Possible rootkit? Random computer freezes


  • This topic is locked
3 replies to this topic

#1 4Sloan09h8f

  • Members
  • 2 posts
  • OFFLINE
  • Local time: 01:59 PM

Posted 15 February 2013 - 03:52 AM

I have become a bit paranoid about internet security lately, so I hope I don't waste your time. Anyways, I ran gmer, which gave me a lot of results in the rootkit tab, none red. I have copy-pasted the dds.txt and gmer log, and attached the attach.txt file. Thanks for your time!

DDs.txt

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16464
Run by Desktop at 0:41:45 on 2013-02-15
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.12279.10181 [GMT -8:00]
.
AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Norton 360\Engine\20.1.0.24\ccSvcHst.exe
C:\Program Files (x86)\Norton 360\Engine\20.1.0.24\ccSvcHst.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\postgreSQL\bin\pg_ctl.exe
C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe
C:\Program Files (x86)\StrongVPN\StrongService.exe
c:\postgreSQL\bin\postgres.exe
C:\Program Files (x86)\Creative\Shared Files\CTSched.exe
C:\Windows\SysWOW64\Ctxfihlp.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\postgreSQL\bin\postgres.exe
c:\postgreSQL\bin\postgres.exe
c:\postgreSQL\bin\postgres.exe
c:\postgreSQL\bin\postgres.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\SysWOW64\CTXFISPI.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\20.1.0.24\CoIEPlg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\20.1.0.24\IPS\IPSBHO.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\20.1.0.24\CoIEPlg.dll
uRun: [CreativeTaskScheduler] "C:\Program Files (x86)\Creative\Shared Files\CTSched.exe" /logon
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AUTORU~1\BLUETO~1.LNK - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{41980E71-927D-4355-8A5D-876C286ADF0A} : DHCPNameServer = 192.168.1.1
SSODL: WebCheck - <orphaned>
x64-mStart Page = about:blank
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Desktop\AppData\Roaming\Mozilla\Firefox\Profiles\he7xh3c0.default\
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - ExtSQL: 2013-01-27 12:16; {73a6fe31-595d-460b-a920-fcc0f8843232}; C:\Users\Desktop\AppData\Roaming\Mozilla\Firefox\Profiles\he7xh3c0.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF - ExtSQL: 2013-02-14 21:29; {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\coFFPlgn
FF - ExtSQL: 2013-02-14 21:29; {BBDA0591-3099-440a-AA10-41764D9DB4DB}; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\IPSFFPlgn
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\N360x64\1401000.018\SymDS64.sys [2013-2-14 493216]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\N360x64\1401000.018\SymEFA64.sys [2013-2-14 1132192]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130208.001\BHDrvx64.sys [2013-2-8 1388120]
R1 ccSet_N360;Norton 360 Settings Manager;C:\Windows\System32\drivers\N360x64\1401000.018\ccSetx64.sys [2013-2-14 168096]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130214.001\IDSviA64.sys [2013-2-14 513184]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\N360x64\1401000.018\Ironx64.sys [2013-2-14 224416]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\N360x64\1401000.018\symnets.sys [2013-2-14 432800]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-12-19 240640]
R2 N360;Norton 360;C:\Program Files (x86)\Norton 360\Engine\20.1.0.24\ccSvcHst.exe [2013-2-14 143928]
R2 postgresql-8.4;postgresql-8.4 - PostgreSQL Server 8.4;c:/postgreSQL/bin/pg_ctl.exe runservice -N "postgresql-8.4" -D "c:/postgreSQL/data" -w --> c:/postgreSQL/bin/pg_ctl.exe runservice -N postgresql-8.4 [?]
R2 SiHbaWakeupService;SiI31xx HBA Wakeup Utility;C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe [2009-7-27 62464]
R2 StrongService;StrongService;C:\Program Files (x86)\StrongVPN\StrongService.exe [2013-1-27 27648]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-11-6 96256]
R3 CT20XUT.SYS;CT20XUT.SYS;C:\Windows\System32\drivers\CT20XUT.sys [2010-7-7 230488]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\Windows\System32\drivers\CTEXFIFX.sys [2010-7-7 1445976]
R3 CTHWIUT.SYS;CTHWIUT.SYS;C:\Windows\System32\drivers\CTHWIUT.sys [2010-7-7 95320]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-2-14 138912]
R3 ha20x22k;Creative 20X2 HAL Driver;C:\Windows\System32\drivers\ha20x22k.sys [2010-7-7 1612888]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2009-10-16 321064]
R3 tapstrong;StrongVPN Adapter;C:\Windows\System32\drivers\tapstrong.sys [2013-1-27 35520]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 btwampfl;Bluetooth AMP USB Filter;C:\Windows\System32\drivers\btwampfl.sys [2013-1-26 344616]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2013-1-26 39464]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2013-1-26 79360]
S3 CT20XUT;CT20XUT;C:\Windows\System32\drivers\CT20XUT.sys [2010-7-7 230488]
S3 CTEXFIFX;CTEXFIFX;C:\Windows\System32\drivers\CTEXFIFX.sys [2010-7-7 1445976]
S3 CTHWIUT;CTHWIUT;C:\Windows\System32\drivers\CTHWIUT.sys [2010-7-7 95320]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-1-28 19456]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-1-28 57856]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-1-26 1255736]
.
=============== Created Last 30 ================
.
2013-02-15 07:05:18    --------    d-sh--w-    C:\$RECYCLE.BIN
2013-02-15 06:50:17    98816    ----a-w-    C:\Windows\sed.exe
2013-02-15 06:50:17    256000    ----a-w-    C:\Windows\PEV.exe
2013-02-15 06:50:17    208896    ----a-w-    C:\Windows\MBR.exe
2013-02-15 06:37:50    43680    ----a-r-    C:\Windows\System32\drivers\SymIMV.sys
2013-02-15 06:02:11    --------    d-----w-    C:\Program Files (x86)\Common Files\Symantec Shared
2013-02-15 05:44:41    177312    ----a-w-    C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2013-02-15 05:44:41    --------    d-----w-    C:\Program Files\Symantec
2013-02-15 05:44:41    --------    d-----w-    C:\Program Files\Common Files\Symantec Shared
2013-02-15 05:44:07    776352    ----a-r-    C:\Windows\System32\drivers\N360x64\1401000.018\srtsp64.sys
2013-02-15 05:44:07    493216    ----a-r-    C:\Windows\System32\drivers\N360x64\1401000.018\SymDS64.sys
2013-02-15 05:44:07    432800    ----a-r-    C:\Windows\System32\drivers\N360x64\1401000.018\symnets.sys
2013-02-15 05:44:07    37496    ----a-r-    C:\Windows\System32\drivers\N360x64\1401000.018\srtspx64.sys
2013-02-15 05:44:07    23448    ----a-r-    C:\Windows\System32\drivers\N360x64\1401000.018\SymELAM.sys
2013-02-15 05:44:07    224416    ----a-r-    C:\Windows\System32\drivers\N360x64\1401000.018\Ironx64.sys
2013-02-15 05:44:07    1132192    ----a-r-    C:\Windows\System32\drivers\N360x64\1401000.018\SymEFA64.sys
2013-02-15 05:44:06    168096    ----a-r-    C:\Windows\System32\drivers\N360x64\1401000.018\ccSetx64.sys
2013-02-15 05:43:50    --------    d-----w-    C:\Windows\System32\drivers\N360x64\1401000.018
2013-02-15 05:43:50    --------    d-----w-    C:\Windows\System32\drivers\N360x64
2013-02-15 05:43:48    --------    d-----w-    C:\Program Files (x86)\Norton 360
2013-02-15 05:43:41    --------    d-----w-    C:\Program Files (x86)\NortonInstaller
2013-02-15 05:41:15    --------    d-----w-    C:\Users\Desktop\AppData\Local\CrashDumps
2013-02-15 05:27:55    --------    d-----w-    C:\ProgramData\Norton
2013-02-15 05:27:45    --------    d-----w-    C:\ProgramData\NortonInstaller
2013-02-15 03:45:01    --------    d-----w-    C:\Users\Desktop\AppData\Roaming\SUPERAntiSpyware.com
2013-02-14 00:46:47    996352    ----a-w-    C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-14 00:46:47    768000    ----a-w-    C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-14 00:44:59    5553512    ----a-w-    C:\Windows\System32\ntoskrnl.exe
2013-02-14 00:44:58    3967848    ----a-w-    C:\Windows\SysWow64\ntkrnlpa.exe
2013-02-14 00:44:58    3913064    ----a-w-    C:\Windows\SysWow64\ntoskrnl.exe
2013-02-14 00:44:55    3153408    ----a-w-    C:\Windows\System32\win32k.sys
2013-02-14 00:44:52    7680    ----a-w-    C:\Windows\SysWow64\instnm.exe
2013-02-14 00:44:52    5120    ----a-w-    C:\Windows\SysWow64\wow32.dll
2013-02-14 00:44:52    25600    ----a-w-    C:\Windows\SysWow64\setup16.exe
2013-02-14 00:44:52    215040    ----a-w-    C:\Windows\System32\winsrv.dll
2013-02-14 00:44:52    2048    ----a-w-    C:\Windows\SysWow64\user.exe
2013-02-14 00:44:52    14336    ----a-w-    C:\Windows\SysWow64\ntvdm64.dll
2013-02-14 00:44:50    288088    ----a-w-    C:\Windows\System32\drivers\FWPKCLNT.SYS
2013-02-14 00:44:50    1913192    ----a-w-    C:\Windows\System32\drivers\tcpip.sys
2013-02-13 00:54:26    --------    d-----w-    C:\ProgramData\SUPERAntiSpyware.com
2013-02-13 00:54:26    --------    d-----w-    C:\Program Files\SUPERAntiSpyware
2013-02-12 06:55:58    9161176    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{AB21C4AC-D401-481B-9C02-F07E4C295345}\mpengine.dll
2013-02-12 05:47:03    --------    d-----r-    C:\Backup
2013-02-12 05:45:12    85048    ----a-w-    C:\Windows\System32\drivers\CSCrySec.sys
2013-02-12 05:45:12    66104    ----a-w-    C:\Windows\System32\drivers\CSVirtualDiskDrv.sys
2013-02-12 05:44:37    --------    d-----w-    C:\ProgramData\Kaspersky Lab
2013-02-12 02:08:39    --------    d-----w-    C:\Users\Desktop\AppData\Roaming\ESET
2013-02-12 02:08:39    --------    d-----w-    C:\Users\Desktop\AppData\Local\ESET
2013-02-06 18:13:28    --------    d-----w-    C:\Users\Desktop\AppData\Roaming\.strongvpn
2013-02-06 16:10:07    --------    d-----w-    C:\Program Files (x86)\ESET
2013-02-06 08:29:19    --------    d-----w-    C:\Users\Desktop\AppData\Local\Google
2013-02-06 08:27:17    --------    d-----w-    C:\ProgramData\AVAST Software
2013-02-06 08:27:17    --------    d-----w-    C:\Program Files\AVAST Software
2013-02-05 11:48:19    --------    d-----w-    C:\Users\Desktop\AppData\Local\FullTiltPoker
2013-02-05 10:45:38    --------    d-----w-    C:\Users\Desktop\AppData\Roaming\Wireshark
2013-02-05 10:27:09    --------    d-----w-    C:\Program Files (x86)\WinPcap
2013-02-05 10:26:45    --------    d-----w-    C:\Program Files\Wireshark
2013-02-05 03:23:44    --------    d-----w-    C:\Desktop
2013-02-04 04:32:55    --------    d-----w-    C:\found.000
2013-02-04 02:58:19    --------    d-----w-    C:\ProgramData\BDLogging
2013-02-04 02:58:09    511328    ----a-w-    C:\Windows\capicom.dll
2013-02-04 02:58:08    1721576    ----a-w-    C:\Windows\System32\WdfCoInstaller01009.dll
2013-02-04 02:56:11    --------    d-----w-    C:\Users\Desktop\AppData\Roaming\QuickScan
2013-02-04 02:55:43    --------    d-----w-    C:\Program Files\Bitdefender
2013-02-04 02:55:23    --------    d-----w-    C:\Program Files\Common Files\Bitdefender
2013-02-04 02:23:37    9161176    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2013-02-04 02:13:20    --------    d-----w-    C:\Program Files (x86)\Common Files\Bitdefender
2013-02-04 01:13:29    --------    d-----w-    C:\Users\Desktop\AppData\Roaming\Malwarebytes
2013-02-04 01:13:20    --------    d-----w-    C:\ProgramData\Malwarebytes
2013-02-04 00:54:59    --------    d-----w-    C:\Users\Desktop\AppData\Local\ElevatedDiagnostics
2013-02-01 11:00:24    294912    ----a-w-    C:\Windows\System32\browserchoice.exe
2013-01-31 18:06:44    74248    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-31 18:06:44    697864    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2013-01-29 02:53:01    458712    ----a-w-    C:\Windows\System32\drivers\cng.sys
2013-01-29 02:53:01    340992    ----a-w-    C:\Windows\System32\schannel.dll
2013-01-29 02:53:01    247808    ----a-w-    C:\Windows\SysWow64\schannel.dll
2013-01-29 02:53:01    154480    ----a-w-    C:\Windows\System32\drivers\ksecpkg.sys
2013-01-29 02:53:01    1448448    ----a-w-    C:\Windows\System32\lsasrv.dll
2013-01-29 02:53:00    96768    ----a-w-    C:\Windows\SysWow64\sspicli.dll
2013-01-29 02:53:00    22016    ----a-w-    C:\Windows\SysWow64\secur32.dll
2013-01-29 02:52:58    514560    ----a-w-    C:\Windows\SysWow64\qdvd.dll
2013-01-29 02:52:58    366592    ----a-w-    C:\Windows\System32\qdvd.dll
2013-01-29 01:39:43    --------    d-----w-    C:\Program Files\CCleaner
2013-01-29 01:32:31    --------    d-----w-    C:\Poker
2013-01-29 01:21:38    --------    d-----w-    C:\50637648d20f947480
2013-01-27 21:41:05    --------    d-----w-    C:\Users\Desktop\AppData\Local\Hold'em_Manager
2013-01-27 21:41:01    --------    d-----w-    C:\HM2Archive
2013-01-27 21:40:55    --------    d-----w-    C:\Users\Desktop\AppData\Roaming\HEM Data
2013-01-27 21:36:13    --------    d-----w-    C:\Users\Desktop\AppData\Local\IsolatedStorage
2013-01-27 21:36:13    --------    d-----w-    C:\ProgramData\XHEO INC
2013-01-27 21:36:10    --------    d-----w-    C:\Users\Desktop\AppData\Roaming\HoldemManager
2013-01-27 21:31:43    --------    d-----w-    C:\Program Files (x86)\Holdem Manager 2
2013-01-27 21:29:06    --------    d-----w-    C:\postgreSQL
2013-01-27 21:28:05    --------    d-----w-    C:\Program Files (x86)\PSQLINSTALL
2013-01-27 21:16:00    35520    ----a-w-    C:\Windows\System32\drivers\tapstrong.sys
2013-01-27 21:16:00    --------    d-----w-    C:\Program Files (x86)\StrongVPN
2013-01-27 21:15:51    --------    d-----w-    C:\Users\Desktop\AppData\Local\Programs
2013-01-27 20:37:55    --------    d-----w-    C:\Users\Desktop\AppData\Roaming\KeePass
2013-01-27 20:32:42    --------    d-----w-    C:\Program Files (x86)\KeePass Password Safe 2
2013-01-27 20:15:58    --------    d-----w-    C:\Users\Desktop\AppData\Local\Mozilla
2013-01-27 20:15:53    --------    d-----w-    C:\Program Files (x86)\Mozilla Maintenance Service
2013-01-27 19:49:07    --------    d-----w-    C:\Windows\System32\SPReview
2013-01-27 19:48:07    --------    d-----w-    C:\Windows\System32\EventProviders
2013-01-27 19:39:06    7450888    ----a-w-    C:\Program Files (x86)\Common Files\Windows Live\.cache\f79b0a3f1cdfcc549\bingbarsetup.exe
2013-01-27 19:37:31    15712    ----a-w-    C:\Program Files (x86)\Common Files\Windows Live\.cache\bf634a871cdfcc53b\MeshBetaRemover.exe
2013-01-27 19:35:48    89944    ----a-w-    C:\Program Files (x86)\Common Files\Windows Live\.cache\81ed02b31cdfcc52d\DSETUP.dll
2013-01-27 19:35:48    537432    ----a-w-    C:\Program Files (x86)\Common Files\Windows Live\.cache\81ed02b31cdfcc52d\DXSETUP.exe
2013-01-27 19:35:48    1801048    ----a-w-    C:\Program Files (x86)\Common Files\Windows Live\.cache\81ed02b31cdfcc52d\dsetup32.dll
2013-01-27 19:35:43    94040    ----a-w-    C:\Program Files (x86)\Common Files\Windows Live\.cache\7e8a8dd01cdfcc52c\DSETUP.dll
2013-01-27 19:35:43    525656    ----a-w-    C:\Program Files (x86)\Common Files\Windows Live\.cache\7e8a8dd01cdfcc52c\DXSETUP.exe
2013-01-27 19:35:43    1691480    ----a-w-    C:\Program Files (x86)\Common Files\Windows Live\.cache\7e8a8dd01cdfcc52c\dsetup32.dll
2013-01-27 19:33:19    6260088    ----a-w-    C:\Program Files (x86)\Common Files\Windows Live\.cache\2893fc0b1cdfcc518\Silverlight.4.0.exe
2013-01-27 19:30:46    --------    d-----w-    C:\Users\Desktop\AppData\Local\Windows Live
2013-01-27 19:30:45    --------    d-----w-    C:\Program Files (x86)\Common Files\Windows Live
2013-01-27 19:28:58    261632    ----a-w-    C:\Windows\System32\drivers\netbt.sys
2013-01-27 19:27:59    726528    ----a-w-    C:\Windows\System32\appwiz.cpl
2013-01-27 19:26:59    244736    ----a-w-    C:\Windows\System32\sqmapi.dll
2013-01-27 10:46:19    --------    d-----w-    C:\f4d4817fce16dad5ab9ada2d97
2013-01-27 07:10:39    --------    d-----w-    C:\Users\Desktop\AppData\Local\WindowsUpdate
2013-01-27 06:58:35    --------    d-----w-    C:\Users\Desktop\AppData\Local\ATI
2013-01-27 06:55:19    902656    ----a-w-    C:\Windows\System32\d2d1.dll
2013-01-27 06:55:19    739840    ----a-w-    C:\Windows\SysWow64\d2d1.dll
2013-01-27 06:55:19    1139200    ----a-w-    C:\Windows\System32\FntCache.dll
2013-01-27 06:43:35    --------    d-----w-    C:\Windows\SysWow64\Wat
2013-01-27 06:43:34    --------    d-----w-    C:\Windows\System32\Wat
2013-01-27 05:48:17    9728    ----a-w-    C:\Windows\System32\Wdfres.dll
2013-01-27 05:48:17    785512    ----a-w-    C:\Windows\System32\drivers\Wdf01000.sys
2013-01-27 05:48:17    54376    ----a-w-    C:\Windows\System32\drivers\WdfLdr.sys
2013-01-27 05:48:17    2560    ----a-w-    C:\Windows\System32\drivers\en-US\wdf01000.sys.mui
2013-01-27 05:33:25    70656    ----a-w-    C:\Windows\SysWow64\fontsub.dll
2013-01-27 05:33:25    46080    ----a-w-    C:\Windows\System32\atmlib.dll
2013-01-27 05:33:25    367616    ----a-w-    C:\Windows\System32\atmfd.dll
2013-01-27 05:33:25    34304    ----a-w-    C:\Windows\SysWow64\atmlib.dll
2013-01-27 05:33:25    295424    ----a-w-    C:\Windows\SysWow64\atmfd.dll
2013-01-27 05:33:25    100864    ----a-w-    C:\Windows\System32\fontsub.dll
2013-01-27 05:32:49    87040    ----a-w-    C:\Windows\System32\drivers\WUDFPf.sys
2013-01-27 05:32:49    84992    ----a-w-    C:\Windows\System32\WUDFSvc.dll
2013-01-27 05:32:49    744448    ----a-w-    C:\Windows\System32\WUDFx.dll
2013-01-27 05:32:49    45056    ----a-w-    C:\Windows\System32\WUDFCoinstaller.dll
2013-01-27 05:32:49    229888    ----a-w-    C:\Windows\System32\WUDFHost.exe
2013-01-27 05:32:49    198656    ----a-w-    C:\Windows\System32\drivers\WUDFRd.sys
2013-01-27 05:32:49    194048    ----a-w-    C:\Windows\System32\WUDFPlatform.dll
2013-01-27 05:30:20    81408    ----a-w-    C:\Windows\System32\imagehlp.dll
2013-01-27 05:30:20    23408    ----a-w-    C:\Windows\System32\drivers\fs_rec.sys
2013-01-27 05:30:20    159232    ----a-w-    C:\Windows\SysWow64\imagehlp.dll
2013-01-27 05:30:19    5120    ----a-w-    C:\Windows\SysWow64\wmi.dll
2013-01-27 05:30:19    5120    ----a-w-    C:\Windows\System32\wmi.dll
2013-01-27 05:26:46    778752    ----a-w-    C:\Windows\System32\mssvp.dll
2013-01-27 05:25:59    2048    ----a-w-    C:\Windows\SysWow64\tzres.dll
2013-01-27 05:16:14    723456    ----a-w-    C:\Windows\System32\EncDec.dll
2013-01-27 05:15:58    503808    ----a-w-    C:\Windows\System32\srcore.dll
2013-01-27 05:14:45    273840    ------w-    C:\Windows\System32\MpSigStub.exe
2013-01-27 05:14:20    1464320    ----a-w-    C:\Windows\System32\crypt32.dll
2013-01-27 05:14:19    184320    ----a-w-    C:\Windows\System32\cryptsvc.dll
2013-01-27 05:14:19    140288    ----a-w-    C:\Windows\SysWow64\cryptsvc.dll
2013-01-27 05:14:19    140288    ----a-w-    C:\Windows\System32\cryptnet.dll
2013-01-27 05:14:19    1159680    ----a-w-    C:\Windows\SysWow64\crypt32.dll
2013-01-27 05:14:19    103936    ----a-w-    C:\Windows\SysWow64\cryptnet.dll
2013-01-27 05:14:10    77312    ----a-w-    C:\Windows\System32\packager.dll
2013-01-27 05:14:10    67072    ----a-w-    C:\Windows\SysWow64\packager.dll
2013-01-27 05:12:58    826880    ----a-w-    C:\Windows\SysWow64\rdpcore.dll
2013-01-27 05:12:58    23552    ----a-w-    C:\Windows\System32\drivers\tdtcp.sys
2013-01-27 05:12:58    1031680    ----a-w-    C:\Windows\System32\rdpcore.dll
2013-01-27 05:08:36    2622464    ----a-w-    C:\Windows\System32\wucltux.dll
2013-01-27 05:08:30    99840    ----a-w-    C:\Windows\System32\wudriver.dll
2013-01-27 05:08:24    36864    ----a-w-    C:\Windows\System32\wuapp.exe
2013-01-27 05:08:24    186752    ----a-w-    C:\Windows\System32\wuwebv.dll
2013-01-27 04:58:40    --------    d-----w-    C:\Users\Desktop\AppData\Local\Broadcom
2013-01-27 04:57:54    39464    ----a-w-    C:\Windows\System32\drivers\btwl2cap.sys
2013-01-27 04:57:54    344616    ----a-w-    C:\Windows\System32\drivers\btwampfl.sys
2013-01-27 04:57:54    21544    ----a-w-    C:\Windows\System32\drivers\btwrchid.sys
2013-01-27 04:57:54    135720    ----a-w-    C:\Windows\System32\drivers\btwavdt.sys
2013-01-27 04:57:53    102952    ----a-w-    C:\Windows\System32\drivers\btwaudio.sys
2013-01-27 04:56:41    --------    d-----w-    C:\Program Files\WIDCOMM
2013-01-27 04:13:19    --------    d-----w-    C:\Program Files (x86)\Silicon Image
2013-01-27 04:05:31    --------    d-----w-    C:\Program Files\Broadcom
2013-01-27 03:53:42    --------    d-----w-    C:\Users\Desktop\AppData\Local\Downloaded Installations
2013-01-27 03:47:27    7062    ----a-w-    C:\Windows\SysWow64\audiopid.vxd
2013-01-27 03:47:04    --------    d--h--w-    C:\Program Files (x86)\Creative Installation Information
2013-01-27 03:47:04    --------    d-----w-    C:\Program Files (x86)\Common Files\Creative
2013-01-27 03:42:50    0    ----a-w-    C:\Windows\ativpsrm.bin
2013-01-27 03:40:19    --------    d-----w-    C:\ProgramData\AMD
2013-01-27 03:40:18    --------    d-----w-    C:\Program Files (x86)\AMD AVT
2013-01-27 03:40:16    --------    d-----w-    C:\Program Files (x86)\AMD APP
2013-01-27 03:40:13    --------    d-----w-    C:\Program Files\Common Files\ATI Technologies
2013-01-27 03:40:13    --------    d-----w-    C:\Program Files (x86)\Common Files\ATI Technologies
2013-01-27 03:39:18    --------    d-----w-    C:\Program Files (x86)\ATI Technologies
2013-01-27 03:39:15    --------    d-sh--w-    C:\Windows\Installer
2013-01-27 03:39:07    --------    d-----w-    C:\Program Files\ATI Technologies
2013-01-27 03:39:05    --------    d-----w-    C:\Program Files\ATI
2013-01-27 03:38:35    --------    d-----w-    C:\AMD
2013-01-27 01:31:55    53248    ----a-w-    C:\Windows\SysWow64\CSVer.dll
2013-01-27 01:31:50    --------    d-----w-    C:\Intel
2013-01-27 01:31:31    --------    d-----w-    C:\dell
2013-01-26 23:01:43    --------    d-----w-    C:\Windows\Panther
.
==================== Find3M  ====================
.
2013-01-27 19:52:55    152576    ----a-w-    C:\Windows\SysWow64\msclmd.dll
2013-01-27 19:52:54    175616    ----a-w-    C:\Windows\System32\msclmd.dll
2013-01-27 03:46:25    466520    ----a-w-    C:\Windows\System32\wrap_oal.dll
2013-01-27 03:46:25    445016    ----a-w-    C:\Windows\SysWow64\wrap_oal.dll
2013-01-27 03:46:25    123480    ----a-w-    C:\Windows\System32\OpenAL32.dll
2013-01-27 03:46:25    109144    ----a-w-    C:\Windows\SysWow64\OpenAL32.dll
2013-01-09 01:19:09    2312704    ----a-w-    C:\Windows\System32\jscript9.dll
2013-01-09 01:12:03    1392128    ----a-w-    C:\Windows\System32\wininet.dll
2013-01-09 01:11:06    1494528    ----a-w-    C:\Windows\System32\inetcpl.cpl
2013-01-09 01:07:51    173056    ----a-w-    C:\Windows\System32\ieUnatt.exe
2013-01-09 01:07:47    599040    ----a-w-    C:\Windows\System32\vbscript.dll
2013-01-09 01:04:42    2382848    ----a-w-    C:\Windows\System32\mshtml.tlb
2013-01-08 22:11:21    1800704    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2013-01-08 22:03:20    1129472    ----a-w-    C:\Windows\SysWow64\wininet.dll
2013-01-08 22:03:12    1427968    ----a-w-    C:\Windows\SysWow64\inetcpl.cpl
2013-01-08 21:59:02    142848    ----a-w-    C:\Windows\SysWow64\ieUnatt.exe
2013-01-08 21:58:29    420864    ----a-w-    C:\Windows\SysWow64\vbscript.dll
2013-01-08 21:56:23    2382848    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2013-01-04 04:43:21    44032    ----a-w-    C:\Windows\apppatch\acwow64.dll
2012-12-21 21:09:24    59440    ----a-w-    C:\Windows\System32\drivers\EpfwLWF.sys
2012-12-19 23:45:12    222720    ----a-w-    C:\Windows\System32\clinfo.exe
2012-12-19 23:44:48    76288    ----a-w-    C:\Windows\System32\OpenVideo64.dll
2012-12-19 23:44:42    65536    ----a-w-    C:\Windows\SysWow64\OpenVideo.dll
2012-12-19 23:44:36    64000    ----a-w-    C:\Windows\System32\OVDecode64.dll
2012-12-19 23:44:32    56320    ----a-w-    C:\Windows\SysWow64\OVDecode.dll
2012-12-19 23:44:20    34518016    ----a-w-    C:\Windows\System32\amdocl64.dll
2012-12-19 23:38:48    28732928    ----a-w-    C:\Windows\SysWow64\amdocl.dll
2012-12-19 23:34:40    54784    ----a-w-    C:\Windows\System32\OpenCL.dll
2012-12-19 23:34:38    50176    ----a-w-    C:\Windows\SysWow64\OpenCL.dll
2012-12-19 20:50:14    5630200    ----a-w-    C:\Windows\SysWow64\atiumdag.dll
2012-12-19 20:48:48    11278336    ----a-w-    C:\Windows\System32\drivers\atikmdag.sys
2012-12-19 20:29:36    23461376    ----a-w-    C:\Windows\System32\atio6axx.dll
2012-12-19 20:22:50    70144    ----a-w-    C:\Windows\System32\coinst_9.012.dll
2012-12-19 20:19:46    163840    ----a-w-    C:\Windows\System32\atiapfxx.exe
2012-12-19 20:18:04    51200    ----a-w-    C:\Windows\System32\aticalrt64.dll
2012-12-19 20:18:02    46080    ----a-w-    C:\Windows\SysWow64\aticalrt.dll
2012-12-19 20:17:54    44544    ----a-w-    C:\Windows\System32\aticalcl64.dll
2012-12-19 20:17:52    44032    ----a-w-    C:\Windows\SysWow64\aticalcl.dll
2012-12-19 20:17:40    16082944    ----a-w-    C:\Windows\System32\aticaldd64.dll
2012-12-19 20:13:24    13703168    ----a-w-    C:\Windows\SysWow64\aticaldd.dll
2012-12-19 20:12:44    18982400    ----a-w-    C:\Windows\SysWow64\atioglxx.dll
2012-12-19 20:09:52    960512    ----a-w-    C:\Windows\SysWow64\aticfx32.dll
2012-12-19 20:08:04    1151488    ----a-w-    C:\Windows\System32\aticfx64.dll
2012-12-19 20:06:00    6681088    ----a-w-    C:\Windows\SysWow64\atidxx32.dll
2012-12-19 19:59:44    5087744    ----a-w-    C:\Windows\System32\atiumd6a.dll
2012-12-19 19:57:00    442368    ----a-w-    C:\Windows\System32\atidemgy.dll
2012-12-19 19:56:46    550912    ----a-w-    C:\Windows\System32\atieclxx.exe
2012-12-19 19:56:00    240640    ----a-w-    C:\Windows\System32\atiesrxx.exe
2012-12-19 19:54:38    120320    ----a-w-    C:\Windows\System32\atitmm64.dll
2012-12-19 19:54:22    21504    ----a-w-    C:\Windows\System32\atimuixx.dll
2012-12-19 19:54:18    59392    ----a-w-    C:\Windows\System32\atiedu64.dll
2012-12-19 19:54:12    43520    ----a-w-    C:\Windows\SysWow64\ati2edxx.dll
2012-12-19 19:49:00    7370752    ----a-w-    C:\Windows\System32\atidxx64.dll
2012-12-19 19:44:28    4162048    ----a-w-    C:\Windows\SysWow64\atiumdva.dll
2012-12-19 19:44:12    6786560    ----a-w-    C:\Windows\System32\atiumd64.dll
2012-12-19 19:33:50    56320    ----a-w-    C:\Windows\System32\atimpc64.dll
2012-12-19 19:33:50    56320    ----a-w-    C:\Windows\System32\amdpcom64.dll
2012-12-19 19:33:42    619008    ----a-w-    C:\Windows\System32\atiadlxx.dll
2012-12-19 19:33:40    56832    ----a-w-    C:\Windows\SysWow64\atimpc32.dll
2012-12-19 19:33:40    56832    ----a-w-    C:\Windows\SysWow64\amdpcom32.dll
2012-12-19 19:33:32    421888    ----a-w-    C:\Windows\SysWow64\atiadlxy.dll
2012-12-19 19:33:18    17920    ----a-w-    C:\Windows\System32\atig6pxx.dll
2012-12-19 19:33:14    14848    ----a-w-    C:\Windows\SysWow64\atiglpxx.dll
2012-12-19 19:33:14    14848    ----a-w-    C:\Windows\System32\atiglpxx.dll
2012-12-19 19:33:10    41984    ----a-w-    C:\Windows\System32\atig6txx.dll
2012-12-19 19:33:04    33280    ----a-w-    C:\Windows\SysWow64\atigktxx.dll
2012-12-19 19:32:54    552960    ----a-w-    C:\Windows\System32\drivers\atikmpag.sys
2012-12-19 19:31:14    130048    ----a-w-    C:\Windows\System32\atiuxp64.dll
2012-12-19 19:31:08    109568    ----a-w-    C:\Windows\SysWow64\atiuxpag.dll
2012-12-19 19:31:00    104448    ----a-w-    C:\Windows\System32\atiu9p64.dll
2012-12-19 19:30:52    83968    ----a-w-    C:\Windows\SysWow64\atiu9pag.dll
2012-12-19 19:30:16    53248    ----a-w-    C:\Windows\System32\drivers\ati2erec.dll
2012-12-07 13:20:16    441856    ----a-w-    C:\Windows\System32\Wpc.dll
2012-12-07 13:15:31    2746368    ----a-w-    C:\Windows\System32\gameux.dll
2012-12-07 12:26:17    308736    ----a-w-    C:\Windows\SysWow64\Wpc.dll
2012-12-07 12:20:43    2576384    ----a-w-    C:\Windows\SysWow64\gameux.dll
2012-12-07 11:20:04    30720    ----a-w-    C:\Windows\System32\usk.rs
2012-12-07 11:20:03    43520    ----a-w-    C:\Windows\System32\csrr.rs
2012-12-07 11:20:03    23552    ----a-w-    C:\Windows\System32\oflc.rs
2012-12-07 11:20:01    45568    ----a-w-    C:\Windows\System32\oflc-nz.rs
2012-12-07 11:20:01    44544    ----a-w-    C:\Windows\System32\pegibbfc.rs
2012-12-07 11:20:01    20480    ----a-w-    C:\Windows\System32\pegi-fi.rs
2012-12-07 11:20:00    20480    ----a-w-    C:\Windows\System32\pegi-pt.rs
2012-12-07 11:19:59    20480    ----a-w-    C:\Windows\System32\pegi.rs
2012-12-07 11:19:58    46592    ----a-w-    C:\Windows\System32\fpb.rs
2012-12-07 11:19:57    40960    ----a-w-    C:\Windows\System32\cob-au.rs
2012-12-07 11:19:57    21504    ----a-w-    C:\Windows\System32\grb.rs
2012-12-07 11:19:57    15360    ----a-w-    C:\Windows\System32\djctq.rs
2012-12-07 11:19:56    55296    ----a-w-    C:\Windows\System32\cero.rs
2012-12-07 11:19:55    51712    ----a-w-    C:\Windows\System32\esrb.rs
2012-11-30 05:45:35    362496    ----a-w-    C:\Windows\System32\wow64win.dll
2012-11-30 05:45:35    243200    ----a-w-    C:\Windows\System32\wow64.dll
2012-11-30 05:45:35    13312    ----a-w-    C:\Windows\System32\wow64cpu.dll
2012-11-30 05:43:12    16384    ----a-w-    C:\Windows\System32\ntvdm64.dll
2012-11-30 05:41:07    424448    ----a-w-    C:\Windows\System32\KernelBase.dll
2012-11-30 04:53:59    274944    ----a-w-    C:\Windows\SysWow64\KernelBase.dll
2012-11-30 03:23:48    338432    ----a-w-    C:\Windows\System32\conhost.exe
2012-11-30 02:38:59    6144    ---ha-w-    C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-11-30 02:38:59    4608    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 02:38:59    3584    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
.
============= FINISH:  0:42:10.86 ===============

GMER quick scan:
GMER 2.1.18952 - http://www.gmer.net
Rootkit scan 2013-02-14 23:46:18
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST350041 rev.CC45 465.76GB
Running: hcy9b4ym.exe; Driver: C:\Users\Desktop\AppData\Local\Temp\fglorpog.sys
---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                       00000000776bfc90 5 bytes JMP 000000010028091c
.text  C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                     00000000776bfdf4 5 bytes JMP 0000000100280048
.text  C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                              00000000776bfe88 5 bytes JMP 00000001002802ee
.text  C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                           00000000776bffe4 5 bytes JMP 00000001002804b2
.text  C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                   00000000776c0018 5 bytes JMP 00000001002809fe
.text  C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                           00000000776c0048 5 bytes JMP 0000000100280ae0
.text  C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                        00000000776c0064 5 bytes JMP 000000010002004c
.text  C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                           00000000776c077c 5 bytes JMP 000000010028012a
.text  C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                               00000000776c086c 5 bytes JMP 0000000100280758
.text  C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                         00000000776c0884 5 bytes JMP 0000000100280676
.text  C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                             00000000776c0dd4 5 bytes JMP 00000001002803d0
.text  C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                       00000000776c1900 5 bytes JMP 0000000100280594
.text  C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                   00000000776c1bc4 5 bytes JMP 000000010028083a
.text  C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                          00000000776c1d50 5 bytes JMP 000000010028020c
.text  C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1036] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                              0000000076551492 7 bytes JMP 00000001002a059e
.text  C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1036] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                         000000007621524f 7 bytes JMP 0000000100280f52
.text  C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1036] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                             00000000762153d0 7 bytes JMP 00000001002a0210
.text  C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1036] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                            0000000076215677 1 byte JMP 00000001002a0048
.text  C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1036] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                            0000000076215679 5 bytes {JMP 0xffffffff8a08a9d1}
.text  C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1036] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                                   000000007621589a 7 bytes JMP 0000000100280ca6
.text  C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1036] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                                   0000000076215a1d 7 bytes JMP 00000001002a03d8
.text  C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1036] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                              0000000076215c9b 7 bytes JMP 00000001002a012c
.text  C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1036] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                                0000000076215d87 7 bytes JMP 00000001002a02f4
.text  C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1036] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                               0000000076217240 7 bytes JMP 0000000100280e6e
.text  c:\postgreSQL\bin\pg_ctl.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                                    00000000776bfc90 5 bytes JMP 000000010038091c
.text  c:\postgreSQL\bin\pg_ctl.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                                  00000000776bfdf4 5 bytes JMP 0000000100380048
.text  c:\postgreSQL\bin\pg_ctl.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                                                           00000000776bfe88 5 bytes JMP 00000001003802ee
.text  c:\postgreSQL\bin\pg_ctl.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                                        00000000776bffe4 5 bytes JMP 00000001003804b2
.text  c:\postgreSQL\bin\pg_ctl.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                                00000000776c0018 5 bytes JMP 00000001003809fe
.text  c:\postgreSQL\bin\pg_ctl.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                                                        00000000776c0048 5 bytes JMP 0000000100380ae0
.text  c:\postgreSQL\bin\pg_ctl.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                                     00000000776c0064 5 bytes JMP 000000010036004c
.text  c:\postgreSQL\bin\pg_ctl.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                                                        00000000776c077c 5 bytes JMP 000000010038012a
.text  c:\postgreSQL\bin\pg_ctl.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                                            00000000776c086c 5 bytes JMP 0000000100380758
.text  c:\postgreSQL\bin\pg_ctl.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                                      00000000776c0884 5 bytes JMP 0000000100380676
.text  c:\postgreSQL\bin\pg_ctl.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                                          00000000776c0dd4 5 bytes JMP 00000001003803d0
.text  c:\postgreSQL\bin\pg_ctl.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                                    00000000776c1900 5 bytes JMP 0000000100380594
.text  c:\postgreSQL\bin\pg_ctl.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                                00000000776c1bc4 5 bytes JMP 000000010038083a
.text  c:\postgreSQL\bin\pg_ctl.exe[1444] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                                                       00000000776c1d50 5 bytes JMP 000000010038020c
.text  c:\postgreSQL\bin\pg_ctl.exe[1444] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                                                      000000007621524f 7 bytes JMP 0000000100380f52
.text  c:\postgreSQL\bin\pg_ctl.exe[1444] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                                                          00000000762153d0 7 bytes JMP 0000000100390210
.text  c:\postgreSQL\bin\pg_ctl.exe[1444] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                                                         0000000076215677 1 byte JMP 0000000100390048
.text  c:\postgreSQL\bin\pg_ctl.exe[1444] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                                                         0000000076215679 5 bytes {JMP 0xffffffff8a17a9d1}
.text  c:\postgreSQL\bin\pg_ctl.exe[1444] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                                                                000000007621589a 7 bytes JMP 0000000100380ca6
.text  c:\postgreSQL\bin\pg_ctl.exe[1444] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                                                                0000000076215a1d 7 bytes JMP 00000001003903d8
.text  c:\postgreSQL\bin\pg_ctl.exe[1444] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                                                           0000000076215c9b 7 bytes JMP 000000010039012c
.text  c:\postgreSQL\bin\pg_ctl.exe[1444] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                                                             0000000076215d87 7 bytes JMP 00000001003902f4
.text  c:\postgreSQL\bin\pg_ctl.exe[1444] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                                                            0000000076217240 7 bytes JMP 0000000100380e6e
.text  c:\postgreSQL\bin\pg_ctl.exe[1444] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                                                           0000000076551492 7 bytes JMP 000000010039059e
.text  C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                          00000000776bfc90 5 bytes JMP 000000010028091c
.text  C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                        00000000776bfdf4 5 bytes JMP 0000000100280048
.text  C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                 00000000776bfe88 5 bytes JMP 00000001002802ee
.text  C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                              00000000776bffe4 5 bytes JMP 00000001002804b2
.text  C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                      00000000776c0018 5 bytes JMP 00000001002809fe
.text  C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                              00000000776c0048 5 bytes JMP 0000000100280ae0
.text  C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                           00000000776c0064 5 bytes JMP 000000010002004c
.text  C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                              00000000776c077c 5 bytes JMP 000000010028012a
.text  C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                  00000000776c086c 5 bytes JMP 0000000100280758
.text  C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                            00000000776c0884 5 bytes JMP 0000000100280676
.text  C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                00000000776c0dd4 5 bytes JMP 00000001002803d0
.text  C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                          00000000776c1900 5 bytes JMP 0000000100280594
.text  C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                      00000000776c1bc4 5 bytes JMP 000000010028083a
.text  C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                             00000000776c1d50 5 bytes JMP 000000010028020c
.text  C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe[1680] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                 0000000076551492 7 bytes JMP 00000001002904bc
.text  C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe[1680] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206            000000007621524f 7 bytes JMP 0000000100280f52
.text  C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe[1680] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                00000000762153d0 7 bytes JMP 0000000100290210
.text  C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe[1680] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149               0000000076215677 1 byte JMP 0000000100290048
.text  C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe[1680] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151               0000000076215679 5 bytes {JMP 0xffffffff8a07a9d1}
.text  C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe[1680] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                      000000007621589a 7 bytes JMP 0000000100280ca6
.text  C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe[1680] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                      0000000076215a1d 7 bytes JMP 00000001002903d8
.text  C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe[1680] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                 0000000076215c9b 7 bytes JMP 000000010029012c
.text  C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe[1680] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                   0000000076215d87 7 bytes JMP 00000001002902f4
.text  C:\Program Files (x86)\Silicon Image\SiI31xx HBA Wakeup Utility\SiHbaWakeupService.exe[1680] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123  0000000076217240 7 bytes JMP 0000000100280e6e
.text  c:\postgreSQL\bin\postgres.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                                  00000000776bfc90 5 bytes JMP 0000000100f5091c
.text  c:\postgreSQL\bin\postgres.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                                00000000776bfdf4 5 bytes JMP 0000000100f50048
.text  c:\postgreSQL\bin\postgres.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                                                         00000000776bfe88 5 bytes JMP 0000000100f502ee
.text  c:\postgreSQL\bin\postgres.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                                      00000000776bffe4 5 bytes JMP 0000000100f504b2
.text  c:\postgreSQL\bin\postgres.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                              00000000776c0018 5 bytes JMP 0000000100f509fe
.text  c:\postgreSQL\bin\postgres.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                                                      00000000776c0048 5 bytes JMP 0000000100f50ae0
.text  c:\postgreSQL\bin\postgres.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                                   00000000776c0064 5 bytes JMP 0000000100df004c
.text  c:\postgreSQL\bin\postgres.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                                                      00000000776c077c 5 bytes JMP 0000000100f5012a
.text  c:\postgreSQL\bin\postgres.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                                          00000000776c086c 5 bytes JMP 0000000100f50758
.text  c:\postgreSQL\bin\postgres.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                                    00000000776c0884 5 bytes JMP 0000000100f50676
.text  c:\postgreSQL\bin\postgres.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                                        00000000776c0dd4 5 bytes JMP 0000000100f503d0
.text  c:\postgreSQL\bin\postgres.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                                  00000000776c1900 5 bytes JMP 0000000100f50594
.text  c:\postgreSQL\bin\postgres.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                              00000000776c1bc4 5 bytes JMP 0000000100f5083a
.text  c:\postgreSQL\bin\postgres.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                                                     00000000776c1d50 5 bytes JMP 0000000100f5020c
.text  c:\postgreSQL\bin\postgres.exe[1824] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                                                    000000007621524f 7 bytes JMP 0000000100f50f52
.text  c:\postgreSQL\bin\postgres.exe[1824] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                                                        00000000762153d0 7 bytes JMP 0000000100f60210
.text  c:\postgreSQL\bin\postgres.exe[1824] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                                                       0000000076215677 1 byte JMP 0000000100f60048
.text  c:\postgreSQL\bin\postgres.exe[1824] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                                                       0000000076215679 5 bytes {JMP 0xffffffff8ad4a9d1}
.text  c:\postgreSQL\bin\postgres.exe[1824] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                                                              000000007621589a 7 bytes JMP 0000000100f50ca6
.text  c:\postgreSQL\bin\postgres.exe[1824] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                                                              0000000076215a1d 7 bytes JMP 0000000100f603d8
.text  c:\postgreSQL\bin\postgres.exe[1824] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                                                         0000000076215c9b 7 bytes JMP 0000000100f6012c
.text  c:\postgreSQL\bin\postgres.exe[1824] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                                                           0000000076215d87 7 bytes JMP 0000000100f602f4
.text  c:\postgreSQL\bin\postgres.exe[1824] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                                                          0000000076217240 7 bytes JMP 0000000100f50e6e
.text  c:\postgreSQL\bin\postgres.exe[1824] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                                                         0000000076551492 7 bytes JMP 0000000100f604bc
.text  C:\Program Files (x86)\Creative\Shared Files\CTSched.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                        00000000776bfc90 5 bytes JMP 000000010020091c
.text  C:\Program Files (x86)\Creative\Shared Files\CTSched.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                      00000000776bfdf4 5 bytes JMP 0000000100200048
.text  C:\Program Files (x86)\Creative\Shared Files\CTSched.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                               00000000776bfe88 5 bytes JMP 00000001002002ee
.text  C:\Program Files (x86)\Creative\Shared Files\CTSched.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                            00000000776bffe4 5 bytes JMP 00000001002004b2
.text  C:\Program Files (x86)\Creative\Shared Files\CTSched.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                    00000000776c0018 5 bytes JMP 00000001002009fe
.text  C:\Program Files (x86)\Creative\Shared Files\CTSched.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                            00000000776c0048 5 bytes JMP 0000000100200ae0
.text  C:\Program Files (x86)\Creative\Shared Files\CTSched.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                         00000000776c0064 5 bytes JMP 000000010002004c
.text  C:\Program Files (x86)\Creative\Shared Files\CTSched.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                            00000000776c077c 5 bytes JMP 000000010020012a
.text  C:\Program Files (x86)\Creative\Shared Files\CTSched.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                00000000776c086c 5 bytes JMP 0000000100200758
.text  C:\Program Files (x86)\Creative\Shared Files\CTSched.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                          00000000776c0884 5 bytes JMP 0000000100200676
.text  C:\Program Files (x86)\Creative\Shared Files\CTSched.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                              00000000776c0dd4 5 bytes JMP 00000001002003d0
.text  C:\Program Files (x86)\Creative\Shared Files\CTSched.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                        00000000776c1900 5 bytes JMP 0000000100200594
.text  C:\Program Files (x86)\Creative\Shared Files\CTSched.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                    00000000776c1bc4 5 bytes JMP 000000010020083a
.text  C:\Program Files (x86)\Creative\Shared Files\CTSched.exe[2060] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                           00000000776c1d50 5 bytes JMP 000000010020020c
.text  C:\Program Files (x86)\Creative\Shared Files\CTSched.exe[2060] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                               0000000076551492 7 bytes JMP 00000001002104bc
.text  C:\Program Files (x86)\Creative\Shared Files\CTSched.exe[2060] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                          000000007621524f 7 bytes JMP 0000000100200f52
.text  C:\Program Files (x86)\Creative\Shared Files\CTSched.exe[2060] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                              00000000762153d0 7 bytes JMP 0000000100210210
.text  C:\Program Files (x86)\Creative\Shared Files\CTSched.exe[2060] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                             0000000076215677 1 byte JMP 0000000100210048
.text  C:\Program Files (x86)\Creative\Shared Files\CTSched.exe[2060] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                             0000000076215679 5 bytes {JMP 0xffffffff89ffa9d1}
.text  C:\Program Files (x86)\Creative\Shared Files\CTSched.exe[2060] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                                    000000007621589a 7 bytes JMP 0000000100200ca6
.text  C:\Program Files (x86)\Creative\Shared Files\CTSched.exe[2060] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                                    0000000076215a1d 7 bytes JMP 00000001002103d8
.text  C:\Program Files (x86)\Creative\Shared Files\CTSched.exe[2060] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                               0000000076215c9b 7 bytes JMP 000000010021012c
.text  C:\Program Files (x86)\Creative\Shared Files\CTSched.exe[2060] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                                 0000000076215d87 7 bytes JMP 00000001002102f4
.text  C:\Program Files (x86)\Creative\Shared Files\CTSched.exe[2060] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                                0000000076217240 7 bytes JMP 0000000100200e6e
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                                  00000000776bfc90 5 bytes JMP 00000001001e091c
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                                00000000776bfdf4 5 bytes JMP 00000001001e0048
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                                                         00000000776bfe88 5 bytes JMP 00000001001e02ee
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                                      00000000776bffe4 5 bytes JMP 00000001001e04b2
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                              00000000776c0018 5 bytes JMP 00000001001e09fe
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                                                      00000000776c0048 5 bytes JMP 00000001001e0ae0
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                                   00000000776c0064 5 bytes JMP 00000001001c004c
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                                                      00000000776c077c 5 bytes JMP 00000001001e012a
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                                          00000000776c086c 5 bytes JMP 00000001001e0758
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                                    00000000776c0884 5 bytes JMP 00000001001e0676
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                                        00000000776c0dd4 5 bytes JMP 00000001001e03d0
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                                  00000000776c1900 5 bytes JMP 00000001001e0594
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                              00000000776c1bc4 5 bytes JMP 00000001001e083a
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                                                     00000000776c1d50 5 bytes JMP 00000001001e020c
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                                                    000000007621524f 7 bytes JMP 00000001001e0f52
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                                                        00000000762153d0 7 bytes JMP 00000001001f0210
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                                                       0000000076215677 1 byte JMP 00000001001f0048
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                                                       0000000076215679 5 bytes {JMP 0xffffffff89fda9d1}
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                                                              000000007621589a 7 bytes JMP 00000001001e0ca6
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                                                              0000000076215a1d 7 bytes JMP 00000001001f03d8
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                                                         0000000076215c9b 7 bytes JMP 00000001001f012c
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                                                           0000000076215d87 7 bytes JMP 00000001001f02f4
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                                                          0000000076217240 7 bytes JMP 00000001001e0e6e
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                                                         0000000076551492 7 bytes JMP 00000001001f04bc
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                                  00000000776bfc90 5 bytes JMP 0000000100f5091c
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                                00000000776bfdf4 5 bytes JMP 0000000100f50048
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                                                         00000000776bfe88 5 bytes JMP 0000000100f502ee
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                                      00000000776bffe4 5 bytes JMP 0000000100f504b2
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                              00000000776c0018 5 bytes JMP 0000000100f509fe
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                                                      00000000776c0048 5 bytes JMP 0000000100f50ae0
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                                   00000000776c0064 5 bytes JMP 0000000100df004c
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                                                      00000000776c077c 5 bytes JMP 0000000100f5012a
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                                          00000000776c086c 5 bytes JMP 0000000100f50758
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                                    00000000776c0884 5 bytes JMP 0000000100f50676
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                                        00000000776c0dd4 5 bytes JMP 0000000100f503d0
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                                  00000000776c1900 5 bytes JMP 0000000100f50594
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                              00000000776c1bc4 5 bytes JMP 0000000100f5083a
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                                                     00000000776c1d50 5 bytes JMP 0000000100f5020c
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                                                    000000007621524f 7 bytes JMP 0000000100f50f52
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                                                        00000000762153d0 7 bytes JMP 0000000100f60210
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                                                       0000000076215677 1 byte JMP 0000000100f60048
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                                                       0000000076215679 5 bytes {JMP 0xffffffff8ad4a9d1}
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                                                              000000007621589a 7 bytes JMP 0000000100f50ca6
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                                                              0000000076215a1d 7 bytes JMP 0000000100f603d8
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                                                         0000000076215c9b 7 bytes JMP 0000000100f6012c
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                                                           0000000076215d87 7 bytes JMP 0000000100f602f4
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                                                          0000000076217240 7 bytes JMP 0000000100f50e6e
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                                                         0000000076551492 7 bytes JMP 0000000100f604bc
.text  c:\postgreSQL\bin\postgres.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                                  00000000776bfc90 5 bytes JMP 00000001002a091c
.text  c:\postgreSQL\bin\postgres.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                                00000000776bfdf4 5 bytes JMP 00000001002a0048
.text  c:\postgreSQL\bin\postgres.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                                                         00000000776bfe88 5 bytes JMP 00000001002a02ee
.text  c:\postgreSQL\bin\postgres.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                                      00000000776bffe4 5 bytes JMP 00000001002a04b2
.text  c:\postgreSQL\bin\postgres.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                              00000000776c0018 5 bytes JMP 00000001002a09fe
.text  c:\postgreSQL\bin\postgres.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                                                      00000000776c0048 5 bytes JMP 00000001002a0ae0
.text  c:\postgreSQL\bin\postgres.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                                   00000000776c0064 5 bytes JMP 000000010024004c
.text  c:\postgreSQL\bin\postgres.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                                                      00000000776c077c 5 bytes JMP 00000001002a012a
.text  c:\postgreSQL\bin\postgres.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                                          00000000776c086c 5 bytes JMP 00000001002a0758
.text  c:\postgreSQL\bin\postgres.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                                    00000000776c0884 5 bytes JMP 00000001002a0676
.text  c:\postgreSQL\bin\postgres.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                                        00000000776c0dd4 5 bytes JMP 00000001002a03d0
.text  c:\postgreSQL\bin\postgres.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                                  00000000776c1900 5 bytes JMP 00000001002a0594
.text  c:\postgreSQL\bin\postgres.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                              00000000776c1bc4 5 bytes JMP 00000001002a083a
.text  c:\postgreSQL\bin\postgres.exe[2852] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                                                     00000000776c1d50 5 bytes JMP 00000001002a020c
.text  c:\postgreSQL\bin\postgres.exe[2852] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                                                    000000007621524f 7 bytes JMP 00000001002a0f52
.text  c:\postgreSQL\bin\postgres.exe[2852] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                                                        00000000762153d0 7 bytes JMP 00000001002b0210
.text  c:\postgreSQL\bin\postgres.exe[2852] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                                                       0000000076215677 1 byte JMP 00000001002b0048
.text  c:\postgreSQL\bin\postgres.exe[2852] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                                                       0000000076215679 5 bytes {JMP 0xffffffff8a09a9d1}
.text  c:\postgreSQL\bin\postgres.exe[2852] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                                                              000000007621589a 7 bytes JMP 00000001002a0ca6
.text  c:\postgreSQL\bin\postgres.exe[2852] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                                                              0000000076215a1d 7 bytes JMP 00000001002b03d8
.text  c:\postgreSQL\bin\postgres.exe[2852] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                                                         0000000076215c9b 7 bytes JMP 00000001002b012c
.text  c:\postgreSQL\bin\postgres.exe[2852] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                                                           0000000076215d87 7 bytes JMP 00000001002b02f4
.text  c:\postgreSQL\bin\postgres.exe[2852] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                                                          0000000076217240 7 bytes JMP 00000001002a0e6e
.text  c:\postgreSQL\bin\postgres.exe[2852] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                                                         0000000076551492 7 bytes JMP 00000001002b04bc
.text  c:\postgreSQL\bin\postgres.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                                  00000000776bfc90 5 bytes JMP 00000001001e091c
.text  c:\postgreSQL\bin\postgres.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                                00000000776bfdf4 5 bytes JMP 00000001001e0048
.text  c:\postgreSQL\bin\postgres.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                                                         00000000776bfe88 5 bytes JMP 00000001001e02ee
.text  c:\postgreSQL\bin\postgres.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                                      00000000776bffe4 5 bytes JMP 00000001001e04b2
.text  c:\postgreSQL\bin\postgres.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                              00000000776c0018 5 bytes JMP 00000001001e09fe
.text  c:\postgreSQL\bin\postgres.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                                                      00000000776c0048 5 bytes JMP 00000001001e0ae0
.text  c:\postgreSQL\bin\postgres.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                                   00000000776c0064 5 bytes JMP 00000001001c004c
.text  c:\postgreSQL\bin\postgres.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                                                      00000000776c077c 5 bytes JMP 00000001001e012a
.text  c:\postgreSQL\bin\postgres.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                                          00000000776c086c 5 bytes JMP 00000001001e0758
.text  c:\postgreSQL\bin\postgres.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                                    00000000776c0884 5 bytes JMP 00000001001e0676
.text  c:\postgreSQL\bin\postgres.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                                        00000000776c0dd4 5 bytes JMP 00000001001e03d0
.text  c:\postgreSQL\bin\postgres.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                                  00000000776c1900 5 bytes JMP 00000001001e0594
.text  c:\postgreSQL\bin\postgres.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                              00000000776c1bc4 5 bytes JMP 00000001001e083a
.text  c:\postgreSQL\bin\postgres.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                                                     00000000776c1d50 5 bytes JMP 00000001001e020c
.text  c:\postgreSQL\bin\postgres.exe[2860] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                                                    000000007621524f 7 bytes JMP 00000001001e0f52
.text  c:\postgreSQL\bin\postgres.exe[2860] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                                                        00000000762153d0 7 bytes JMP 00000001003b0210
.text  c:\postgreSQL\bin\postgres.exe[2860] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                                                       0000000076215677 1 byte JMP 00000001003b0048
.text  c:\postgreSQL\bin\postgres.exe[2860] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                                                       0000000076215679 5 bytes {JMP 0xffffffff8a19a9d1}
.text  c:\postgreSQL\bin\postgres.exe[2860] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                                                              000000007621589a 7 bytes JMP 00000001001e0ca6
.text  c:\postgreSQL\bin\postgres.exe[2860] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                                                              0000000076215a1d 7 bytes JMP 00000001003b03d8
.text  c:\postgreSQL\bin\postgres.exe[2860] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                                                         0000000076215c9b 7 bytes JMP 00000001003b012c
.text  c:\postgreSQL\bin\postgres.exe[2860] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                                                           0000000076215d87 7 bytes JMP 00000001003b02f4
.text  c:\postgreSQL\bin\postgres.exe[2860] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                                                          0000000076217240 7 bytes JMP 00000001001e0e6e
.text  c:\postgreSQL\bin\postgres.exe[2860] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                                                         0000000076551492 7 bytes JMP 00000001003b04bc
.text  C:\Users\Desktop\Desktop\hcy9b4ym.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                           00000000776bfc90 5 bytes JMP 00000001001d091c
.text  C:\Users\Desktop\Desktop\hcy9b4ym.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                         00000000776bfdf4 5 bytes JMP 00000001001d0048
.text  C:\Users\Desktop\Desktop\hcy9b4ym.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                                                  00000000776bfe88 5 bytes JMP 00000001001d02ee
.text  C:\Users\Desktop\Desktop\hcy9b4ym.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                               00000000776bffe4 5 bytes JMP 00000001001d04b2
.text  C:\Users\Desktop\Desktop\hcy9b4ym.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                       00000000776c0018 5 bytes JMP 00000001001d09fe
.text  C:\Users\Desktop\Desktop\hcy9b4ym.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                                               00000000776c0048 5 bytes JMP 00000001001d0ae0
.text  C:\Users\Desktop\Desktop\hcy9b4ym.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                            00000000776c0064 5 bytes JMP 000000010002004c
.text  C:\Users\Desktop\Desktop\hcy9b4ym.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                                               00000000776c077c 5 bytes JMP 00000001001d012a
.text  C:\Users\Desktop\Desktop\hcy9b4ym.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                                   00000000776c086c 5 bytes JMP 00000001001d0758
.text  C:\Users\Desktop\Desktop\hcy9b4ym.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                             00000000776c0884 5 bytes JMP 00000001001d0676
.text  C:\Users\Desktop\Desktop\hcy9b4ym.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                                 00000000776c0dd4 5 bytes JMP 00000001001d03d0
.text  C:\Users\Desktop\Desktop\hcy9b4ym.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                           00000000776c1900 5 bytes JMP 00000001001d0594
.text  C:\Users\Desktop\Desktop\hcy9b4ym.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                       00000000776c1bc4 5 bytes JMP 00000001001d083a
.text  C:\Users\Desktop\Desktop\hcy9b4ym.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                                              00000000776c1d50 5 bytes JMP 00000001001d020c
.text  C:\Users\Desktop\Desktop\hcy9b4ym.exe[1324] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                                             000000007621524f 7 bytes JMP 00000001001d0f52
.text  C:\Users\Desktop\Desktop\hcy9b4ym.exe[1324] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                                                 00000000762153d0 7 bytes JMP 00000001001e0210
.text  C:\Users\Desktop\Desktop\hcy9b4ym.exe[1324] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                                                0000000076215677 1 byte JMP 00000001001e0048
.text  C:\Users\Desktop\Desktop\hcy9b4ym.exe[1324] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                                                0000000076215679 5 bytes {JMP 0xffffffff89fca9d1}
.text  C:\Users\Desktop\Desktop\hcy9b4ym.exe[1324] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                                                       000000007621589a 7 bytes JMP 00000001001d0ca6
.text  C:\Users\Desktop\Desktop\hcy9b4ym.exe[1324] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                                                       0000000076215a1d 7 bytes JMP 00000001001e03d8
.text  C:\Users\Desktop\Desktop\hcy9b4ym.exe[1324] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                                                  0000000076215c9b 7 bytes JMP 00000001001e012c
.text  C:\Users\Desktop\Desktop\hcy9b4ym.exe[1324] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                                                    0000000076215d87 7 bytes JMP 00000001001e02f4
.text  C:\Users\Desktop\Desktop\hcy9b4ym.exe[1324] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                                                   0000000076217240 7 bytes JMP 00000001001d0e6e
.text  C:\Users\Desktop\Desktop\hcy9b4ym.exe[1324] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                                                  0000000076551492 7 bytes JMP 00000001001e04bc

---- Registry - GMER 2.1 ----

Reg    HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076982135                                                                                            
Reg    HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076982135 (not active ControlSet)                                                                        

---- EOF - GMER 2.1 ----
 

Attached Files
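Added example (not part of the original post, and not GMER's own code): a small Python triage script for GMER user-mode hook lines of the kind listed in the log above. The log shows the same ntdll.dll, sechost.dll and USER32.dll functions patched with 5- or 7-byte JMPs at identical addresses in every listed process, with only the JMP target changing from one process to the next. Identical hooks everywhere, with trampolines in a per-process region, is what one injected component present in every process looks like; the hook list by itself does not say which component, so the useful checks are whether any process deviates from the common set, and where each process's trampolines cluster, because that target region is what you next resolve to a module. The sample input is constructed: it reuses a few lines from the log above and adds an invented outlier process (`outlier.exe`, pid 9999, with a made-up `NtQueryDirectoryFile` hook address) so the outlier path runs. How GMER's brace-wrapped targets should be read is treated as an assumption in the code.

```python
import re
from collections import Counter

# One GMER 2.x user-mode hook line:
#   .text  <image>[pid] <dll>!<symbol>[ + off]  <addr> <n> byte(s) JMP <target>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+?)!(?P<symbol>\w+)(?:\s*\+\s*(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9a-fA-F]{16})\s+(?P<size>\d+)\s+bytes?\s+"
    r"(?P<brace>\{)?JMP\s+(?P<target>(?:0x)?[0-9a-fA-F]+)\}?\s*$"
)

# Constructed sample: eight lines copied from the log above plus an invented
# outlier process (pid 9999; the NtQueryDirectoryFile address is made up).
SAMPLE_LOG = r"""
---- User code sections - GMER 2.1 ----

.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread  00000000776bffe4 5 bytes JMP 00000001001e04b2
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver  00000000776c0dd4 5 bytes JMP 00000001001e03d0
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151  0000000076215679 5 bytes {JMP 0xffffffff89fda9d1}
.text  c:\postgreSQL\bin\postgres.exe[2836] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382  0000000076215a1d 7 bytes JMP 00000001001f03d8
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread  00000000776bffe4 5 bytes JMP 0000000100f504b2
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver  00000000776c0dd4 5 bytes JMP 0000000100f503d0
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151  0000000076215679 5 bytes {JMP 0xffffffff8ad4a9d1}
.text  c:\postgreSQL\bin\postgres.exe[2844] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382  0000000076215a1d 7 bytes JMP 0000000100f603d8
.text  C:\Constructed\outlier.exe[9999] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread  00000000776bffe4 5 bytes JMP 0000000100ab04b2
.text  C:\Constructed\outlier.exe[9999] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile  00000000776c0a00 5 bytes JMP 0000000100ab0100

---- Registry - GMER 2.1 ----
"""


def parse_hooks(text):
    """Parse every hook line; headers, blanks and registry lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        hooks.append({
            "proc": d["proc"],
            "pid": int(d["pid"]),
            "module": d["module"].rsplit("\\", 1)[-1].lower(),  # basename only
            "symbol": d["symbol"],
            "offset": int(d["off"] or 0),
            "addr": int(d["addr"], 16),
            "size": int(d["size"]),
            "target": int(d["target"], 16),
            # Assumption: a brace-wrapped target is not an absolute trampoline
            # address, so it is kept out of the locality check below.
            "absolute": d["brace"] is None,
        })
    return hooks


def hook_key(h):
    """Identity of a hook independent of the process it sits in. The JMP target
    is left out on purpose: trampolines live in a per-process allocation, so the
    target differs per process even when one component placed every hook."""
    return (h["module"], h["symbol"], h["offset"], h["addr"], h["size"])


def fmt_key(k):
    module, symbol, offset, addr, size = k
    loc = f"{module}!{symbol}" + (f"+{offset}" if offset else "")
    return f"{loc} @ {addr:x} ({size} bytes)"


def triage(hooks):
    """Group processes by hook set. The most common set is the baseline; a
    process with extra hooks was patched by something else, a process missing
    hooks was not reached by the common component. Both deserve a closer look."""
    per_pid = {}
    for h in hooks:
        per_pid.setdefault(h["pid"], set()).add(hook_key(h))
    sigs = {pid: frozenset(keys) for pid, keys in per_pid.items()}
    baseline = Counter(sigs.values()).most_common(1)[0][0]
    report = {
        "baseline": sorted(fmt_key(k) for k in baseline),
        "uniform_pids": sorted(pid for pid, s in sigs.items() if s == baseline),
        "outliers": {},
    }
    for pid, s in sorted(sigs.items()):
        if s != baseline:
            report["outliers"][pid] = {
                "extra": sorted(fmt_key(k) for k in s - baseline),
                "missing": sorted(fmt_key(k) for k in baseline - s),
            }
    return report


def trampoline_ranges(hooks):
    """Per process, the span covered by the absolute JMP targets. One hooking
    component normally lands all its trampolines in one small region; the
    region (or any target far outside it) is what to resolve to a module next."""
    targets = {}
    for h in hooks:
        if h["absolute"]:
            targets.setdefault(h["pid"], []).append(h["target"])
    return {pid: (min(t), max(t)) for pid, t in targets.items()}


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    rep = triage(hooks)
    print(f"{len(hooks)} hooks; baseline set shared by pids {rep['uniform_pids']}:")
    for entry in rep["baseline"]:
        print("   ", entry)
    for pid, diff in rep["outliers"].items():
        print(f"outlier pid {pid}: extra={diff['extra']} missing={diff['missing']}")
    for pid, (lo, hi) in trampoline_ranges(hooks).items():
        print(f"pid {pid}: trampolines in {lo:x}..{hi:x}")
```

Run against the full log pasted above (save it to a file and pass its contents to `parse_hooks`), the script collapses the hook section into one baseline set and the list of pids that carry it; only a pid that shows up under `outliers` needs line-by-line reading.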





#2 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:59 PM

Posted 15 February 2013 - 11:56 AM

Hi and welcome!  

 

 

Please download aswMBR to your desktop.

  • Double click the aswMBR icon to run it.

  • Click the Scan button to start the scan.

  • If you are asked to update the Avast Virus database please allow it to do so.

  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

 
----------

Edited by jeffce, 15 February 2013 - 11:56 AM.



#3 jeffce


Posted 18 February 2013 - 02:15 PM

Still need help?



#4 jeffce

Posted 19 February 2013 - 01:25 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.





