/07/2012 8:08 AM 245760]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/03/2010 11:40 AM 135664]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [9/05/2012 6:36 AM 113120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-03-17 08:26 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 11:04]
.
2012-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 02:10]
.
2012-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 02:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://www.asus.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.100.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\an06yj98.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-02 07:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\ADSM_PData_0150
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1096)
c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(1152)
c:\program files\ASUS\ASUS Data Security Manager\ASPWDFLT.dll
.
- - - - - - - > 'explorer.exe'(16976)
c:\windows\system32\WININET.dll
c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt.dll
c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-08-02 07:03:09
ComboFix-quarantined-files.txt 2012-08-01 21:33
ComboFix2.txt 2012-07-30 09:38
ComboFix3.txt 2012-07-29 00:36
ComboFix4.txt 2012-07-27 22:28
ComboFix5.txt 2012-08-01 21:19
.
Pre-Run: 92,565,925,888 bytes free
Post-Run: 92,563,918,848 bytes free
.
- - End Of File - - 12A553765EF77F38EB241212451B63EA
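Both the CFScript stanza nasdaq posted earlier in this thread ("FuoHehfo"=- under the HKCU Run key) and the "Reg Loading Points" section of the ComboFix log above are written in REGEDIT4 syntax: a [KEY] header followed by "Name"="data" lines, and "Name"=- meaning "delete this value". The Python below is an added example, not ComboFix's own code and not from anyone in this thread. It parses both forms, shows which autostart entries a script would remove, and applies a simple triage heuristic (an assumption of mine, not a ComboFix rule) that flags Run entries pointing into user-writable profile folders. The sample log excerpt is constructed; the "FuoHehfo" path in it is a placeholder, since the thread never shows where that value pointed.

```python
"""Parse the REGEDIT4-style autostart listings ComboFix prints under
'Reg Loading Points' and the deletions a CFScript requests, then report
which entries the script would remove.  Added example, not ComboFix code."""
import re
from dataclasses import dataclass
from typing import Optional

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "Name"="data" [yyyy-mm-dd size]  (log form)   or   "Name"=-  (CFScript deletion)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<rest>.*)$')
DATA_RE = re.compile(
    r'^"(?P<path>[^"]*)"(?:\s*\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?$')


@dataclass(frozen=True)
class RegValue:
    key: str             # registry key as printed, e.g. HKEY_CURRENT_USER\...\Run
    name: str            # value name, e.g. Skype
    path: Optional[str]  # executable path, or None for a CFScript deletion ("=-")
    size: Optional[int]  # file size from the log's trailing [date size], if present

    @property
    def ident(self):
        # Registry keys and value names are case-insensitive, so compare lowered.
        return (self.key.lower(), self.name.lower())


def parse_reg_listing(text):
    """Return a RegValue for every value line that follows a [KEY] header.
    Blank lines and the lone '.' separators ComboFix prints are skipped;
    '@=' default values and the firewall list's '"path"=' lines are ignored."""
    values = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        rest = m.group("rest").strip()
        if rest == "-":                      # CFScript: delete this value
            values.append(RegValue(key, m.group("name"), None, None))
            continue
        d = DATA_RE.match(rest)
        if d:
            size = int(d.group("size")) if d.group("size") else None
            values.append(RegValue(key, m.group("name"), d.group("path"), size))
    return values


def apply_cfscript(log_values, script_text):
    """Return (kept, removed): the autostart entries that survive the script
    and those it deletes.  Only the '"Name"=-' deletion form is modelled."""
    deletions = {v.ident for v in parse_reg_listing(script_text) if v.path is None}
    removed = [v for v in log_values if v.ident in deletions]
    kept = [v for v in log_values if v.ident not in deletions]
    return kept, removed


# Heuristic (assumption): vendor software normally autostarts from Program Files
# or the Windows directory, so Run entries under per-user folders merit review.
USER_WRITABLE = ("local settings\\application data", "application data", "\\temp\\")


def flag_user_writable(values):
    return [v for v in values
            if v.path and any(s in v.path.lower() for s in USER_WRITABLE)]


# Constructed excerpt in the log's format.  Skype and AVG9_TRAY mirror entries in
# the thread's log; the FuoHehfo path is a placeholder, not a real observation.
SAMPLE_LOG = r"""
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-27 24103720]
"FuoHehfo"="c:\documents and settings\Administrator\Local Settings\Application Data\constructed_dir\sample.exe" [2012-07-16 12345]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2012-01-27 2077536]
.
"""

# The deletion stanza from the CFScript posted in this thread.
SAMPLE_SCRIPT = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FuoHehfo"=-
"""

if __name__ == "__main__":
    values = parse_reg_listing(SAMPLE_LOG)
    for v in flag_user_writable(values):
        print("review:", v.name, "->", v.path)
    kept, removed = apply_cfscript(values, SAMPLE_SCRIPT)
    print("removed:", [v.name for v in removed], "kept:", [v.name for v in kept])
```

Running it flags only the constructed FuoHehfo entry for review and reports that the script removes it while leaving Skype and AVG9_TRAY in place. The same parser runs unchanged over a real ComboFix log pasted into SAMPLE_LOG, because the section banners, REGEDIT4 header and "." separators are all ignored.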

#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,739 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:00 AM

Posted 02 August 2012 - 08:10 AM

Your log is clean.

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.



