
Solved RunDLL (Error loading) Vista Home Premium

Discussion in 'Malware and Virus Removal Archive' started by AlanR, 2011/04/23.

  1. 2011/04/23
    AlanR

    AlanR Well-Known Member Thread Starter

    Joined:
    2008/02/28
    Messages:
    48
    Likes Received:
    0
    [Resolved] RunDLL (Error loading) Vista Home Premium

    I am running Vista Home Premium and am looking for some guidance.

    My Avast antivirus has just caught a number of malware (trojan)
    viruses etc., which have now been isolated in its virus chest, but
    I believe that this has lost some files, as I get the following error
    after logging into my PC when it has loaded my desktop.

    At present my PC seems to be running ok but I am aware that this
    error needs correcting.

    ...............................

    RunDLL

    Error loading C:\Users\Alan\AppData\Local\wizeTAT.dll

    The specified module could not be found.

    ...............................



    Please, can you relate to this particular problem and advise the
    best way forward? Maybe a Registry cleaner?



    Thank you so very much.


    Alan


    PS I have seen a post by BRONI at:
    http://www.windowsbbs.com/malware-virus-removal/87672-active-rundll-error-loading.html

    Would these details be suitable for Windows Vista?
     
  2. 2011/04/23
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please, complete all steps listed here: this post

    Please, observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     


  4. 2011/04/25
    AlanR Well-Known Member Thread Starter
    Thank you broni

    Further information.

    My Avast antivirus software is also telling me, when the desktop loads, that it has blocked an infection.

    Example:

    Object: 182407db0409.weirden.com
    Infection: URL.Mal
    Action:Blocked
    Process: C:\windows\explorer.exe

    Thanks Broni, I will get back to you when I have completed your instructions, or if I have a question.

    Alan
     
  5. 2011/04/25
    broni Moderator Malware Analyst
    Go on...
     
  6. 2011/04/26
    AlanR Well-Known Member Thread Starter
    Hi Broni

    Script Blocker Question:
    I have not installed a script blocker. Is there one somewhere in Vista, Defender, Firefox etc. that I am not aware of that I should be concerned with before I do step 4?

    TFC Question:
    I have completed a TFC scan but was unprepared for the option boxes that came up a number of times during the scan. I was told that "A file did not exist as it may have been moved or deleted. DO YOU WANT TO CREATE IT?"

    Four Option boxes 'YES' 'SKIP' 'CANCEL' were offered, and 'DO THIS FOR ALL CURRENT ITEMS' (4857 Found)

    I chose 'CANCEL' but am not sure if this was correct, as a second scan that I performed came up with the same results as the first scan (Total Files Cleaned 749.00mb).

    If you could clarify this for me please, I have the log if needed.

    Thanks Broni

    Alan

    PS. Sorry if dumb questions but I have not gone down this route before.
     
    Last edited: 2011/04/26
  7. 2011/04/26
    broni Moderator Malware Analyst
    No reason for any apology.
    It's always a good idea to ask a question, if you're not sure what to do.
    Select "Skip" and 'DO THIS FOR ALL CURRENT ITEMS'

    As for script blocking, if you use Windows Defender...

    Disable Windows Defender, as it'll interfere with the cleaning process:
    - Open Windows Defender by clicking Start, clicking All Programs, and then clicking Windows Defender.
    - Click Tools
    then...

    ++ Windows XP:
    - Click General Settings
    - Scroll down to Real Time Protection Options
    - Uncheck Turn on Real Time Protection
    - After you uncheck this, click on the Save button
    - Close Windows Defender

    ++ Windows Vista:
    - Click Options
    - Under Administrator options, clear the Use Windows Defender check box, and then click Save.

    Enable Windows Defender, when all cleaning is done.
     
  8. 2011/04/27
    AlanR Well-Known Member Thread Starter
    Thanks Broni

    Here are my logs as requested. I have split them up for ease of reading and look forward to hearing from you.

    Alan

    I did 2 scans for MBAM; the second one was just checking that 'Defender' (I left it running) had let Malwarebytes through to delete the items it had chosen, and after a reboot for deletion of other files.


    mbam-log-2011-04-27 (10-47-00)

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6455

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.19048

    27/04/2011 10:47:00
    mbam-log-2011-04-27 (10-47-00).txt

    Scan type: Quick scan
    Objects scanned: 135098
    Time elapsed: 3 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 0
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    c:\Users\Alan\AppData\Local\aviguyoy.dll (Trojan.Hiloti) -> Delete on reboot.

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rfofucuraqi (Trojan.Hiloti) -> Value: Rfofucuraqi -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lgaxu (Trojan.Agent.U) -> Value: Lgaxu -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Users\Alan\AppData\Local\aviguyoy.dll (Trojan.Hiloti) -> Delete on reboot.
    c:\Users\Alan\local settings\application data\aviguyoy.dll (Trojan.Hiloti) -> Delete on reboot.


    I had to tell 'Windows Defender' to let 'Malwarebytes' through

    #########################################################

    2nd scan (after reboot...and defender disabled)

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6455

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.19048

    27/04/2011 11:19:42
    mbam-log-2011-04-27 (11-19-42).txt

    Scan type: Quick scan
    Objects scanned: 135128
    Time elapsed: 2 minute(s), 59 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
    Last edited: 2011/04/27
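The RunDLL dialog in the first post and the HKCU\...\Run values (Rfofucuraqi, Lgaxu) listed next to the aviguyoy.dll detection in the MBAM log above are the same mechanism: a Run value that fires at logon. rundll32.exe shows exactly that "Error loading ... The specified module could not be found" dialog when the DLL named in a Run value is no longer on disk, which is what quarantining the file leaves behind. The script below is an added example, not code from this thread, from Avast or from Malwarebytes. It triages a `reg export` of the Run key offline: it parses the .reg text, works out which file each value really loads (for rundll32, the DLL in its first argument) and flags modules that are missing or that live in a user-writable directory such as AppData\Local. The .reg text in SAMPLE_REG and the file listing in CONSTRUCTED_PRESENT are constructed for illustration: the thread does not show the command lines behind those values, and the value that referenced wizeTAT.dll is not named anywhere in it.

```python
"""Offline triage of Run-key autostarts from a `reg export` file (added example
for this thread; not code from the forum, Avast or Malwarebytes)."""
import re
from typing import Callable, List, Tuple

# Directories an installed program has no reason to autostart from.
USER_WRITABLE_HINTS = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                       "\\local settings\\", "\\temp\\", "\\users\\public\\")

# Constructed .reg text in `reg export` syntax. The thread shows the Run value
# names and the DLL path but not the command lines, and never names the value
# behind wizeTAT.dll, so these lines are illustrative, not evidence.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"Rfofucuraqi"="rundll32.exe \"C:\\Users\\Alan\\AppData\\Local\\aviguyoy.dll\",Startup"
"OrphanExample"="rundll32.exe C:\\Users\\Alan\\AppData\\Local\\wizeTAT.dll,Init"
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"
'''

# Constructed stand-in for the filesystem: wizeTAT.dll is gone (quarantined).
CONSTRUCTED_PRESENT = {
    r"c:\program files\windows sidebar\sidebar.exe",
    r"c:\program files\vendor\updater.exe",
    r"c:\users\alan\appdata\local\aviguyoy.dll",
}

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def sample_exists(path: str) -> bool:
    """Existence check against the constructed listing (os.path.exists on a live host)."""
    return path.lower() in CONSTRUCTED_PRESENT

def unescape_reg_string(s: str) -> str:
    # In a .reg string a backslash escapes the next character: \\ -> \ and \" -> "
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, string data); hex:/dword: values are skipped."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key:
            m = VALUE_RE.match(line)
            if m:
                entries.append((key, unescape_reg_string(m.group(1)),
                                unescape_reg_string(m.group(2))))
    return entries

def split_command(cmd: str) -> Tuple[str, str]:
    """(program, arguments): a quoted program ends at the closing quote, an
    unquoted one at the first '.exe', so 'C:\\Program Files\\x.exe /a' stays whole."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1) if '"' in cmd[1:] else len(cmd)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(.+?\.exe)(?:\s+(.*))?$", cmd, re.IGNORECASE | re.DOTALL)
    if m:
        return m.group(1), m.group(2) or ""
    parts = cmd.split(None, 1) or ["", ""]
    return parts[0], (parts[1] if len(parts) > 1 else "")

def loaded_module(cmd: str) -> str:
    """The file a Run value really executes: for rundll32 the DLL in its first
    argument ("path",Entry or path,Entry), otherwise the program itself."""
    program, args = split_command(cmd)
    # os.path.basename splits on '\' only on Windows; exports are often read elsewhere.
    if program.replace("/", "\\").rsplit("\\", 1)[-1].lower() not in ("rundll32", "rundll32.exe"):
        return program
    if args.startswith('"'):
        end = args.find('"', 1)
        return args[1:end] if end > 0 else args[1:]
    head = args.split(",", 1)[0].split(None, 1)
    return head[0] if head else ""

def triage(entries: List[Tuple[str, str, str]], exists: Callable[[str], bool]):
    """Flag entries whose module is gone or which load from a user-writable
    directory; `exists` is injected so the logic runs on a live host or on evidence."""
    findings = []
    for key, name, cmd in entries:
        module = loaded_module(cmd)
        reasons = []
        if module and not exists(module):
            reasons.append("module missing (for a rundll32 loader this is the "
                           "'Error loading ... module could not be found' dialog)")
        if any(h in module.lower() for h in USER_WRITABLE_HINTS):
            reasons.append("loads from a user-writable directory")
        if reasons:
            findings.append((key, name, module, reasons))
    return findings

if __name__ == "__main__":
    # Live host: text = open("run.reg", encoding="utf-16").read(); exists = os.path.exists
    for key, name, module, reasons in triage(parse_reg_export(SAMPLE_REG), sample_exists):
        print(f"{key}\\{name} -> {module}: " + "; ".join(reasons))
```

On the affected machine, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` writes the key as UTF-16, so read it with `open("run.reg", encoding="utf-16")` and pass `os.path.exists` as the existence check; repeat for the HKLM Run and RunOnce keys. Deleting an orphaned value stops the dialog, but a missing module says nothing about whether the loader that installed it is also gone, which is why the helper's sequence of MBAM and GMER scans still matters.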
  9. 2011/04/27
    AlanR Well-Known Member Thread Starter
    GMER appeared to take little notice of my Drive 'D' (Recovery drive) or any of my Drive 'F'
    (my remote backup drive).


    GMER Part 1 of 3



    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit scan 2011-04-27 14:02:37
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-1 ST3250310AS rev.4.ADA
    Running: zjh77ngp.exe; Driver: C:\Users\Alan\AppData\Local\Temp\pxldrpog.sys


    ---- System - GMER 1.0.15 ----

    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwAddBootEntry [0x8C96A202]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateEvent [0x8C96C7F0]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateEventPair [0x8C96C848]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateIoCompletion [0x8C96C95E]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateMutant [0x8C96C746]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateSection [0x8C96C898]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateSemaphore [0x8C96C79A]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateTimer [0x8C96C90C]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwDeleteBootEntry [0x8C96A226]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwLoadDriver [0x8C969FF0]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwModifyBootEntry [0x8C96A24A]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwNotifyChangeKey [0x8C96CD56]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwNotifyChangeMultipleKeys [0x8C96ACDA]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenEvent [0x8C96C820]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenEventPair [0x8C96C870]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenIoCompletion [0x8C96C988]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenMutant [0x8C96C772]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenSection [0x8C96C8D8]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenSemaphore [0x8C96C7C8]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenTimer [0x8C96C936]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwQueryObject [0x8C96ABA0]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetBootEntryOrder [0x8C96A26E]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetBootOptions [0x8C96A292]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetSystemInformation [0x8C96A04A]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetSystemPowerState [0x8C96A186]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwShutdownSystem [0x8C96A162]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSystemDebugControl [0x8C96A1AA]
    SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwVdmControl [0x8C96A2B6]

    Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwCreateProcessEx [0x8CFC0762]
    Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ObInsertObject
    Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    .text  ntkrnlpa.exe!KeSetEvent + 10D  826C9890 4 Bytes  [02, A2, 96, 8C]
    .text  ntkrnlpa.exe!KeSetEvent + 1D1  826C9954 8 Bytes  [F0, C7, 96, 8C, 48, C8, 96, ...]
    .text  ntkrnlpa.exe!KeSetEvent + 1DD  826C9960 4 Bytes  [5E, C9, 96, 8C]
    .text  ntkrnlpa.exe!KeSetEvent + 1F5  826C9978 4 Bytes  [46, C7, 96, 8C]
    .text  ntkrnlpa.exe!KeSetEvent + 215  826C9998 8 Bytes  [98, C8, 96, 8C, 9A, C7, 96, ...]
    .text  ...
    PAGE  ntkrnlpa.exe!ObMakeTemporaryObject  827F45C7 5 Bytes  JMP 8CFBC11E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE  ntkrnlpa.exe!ObInsertObject  8284D4F3 5 Bytes  JMP 8CFBDBBC \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE  ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110  82856E18 4 Bytes  CALL 8C96B34B \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    PAGE  ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121  8285AA8C 4 Bytes  CALL 8C96B361 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    PAGE  ntkrnlpa.exe!ZwCreateProcessEx  828AEDAE 7 Bytes  JMP 8CFC0766 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

    ---- User code sections - GMER 1.0.15 ----

    .text  C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[276] ntdll.dll!LdrLoadDll  772A93A8 5 Bytes  JMP 001501F8
    .text  C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[276] ntdll.dll!LdrUnloadDll  772BB740 5 Bytes  JMP 001503FC
    .text  C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[276] kernel32.dll!GetBinaryTypeW + 70  75E92247 1 Byte  [62]
    .text  C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[276] USER32.dll!SetWindowsHookExA  75F26322 5 Bytes  JMP 00170600
    .text  C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[276] USER32.dll!SetWindowsHookExW  75F287AD 5 Bytes  JMP 00170804
    .text  C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[276] USER32.dll!UnhookWindowsHookEx  75F298DB 5 Bytes  JMP 00170A08
    .text  C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[276] USER32.dll!SetWinEventHook  75F29F3A 5 Bytes  JMP 001701F8
    .text  C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[276] USER32.dll!UnhookWinEvent  75F2C06F 5 Bytes  JMP 001703FC
    .text  C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[276] ADVAPI32.dll!CreateServiceW  76289EB4 5 Bytes  JMP 001803FC
    .text  C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[276] ADVAPI32.dll!DeleteService  7628A07E 5 Bytes  JMP 00180600
    .text  C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[276] ADVAPI32.dll!SetServiceObjectSecurity  762C6CD9 5 Bytes  JMP 00181014
    .text  C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[276] ADVAPI32.dll!ChangeServiceConfigA  762C6DD9 5 Bytes  JMP 00180804
    .text  C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[276] ADVAPI32.dll!ChangeServiceConfigW  762C6F81 5 Bytes  JMP 00180A08
    .text  C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[276] ADVAPI32.dll!ChangeServiceConfig2A  762C7099 5 Bytes  JMP 00180C0C
    .text  C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[276] ADVAPI32.dll!ChangeServiceConfig2W  762C71E1 5 Bytes  JMP 00180E10
    .text  C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[276] ADVAPI32.dll!CreateServiceA  762C72A1 5 Bytes  JMP 001801F8
    .text  C:\Windows\system32\csrss.exe[544] KERNEL32.dll!GetBinaryTypeW + 70  75E92247 1 Byte  [62]
    .text  C:\Windows\system32\wininit.exe[588] ntdll.dll!LdrLoadDll  772A93A8 5 Bytes  JMP 000301F8
    .text  C:\Windows\system32\wininit.exe[588] ntdll.dll!LdrUnloadDll  772BB740 5 Bytes  JMP 000303FC
    .text  C:\Windows\system32\wininit.exe[588] kernel32.dll!GetBinaryTypeW + 70  75E92247 1 Byte  [62]
    .text  C:\Windows\system32\wininit.exe[588] ADVAPI32.dll!CreateServiceW  76289EB4 5 Bytes  JMP 001503FC
    .text  C:\Windows\system32\wininit.exe[588] ADVAPI32.dll!DeleteService  7628A07E 5 Bytes  JMP 00150600
    .text  C:\Windows\system32\wininit.exe[588] ADVAPI32.dll!SetServiceObjectSecurity  762C6CD9 5 Bytes  JMP 00151014
    .text  C:\Windows\system32\wininit.exe[588] ADVAPI32.dll!ChangeServiceConfigA  762C6DD9 5 Bytes  JMP 00150804
    .text  C:\Windows\system32\wininit.exe[588] ADVAPI32.dll!ChangeServiceConfigW  762C6F81 5 Bytes  JMP 00150A08
    .text  C:\Windows\system32\wininit.exe[588] ADVAPI32.dll!ChangeServiceConfig2A  762C7099 5 Bytes  JMP 00150C0C
    .text  C:\Windows\system32\wininit.exe[588] ADVAPI32.dll!ChangeServiceConfig2W  762C71E1 5 Bytes  JMP 00150E10
    .text  C:\Windows\system32\wininit.exe[588] ADVAPI32.dll!CreateServiceA  762C72A1 5 Bytes  JMP 001501F8
    .text  C:\Windows\system32\wininit.exe[588] USER32.dll!SetWindowsHookExA  75F26322 5 Bytes  JMP 001A0600
    .text  C:\Windows\system32\wininit.exe[588] USER32.dll!SetWindowsHookExW  75F287AD 5 Bytes  JMP 001A0804
    .text  C:\Windows\system32\wininit.exe[588] USER32.dll!UnhookWindowsHookEx  75F298DB 5 Bytes  JMP 001A0A08
    .text  C:\Windows\system32\wininit.exe[588] USER32.dll!SetWinEventHook  75F29F3A 5 Bytes  JMP 001A01F8
    .text  C:\Windows\system32\wininit.exe[588] USER32.dll!UnhookWinEvent  75F2C06F 5 Bytes  JMP 001A03FC
    .text  C:\Windows\system32\csrss.exe[600] KERNEL32.dll!GetBinaryTypeW + 70  75E92247 1 Byte  [62]
    .text  C:\Windows\system32\services.exe[632] ntdll.dll!LdrLoadDll  772A93A8 5 Bytes  JMP 000501F8
    .text  C:\Windows\system32\services.exe[632] ntdll.dll!LdrUnloadDll  772BB740 5 Bytes  JMP 000503FC
    .text  C:\Windows\system32\services.exe[632] kernel32.dll!GetBinaryTypeW + 70  75E92247 1 Byte  [62]
    .text  C:\Windows\system32\services.exe[632] ADVAPI32.dll!CreateServiceW  76289EB4 5 Bytes  JMP 000703FC
    .text  C:\Windows\system32\services.exe[632] ADVAPI32.dll!DeleteService  7628A07E 5 Bytes  JMP 00070600
    .text  C:\Windows\system32\services.exe[632] ADVAPI32.dll!SetServiceObjectSecurity  762C6CD9 5 Bytes  JMP 00071014
    .text  C:\Windows\system32\services.exe[632] ADVAPI32.dll!ChangeServiceConfigA  762C6DD9 5 Bytes  JMP 00070804
    .text  C:\Windows\system32\services.exe[632] ADVAPI32.dll!ChangeServiceConfigW  762C6F81 5 Bytes  JMP 00070A08
    .text  C:\Windows\system32\services.exe[632] ADVAPI32.dll!ChangeServiceConfig2A  762C7099 5 Bytes  JMP 00070C0C
    .text  C:\Windows\system32\services.exe[632] ADVAPI32.dll!ChangeServiceConfig2W  762C71E1 5 Bytes  JMP 00070E10
    .text  C:\Windows\system32\services.exe[632] ADVAPI32.dll!CreateServiceA  762C72A1 5 Bytes  JMP 000701F8
    .text  C:\Windows\system32\services.exe[632] USER32.dll!SetWindowsHookExA  75F26322 5 Bytes  JMP 00080600
    .text  C:\Windows\system32\services.exe[632] USER32.dll!SetWindowsHookExW  75F287AD 5 Bytes  JMP 00080804
    .text  C:\Windows\system32\services.exe[632] USER32.dll!UnhookWindowsHookEx  75F298DB 5 Bytes  JMP 00080A08
    .text  C:\Windows\system32\services.exe[632] USER32.dll!SetWinEventHook  75F29F3A 5 Bytes  JMP 000801F8
    .text  C:\Windows\system32\services.exe[632] USER32.dll!UnhookWinEvent  75F2C06F 5 Bytes  JMP 000803FC
    .text  C:\Windows\system32\lsass.exe[648] ntdll.dll!LdrLoadDll  772A93A8 5 Bytes  JMP 000501F8
    .text  C:\Windows\system32\lsass.exe[648] ntdll.dll!LdrUnloadDll  772BB740 5 Bytes  JMP 000503FC
    .text  C:\Windows\system32\lsass.exe[648] kernel32.dll!GetBinaryTypeW + 70  75E92247 1 Byte  [62]
    .text  C:\Windows\system32\lsass.exe[648] ADVAPI32.dll!CreateServiceW  76289EB4 5 Bytes  JMP 000703FC
    .text  C:\Windows\system32\lsass.exe[648] ADVAPI32.dll!DeleteService  7628A07E 5 Bytes  JMP 00070600
    .text  C:\Windows\system32\lsass.exe[648] ADVAPI32.dll!SetServiceObjectSecurity  762C6CD9 5 Bytes  JMP 00071014
    .text  C:\Windows\system32\lsass.exe[648] ADVAPI32.dll!ChangeServiceConfigA  762C6DD9 5 Bytes  JMP 00070804
    .text  C:\Windows\system32\lsass.exe[648] ADVAPI32.dll!ChangeServiceConfigW  762C6F81 5 Bytes  JMP 00070A08
    .text  C:\Windows\system32\lsass.exe[648] ADVAPI32.dll!ChangeServiceConfig2A  762C7099 5 Bytes  JMP 00070C0C
    .text  C:\Windows\system32\lsass.exe[648] ADVAPI32.dll!ChangeServiceConfig2W  762C71E1 5 Bytes  JMP 00070E10
    .text  C:\Windows\system32\lsass.exe[648] ADVAPI32.dll!CreateServiceA  762C72A1 5 Bytes  JMP 000701F8
    .text  C:\Windows\system32\lsass.exe[648] USER32.dll!SetWindowsHookExA  75F26322 5 Bytes  JMP 00080600
    .text  C:\Windows\system32\lsass.exe[648] USER32.dll!SetWindowsHookExW  75F287AD 5 Bytes  JMP 00080804
    .text  C:\Windows\system32\lsass.exe[648] USER32.dll!UnhookWindowsHookEx  75F298DB 5 Bytes  JMP 00080A08
    .text  C:\Windows\system32\lsass.exe[648] USER32.dll!SetWinEventHook  75F29F3A 5 Bytes  JMP 000801F8
    .text  C:\Windows\system32\lsass.exe[648] USER32.dll!UnhookWinEvent  75F2C06F 5 Bytes  JMP 000803FC
    .text  C:\Windows\system32\lsm.exe[656] ntdll.dll!LdrLoadDll  772A93A8 5 Bytes  JMP 000501F8
    .text  C:\Windows\system32\lsm.exe[656] ntdll.dll!LdrUnloadDll  772BB740 5 Bytes  JMP 000503FC
    .text  C:\Windows\system32\lsm.exe[656] kernel32.dll!GetBinaryTypeW + 70  75E92247 1 Byte  [62]
    .text  C:\Windows\system32\lsm.exe[656] ADVAPI32.dll!CreateServiceW  76289EB4 5 Bytes  JMP 000703FC
    .text  C:\Windows\system32\lsm.exe[656] ADVAPI32.dll!DeleteService  7628A07E 5 Bytes  JMP 00070600
    .text  C:\Windows\system32\lsm.exe[656] ADVAPI32.dll!SetServiceObjectSecurity  762C6CD9 5 Bytes  JMP 00071014
    .text  C:\Windows\system32\lsm.exe[656] ADVAPI32.dll!ChangeServiceConfigA  762C6DD9 5 Bytes  JMP 00070804
    .text  C:\Windows\system32\lsm.exe[656] ADVAPI32.dll!ChangeServiceConfigW  762C6F81 5 Bytes  JMP 00070A08
    .text  C:\Windows\system32\lsm.exe[656] ADVAPI32.dll!ChangeServiceConfig2A  762C7099 5 Bytes  JMP 00070C0C
    .text  C:\Windows\system32\lsm.exe[656] ADVAPI32.dll!ChangeServiceConfig2W  762C71E1 5 Bytes  JMP 00070E10
    .text  C:\Windows\system32\lsm.exe[656] ADVAPI32.dll!CreateServiceA  762C72A1 5 Bytes  JMP 000701F8
    .text  C:\Windows\system32\winlogon.exe[700] ntdll.dll!LdrLoadDll  772A93A8 5 Bytes  JMP 000301F8
    .text  C:\Windows\system32\winlogon.exe[700] ntdll.dll!LdrUnloadDll  772BB740 5 Bytes  JMP 000303FC
    .text  C:\Windows\system32\winlogon.exe[700] kernel32.dll!GetBinaryTypeW + 70  75E92247 1 Byte  [62]
    .text  C:\Windows\system32\winlogon.exe[700] ADVAPI32.dll!CreateServiceW  76289EB4 5 Bytes  JMP 000503FC
    .text  C:\Windows\system32\winlogon.exe[700] ADVAPI32.dll!DeleteService  7628A07E 5 Bytes  JMP 00050600
    .text  C:\Windows\system32\winlogon.exe[700] ADVAPI32.dll!SetServiceObjectSecurity  762C6CD9 5 Bytes  JMP 00051014
    .text  C:\Windows\system32\winlogon.exe[700] ADVAPI32.dll!ChangeServiceConfigA  762C6DD9 5 Bytes  JMP 00050804
    .text  C:\Windows\system32\winlogon.exe[700] ADVAPI32.dll!ChangeServiceConfigW  762C6F81 5 Bytes  JMP 00050A08
    .text  C:\Windows\system32\winlogon.exe[700] ADVAPI32.dll!ChangeServiceConfig2A  762C7099 5 Bytes  JMP 00050C0C
    .text  C:\Windows\system32\winlogon.exe[700] ADVAPI32.dll!ChangeServiceConfig2W  762C71E1 5 Bytes  JMP 00050E10
    .text  C:\Windows\system32\winlogon.exe[700] ADVAPI32.dll!CreateServiceA  762C72A1 3 Bytes  JMP 000501F8
    .text  C:\Windows\system32\winlogon.exe[700] ADVAPI32.dll!CreateServiceA + 4  762C72A5 1 Byte  [89]
    .text  C:\Windows\system32\winlogon.exe[700] USER32.dll!SetWindowsHookExA  75F26322 5 Bytes  JMP 00070600
    .text  C:\Windows\system32\winlogon.exe[700] USER32.dll!SetWindowsHookExW  75F287AD 5 Bytes  JMP 00070804
    .text  C:\Windows\system32\winlogon.exe[700] USER32.dll!UnhookWindowsHookEx  75F298DB 5 Bytes  JMP 00070A08
    .text  C:\Windows\system32\winlogon.exe[700] USER32.dll!SetWinEventHook  75F29F3A 5 Bytes  JMP 000701F8
    .text  C:\Windows\system32\winlogon.exe[700] USER32.dll!UnhookWinEvent  75F2C06F 5 Bytes  JMP 000703FC
    .text  C:\Windows\system32\svchost.exe[848] ntdll.dll!LdrLoadDll  772A93A8 5 Bytes  JMP 000501F8
    .text  C:\Windows\system32\svchost.exe[848] ntdll.dll!LdrUnloadDll  772BB740 5 Bytes  JMP 000503FC
    .text  C:\Windows\system32\svchost.exe[848] kernel32.dll!GetBinaryTypeW + 70  75E92247 1 Byte  [62]
    .text  C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!CreateServiceW  76289EB4 5 Bytes  JMP 000703FC
    .text  C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!DeleteService  7628A07E 5 Bytes  JMP 00070600
    .text  C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!SetServiceObjectSecurity  762C6CD9 5 Bytes  JMP 00071014
    .text  C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!ChangeServiceConfigA  762C6DD9 5 Bytes  JMP 00070804
    .text  C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!ChangeServiceConfigW  762C6F81 5 Bytes  JMP 00070A08
    .text  C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!ChangeServiceConfig2A  762C7099 5 Bytes  JMP 00070C0C
    .text  C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!ChangeServiceConfig2W  762C71E1 5 Bytes  JMP 00070E10
    .text  C:\Windows\system32\svchost.exe[848] ADVAPI32.dll!CreateServiceA  762C72A1 5 Bytes  JMP 000701F8
    .text  C:\Windows\system32\svchost.exe[848] USER32.dll!SetWindowsHookExA  75F26322 5 Bytes  JMP 00AF0600
    .text  C:\Windows\system32\svchost.exe[848] USER32.dll!SetWindowsHookExW  75F287AD 5 Bytes  JMP 00AF0804
    .text  C:\Windows\system32\svchost.exe[848] USER32.dll!UnhookWindowsHookEx  75F298DB 5 Bytes  JMP 00AF0A08
    .text  C:\Windows\system32\svchost.exe[848] USER32.dll!SetWinEventHook  75F29F3A 5 Bytes  JMP 00AF01F8
    .text  C:\Windows\system32\svchost.exe[848] USER32.dll!UnhookWinEvent  75F2C06F 5 Bytes  JMP 00AF03FC
    .text  C:\Windows\system32\svchost.exe[928] ntdll.dll!LdrLoadDll  772A93A8 5 Bytes  JMP 000901F8
    .text  C:\Windows\system32\svchost.exe[928] ntdll.dll!LdrUnloadDll  772BB740 5 Bytes  JMP 000903FC
    .text  C:\Windows\system32\svchost.exe[928] kernel32.dll!GetBinaryTypeW + 70  75E92247 1 Byte  [62]
    .text  C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!CreateServiceW  76289EB4 5 Bytes  JMP 000B03FC
    .text  C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!DeleteService  7628A07E 5 Bytes  JMP 000B0600
    .text  C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!SetServiceObjectSecurity  762C6CD9 5 Bytes  JMP 000B1014
    .text  C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!ChangeServiceConfigA  762C6DD9 5 Bytes  JMP 000B0804
    .text  C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!ChangeServiceConfigW  762C6F81 5 Bytes  JMP 000B0A08
    .text  C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!ChangeServiceConfig2A  762C7099 5 Bytes  JMP 000B0C0C
    .text  C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!ChangeServiceConfig2W  762C71E1 5 Bytes  JMP 000B0E10
    .text  C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!CreateServiceA  762C72A1 5 Bytes  JMP 000B01F8
    .text  C:\Windows\system32\svchost.exe[928] USER32.dll!SetWindowsHookExA  75F26322 5 Bytes  JMP 00A50600
    .text  C:\Windows\system32\svchost.exe[928] USER32.dll!SetWindowsHookExW  75F287AD 5 Bytes  JMP 00A50804
    .text  C:\Windows\system32\svchost.exe[928] USER32.dll!UnhookWindowsHookEx  75F298DB 5 Bytes  JMP 00A50A08
    .text  C:\Windows\system32\svchost.exe[928] USER32.dll!SetWinEventHook  75F29F3A 5 Bytes  JMP 00A501F8
    .text  C:\Windows\system32\svchost.exe[928] USER32.dll!UnhookWinEvent  75F2C06F 5 Bytes  JMP 00A503FC
    .text  C:\Windows\System32\svchost.exe[964] ntdll.dll!LdrLoadDll  772A93A8 5 Bytes  JMP 000501F8
    .text  C:\Windows\System32\svchost.exe[964] ntdll.dll!LdrUnloadDll  772BB740 5 Bytes  JMP 000503FC
    .text  C:\Windows\System32\svchost.exe[964] kernel32.dll!GetBinaryTypeW + 70  75E92247 1 Byte  [62]
    .text  C:\Windows\System32\svchost.exe[964] ADVAPI32.dll!CreateServiceW  76289EB4 5 Bytes  JMP 000703FC
    .text  C:\Windows\System32\svchost.exe[964] ADVAPI32.dll!DeleteService  7628A07E 5 Bytes  JMP 00070600
    .text  C:\Windows\System32\svchost.exe[964] ADVAPI32.dll!SetServiceObjectSecurity  762C6CD9 5 Bytes  JMP 00071014
    .text  C:\Windows\System32\svchost.exe[964] ADVAPI32.dll!ChangeServiceConfigA  762C6DD9 5 Bytes  JMP 00070804
    .text  C:\Windows\System32\svchost.exe[964] ADVAPI32.dll!ChangeServiceConfigW  762C6F81 5 Bytes  JMP 00070A08
    .text  C:\Windows\System32\svchost.exe[964] ADVAPI32.dll!ChangeServiceConfig2A  762C7099 5 Bytes  JMP 00070C0C
    .text  C:\Windows\System32\svchost.exe[964] ADVAPI32.dll!ChangeServiceConfig2W  762C71E1 5 Bytes  JMP 00070E10
    .text  C:\Windows\System32\svchost.exe[964] ADVAPI32.dll!CreateServiceA  762C72A1 5 Bytes  JMP 000701F8
    .text  C:\Windows\System32\svchost.exe[964] USER32.dll!SetWindowsHookExA  75F26322 5 Bytes  JMP 00090600
    .text  C:\Windows\System32\svchost.exe[964] USER32.dll!SetWindowsHookExW  75F287AD 5 Bytes  JMP 00090804
    .text  C:\Windows\System32\svchost.exe[964] USER32.dll!UnhookWindowsHookEx  75F298DB 5 Bytes  JMP 00090A08
    .text  C:\Windows\System32\svchost.exe[964] USER32.dll!SetWinEventHook  75F29F3A 5 Bytes  JMP 000901F8
    .text  C:\Windows\System32\svchost.exe[964] USER32.dll!UnhookWinEvent  75F2C06F 5 Bytes  JMP 000903FC
    .text  C:\Windows\Explorer.EXE[1016] ntdll.dll!LdrLoadDll  772A93A8 5 Bytes  JMP 000901F8
    .text  C:\Windows\Explorer.EXE[1016] ntdll.dll!LdrUnloadDll  772BB740 5 Bytes  JMP 000903FC
    .text  C:\Windows\Explorer.EXE[1016] kernel32.dll!GetBinaryTypeW + 70  75E92247 1 Byte  [62]
    .text  C:\Windows\Explorer.EXE[1016] ADVAPI32.dll!CreateServiceW  76289EB4 5 Bytes  JMP 000B03FC
    .text  C:\Windows\Explorer.EXE[1016] ADVAPI32.dll!DeleteService  7628A07E 5 Bytes  JMP 000B0600
    .text  C:\Windows\Explorer.EXE[1016] ADVAPI32.dll!SetServiceObjectSecurity  762C6CD9 5 Bytes  JMP 000B1014
    .text  C:\Windows\Explorer.EXE[1016] ADVAPI32.dll!ChangeServiceConfigA  762C6DD9 5 Bytes  JMP 000B0804
    .text  C:\Windows\Explorer.EXE[1016] ADVAPI32.dll!ChangeServiceConfigW  762C6F81 5 Bytes  JMP 000B0A08
    .text  C:\Windows\Explorer.EXE[1016] ADVAPI32.dll!ChangeServiceConfig2A  762C7099 5 Bytes  JMP 000B0C0C
    .text  C:\Windows\Explorer.EXE[1016] ADVAPI32.dll!ChangeServiceConfig2W  762C71E1 5 Bytes  JMP 000B0E10
    .text  C:\Windows\Explorer.EXE[1016] ADVAPI32.dll!CreateServiceA  762C72A1 5 Bytes  JMP 000B01F8
    .text  C:\Windows\Explorer.EXE[1016] USER32.dll!SetWindowsHookExA  75F26322 5 Bytes  JMP 000C0600
    .text  C:\Windows\Explorer.EXE[1016] USER32.dll!SetWindowsHookExW  75F287AD 5 Bytes  JMP 000C0804
    .text  C:\Windows\Explorer.EXE[1016] USER32.dll!UnhookWindowsHookEx  75F298DB 5 Bytes  JMP 000C0A08
    .text  C:\Windows\Explorer.EXE[1016] USER32.dll!SetWinEventHook  75F29F3A 5 Bytes  JMP 000C01F8
    .text  C:\Windows\Explorer.EXE[1016] USER32.dll!UnhookWinEvent  75F2C06F 5 Bytes  JMP 000C03FC
    .text  C:\Windows\System32\svchost.exe[1052] ntdll.dll!LdrLoadDll  772A93A8 5 Bytes  JMP 000501F8
    .text  C:\Windows\System32\svchost.exe[1052] ntdll.dll!LdrUnloadDll  772BB740 5 Bytes  JMP 000503FC
    .text  C:\Windows\System32\svchost.exe[1052] kernel32.dll!GetBinaryTypeW + 70  75E92247 1 Byte  [62]
    .text  C:\Windows\System32\svchost.exe[1052] ADVAPI32.dll!CreateServiceW  76289EB4 5 Bytes  JMP 000703FC
    .text  C:\Windows\System32\svchost.exe[1052] ADVAPI32.dll!DeleteService  7628A07E 5 Bytes  JMP 00070600
    .text  C:\Windows\System32\svchost.exe[1052] ADVAPI32.dll!SetServiceObjectSecurity  762C6CD9 5 Bytes  JMP 00071014
    .text  C:\Windows\System32\svchost.exe[1052] ADVAPI32.dll!ChangeServiceConfigA  762C6DD9 5 Bytes  JMP 00070804
    .text  C:\Windows\System32\svchost.exe[1052] ADVAPI32.dll!ChangeServiceConfigW  762C6F81 5 Bytes  JMP 00070A08
    .text  C:\Windows\System32\svchost.exe[1052] ADVAPI32.dll!ChangeServiceConfig2A  762C7099 5 Bytes  JMP 00070C0C
    .text  C:\Windows\System32\svchost.exe[1052] ADVAPI32.dll!ChangeServiceConfig2W  762C71E1 5 Bytes  JMP 00070E10
    .text C:\Windows\System32\svchost.exe[1052] ADVAPI32.dll!CreateServiceA

    762C72A1 5 Bytes JMP 000701F8
    .text C:\Windows\System32\svchost.exe[1052] USER32.dll!SetWindowsHookExA

    75F26322 5 Bytes JMP 00110600
    .text C:\Windows\System32\svchost.exe[1052] USER32.dll!SetWindowsHookExW

    75F287AD 5 Bytes JMP 00110804
    .text C:\Windows\System32\svchost.exe[1052] USER32.dll!UnhookWindowsHookEx

    75F298DB 5 Bytes JMP 00110A08
    .text C:\Windows\System32\svchost.exe[1052] USER32.dll!SetWinEventHook

    75F29F3A 5 Bytes JMP 001101F8
    .text C:\Windows\System32\svchost.exe[1052] USER32.dll!UnhookWinEvent

    75F2C06F 5 Bytes JMP 001103FC
    .text C:\Windows\System32\svchost.exe[1080] ntdll.dll!LdrLoadDll

    772A93A8 5 Bytes JMP 000501F8
     
  10. 2011/04/27
    AlanR (Well-Known Member, Thread Starter)

    GMER Part 2 of 3


    .text C:\Windows\System32\svchost.exe[1080] ntdll.dll!LdrUnloadDll 772BB740 5 Bytes JMP 000503FC
    .text C:\Windows\System32\svchost.exe[1080] kernel32.dll!GetBinaryTypeW + 70 75E92247 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!CreateServiceW 76289EB4 5 Bytes JMP 000703FC
    .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!DeleteService 7628A07E 5 Bytes JMP 00070600
    .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!SetServiceObjectSecurity 762C6CD9 5 Bytes JMP 00071014
    .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!ChangeServiceConfigA 762C6DD9 5 Bytes JMP 00070804
    .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!ChangeServiceConfigW 762C6F81 5 Bytes JMP 00070A08
    .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!ChangeServiceConfig2A 762C7099 5 Bytes JMP 00070C0C
    .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!ChangeServiceConfig2W 762C71E1 5 Bytes JMP 00070E10
    .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!CreateServiceA 762C72A1 5 Bytes JMP 000701F8
    .text C:\Windows\System32\svchost.exe[1080] USER32.dll!SetWindowsHookExA 75F26322 5 Bytes JMP 00930600
    .text C:\Windows\System32\svchost.exe[1080] USER32.dll!SetWindowsHookExW 75F287AD 5 Bytes JMP 00930804
    .text C:\Windows\System32\svchost.exe[1080] USER32.dll!UnhookWindowsHookEx 75F298DB 5 Bytes JMP 00930A08
    .text C:\Windows\System32\svchost.exe[1080] USER32.dll!SetWinEventHook 75F29F3A 5 Bytes JMP 009301F8
    .text C:\Windows\System32\svchost.exe[1080] USER32.dll!UnhookWinEvent 75F2C06F 5 Bytes JMP 009303FC
    .text C:\Windows\system32\svchost.exe[1092] ntdll.dll!LdrLoadDll 772A93A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[1092] ntdll.dll!LdrUnloadDll 772BB740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!GetBinaryTypeW + 70 75E92247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!CreateServiceW 76289EB4 5 Bytes JMP 000803FC
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!DeleteService 7628A07E 5 Bytes JMP 00080600
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!SetServiceObjectSecurity 762C6CD9 5 Bytes JMP 00081014
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!ChangeServiceConfigA 762C6DD9 5 Bytes JMP 00080804
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!ChangeServiceConfigW 762C6F81 5 Bytes JMP 00080A08
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!ChangeServiceConfig2A 762C7099 5 Bytes JMP 00080C0C
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!ChangeServiceConfig2W 762C71E1 5 Bytes JMP 00080E10
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!CreateServiceA 762C72A1 5 Bytes JMP 000801F8
    .text C:\Windows\system32\svchost.exe[1092] USER32.dll!SetWindowsHookExA 75F26322 5 Bytes JMP 001A0600
    .text C:\Windows\system32\svchost.exe[1092] USER32.dll!SetWindowsHookExW 75F287AD 5 Bytes JMP 001A0804
    .text C:\Windows\system32\svchost.exe[1092] USER32.dll!UnhookWindowsHookEx 75F298DB 5 Bytes JMP 001A0A08
    .text C:\Windows\system32\svchost.exe[1092] USER32.dll!SetWinEventHook 75F29F3A 5 Bytes JMP 001A01F8
    .text C:\Windows\system32\svchost.exe[1092] USER32.dll!UnhookWinEvent 75F2C06F 5 Bytes JMP 001A03FC
    .text C:\Windows\system32\AUDIODG.EXE[1180] kernel32.dll!GetBinaryTypeW + 70 75E92247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1248] ntdll.dll!LdrLoadDll 772A93A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[1248] ntdll.dll!LdrUnloadDll 772BB740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[1248] kernel32.dll!GetBinaryTypeW + 70 75E92247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!CreateServiceW 76289EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!DeleteService 7628A07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!SetServiceObjectSecurity 762C6CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!ChangeServiceConfigA 762C6DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!ChangeServiceConfigW 762C6F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!ChangeServiceConfig2A 762C7099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!ChangeServiceConfig2W 762C71E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\svchost.exe[1248] ADVAPI32.dll!CreateServiceA 762C72A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\SLsvc.exe[1264] kernel32.dll!GetBinaryTypeW + 70 75E92247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1324] ntdll.dll!LdrLoadDll 772A93A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[1324] ntdll.dll!LdrUnloadDll 772BB740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[1324] kernel32.dll!GetBinaryTypeW + 70 75E92247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!CreateServiceW 76289EB4 5 Bytes JMP 000B03FC
    .text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!DeleteService 7628A07E 5 Bytes JMP 000B0600
    .text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!SetServiceObjectSecurity 762C6CD9 5 Bytes JMP 000B1014
    .text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!ChangeServiceConfigA 762C6DD9 5 Bytes JMP 000B0804
    .text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!ChangeServiceConfigW 762C6F81 5 Bytes JMP 000B0A08
    .text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!ChangeServiceConfig2A 762C7099 5 Bytes JMP 000B0C0C
    .text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!ChangeServiceConfig2W 762C71E1 5 Bytes JMP 000B0E10
    .text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!CreateServiceA 762C72A1 5 Bytes JMP 000B01F8
    .text C:\Windows\system32\svchost.exe[1324] USER32.dll!SetWindowsHookExA 75F26322 5 Bytes JMP 00920600
    .text C:\Windows\system32\svchost.exe[1324] USER32.dll!SetWindowsHookExW 75F287AD 5 Bytes JMP 00920804
    .text C:\Windows\system32\svchost.exe[1324] USER32.dll!UnhookWindowsHookEx 75F298DB 5 Bytes JMP 00920A08
    .text C:\Windows\system32\svchost.exe[1324] USER32.dll!SetWinEventHook 75F29F3A 5 Bytes JMP 009201F8
    .text C:\Windows\system32\svchost.exe[1324] USER32.dll!UnhookWinEvent 75F2C06F 5 Bytes JMP 009203FC
    .text C:\Windows\system32\taskeng.exe[1388] ntdll.dll!LdrLoadDll 772A93A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\taskeng.exe[1388] ntdll.dll!LdrUnloadDll 772BB740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\taskeng.exe[1388] kernel32.dll!GetBinaryTypeW + 70 75E92247 1 Byte [62]
    .text C:\Windows\system32\taskeng.exe[1388] ADVAPI32.dll!CreateServiceW 76289EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\taskeng.exe[1388] ADVAPI32.dll!DeleteService 7628A07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\taskeng.exe[1388] ADVAPI32.dll!SetServiceObjectSecurity 762C6CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\taskeng.exe[1388] ADVAPI32.dll!ChangeServiceConfigA 762C6DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\taskeng.exe[1388] ADVAPI32.dll!ChangeServiceConfigW 762C6F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\taskeng.exe[1388] ADVAPI32.dll!ChangeServiceConfig2A 762C7099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\taskeng.exe[1388] ADVAPI32.dll!ChangeServiceConfig2W 762C71E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\taskeng.exe[1388] ADVAPI32.dll!CreateServiceA 762C72A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\taskeng.exe[1388] USER32.dll!SetWindowsHookExA 75F26322 5 Bytes JMP 00080600
    .text C:\Windows\system32\taskeng.exe[1388] USER32.dll!SetWindowsHookExW 75F287AD 5 Bytes JMP 00080804
    .text C:\Windows\system32\taskeng.exe[1388] USER32.dll!UnhookWindowsHookEx 75F298DB 5 Bytes JMP 00080A08
    .text C:\Windows\system32\taskeng.exe[1388] USER32.dll!SetWinEventHook 75F29F3A 5 Bytes JMP 000801F8
    .text C:\Windows\system32\taskeng.exe[1388] USER32.dll!UnhookWinEvent 75F2C06F 5 Bytes JMP 000803FC
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[1424] ntdll.dll!LdrLoadDll 772A93A8 5 Bytes JMP 001501F8
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[1424] ntdll.dll!LdrUnloadDll 772BB740 5 Bytes JMP 001503FC
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[1424] kernel32.dll!GetBinaryTypeW + 70 75E92247 1 Byte [62]
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[1424] ADVAPI32.dll!CreateServiceW 76289EB4 5 Bytes JMP 001803FC
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[1424] ADVAPI32.dll!DeleteService 7628A07E 5 Bytes JMP 00180600
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[1424] ADVAPI32.dll!SetServiceObjectSecurity 762C6CD9 5 Bytes JMP 00181014
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[1424] ADVAPI32.dll!ChangeServiceConfigA 762C6DD9 5 Bytes JMP 00180804
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[1424] ADVAPI32.dll!ChangeServiceConfigW 762C6F81 5 Bytes JMP 00180A08
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[1424] ADVAPI32.dll!ChangeServiceConfig2A 762C7099 5 Bytes JMP 00180C0C
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[1424] ADVAPI32.dll!ChangeServiceConfig2W 762C71E1 5 Bytes JMP 00180E10
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[1424] ADVAPI32.dll!CreateServiceA 762C72A1 5 Bytes JMP 001801F8
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[1424] USER32.dll!SetWindowsHookExA 75F26322 5 Bytes JMP 00190600
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[1424] USER32.dll!SetWindowsHookExW 75F287AD 5 Bytes JMP 00190804
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[1424] USER32.dll!UnhookWindowsHookEx 75F298DB 5 Bytes JMP 00190A08
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[1424] USER32.dll!SetWinEventHook 75F29F3A 5 Bytes JMP 001901F8
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[1424] USER32.dll!UnhookWinEvent 75F2C06F 5 Bytes JMP 001903FC
    .text C:\Windows\system32\svchost.exe[1448] ntdll.dll!LdrLoadDll 772A93A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[1448] ntdll.dll!LdrUnloadDll 772BB740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[1448] kernel32.dll!GetBinaryTypeW + 70 75E92247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!CreateServiceW 76289EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!DeleteService 7628A07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!SetServiceObjectSecurity 762C6CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!ChangeServiceConfigA 762C6DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!ChangeServiceConfigW 762C6F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!ChangeServiceConfig2A 762C7099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!ChangeServiceConfig2W 762C71E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\svchost.exe[1448] ADVAPI32.dll!CreateServiceA 762C72A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\svchost.exe[1448] USER32.dll!SetWindowsHookExA 75F26322 5 Bytes JMP 00140600
    .text C:\Windows\system32\svchost.exe[1448] USER32.dll!SetWindowsHookExW 75F287AD 5 Bytes JMP 00140804
    .text C:\Windows\system32\svchost.exe[1448] USER32.dll!UnhookWindowsHookEx 75F298DB 5 Bytes JMP 00140A08
    .text C:\Windows\system32\svchost.exe[1448] USER32.dll!SetWinEventHook 75F29F3A 5 Bytes JMP 001401F8
    .text C:\Windows\system32\svchost.exe[1448] USER32.dll!UnhookWinEvent 75F2C06F 5 Bytes JMP 001403FC
    .text C:\Windows\system32\Dwm.exe[1484] ntdll.dll!LdrLoadDll 772A93A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\Dwm.exe[1484] ntdll.dll!LdrUnloadDll 772BB740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\Dwm.exe[1484] kernel32.dll!GetBinaryTypeW + 70 75E92247 1 Byte [62]
    .text C:\Windows\system32\Dwm.exe[1484] ADVAPI32.dll!CreateServiceW 76289EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\Dwm.exe[1484] ADVAPI32.dll!DeleteService 7628A07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\Dwm.exe[1484] ADVAPI32.dll!SetServiceObjectSecurity 762C6CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\Dwm.exe[1484] ADVAPI32.dll!ChangeServiceConfigA 762C6DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\Dwm.exe[1484] ADVAPI32.dll!ChangeServiceConfigW 762C6F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\Dwm.exe[1484] ADVAPI32.dll!ChangeServiceConfig2A 762C7099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\Dwm.exe[1484] ADVAPI32.dll!ChangeServiceConfig2W 762C71E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\Dwm.exe[1484] ADVAPI32.dll!CreateServiceA 762C72A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\Dwm.exe[1484] USER32.dll!SetWindowsHookExA 75F26322 5 Bytes JMP 00080600
    .text C:\Windows\system32\Dwm.exe[1484] USER32.dll!SetWindowsHookExW 75F287AD 5 Bytes JMP 00080804
    .text C:\Windows\system32\Dwm.exe[1484] USER32.dll!UnhookWindowsHookEx 75F298DB 5 Bytes JMP 00080A08
    .text C:\Windows\system32\Dwm.exe[1484] USER32.dll!SetWinEventHook 75F29F3A 5 Bytes JMP 000801F8
    .text C:\Windows\system32\Dwm.exe[1484] USER32.dll!UnhookWinEvent 75F2C06F 5 Bytes JMP 000803FC
    .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1552] kernel32.dll!SetUnhandledExceptionFilter 75E6A84F 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
    .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1552] kernel32.dll!GetBinaryTypeW + 70 75E92247 1 Byte [62]
    .text C:\Windows\System32\spoolsv.exe[1952] ntdll.dll!LdrLoadDll 772A93A8 5 Bytes JMP 000501F8
    .text C:\Windows\System32\spoolsv.exe[1952] ntdll.dll!LdrUnloadDll 772BB740 5 Bytes JMP 000503FC
    .text C:\Windows\System32\spoolsv.exe[1952] kernel32.dll!GetBinaryTypeW + 70 75E92247 1 Byte [62]
    .text C:\Windows\System32\spoolsv.exe[1952] ADVAPI32.dll!CreateServiceW 76289EB4 5 Bytes JMP 000703FC
    .text C:\Windows\System32\spoolsv.exe[1952] ADVAPI32.dll!DeleteService 7628A07E 5 Bytes JMP 00070600
    .text C:\Windows\System32\spoolsv.exe[1952] ADVAPI32.dll!SetServiceObjectSecurity 762C6CD9 5 Bytes JMP 00071014
    .text C:\Windows\System32\spoolsv.exe[1952] ADVAPI32.dll!ChangeServiceConfigA 762C6DD9 5 Bytes JMP 00070804
    .text C:\Windows\System32\spoolsv.exe[1952] ADVAPI32.dll!ChangeServiceConfigW 762C6F81 5 Bytes JMP 00070A08
    .text C:\Windows\System32\spoolsv.exe[1952] ADVAPI32.dll!ChangeServiceConfig2A 762C7099 5 Bytes JMP 00070C0C
    .text C:\Windows\System32\spoolsv.exe[1952] ADVAPI32.dll!ChangeServiceConfig2W 762C71E1 5 Bytes JMP 00070E10
    .text C:\Windows\System32\spoolsv.exe[1952] ADVAPI32.dll!CreateServiceA 762C72A1 5 Bytes JMP 000701F8
    .text C:\Windows\System32\spoolsv.exe[1952] USER32.dll!SetWindowsHookExA 75F26322 5 Bytes JMP 00110600
    .text C:\Windows\System32\spoolsv.exe[1952] USER32.dll!SetWindowsHookExW 75F287AD 5 Bytes JMP 00110804
    .text C:\Windows\System32\spoolsv.exe[1952] USER32.dll!UnhookWindowsHookEx 75F298DB 5 Bytes JMP 00110A08
    .text C:\Windows\System32\spoolsv.exe[1952] USER32.dll!SetWinEventHook 75F29F3A 5 Bytes JMP 001101F8
    .text C:\Windows\System32\spoolsv.exe[1952] USER32.dll!UnhookWinEvent 75F2C06F 5 Bytes JMP 001103FC
    .text C:\Windows\system32\svchost.exe[1976] ntdll.dll!LdrLoadDll 772A93A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[1976] ntdll.dll!LdrUnloadDll 772BB740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[1976] kernel32.dll!GetBinaryTypeW + 70 75E92247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1976] ADVAPI32.dll!CreateServiceW 76289EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\svchost.exe[1976] ADVAPI32.dll!DeleteService 7628A07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\svchost.exe[1976] ADVAPI32.dll!SetServiceObjectSecurity 762C6CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\svchost.exe[1976] ADVAPI32.dll!ChangeServiceConfigA 762C6DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\svchost.exe[1976] ADVAPI32.dll!ChangeServiceConfigW 762C6F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\svchost.exe[1976] ADVAPI32.dll!ChangeServiceConfig2A 762C7099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\svchost.exe[1976] ADVAPI32.dll!ChangeServiceConfig2W 762C71E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\svchost.exe[1976] ADVAPI32.dll!CreateServiceA 762C72A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\svchost.exe[1976] USER32.dll!SetWindowsHookExA 75F26322 5 Bytes JMP 008F0600
    .text C:\Windows\system32\svchost.exe[1976] USER32.dll!SetWindowsHookExW 75F287AD 5 Bytes JMP 008F0804
    .text C:\Windows\system32\svchost.exe[1976] USER32.dll!UnhookWindowsHookEx 75F298DB 5 Bytes JMP 008F0A08
    .text C:\Windows\system32\svchost.exe[1976] USER32.dll!SetWinEventHook 75F29F3A 5 Bytes JMP 008F01F8
    .text C:\Windows\system32\svchost.exe[1976] USER32.dll!UnhookWinEvent 75F2C06F 5 Bytes JMP 008F03FC
    .text C:\Windows\system32\svchost.exe[2284] ntdll.dll!LdrLoadDll 772A93A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[2284] ntdll.dll!LdrUnloadDll 772BB740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[2284] kernel32.dll!GetBinaryTypeW + 70 75E92247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[2284] ADVAPI32.dll!CreateServiceW 76289EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\svchost.exe[2284] ADVAPI32.dll!DeleteService 7628A07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\svchost.exe[2284] ADVAPI32.dll!SetServiceObjectSecurity 762C6CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\svchost.exe[2284] ADVAPI32.dll!ChangeServiceConfigA 762C6DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\svchost.exe[2284] ADVAPI32.dll!ChangeServiceConfigW 762C6F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\svchost.exe[2284] ADVAPI32.dll!ChangeServiceConfig2A 762C7099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\svchost.exe[2284] ADVAPI32.dll!ChangeServiceConfig2W 762C71E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\svchost.exe[2284] ADVAPI32.dll!CreateServiceA 762C72A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\svchost.exe[2284] USER32.dll!SetWindowsHookExA 75F26322 5 Bytes JMP 000F0600
    .text C:\Windows\system32\svchost.exe[2284] USER32.dll!SetWindowsHookExW 75F287AD 5 Bytes JMP 000F0804
    .text C:\Windows\system32\svchost.exe[2284] USER32.dll!UnhookWindowsHookEx 75F298DB 5 Bytes JMP 000F0A08
    .text C:\Windows\system32\svchost.exe[2284] USER32.dll!SetWinEventHook 75F29F3A 5 Bytes JMP 000F01F8
    .text C:\Windows\system32\svchost.exe[2284] USER32.dll!UnhookWinEvent 75F2C06F 5 Bytes JMP 000F03FC
    .text C:\Windows\system32\svchost.exe[2324] ntdll.dll!LdrLoadDll 772A93A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[2324] ntdll.dll!LdrUnloadDll 772BB740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[2324] kernel32.dll!GetBinaryTypeW + 70 75E92247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[2324] ADVAPI32.dll!CreateServiceW 76289EB4 5 Bytes JMP 000B03FC
    .text C:\Windows\system32\svchost.exe[2324] ADVAPI32.dll!DeleteService 7628A07E 5 Bytes JMP 000B0600
    .text C:\Windows\system32\svchost.exe[2324] ADVAPI32.dll!SetServiceObjectSecurity 762C6CD9 5 Bytes JMP 000B1014
    .text C:\Windows\system32\svchost.exe[2324] ADVAPI32.dll!ChangeServiceConfigA 762C6DD9 5 Bytes JMP 000B0804
    .text C:\Windows\system32\svchost.exe[2324] ADVAPI32.dll!ChangeServiceConfigW 762C6F81 5 Bytes JMP 000B0A08
    .text C:\Windows\system32\svchost.exe[2324] ADVAPI32.dll!ChangeServiceConfig2A 762C7099 5 Bytes JMP 000B0C0C
    .text C:\Windows\system32\svchost.exe[2324] ADVAPI32.dll!ChangeServiceConfig2W 762C71E1 5 Bytes JMP 000B0E10
    .text C:\Windows\system32\svchost.exe[2324] ADVAPI32.dll!CreateServiceA 762C72A1 5 Bytes JMP 000B01F8
    .text C:\Windows\System32\svchost.exe[2364] ntdll.dll!LdrLoadDll 772A93A8 5 Bytes JMP 000501F8
    .text C:\Windows\System32\svchost.exe[2364] ntdll.dll!LdrUnloadDll 772BB740 5 Bytes JMP 000503FC
    .text C:\Windows\System32\svchost.exe[2364] kernel32.dll!GetBinaryTypeW + 70 75E92247 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[2364] ADVAPI32.dll!CreateServiceW 76289EB4 5 Bytes JMP 000703FC
    .text C:\Windows\System32\svchost.exe[2364] ADVAPI32.dll!DeleteService 7628A07E 5 Bytes JMP 00070600
    .text C:\Windows\System32\svchost.exe[2364] ADVAPI32.dll!SetServiceObjectSecurity 762C6CD9 5 Bytes JMP 00071014
    .text C:\Windows\System32\svchost.exe[2364] ADVAPI32.dll!ChangeServiceConfigA 762C6DD9 5 Bytes JMP 00070804
    .text C:\Windows\System32\svchost.exe[2364] ADVAPI32.dll!ChangeServiceConfigW 762C6F81 5 Bytes JMP 00070A08
    .text C:\Windows\System32\svchost.exe[2364] ADVAPI32.dll!ChangeServiceConfig2A 762C7099 5 Bytes JMP 00070C0C
    .text C:\Windows\System32\svchost.exe[2364] ADVAPI32.dll!ChangeServiceConfig2W 762C71E1 5 Bytes JMP 00070E10
    .text C:\Windows\System32\svchost.exe[2364] ADVAPI32.dll!CreateServiceA 762C72A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\SearchIndexer.exe[2392] ntdll.dll!LdrLoadDll 772A93A8 5 Bytes JMP 000D01F8
    .text C:\Windows\system32\SearchIndexer.exe[2392] ntdll.dll!LdrUnloadDll 772BB740 5 Bytes JMP 000D03FC
    .text C:\Windows\system32\SearchIndexer.exe[2392] kernel32.dll!GetBinaryTypeW + 70 75E92247 1 Byte [62]
    .text C:\Windows\system32\SearchIndexer.exe[2392] ADVAPI32.dll!CreateServiceW 76289EB4 5 Bytes JMP 000F03FC
    .text C:\Windows\system32\SearchIndexer.exe[2392] ADVAPI32.dll!DeleteService 7628A07E 5 Bytes JMP 000F0600
    .text C:\Windows\system32\SearchIndexer.exe[2392] ADVAPI32.dll!SetServiceObjectSecurity 762C6CD9 5 Bytes JMP 000F1014
    .text C:\Windows\system32\SearchIndexer.exe[2392] ADVAPI32.dll!ChangeServiceConfigA 762C6DD9 5 Bytes JMP 000F0804
    .text C:\Windows\system32\SearchIndexer.exe[2392] ADVAPI32.dll!ChangeServiceConfigW 762C6F81 5 Bytes JMP 000F0A08
    .text C:\Windows\system32\SearchIndexer.exe[2392] ADVAPI32.dll!ChangeServiceConfig2A 762C7099 5 Bytes JMP 000F0C0C
    .text C:\Windows\system32\SearchIndexer.exe[2392] ADVAPI32.dll!ChangeServiceConfig2W 762C71E1 5 Bytes JMP 000F0E10
    .text C:\Windows\system32\SearchIndexer.exe[2392] ADVAPI32.dll!CreateServiceA 762C72A1 5 Bytes JMP 000F01F8
    .text C:\Windows\system32\SearchIndexer.exe[2392] USER32.dll!SetWindowsHookExA 75F26322 5 Bytes JMP 00100600
    .text C:\Windows\system32\SearchIndexer.exe[2392] USER32.dll!SetWindowsHookExW 75F287AD 5 Bytes JMP 00100804
    .text C:\Windows\system32\SearchIndexer.exe[2392] USER32.dll!UnhookWindowsHookEx 75F298DB 5 Bytes JMP 00100A08
    .text C:\Windows\system32\SearchIndexer.exe[2392] USER32.dll!SetWinEventHook 75F29F3A 5 Bytes JMP 001001F8
    .text C:\Windows\system32\SearchIndexer.exe[2392] USER32.dll!UnhookWinEvent 75F2C06F 5 Bytes JMP 001003FC
    .text C:\Program Files\Windows Defender\MSASCui.exe[2400] ntdll.dll!LdrLoadDll 772A93A8 5 Bytes JMP 000501F8
    .text C:\Program Files\Windows Defender\MSASCui.exe[2400] ntdll.dll!LdrUnloadDll 772BB740 5 Bytes JMP 000503FC
    .text C:\Program Files\Windows Defender\MSASCui.exe[2400] kernel32.dll!GetBinaryTypeW + 70 75E92247 1 Byte [62]
    .text C:\Program Files\Windows Defender\MSASCui.exe[2400] ADVAPI32.dll!CreateServiceW 76289EB4 5 Bytes JMP 000B03FC
    .text C:\Program Files\Windows Defender\MSASCui.exe[2400] ADVAPI32.dll!DeleteService 7628A07E 5 Bytes JMP 000B0600
    .text C:\Program Files\Windows Defender\MSASCui.exe[2400] ADVAPI32.dll!SetServiceObjectSecurity 762C6CD9 5 Bytes JMP 000B1014
    .text C:\Program Files\Windows Defender\MSASCui.exe[2400] ADVAPI32.dll!ChangeServiceConfigA 762C6DD9 5 Bytes JMP 000B0804
    .text C:\Program Files\Windows Defender\MSASCui.exe[2400] ADVAPI32.dll!ChangeServiceConfigW 762C6F81 5 Bytes JMP 000B0A08
    .text C:\Program Files\Windows Defender\MSASCui.exe[2400] ADVAPI32.dll!ChangeServiceConfig2A 762C7099 5 Bytes JMP 000B0C0C
    .text C:\Program Files\Windows Defender\MSASCui.exe[2400] ADVAPI32.dll!ChangeServiceConfig2W 762C71E1 5 Bytes JMP 000B0E10
    .text C:\Program Files\Windows Defender\MSASCui.exe[2400] ADVAPI32.dll!CreateServiceA 762C72A1 5 Bytes JMP 000B01F8
    .text C:\Program Files\Windows Defender\MSASCui.exe[2400] USER32.dll!SetWindowsHookExA 75F26322 5 Bytes JMP 000C0600
    .text C:\Program Files\Windows Defender\MSASCui.exe[2400] USER32.dll!SetWindowsHookExW 75F287AD 5 Bytes JMP 000C0804
    .text C:\Program Files\Windows Defender\MSASCui.exe[2400] USER32.dll!UnhookWindowsHookEx 75F298DB 5 Bytes JMP 000C0A08
    .text C:\Program Files\Windows Defender\MSASCui.exe[2400] USER32.dll!SetWinEventHook 75F29F3A 5 Bytes JMP 000C01F8
    .text C:\Program Files\Windows Defender\MSASCui.exe[2400] USER32.dll!UnhookWinEvent 75F2C06F 5 Bytes JMP 000C03FC
    .text C:\Windows\System32\hkcmd.exe[2476] ntdll.dll!LdrLoadDll 772A93A8 5 Bytes JMP 001501F8
    .text C:\Windows\System32\hkcmd.exe[2476] ntdll.dll!LdrUnloadDll 772BB740 5 Bytes JMP 001503FC
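The entries above are GMER's user-mode hook listing: one record per patched API entry point, giving the process and PID, the module and export that was patched, the address of the overwritten bytes, how many bytes were overwritten, and either the JMP destination or the raw replacement bytes (for example the 1-byte write at GetBinaryTypeW + 70 and the RET 0x4; NOP stub in AvastSvc.exe). Reading three posts of this by hand is tedious, so the script below is an added example (not part of AlanR's post and not GMER's code) that parses the format, including the two-line form the forum wrapped each entry into, groups hooks per process, lists the processes whose hook set differs from the majority, and reports whether the JMP destinations for each API share the same offset inside their 64 KiB region. The entries in SAMPLE_LOG are constructed in the shape of the log above; the function names and the HookEntry record are this example's own.

```python
"""Parse GMER user-mode ".text" hook entries and summarise them per process."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the GMER log above. One entry is split
# across two lines, the way the forum extraction wrapped every entry.
SAMPLE_LOG = r""".text C:\Windows\System32\svchost.exe[964] ADVAPI32.dll!SetServiceObjectSecurity 762C6CD9 5 Bytes JMP 00071014
.text C:\Windows\System32\svchost.exe[964] USER32.dll!SetWindowsHookExA 75F26322 5 Bytes JMP 00090600
.text C:\Windows\System32\svchost.exe[964] kernel32.dll!GetBinaryTypeW + 70 75E92247 1 Byte [62]
.text C:\Windows\Explorer.EXE[1016] ADVAPI32.dll!SetServiceObjectSecurity 762C6CD9 5 Bytes JMP 000B1014
.text C:\Windows\Explorer.EXE[1016] USER32.dll!SetWindowsHookExA
75F26322 5 Bytes JMP 000C0600
.text C:\Windows\Explorer.EXE[1016] kernel32.dll!GetBinaryTypeW + 70 75E92247 1 Byte [62]
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1552] kernel32.dll!SetUnhandledExceptionFilter 75E6A84F 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1552] kernel32.dll!GetBinaryTypeW + 70 75E92247 1 Byte [62]
"""

# <process path>[<pid>] <module>!<function[ + offset]> <addr> <n> Byte(s) <patch>
ENTRY_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>.+?)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+(?P<patch>.+)$"
)


@dataclass(frozen=True)
class HookEntry:
    process: str
    pid: int
    symbol: str                 # "module!function"
    address: int                # address of the patched bytes
    size: int                   # number of bytes overwritten
    jmp_target: Optional[int]   # destination of a "JMP xxxxxxxx" detour, else None
    patch: str                  # raw patch text as GMER printed it


def _joined_lines(text):
    """Yield one logical entry per line; lines not starting with '.text'
    are treated as the wrapped continuation of the previous entry."""
    buf = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(".text"):
            if buf:
                yield buf
            buf = line
        elif buf:
            buf = f"{buf} {line}"
    if buf:
        yield buf


def parse_gmer_hooks(text):
    entries = []
    for line in _joined_lines(text):
        m = ENTRY_RE.match(line)
        if not m:
            continue  # not a user-mode hook record (other GMER sections)
        patch = m["patch"].strip()
        jm = re.fullmatch(r"JMP\s+([0-9A-Fa-f]{8})", patch)
        entries.append(HookEntry(
            process=m["proc"], pid=int(m["pid"]),
            symbol=f'{m["module"]}!{m["func"].strip()}',
            address=int(m["addr"], 16), size=int(m["size"]),
            jmp_target=int(jm.group(1), 16) if jm else None,
            patch=patch))
    return entries


def hooks_by_process(entries):
    """Map (process, pid) -> sorted list of hooked symbols."""
    out = defaultdict(set)
    for e in entries:
        out[(e.process, e.pid)].add(e.symbol)
    return {k: sorted(v) for k, v in out.items()}


def detour_offsets(entries):
    """Per symbol, the set of JMP-target offsets within their 64 KiB region.
    One installer that allocates a trampoline block per process and patches
    the same API list lands each API at the same offset in every process, so
    a single offset per symbol across all processes points to one component."""
    offsets = defaultdict(set)
    for e in entries:
        if e.jmp_target is not None:
            offsets[e.symbol].add(e.jmp_target & 0xFFFF)
    return dict(offsets)


def odd_processes(entries):
    """Processes whose hooked-symbol set differs from the most common set."""
    per_proc = hooks_by_process(entries)
    common = Counter(tuple(v) for v in per_proc.values()).most_common(1)[0][0]
    return sorted(k for k, v in per_proc.items() if tuple(v) != common)


def non_jmp_patches(entries):
    """Patches that are not JMP detours: single-byte writes, RET stubs, etc."""
    return [e for e in entries if e.jmp_target is None]


if __name__ == "__main__":
    hooks = parse_gmer_hooks(SAMPLE_LOG)
    for proc, syms in hooks_by_process(hooks).items():
        print(f"{proc[0]}[{proc[1]}]: {len(syms)} hooks")
    print("odd:", odd_processes(hooks))
    print("offsets:", {s: sorted(hex(o) for o in v) for s, v in detour_offsets(hooks).items()})
    for e in non_jmp_patches(hooks):
        print(f"non-JMP patch in {e.process}[{e.pid}] at {e.symbol} {e.address:08X}: {e.patch}")
```

Run against the full three-part log (paste it into a file and feed it to parse_gmer_hooks) the interesting outputs are odd_processes, which picks out the processes that carry fewer hooks than the rest (AUDIODG.EXE, SLsvc.exe and AvastSvc.exe in this log), and detour_offsets, which shows that every JMP for a given API lands at the same offset (0x1F8, 0x3FC, 0x600, 0x804, 0xA08, 0xC0C, 0xE10 or 0x1014) regardless of process. That uniformity is the signature of a single hooking component present in all of these processes; deciding whether that component is the installed security software or the infection is the analyst's job and is not something the script decides.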
     
  11. 2011/04/27
    AlanR (Well-Known Member, Thread Starter)

    GMER Part 3 of 3

    .text C:\Windows\System32\hkcmd.exe[2476] kernel32.dll!GetBinaryTypeW + 70 75E92247 1 Byte [62]
    .text C:\Windows\System32\hkcmd.exe[2476] USER32.dll!SetWindowsHookExA 75F26322 5 Bytes JMP 00180600
    .text C:\Windows\System32\hkcmd.exe[2476] USER32.dll!SetWindowsHookExW 75F287AD 5 Bytes JMP 00180804
    .text C:\Windows\System32\hkcmd.exe[2476] USER32.dll!UnhookWindowsHookEx 75F298DB 5 Bytes JMP 00180A08
    .text C:\Windows\System32\hkcmd.exe[2476] USER32.dll!SetWinEventHook 75F29F3A 5 Bytes JMP 001801F8
    .text C:\Windows\System32\hkcmd.exe[2476] USER32.dll!UnhookWinEvent 75F2C06F 5 Bytes JMP 001803FC
    .text C:\Windows\System32\hkcmd.exe[2476] ADVAPI32.dll!CreateServiceW 76289EB4 5 Bytes JMP 001903FC
    .text C:\Windows\System32\hkcmd.exe[2476] ADVAPI32.dll!DeleteService 7628A07E 5 Bytes JMP 00190600
    .text C:\Windows\System32\hkcmd.exe[2476] ADVAPI32.dll!SetServiceObjectSecurity 762C6CD9 5 Bytes JMP 00191014
    .text C:\Windows\System32\hkcmd.exe[2476] ADVAPI32.dll!ChangeServiceConfigA 762C6DD9 5 Bytes JMP 00190804
    .text C:\Windows\System32\hkcmd.exe[2476] ADVAPI32.dll!ChangeServiceConfigW 762C6F81 5 Bytes JMP 00190A08
    .text C:\Windows\System32\hkcmd.exe[2476] ADVAPI32.dll!ChangeServiceConfig2A 762C7099 5 Bytes JMP 00190C0C
    .text C:\Windows\System32\hkcmd.exe[2476] ADVAPI32.dll!ChangeServiceConfig2W 762C71E1 5 Bytes JMP 00190E10
    .text C:\Windows\System32\hkcmd.exe[2476] ADVAPI32.dll!CreateServiceA 762C72A1 5 Bytes JMP 001901F8
    .text C:\Windows\System32\igfxpers.exe[2528] ntdll.dll!LdrLoadDll 772A93A8 5 Bytes JMP 001501F8
    .text C:\Windows\System32\igfxpers.exe[2528] ntdll.dll!LdrUnloadDll 772BB740 5 Bytes JMP 001503FC
    .text C:\Windows\System32\igfxpers.exe[2528] kernel32.dll!GetBinaryTypeW + 70 75E92247 1 Byte [62]
    .text C:\Windows\System32\igfxpers.exe[2528] USER32.dll!SetWindowsHookExA 75F26322 5 Bytes JMP 00270600
    .text C:\Windows\System32\igfxpers.exe[2528] USER32.dll!SetWindowsHookExW 75F287AD 5 Bytes JMP 00270804
    .text C:\Windows\System32\igfxpers.exe[2528] USER32.dll!UnhookWindowsHookEx 75F298DB 5 Bytes JMP 00270A08
    .text C:\Windows\System32\igfxpers.exe[2528] USER32.dll!SetWinEventHook 75F29F3A 5 Bytes JMP 002701F8
    .text C:\Windows\System32\igfxpers.exe[2528] USER32.dll!UnhookWinEvent 75F2C06F 5 Bytes JMP 002703FC
    .text C:\Windows\System32\igfxpers.exe[2528] ADVAPI32.dll!CreateServiceW 76289EB4 5 Bytes JMP 002803FC
    .text C:\Windows\System32\igfxpers.exe[2528] ADVAPI32.dll!DeleteService 7628A07E 5 Bytes JMP 00280600
    .text C:\Windows\System32\igfxpers.exe[2528] ADVAPI32.dll!SetServiceObjectSecurity 762C6CD9 5 Bytes JMP 00281014
    .text C:\Windows\System32\igfxpers.exe[2528] ADVAPI32.dll!ChangeServiceConfigA 762C6DD9 5 Bytes JMP 00280804
    .text C:\Windows\System32\igfxpers.exe[2528] ADVAPI32.dll!ChangeServiceConfigW 762C6F81 5 Bytes JMP 00280A08
    .text C:\Windows\System32\igfxpers.exe[2528] ADVAPI32.dll!ChangeServiceConfig2A 762C7099 5 Bytes JMP 00280C0C
    .text C:\Windows\System32\igfxpers.exe[2528] ADVAPI32.dll!ChangeServiceConfig2W 762C71E1 5 Bytes JMP 00280E10
    .text C:\Windows\System32\igfxpers.exe[2528] ADVAPI32.dll!CreateServiceA 762C72A1 5 Bytes JMP 002801F8
    .text C:\Windows\system32\WUDFHost.exe[2592] ntdll.dll!LdrLoadDll 772A93A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\WUDFHost.exe[2592] ntdll.dll!LdrUnloadDll 772BB740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\WUDFHost.exe[2592] kernel32.dll!GetBinaryTypeW + 70 75E92247 1 Byte [62]
    .text C:\Windows\system32\WUDFHost.exe[2592] ADVAPI32.dll!CreateServiceW 76289EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\WUDFHost.exe[2592] ADVAPI32.dll!DeleteService 7628A07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\WUDFHost.exe[2592] ADVAPI32.dll!SetServiceObjectSecurity 762C6CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\WUDFHost.exe[2592] ADVAPI32.dll!ChangeServiceConfigA 762C6DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\WUDFHost.exe[2592] ADVAPI32.dll!ChangeServiceConfigW

    762C6F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\WUDFHost.exe[2592] ADVAPI32.dll!ChangeServiceConfig2A

    762C7099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\WUDFHost.exe[2592] ADVAPI32.dll!ChangeServiceConfig2W

    762C71E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\WUDFHost.exe[2592] ADVAPI32.dll!CreateServiceA

    762C72A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\WUDFHost.exe[2592] USER32.dll!SetWindowsHookExA

    75F26322 5 Bytes JMP 00080600
    .text C:\Windows\system32\WUDFHost.exe[2592] USER32.dll!SetWindowsHookExW

    75F287AD 5 Bytes JMP 00080804
    .text C:\Windows\system32\WUDFHost.exe[2592] USER32.dll!UnhookWindowsHookEx

    75F298DB 5 Bytes JMP 00080A08
    .text C:\Windows\system32\WUDFHost.exe[2592] USER32.dll!SetWinEventHook

    75F29F3A 5 Bytes JMP 000801F8
    .text C:\Windows\system32\WUDFHost.exe[2592] USER32.dll!UnhookWinEvent

    75F2C06F 5 Bytes JMP 000803FC
    .text C:\Windows\system32\igfxsrvc.exe[2660] ntdll.dll!LdrLoadDll

    772A93A8 5 Bytes JMP 001501F8
    .text C:\Windows\system32\igfxsrvc.exe[2660] ntdll.dll!LdrUnloadDll

    772BB740 5 Bytes JMP 001503FC
    .text C:\Windows\system32\igfxsrvc.exe[2660] kernel32.dll!GetBinaryTypeW + 70

    75E92247 1 Byte [62]
    .text C:\Windows\system32\igfxsrvc.exe[2660] USER32.dll!SetWindowsHookExA

    75F26322 5 Bytes JMP 00170600
    .text C:\Windows\system32\igfxsrvc.exe[2660] USER32.dll!SetWindowsHookExW

    75F287AD 5 Bytes JMP 00170804
    .text C:\Windows\system32\igfxsrvc.exe[2660] USER32.dll!UnhookWindowsHookEx

    75F298DB 5 Bytes JMP 00170A08
    .text C:\Windows\system32\igfxsrvc.exe[2660] USER32.dll!SetWinEventHook

    75F29F3A 5 Bytes JMP 001701F8
    .text C:\Windows\system32\igfxsrvc.exe[2660] USER32.dll!UnhookWinEvent

    75F2C06F 5 Bytes JMP 001703FC
    .text C:\Windows\system32\igfxsrvc.exe[2660] ADVAPI32.dll!CreateServiceW

    76289EB4 5 Bytes JMP 001803FC
    .text C:\Windows\system32\igfxsrvc.exe[2660] ADVAPI32.dll!DeleteService

    7628A07E 5 Bytes JMP 00180600
    .text C:\Windows\system32\igfxsrvc.exe[2660] ADVAPI32.dll!SetServiceObjectSecurity

    762C6CD9 5 Bytes JMP 00181014
    .text C:\Windows\system32\igfxsrvc.exe[2660] ADVAPI32.dll!ChangeServiceConfigA

    762C6DD9 5 Bytes JMP 00180804
    .text C:\Windows\system32\igfxsrvc.exe[2660] ADVAPI32.dll!ChangeServiceConfigW

    762C6F81 5 Bytes JMP 00180A08
    .text C:\Windows\system32\igfxsrvc.exe[2660] ADVAPI32.dll!ChangeServiceConfig2A

    762C7099 5 Bytes JMP 00180C0C
    .text C:\Windows\system32\igfxsrvc.exe[2660] ADVAPI32.dll!ChangeServiceConfig2W

    762C71E1 5 Bytes JMP 00180E10
    .text C:\Windows\system32\igfxsrvc.exe[2660] ADVAPI32.dll!CreateServiceA

    762C72A1 5 Bytes JMP 001801F8
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2676] ntdll.dll!

    LdrLoadDll 772A93A8 5 Bytes JMP 001501F8
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2676] ntdll.dll!

    LdrUnloadDll 772BB740 5 Bytes JMP 001503FC
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2676] kernel32.dll!

    GetBinaryTypeW + 70 75E92247 1 Byte [62]
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2676] USER32.dll!

    SetWindowsHookExA 75F26322 5 Bytes JMP 00180600
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2676] USER32.dll!

    SetWindowsHookExW 75F287AD 5 Bytes JMP 00180804
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2676] USER32.dll!

    UnhookWindowsHookEx 75F298DB 5 Bytes JMP 00180A08
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2676] USER32.dll!

    SetWinEventHook 75F29F3A 5 Bytes JMP 001801F8
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2676] USER32.dll!

    UnhookWinEvent 75F2C06F 5 Bytes JMP 001803FC
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2676] ADVAPI32.dll!

    CreateServiceW 76289EB4 5 Bytes JMP 002903FC
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2676] ADVAPI32.dll!

    DeleteService 7628A07E 5 Bytes JMP 00290600
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2676] ADVAPI32.dll!

    SetServiceObjectSecurity 762C6CD9 5 Bytes JMP 00291014
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2676] ADVAPI32.dll!

    ChangeServiceConfigA 762C6DD9 5 Bytes JMP 00290804
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2676] ADVAPI32.dll!

    ChangeServiceConfigW 762C6F81 5 Bytes JMP 00290A08
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2676] ADVAPI32.dll!

    ChangeServiceConfig2A 762C7099 5 Bytes JMP 00290C0C
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2676] ADVAPI32.dll!

    ChangeServiceConfig2W 762C71E1 5 Bytes JMP 00290E10
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2676] ADVAPI32.dll!

    CreateServiceA 762C72A1 5 Bytes JMP 002901F8
    .text C:\Windows\system32\taskeng.exe[2688] ntdll.dll!LdrLoadDll

    772A93A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\taskeng.exe[2688] ntdll.dll!LdrUnloadDll

    772BB740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\taskeng.exe[2688] kernel32.dll!GetBinaryTypeW + 70

    75E92247 1 Byte [62]
    .text C:\Windows\system32\taskeng.exe[2688] ADVAPI32.dll!CreateServiceW

    76289EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\taskeng.exe[2688] ADVAPI32.dll!DeleteService

    7628A07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\taskeng.exe[2688] ADVAPI32.dll!SetServiceObjectSecurity

    762C6CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\taskeng.exe[2688] ADVAPI32.dll!ChangeServiceConfigA

    762C6DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\taskeng.exe[2688] ADVAPI32.dll!ChangeServiceConfigW

    762C6F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\taskeng.exe[2688] ADVAPI32.dll!ChangeServiceConfig2A

    762C7099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\taskeng.exe[2688] ADVAPI32.dll!ChangeServiceConfig2W

    762C71E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\taskeng.exe[2688] ADVAPI32.dll!CreateServiceA

    762C72A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\taskeng.exe[2688] USER32.dll!SetWindowsHookExA

    75F26322 5 Bytes JMP 00080600
    .text C:\Windows\system32\taskeng.exe[2688] USER32.dll!SetWindowsHookExW

    75F287AD 5 Bytes JMP 00080804
    .text C:\Windows\system32\taskeng.exe[2688] USER32.dll!UnhookWindowsHookEx

    75F298DB 5 Bytes JMP 00080A08
    .text C:\Windows\system32\taskeng.exe[2688] USER32.dll!SetWinEventHook

    75F29F3A 5 Bytes JMP 000801F8
    .text C:\Windows\system32\taskeng.exe[2688] USER32.dll!UnhookWinEvent

    75F2C06F 5 Bytes JMP 000803FC
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2812] ntdll.dll!LdrLoadDll

    772A93A8 5 Bytes JMP 001601F8
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2812] ntdll.dll!LdrUnloadDll

    772BB740 5 Bytes JMP 001603FC
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2812] kernel32.dll!GetBinaryTypeW + 70

    75E92247 1 Byte [62]
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2812] ADVAPI32.dll!CreateServiceW

    76289EB4 5 Bytes JMP 001703FC
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2812] ADVAPI32.dll!DeleteService

    7628A07E 5 Bytes JMP 00170600
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2812] ADVAPI32.dll!

    SetServiceObjectSecurity 762C6CD9 5 Bytes JMP 00171014
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2812] ADVAPI32.dll!ChangeServiceConfigA

    762C6DD9 5 Bytes JMP 00170804
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2812] ADVAPI32.dll!ChangeServiceConfigW

    762C6F81 5 Bytes JMP 00170A08
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2812] ADVAPI32.dll!

    ChangeServiceConfig2A 762C7099 5 Bytes JMP 00170C0C
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2812] ADVAPI32.dll!

    ChangeServiceConfig2W 762C71E1 5 Bytes JMP 00170E10
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2812] ADVAPI32.dll!CreateServiceA

    762C72A1 5 Bytes JMP 001701F8
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2812] USER32.dll!SetWindowsHookExA

    75F26322 5 Bytes JMP 00280600
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2812] USER32.dll!SetWindowsHookExW

    75F287AD 5 Bytes JMP 00280804
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2812] USER32.dll!UnhookWindowsHookEx

    75F298DB 5 Bytes JMP 00280A08
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2812] USER32.dll!SetWinEventHook

    75F29F3A 5 Bytes JMP 002801F8
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2812] USER32.dll!UnhookWinEvent

    75F2C06F 5 Bytes JMP 002803FC
    .text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[2912] kernel32.dll!GetBinaryTypeW + 70

    75E92247 1 Byte [62]
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[2956] ntdll.dll!LdrLoadDll

    772A93A8 5 Bytes JMP 001501F8
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[2956] ntdll.dll!

    LdrUnloadDll 772BB740 5 Bytes JMP 001503FC
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[2956] kernel32.dll!

    GetBinaryTypeW + 70 75E92247 1 Byte [62]
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[2956] USER32.dll!

    SetWindowsHookExA 75F26322 5 Bytes JMP 00BC0600
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[2956] USER32.dll!

    SetWindowsHookExW 75F287AD 5 Bytes JMP 00BC0804
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[2956] USER32.dll!

    UnhookWindowsHookEx 75F298DB 5 Bytes JMP 00BC0A08
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[2956] USER32.dll!

    SetWinEventHook 75F29F3A 5 Bytes JMP 00BC01F8
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[2956] USER32.dll!

    UnhookWinEvent 75F2C06F 5 Bytes JMP 00BC03FC
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[2956] ADVAPI32.dll!

    CreateServiceW 76289EB4 5 Bytes JMP 00BD03FC
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[2956] ADVAPI32.dll!

    DeleteService 7628A07E 5 Bytes JMP 00BD0600
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[2956] ADVAPI32.dll!

    SetServiceObjectSecurity 762C6CD9 5 Bytes JMP 00BD1014
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[2956] ADVAPI32.dll!

    ChangeServiceConfigA 762C6DD9 5 Bytes JMP 00BD0804
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[2956] ADVAPI32.dll!

    ChangeServiceConfigW 762C6F81 5 Bytes JMP 00BD0A08
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[2956] ADVAPI32.dll!

    ChangeServiceConfig2A 762C7099 5 Bytes JMP 00BD0C0C
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[2956] ADVAPI32.dll!

    ChangeServiceConfig2W 762C71E1 5 Bytes JMP 00BD0E10
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[2956] ADVAPI32.dll!

    CreateServiceA 762C72A1 5 Bytes JMP 00BD01F8
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3084] ntdll.dll!LdrLoadDll

    772A93A8 5 Bytes JMP 001501F8
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3084] ntdll.dll!

    LdrUnloadDll 772BB740 5 Bytes JMP 001503FC
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3084] kernel32.dll!

    GetBinaryTypeW + 70 75E92247 1 Byte [62]
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3084] ADVAPI32.dll!

    CreateServiceW 76289EB4 5 Bytes JMP 001703FC
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3084] ADVAPI32.dll!

    DeleteService 7628A07E 5 Bytes JMP 00170600
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3084] ADVAPI32.dll!

    SetServiceObjectSecurity 762C6CD9 5 Bytes JMP 00171014
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3084] ADVAPI32.dll!

    ChangeServiceConfigA 762C6DD9 5 Bytes JMP 00170804
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3084] ADVAPI32.dll!

    ChangeServiceConfigW 762C6F81 5 Bytes JMP 00170A08
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3084] ADVAPI32.dll!

    ChangeServiceConfig2A 762C7099 5 Bytes JMP 00170C0C
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3084] ADVAPI32.dll!

    ChangeServiceConfig2W 762C71E1 5 Bytes JMP 00170E10
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3084] ADVAPI32.dll!

    CreateServiceA 762C72A1 5 Bytes JMP 001701F8
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3084] USER32.dll!

    SetWindowsHookExA 75F26322 5 Bytes JMP 00180600
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3084] USER32.dll!

    SetWindowsHookExW 75F287AD 5 Bytes JMP 00180804
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3084] USER32.dll!

    UnhookWindowsHookEx 75F298DB 5 Bytes JMP 00180A08
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3084] USER32.dll!

    SetWinEventHook 75F29F3A 5 Bytes JMP 001801F8
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3084] USER32.dll!

    UnhookWinEvent 75F2C06F 5 Bytes JMP 001803FC
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3300] ntdll.dll!LdrLoadDll

    772A93A8 5 Bytes JMP 000501F8
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3300] ntdll.dll!LdrUnloadDll

    772BB740 5 Bytes JMP 000503FC
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3300] kernel32.dll!GetBinaryTypeW + 70

    75E92247 1 Byte [62]
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3300] ADVAPI32.dll!CreateServiceW

    76289EB4 5 Bytes JMP 005403FC
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3300] ADVAPI32.dll!DeleteService

    7628A07E 5 Bytes JMP 00540600
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3300] ADVAPI32.dll!SetServiceObjectSecurity

    762C6CD9 5 Bytes JMP 00541014
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3300] ADVAPI32.dll!ChangeServiceConfigA

    762C6DD9 5 Bytes JMP 00540804
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3300] ADVAPI32.dll!ChangeServiceConfigW

    762C6F81 5 Bytes JMP 00540A08
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3300] ADVAPI32.dll!ChangeServiceConfig2A

    762C7099 5 Bytes JMP 00540C0C
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3300] ADVAPI32.dll!ChangeServiceConfig2W

    762C71E1 5 Bytes JMP 00540E10
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3300] ADVAPI32.dll!CreateServiceA

    762C72A1 5 Bytes JMP 005401F8
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3300] USER32.dll!SetWindowsHookExA

    75F26322 5 Bytes JMP 00550600
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3300] USER32.dll!SetWindowsHookExW

    75F287AD 5 Bytes JMP 00550804
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3300] USER32.dll!UnhookWindowsHookEx

    75F298DB 5 Bytes JMP 00550A08
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3300] USER32.dll!SetWinEventHook

    75F29F3A 5 Bytes JMP 005501F8
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3300] USER32.dll!UnhookWinEvent

    75F2C06F 5 Bytes JMP 005503FC
    .text C:\Windows\ehome\ehtray.exe[3328] ntdll.dll!LdrLoadDll

    772A93A8 5 Bytes JMP 000901F8
    .text C:\Windows\ehome\ehtray.exe[3328] ntdll.dll!LdrUnloadDll

    772BB740 5 Bytes JMP 000903FC
    .text C:\Windows\ehome\ehtray.exe[3328] kernel32.dll!GetBinaryTypeW + 70

    75E92247 1 Byte [62]
    .text C:\Windows\ehome\ehtray.exe[3328] ADVAPI32.dll!CreateServiceW

    76289EB4 5 Bytes JMP 000B03FC
    .text C:\Windows\ehome\ehtray.exe[3328] ADVAPI32.dll!DeleteService

    7628A07E 5 Bytes JMP 000B0600
    .text C:\Windows\ehome\ehtray.exe[3328] ADVAPI32.dll!SetServiceObjectSecurity

    762C6CD9 5 Bytes JMP 000B1014
    .text C:\Windows\ehome\ehtray.exe[3328] ADVAPI32.dll!ChangeServiceConfigA

    762C6DD9 5 Bytes JMP 000B0804
    .text C:\Windows\ehome\ehtray.exe[3328] ADVAPI32.dll!ChangeServiceConfigW

    762C6F81 5 Bytes JMP 000B0A08
    .text C:\Windows\ehome\ehtray.exe[3328] ADVAPI32.dll!ChangeServiceConfig2A

    762C7099 5 Bytes JMP 000B0C0C
    .text C:\Windows\ehome\ehtray.exe[3328] ADVAPI32.dll!ChangeServiceConfig2W

    762C71E1 5 Bytes JMP 000B0E10
    .text C:\Windows\ehome\ehtray.exe[3328] ADVAPI32.dll!CreateServiceA

    762C72A1 5 Bytes JMP 000B01F8
    .text C:\Windows\ehome\ehtray.exe[3328] USER32.dll!SetWindowsHookExA

    75F26322 5 Bytes JMP 000C0600
    .text C:\Windows\ehome\ehtray.exe[3328] USER32.dll!SetWindowsHookExW

    75F287AD 5 Bytes JMP 000C0804
    .text C:\Windows\ehome\ehtray.exe[3328] USER32.dll!UnhookWindowsHookEx

    75F298DB 5 Bytes JMP 000C0A08
    .text C:\Windows\ehome\ehtray.exe[3328] USER32.dll!SetWinEventHook

    75F29F3A 5 Bytes JMP 000C01F8
    .text C:\Windows\ehome\ehtray.exe[3328] USER32.dll!UnhookWinEvent

    75F2C06F 5 Bytes JMP 000C03FC
    .text C:\Windows\ehome\ehmsas.exe[3560] ntdll.dll!LdrLoadDll

    772A93A8 5 Bytes JMP 000401F8
    .text C:\Windows\ehome\ehmsas.exe[3560] ntdll.dll!LdrUnloadDll

    772BB740 5 Bytes JMP 000403FC
    .text C:\Windows\ehome\ehmsas.exe[3560] kernel32.dll!GetBinaryTypeW + 70

    75E92247 1 Byte [62]
    .text C:\Windows\ehome\ehmsas.exe[3560] ADVAPI32.dll!CreateServiceW

    76289EB4 5 Bytes JMP 000603FC
    .text C:\Windows\ehome\ehmsas.exe[3560] ADVAPI32.dll!DeleteService

    7628A07E 5 Bytes JMP 00060600
    .text C:\Windows\ehome\ehmsas.exe[3560] ADVAPI32.dll!SetServiceObjectSecurity

    762C6CD9 5 Bytes JMP 00061014
    .text C:\Windows\ehome\ehmsas.exe[3560] ADVAPI32.dll!ChangeServiceConfigA

    762C6DD9 5 Bytes JMP 00060804
    .text C:\Windows\ehome\ehmsas.exe[3560] ADVAPI32.dll!ChangeServiceConfigW

    762C6F81 5 Bytes JMP 00060A08
    .text C:\Windows\ehome\ehmsas.exe[3560] ADVAPI32.dll!ChangeServiceConfig2A

    762C7099 5 Bytes JMP 00060C0C
    .text C:\Windows\ehome\ehmsas.exe[3560] ADVAPI32.dll!ChangeServiceConfig2W

    762C71E1 5 Bytes JMP 00060E10
    .text C:\Windows\ehome\ehmsas.exe[3560] ADVAPI32.dll!CreateServiceA

    762C72A1 5 Bytes JMP 000601F8
    .text C:\Windows\ehome\ehmsas.exe[3560] USER32.dll!SetWindowsHookExA

    75F26322 5 Bytes JMP 00070600
    .text C:\Windows\ehome\ehmsas.exe[3560] USER32.dll!SetWindowsHookExW

    75F287AD 5 Bytes JMP 00070804
    .text C:\Windows\ehome\ehmsas.exe[3560] USER32.dll!UnhookWindowsHookEx

    75F298DB 5 Bytes JMP 00070A08
    .text C:\Windows\ehome\ehmsas.exe[3560] USER32.dll!SetWinEventHook

    75F29F3A 5 Bytes JMP 000701F8
    .text C:\Windows\ehome\ehmsas.exe[3560] USER32.dll!UnhookWinEvent

    75F2C06F 5 Bytes JMP 000703FC
    .text C:\Users\Alan\Desktop\zjh77ngp.exe[3600] kernel32.dll!GetBinaryTypeW + 70

    75E92247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[3792] ntdll.dll!LdrLoadDll

    772A93A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[3792] ntdll.dll!LdrUnloadDll

    772BB740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[3792] kernel32.dll!GetBinaryTypeW + 70

    75E92247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[3792] ADVAPI32.dll!CreateServiceW

    76289EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\svchost.exe[3792] ADVAPI32.dll!DeleteService

    7628A07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\svchost.exe[3792] ADVAPI32.dll!SetServiceObjectSecurity

    762C6CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\svchost.exe[3792] ADVAPI32.dll!ChangeServiceConfigA

    762C6DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\svchost.exe[3792] ADVAPI32.dll!ChangeServiceConfigW

    762C6F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\svchost.exe[3792] ADVAPI32.dll!ChangeServiceConfig2A

    762C7099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\svchost.exe[3792] ADVAPI32.dll!ChangeServiceConfig2W

    762C71E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\svchost.exe[3792] ADVAPI32.dll!CreateServiceA

    762C72A1 5 Bytes JMP 000701F8
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3832] ntdll.dll!LdrLoadDll

    772A93A8 5 Bytes JMP 000501F8
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3832] ntdll.dll!LdrUnloadDll

    772BB740 5 Bytes JMP 000503FC
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3832] kernel32.dll!GetBinaryTypeW + 70

    75E92247 1 Byte [62]
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3832] ADVAPI32.dll!CreateServiceW

    76289EB4 5 Bytes JMP 000C03FC
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3832] ADVAPI32.dll!DeleteService

    7628A07E 5 Bytes JMP 000C0600
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3832] ADVAPI32.dll!SetServiceObjectSecurity

    762C6CD9 5 Bytes JMP 000C1014
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3832] ADVAPI32.dll!ChangeServiceConfigA

    762C6DD9 5 Bytes JMP 000C0804
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3832] ADVAPI32.dll!ChangeServiceConfigW

    762C6F81 5 Bytes JMP 000C0A08
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3832] ADVAPI32.dll!ChangeServiceConfig2A

    762C7099 5 Bytes JMP 000C0C0C
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3832] ADVAPI32.dll!ChangeServiceConfig2W

    762C71E1 5 Bytes JMP 000C0E10
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3832] ADVAPI32.dll!CreateServiceA

    762C72A1 5 Bytes JMP 000C01F8
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3832] USER32.dll!SetWindowsHookExA

    75F26322 5 Bytes JMP 000D0600
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3832] USER32.dll!SetWindowsHookExW

    75F287AD 5 Bytes JMP 000D0804
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3832] USER32.dll!UnhookWindowsHookEx

    75F298DB 5 Bytes JMP 000D0A08
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3832] USER32.dll!SetWinEventHook

    75F29F3A 5 Bytes JMP 000D01F8
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3832] USER32.dll!UnhookWinEvent

    75F2C06F 5 Bytes JMP 000D03FC

    ---- User IAT/EAT - GMER 1.0.15 ----

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
     
  12. 2011/04/27
    AlanR

    AlanR Well-Known Member Thread Starter

    Joined:
    2008/02/28
    Messages:
    48
    Likes Received:
    0
    MBRCheck, version 1.2.3
    (c) 2010, AD


    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: Service Pack 2 (build 6002), 32-bit
    Base Board Manufacturer: Dell Inc.
    BIOS Manufacturer: Dell Inc.
    System Manufacturer: Dell Inc.
    System Product Name: Inspiron 530
    Logical Drives Mask: 0x000003fc

    Kernel Drivers (total 138):
    0x8C5F3000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x805C1000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x8BE00000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x805D8000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x881EE000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x87FEB000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x8C802000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x8C817000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8C827000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x8C832000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x8C83D000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x8C83F000 \SystemRoot\system32\DRIVERS\ks.sys
    0x8C869000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8C873000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x8C880000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x8C8B5000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x8C8C6000 \SystemRoot\system32\drivers\HdAudio.sys
    0x8C905000 \SystemRoot\system32\drivers\portcls.sys
    0x8C932000 \SystemRoot\system32\drivers\drmk.sys
    0x8C957000 \SystemRoot\System32\Drivers\aswSnx.SYS
    0x8C9C7000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x8C9D0000 \SystemRoot\System32\Drivers\Null.SYS
    0x8C9D7000 \SystemRoot\System32\Drivers\Beep.SYS
    0x8C9E7000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0x8C9EE000 \SystemRoot\System32\drivers\vga.sys
    0x8CE07000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8CE28000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x8CE30000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8CE38000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8CE43000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x8CE51000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x8CE5A000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x8CE70000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0x8CE7A000 \SystemRoot\system32\DRIVERS\smb.sys
    0x8CE8E000 \SystemRoot\system32\drivers\afd.sys
    0x8CED6000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0x8CEDB000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x8CF0D000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x8CF23000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8CF31000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x8CF44000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x8CF80000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x8CF8A000 \SystemRoot\System32\Drivers\dfsc.sys
    0x8CFA1000 \SystemRoot\System32\Drivers\aswSP.SYS
    0x8CFEA000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0x8CE00000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x883C3000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0x80600000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x88000000 \SystemRoot\System32\Drivers\dump_dumpata.sys
    0x8C9DE000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0x883D9000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0x9420D000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0x9421D000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x95400000 \SystemRoot\System32\win32k.sys
    0x94225000 \SystemRoot\System32\drivers\Dxapi.sys
    0x9422F000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x95620000 \SystemRoot\System32\TSDDD.dll
    0x9423E000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x94255000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0x95640000 \SystemRoot\System32\cdd.dll
    0x9425E000 \SystemRoot\system32\drivers\luafv.sys
    0x94279000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
    0x942B1000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0x942B4000 \SystemRoot\system32\drivers\spsys.sys
    0x94364000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x94374000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x94387000 \SystemRoot\system32\drivers\HTTP.sys
    0xA8C09000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0xA8C26000 \SystemRoot\system32\DRIVERS\bowser.sys
    0xA8C3F000 \SystemRoot\System32\drivers\mpsdrv.sys
    0xA8C54000 \SystemRoot\system32\drivers\mrxdav.sys
    0xA8C75000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xA8C94000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0xA8CCD000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0xA8CE5000 \SystemRoot\System32\DRIVERS\srv2.sys
    0xA8D0D000 \SystemRoot\System32\DRIVERS\srv.sys
    0xA8D5C000 \SystemRoot\System32\Drivers\fastfat.SYS
    0xAD401000 \SystemRoot\system32\drivers\peauth.sys
    0xAD4DF000 \SystemRoot\System32\Drivers\secdrv.SYS
    0xAD4E9000 \SystemRoot\System32\drivers\tcpipreg.sys
    0xAD4F5000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
    0xAD50A000 \SystemRoot\system32\DRIVERS\WUDFPf.sys
    0xAD5E5000 \??\C:\Users\Alan\AppData\Local\Temp\pxldrpog.sys
    0x77280000 \Windows\System32\ntdll.dll

    Processes (total 52):
    0 System Idle Process
    4 System
    412 C:\Windows\System32\smss.exe
    544 csrss.exe
    588 C:\Windows\System32\wininit.exe
    600 csrss.exe
    632 C:\Windows\System32\services.exe
    648 C:\Windows\System32\lsass.exe
    656 C:\Windows\System32\lsm.exe
    700 C:\Windows\System32\winlogon.exe
    848 C:\Windows\System32\svchost.exe
    928 C:\Windows\System32\svchost.exe
    964 C:\Windows\System32\svchost.exe
    1052 C:\Windows\System32\svchost.exe
    1080 C:\Windows\System32\svchost.exe
    1092 C:\Windows\System32\svchost.exe
    1180 C:\Windows\System32\audiodg.exe
    1248 C:\Windows\System32\svchost.exe
    1264 C:\Windows\System32\SLsvc.exe
    1324 C:\Windows\System32\svchost.exe
    1448 C:\Windows\System32\svchost.exe
    1552 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    1952 C:\Windows\System32\spoolsv.exe
    1976 C:\Windows\System32\svchost.exe
    1388 C:\Windows\System32\taskeng.exe
    1484 C:\Windows\System32\dwm.exe
    1016 C:\Windows\explorer.exe
    276 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    1424 C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    2284 C:\Windows\System32\svchost.exe
    2324 C:\Windows\System32\svchost.exe
    2364 C:\Windows\System32\svchost.exe
    2392 C:\Windows\System32\SearchIndexer.exe
    2400 C:\Program Files\Windows Defender\MSASCui.exe
    2476 C:\Windows\System32\hkcmd.exe
    2528 C:\Windows\System32\igfxpers.exe
    2592 WUDFHost.exe
    2660 C:\Windows\System32\igfxsrvc.exe
    2676 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    2688 C:\Windows\System32\taskeng.exe
    2812 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    2912 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    2956 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    3084 C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
    3300 C:\Program Files\Windows Sidebar\sidebar.exe
    3328 C:\Windows\ehome\ehtray.exe
    3560 C:\Windows\ehome\ehmsas.exe
    3832 C:\Program Files\Windows Sidebar\sidebar.exe
    3792 C:\Windows\System32\svchost.exe
    3644 C:\Windows\System32\SearchProtocolHost.exe
    624 C:\Windows\System32\SearchFilterHost.exe
    12 C:\Users\Alan\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`83f00000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`03f00000 (NTFS)
    \\.\F: --> \\.\PhysicalDrive5 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: ST3250310AS, Rev: 4.ADA
    PhysicalDrive5 Model Number: SeagateFreeAgent, Rev: 0132

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Windows Vista MBR code detected
    SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979
    465 GB \\.\PhysicalDrive5 RE: Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
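The "Windows Vista MBR code detected" / "Windows XP MBR code detected" verdicts above come from hashing the boot sector and comparing it with known vendor boot code. The following is an added example written for this thread, not MBRCheck's own code: it parses a 512-byte sector, hashes the bootstrap region, and raises the structural findings an analyst checks before trusting a disk's MBR. Which byte range MBRCheck itself hashes is not stated in the log, so hashing offsets 0x000 to 0x1B7 (everything before the NT disk signature and partition table) is this example's own choice. The sector and the allow-list below are constructed so the module runs offline; neither is the poster's data.

```python
"""MBR triage: structural checks behind an MBRCheck-style verdict (added example)."""
import hashlib
import struct
from dataclasses import dataclass, field
from typing import Dict, List

SECTOR = 512
CODE_END = 0x1B8     # bootstrap code occupies 0x000..0x1B7 (assumption for the hash range)
DISK_SIG = 0x1B8     # 4-byte NT disk signature
PTABLE = 0x1BE       # four 16-byte partition entries
BOOT_SIG = 0x1FE     # 0x55 0xAA


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


@dataclass
class MbrReport:
    code_sha1: str
    label: str
    disk_signature: int
    partitions: List[Partition] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def parse_mbr(sector: bytes, known_code: Dict[str, str]) -> MbrReport:
    """Parse one sector; known_code maps SHA1(bootstrap bytes) -> vendor label."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    sha1 = hashlib.sha1(sector[:CODE_END]).hexdigest().upper()
    rep = MbrReport(sha1, known_code.get(sha1, "UNKNOWN boot code"),
                    struct.unpack_from("<I", sector, DISK_SIG)[0])
    if sector[BOOT_SIG:BOOT_SIG + 2] != b"\x55\xAA":
        rep.findings.append("boot signature 0x55AA missing")
    if rep.label.startswith("UNKNOWN"):
        rep.findings.append("bootstrap hash not in allow-list: dump and compare")
    for i in range(4):
        off = PTABLE + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba, count = struct.unpack_from("<II", sector, off + 8)
        if ptype == 0:
            continue  # empty slot
        if status not in (0x00, 0x80):
            rep.findings.append(f"entry {i}: bad status byte 0x{status:02X}")
        rep.partitions.append(Partition(i, status == 0x80, ptype, lba, count))
    boots = [p for p in rep.partitions if p.bootable]
    if len(boots) != 1:
        rep.findings.append(f"{len(boots)} active partitions (expected 1)")
    # Overlapping listed entries are a plain table-corruption signal.
    spans = sorted((p.lba_start, p.lba_start + p.sectors, p.index) for p in rep.partitions)
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            rep.findings.append(f"entries {i1} and {i2} overlap")
    return rep


def build_sample_mbr() -> bytes:
    """CONSTRUCTED sector: a jmp-short prologue as 'code', two NTFS partitions, 0x55AA."""
    sec = bytearray(SECTOR)
    sec[0:4] = b"\xEB\x3C\x90\x00"
    struct.pack_into("<I", sec, DISK_SIG, 0xDEADBEEF)
    # status, type, lba_start, sector_count (CHS fields left zero)
    struct.pack_into("<B3xB3xII", sec, PTABLE, 0x80, 0x07, 2048, 40960)
    struct.pack_into("<B3xB3xII", sec, PTABLE + 16, 0x00, 0x07, 43008, 40960)
    sec[BOOT_SIG:BOOT_SIG + 2] = b"\x55\xAA"
    return bytes(sec)


SAMPLE_MBR = build_sample_mbr()
# Constructed allow-list keyed by the sample's own hash; in practice this is the
# analyst's table of vendor boot-code hashes.
KNOWN_CODE = {hashlib.sha1(SAMPLE_MBR[:CODE_END]).hexdigest().upper(): "sample boot code"}

if __name__ == "__main__":
    r = parse_mbr(SAMPLE_MBR, KNOWN_CODE)
    print(r.label, r.code_sha1, f"disksig=0x{r.disk_signature:08X}")
    for p in r.partitions:
        print(f"  entry {p.index}: active={p.bootable} type=0x{p.type_id:02X} lba={p.lba_start} n={p.sectors}")
    print("findings:", r.findings or "none")
```

On a live Windows box the 512 bytes come from reading `\\.\PhysicalDrive0` as administrator; a hash that is not in the allow-list is not by itself proof of a bootkit (OEM and boot-manager installers ship their own code), which is why the report carries the raw SHA1 for comparison rather than a verdict.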
     
  13. 2011/04/27
    AlanR

    AlanR Well-Known Member Thread Starter

    Joined:
    2008/02/28
    Messages:
    48
    Likes Received:
    0
    DDS log


    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Alan at 14:09:54.01 on 27/04/2011
    Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_18
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2036.830 [GMT 1:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Alan\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.uk/
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    Notify: igfxcui - igfxdev.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\alan\appdata\roaming\mozilla\firefox\profiles\iobn5cct.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: XULRunner: {848056AD-5C00-4537-BCD6-5EC0A53C7FC5} - c:\users\alan\appdata\local\{848056AD-5C00-4537-BCD6-5EC0A53C7FC5}
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-7 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-1-15 307288]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-15 19544]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-1-15 53592]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-10 42184]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [2006-7-31 580992]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-04-27 10:02:14 784136 ----a-w- c:\progra~2\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll
    2011-04-27 09:40:28 -------- d-----w- c:\users\alan\appdata\roaming\Malwarebytes
    2011-04-27 09:40:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-27 09:40:08 -------- d-----w- c:\progra~2\Malwarebytes
    2011-04-27 09:40:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-27 09:40:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-04-26 14:38:40 7071056 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{494dec0b-7fda-45a0-8a57-a6cd965fb7cf}\mpengine.dll
    2011-04-20 09:50:04 -------- d-----w- c:\users\alan\appdata\local\{848056AD-5C00-4537-BCD6-5EC0A53C7FC5}
    2011-04-16 09:37:49 -------- d-----w- c:\users\alan\appdata\roaming\eBookPro6
    2011-04-14 12:12:08 292864 ----a-w- c:\windows\system32\atmfd.dll
    2011-04-14 12:12:07 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-04-14 12:12:01 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-04-14 12:12:01 638232 ----a-w- c:\program files\internet explorer\iexplore.exe
    2011-04-14 02:39:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
    2011-04-07 18:56:48 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    .
    ==================== Find3M ====================
    .
    2011-04-18 17:25:12 40112 ----a-w- c:\windows\avastSS.scr
    2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
    2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
    2011-03-03 15:42:03 739328 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-03 13:25:11 2041856 ----a-w- c:\windows\system32\win32k.sys
    2011-03-02 15:44:27 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
    2011-02-22 14:13:01 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-02-22 13:33:12 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-02-22 13:33:09 797696 ----a-w- c:\windows\system32\FntCache.dll
    2011-02-22 06:17:08 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-02-22 06:16:53 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-02-22 06:16:40 71680 ----a-w- c:\windows\system32\iesetup.dll
    2011-02-22 06:16:40 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2011-02-22 05:20:39 385024 ----a-w- c:\windows\system32\html.iec
    2011-02-22 04:43:54 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-02-22 04:42:38 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-02-17 06:23:50 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-02-02 17:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
    .
    ============= FINISH: 14:10:18.94 ===============
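The uRun/mRun lines in the Pseudo HJT Report above are the HKCU and HKLM Run values, and they are where a "RunDLL ... The specified module could not be found" box at logon is diagnosed: an AV engine quarantines the DLL but leaves the Run value that loads it through rundll32.exe. The following is an added example written for this thread, not code from DDS or from anyone in it. It parses DDS-style Run lines, works out which file each command actually loads (handling unquoted paths with spaces, %ProgramFiles%, and the rundll32 <dll>,<export> form), and flags targets that are missing on disk, live in user-writable locations, or are bare module names resolved through the DLL search order. The existence check is injected as a callable so the module runs offline; the sample lines are taken from the log above plus one constructed orphaned rundll32 entry (OrphanExample / orphan_example.dll, which is invented), and the PRESENT set is a constructed stand-in for the file system.

```python
"""Triage of DDS 'uRun'/'mRun' autorun lines (added example, not DDS code)."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Tuple

RUN_LINE = re.compile(r'^\s*(?P<hive>[um])Run:\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+?)\s*$')
# Lazy match up to the first executable-looking extension, so unquoted paths with
# spaces ("c:\program files\...\sidebar.exe /autoRun") still parse correctly.
PATH_RE = re.compile(r'^\s*"?(?P<path>[^"]+?\.(?:exe|dll|scr|com|bat|cmd))"?', re.I)
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


@dataclass
class AutorunEntry:
    hive: str              # 'u' = HKCU Run, 'm' = HKLM Run (DDS shorthand)
    name: str
    command: str
    target: str            # the file that is actually executed or loaded
    flags: List[str] = field(default_factory=list)


def expand(path: str, env: Dict[str, str]) -> str:
    """Case-insensitive %VAR% expansion (lambda avoids backslash escapes in repl)."""
    for var, val in env.items():
        path = re.sub(re.escape(f"%{var}%"), lambda _m, v=val: v, path, flags=re.I)
    return path


def resolve_target(cmd: str, env: Dict[str, str]) -> Tuple[str, bool]:
    """Return (target, via_rundll32). For rundll32 commands the DLL is the target."""
    m = PATH_RE.match(cmd)
    if not m:
        return cmd.strip(), False
    path = m.group("path")
    base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if base == "rundll32.exe":
        rest = cmd[m.end():].lstrip().lstrip('"')
        dll = rest.split(",", 1)[0].rstrip().rstrip('"')
        return expand(dll, env), True
    return expand(path, env), False


def triage(lines: Iterable[str], exists: Callable[[str], bool],
           env: Dict[str, str]) -> List[AutorunEntry]:
    out: List[AutorunEntry] = []
    for line in lines:
        m = RUN_LINE.match(line)
        if not m:
            continue
        target, via = resolve_target(m.group("cmd"), env)
        e = AutorunEntry(m.group("hive"), m.group("name"), m.group("cmd"), target)
        low = target.lower()
        if via:
            e.flags.append("rundll32 host")
        if not re.match(r"^[a-z]:\\", low):
            # Bare name: rundll32/CreateProcess resolves it via the search order,
            # so the same value can load different files on different machines.
            e.flags.append("unqualified module (DLL search order decides)")
        else:
            if not exists(low):
                e.flags.append("target missing")     # orphan -> RunDLL error box
            if any(tok in low for tok in USER_WRITABLE):
                e.flags.append("user-writable location")
        out.append(e)
    return out


# Lines copied from the DDS log above, plus one CONSTRUCTED orphan entry.
SAMPLE_LINES = [
    r"uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun",
    r"uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter",
    r"mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide",
    r'mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"',
    r"mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui",
    r"uRun: [OrphanExample] rundll32.exe c:\users\alan\appdata\local\orphan_example.dll,Start",
]
# CONSTRUCTED stand-in for the file system: lower-cased paths that "exist".
PRESENT = {
    r"c:\program files\windows sidebar\sidebar.exe",
    r"c:\program files\windows defender\msascui.exe",
    r"c:\program files\common files\java\java update\jusched.exe",
    r"c:\progra~1\alwils~1\avast5\avastui.exe",
}
ENV = {"ProgramFiles": r"c:\program files"}  # assumed value for the sample

if __name__ == "__main__":
    for e in triage(SAMPLE_LINES, lambda p: p in PRESENT, ENV):
        hive = "HKCU" if e.hive == "u" else "HKLM"
        print(f"{hive:4} {e.name:22} -> {e.target}  {e.flags or ''}")
```

On the live machine the callable would be `os.path.exists` and the lines would come straight from the saved DDS.txt; an entry flagged "target missing" is removed from the Run key (not by a generic registry cleaner, which cannot tell an orphan from a deliberately disabled tool), and an entry flagged "user-writable location" gets the file itself submitted for analysis before anything is deleted.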
     
  14. 2011/04/27
    AlanR

    AlanR Well-Known Member Thread Starter

    Joined:
    2008/02/28
    Messages:
    48
    Likes Received:
    0
    ATTACH.log

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume3
    Install Date: 15/01/2009 15:05:06
    System Uptime: 27/04/2011 11:24:38 (3 hours ago)
    .
    Motherboard: Dell Inc. | | 0K216C
    Processor: Intel(R) Core(TM)2 Duo CPU E7200 @ 2.53GHz | Socket 775 | 2534/266mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 223 GiB total, 154.633 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 5.885 GiB free.
    E: is CDROM (CDFS)
    F: is FIXED (NTFS) - 466 GiB total, 461.244 GiB free.
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description: SM Bus Controller
    Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_020D1028&REV_02\3&2411E6FE&0&FB
    Manufacturer:
    Name: SM Bus Controller
    PNP Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_020D1028&REV_02\3&2411E6FE&0&FB
    Service:
    .
    ==== System Restore Points ===================
    .
    RP465: 22/02/2011 12:28:21 - Scheduled Checkpoint
    RP466: 23/02/2011 10:03:23 - Windows Update
    RP467: 25/02/2011 18:33:18 - Windows Update
    RP468: 25/02/2011 18:42:16 - Windows Update
    RP469: 28/02/2011 15:42:38 - Scheduled Checkpoint
    RP470: 01/03/2011 16:02:59 - Windows Update
    RP471: 04/03/2011 18:35:19 - Windows Update
    RP472: 07/03/2011 14:36:53 - Scheduled Checkpoint
    RP473: 08/03/2011 11:57:11 - Windows Update
    RP474: 10/03/2011 13:16:57 - Windows Update
    RP475: 12/03/2011 10:10:58 - Windows Update
    RP476: 15/03/2011 19:15:39 - Windows Update
    RP477: 17/03/2011 09:28:25 - Windows Update
    RP478: 18/03/2011 09:20:29 - Windows Update
    RP479: 22/03/2011 19:59:17 - Windows Update
    RP480: 23/03/2011 09:45:28 - Windows Update
    RP481: 07/04/2011 18:54:45 - Windows Update
    RP482: 07/04/2011 18:59:51 - Windows Update
    RP483: 08/04/2011 17:48:31 - Windows Update
    RP484: 10/04/2011 15:57:35 - Scheduled Checkpoint
    RP485: 11/04/2011 17:45:51 - Scheduled Checkpoint
    RP486: 12/04/2011 14:42:21 - Windows Update
    RP487: 13/04/2011 13:14:05 - Scheduled Checkpoint
    RP488: 15/04/2011 18:40:09 - Windows Update
    RP489: 15/04/2011 18:54:03 - Windows Update
    RP490: 19/04/2011 14:27:50 - Windows Update
    RP491: 22/04/2011 20:38:53 - Windows Update
    RP492: 25/04/2011 20:26:56 - Scheduled Checkpoint
    RP493: 26/04/2011 15:38:11 - Windows Update
    .
    ==== Installed Programs ======================
    .
    7-Zip 4.65
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.4
    ArcSoft MediaImpression
    ArcSoft PhotoImpression 6
    avast! Free Antivirus
    CoffeeCup Free HTML Editor
    Dell Resource CD
    DHTML Editing Component
    Garmin Communicator Plugin
    Garmin USB Drivers
    getPlus(R) for Adobe
    GoToMeeting 4.5.0.457
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Intel(R) Graphics Media Accelerator Driver
    IrfanView (remove only)
    Java Auto Updater
    Java(TM) 6 Update 13
    Java(TM) 6 Update 18
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.16)
    Mozilla Thunderbird (3.1.9)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    OpenOffice.org 3.2
    OVT Scanner X86
    PIXresizer 2.0.4
    Seagate Manager Installer
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Spelling Dictionaries Support For Adobe Reader 9
    Uninstall OVT Scanner
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
    .
    ==== Event Viewer Messages From Past Week ========
    .
    23/04/2011 17:02:54, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
    23/04/2011 17:02:54, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    23/04/2011 17:02:54, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments " " in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    23/04/2011 15:29:28, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
    20/04/2011 10:59:35, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    .
    ==== End Of File ===========================


    Broni

    I have a handful of Windows updates waiting to be installed, as I notice that it is mentioned at the tail end of the above.

    Many thanks,

    Alan
     
  15. 2011/04/27
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Go ahead with those updates.

    Make sure to disable "word wrap" in Notepad, because some of your logs are hard to read.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  16. 2011/04/27
    AlanR

    AlanR Well-Known Member Thread Starter

    Joined:
    2008/02/28
    Messages:
    48
    Likes Received:
    0
    Sorry about the notepad wordwrap.

    Have now installed my Windows updates.

    Here is the Combofix.txt

    ComboFix 11-04-27.01 - Alan 27/04/2011 20:03:07.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2036.1249 [GMT 1:00]
    Running from: c:\users\Alan\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Alan\AppData\Local\{848056AD-5C00-4537-BCD6-5EC0A53C7FC5}
    c:\users\Alan\AppData\Local\{848056AD-5C00-4537-BCD6-5EC0A53C7FC5}\chrome.manifest
    c:\users\Alan\AppData\Local\{848056AD-5C00-4537-BCD6-5EC0A53C7FC5}\chrome\content\_cfg.js
    c:\users\Alan\AppData\Local\{848056AD-5C00-4537-BCD6-5EC0A53C7FC5}\chrome\content\overlay.xul
    c:\users\Alan\AppData\Local\{848056AD-5C00-4537-BCD6-5EC0A53C7FC5}\install.rdf
    c:\users\Alan\g2mdlhlpx.exe
    F:\Autorun.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-27 to 2011-04-27 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-27 19:09 . 2011-04-27 19:09 -------- d-----w- c:\users\Alan\AppData\Local\temp
    2011-04-27 19:09 . 2011-04-27 19:09 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-04-27 13:30 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2011-04-27 13:30 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2011-04-27 13:30 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-04-27 10:02 . 2011-04-27 10:02 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2011-04-27 09:40 . 2011-04-27 09:40 -------- d-----w- c:\users\Alan\AppData\Roaming\Malwarebytes
    2011-04-27 09:40 . 2011-04-27 09:40 -------- d-----w- c:\programdata\Malwarebytes
    2011-04-27 09:40 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-27 09:40 . 2011-04-27 09:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-04-27 09:40 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-26 14:38 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{494DEC0B-7FDA-45A0-8A57-A6CD965FB7CF}\mpengine.dll
    2011-04-16 09:37 . 2011-04-16 09:39 -------- d-----w- c:\users\Alan\AppData\Roaming\eBookPro6
    2011-04-14 12:12 . 2011-02-16 14:02 292864 ----a-w- c:\windows\system32\atmfd.dll
    2011-04-14 12:12 . 2011-02-16 16:16 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-04-14 12:12 . 2011-02-22 06:21 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-04-14 12:12 . 2011-02-22 06:21 638232 ----a-w- c:\program files\Internet Explorer\iexplore.exe
    2011-04-14 02:39 . 2011-04-14 02:39 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2011-04-07 18:56 . 2011-04-18 17:17 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-18 17:25 . 2010-06-30 17:28 40112 ----a-w- c:\windows\avastSS.scr
    2011-04-18 17:25 . 2009-01-15 20:12 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-04-18 17:17 . 2009-01-15 20:13 307288 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-04-18 17:16 . 2009-01-15 20:13 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-04-18 17:13 . 2009-01-15 20:13 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-04-18 17:13 . 2009-01-15 20:12 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-04-18 17:12 . 2009-01-15 20:13 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-03-03 15:40 . 2011-04-27 13:30 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
    2011-03-03 15:40 . 2011-04-27 13:30 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
    2011-03-03 15:40 . 2011-04-27 13:30 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2011-03-03 15:40 . 2011-04-27 13:30 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
    2011-02-22 14:13 . 2011-03-22 20:03 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-02-22 13:33 . 2011-03-22 20:03 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-02-22 13:33 . 2011-03-22 20:03 797696 ----a-w- c:\windows\system32\FntCache.dll
    2011-02-02 17:11 . 2009-10-03 13:09 222080 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @= "{472083B0-C522-11CF-8763-00608CC02F24} "
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-04-18 17:25 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar "= "c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "WindowsWelcomeCenter "= "oobefldr.dll" [2009-04-11 2153472]
    "ehTray.exe "= "c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2008-04-22 141848]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2008-04-22 166424]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2008-04-22 133656]
    "ArcSoft Connection Service "= "c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "MaxMenuMgr "= "c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-25 185640]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle "= 0 (0x0)
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 APL531;OVT Scanner;c:\windows\system32\Drivers\ov550i.sys [2006-07-31 580992]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-04-18 53592]
    S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-09-25 189736]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-27 c:\windows\Tasks\User_Feed_Synchronization-{1DE4E923-B64B-4911-904B-DDA2A93AA5A2}.job
    - c:\windows\system32\msfeedssync.exe [2011-04-14 04:43]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    FF - ProfilePath - c:\users\Alan\AppData\Roaming\Mozilla\Firefox\Profiles\iobn5cct.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-OVT Scanner - c:\windows\omniuns.exe USB\Vid_05a9&PID_1550 OVT Scanner
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-27 20:09
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2011-04-27 20:11:54
    ComboFix-quarantined-files.txt 2011-04-27 19:11
    .
    Pre-Run: 165,998,030,848 bytes free
    Post-Run: 166,478,721,024 bytes free
    .
    Current=1 Default=1 Failed=0 LastKnownGood=11 Sets=1,2,3,4,5,6,7,8,9,11
    - - End Of File - - EBD6C23BE65386373BC4D53DC9225141


    Thanks Broni

    PS. I tried to make sense out of this log for my own education...but it might just as well have been in Latin. LOL
     
    Last edited: 2011/04/27
  17. 2011/04/27
    broni Moderator Malware Analyst
    Hahaha....

    Combofix log looks good now.

    How is computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
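The RunDLL "specified module could not be found" box this thread opened with is the typical sign of an autostart entry left behind after the DLL it points at was quarantined. As an added example (not from the thread, and not OTL or ComboFix code), this PowerShell script lists entries under the common Run/RunOnce keys whose target file is missing, so the orphan can be reviewed before anything is removed:

```powershell
# Added example: report Run/RunOnce entries whose target file no longer exists.
# Such an orphaned entry is what produces "RunDLL - Error loading ... The
# specified module could not be found" at logon after an antivirus has
# quarantined the DLL but left the registry value in place. Report only;
# nothing is deleted.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Property names Get-ItemProperty adds that are not registry values.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-TargetPath {
    # Extract the file path from a Run value's command line. Handles:
    #   "C:\Program Files\x\y.exe" /arg
    #   C:\path with spaces\y.exe /arg
    #   rundll32.exe C:\Users\u\AppData\Local\foo.dll,Entry
    param([string]$CommandLine)

    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())

    # rundll32 form: the DLL is the first argument, before the comma.
    if ($cmd -match '^(?:"?[^"]*rundll32(?:\.exe)?"?)\s+"?([^",]+)') {
        return $Matches[1].Trim()
    }
    # Quoted executable path.
    if ($cmd -match '^"([^"]+)"') {
        return $Matches[1]
    }
    # Unquoted path with spaces: join tokens until one ends in a known extension.
    $tokens = $cmd -split '\s+'
    $acc = ''
    foreach ($t in $tokens) {
        $acc = if ($acc) { "$acc $t" } else { $t }
        if ($acc -match '\.(exe|dll|scr|com|bat|cmd)$') { return $acc }
    }
    return $tokens[0]
}

function Test-TargetExists {
    param([string]$Target)
    if (Test-Path -LiteralPath $Target) { return $true }
    # Bare names such as oobefldr.dll are loaded from System32.
    if (-not [IO.Path]::IsPathRooted($Target)) {
        $sys32 = Join-Path "$env:SystemRoot\System32" $Target
        if (Test-Path -LiteralPath $sys32) { return $true }
    }
    return $false
}

function Find-OrphanedRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }
            $target = Get-TargetPath -CommandLine ([string]$p.Value)
            if ([string]::IsNullOrWhiteSpace($target)) { continue }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                Target  = $target
                Missing = -not (Test-TargetExists -Target $target)
            }
        }
    }
}

# Only the orphans are shown; a clean machine prints nothing.
Find-OrphanedRunEntries | Where-Object Missing | Format-Table -AutoSize
```

An entry flagged here should be compared against the quarantine log of the antivirus before it is touched; a legitimate program whose file was wrongly removed looks identical to a leftover malware loader.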
     
  18. 2011/04/28
    AlanR Well-Known Member Thread Starter
    Hi Broni, my computer appears fine, thank you very much. As far as I can tell it is back to how it was before this unfortunate event. The RunDLL Error loading box does not now come up when I first boot up into Desktop, and 'Avast' does not now keep telling me that it has blocked something at that same time.

    I did just now lose my 'Avast' tool bar icon and got an error box (if that is any concern?) but having gone through the 'Start' and 'All Programs' menu the icon is back again after I clicked on the application listed there. All security is running. I would welcome your recommendation on additions I should use.

    Here is the first OTL.txt log:

    OTL logfile created on: 28/04/2011 15:04:35 - Run 1
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Alan\Desktop
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.19048)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 65.00% Memory free
    4.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 222.77 Gb Total Space | 154.73 Gb Free Space | 69.46% Space Free | Partition Type: NTFS
    Drive D: | 10.00 Gb Total Space | 5.88 Gb Free Space | 58.85% Space Free | Partition Type: NTFS
    Drive E: | 66.55 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
    Drive F: | 465.76 Gb Total Space | 461.24 Gb Free Space | 99.03% Space Free | Partition Type: NTFS

    Computer Name: ALAN-PC | User Name: Alan | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/04/28 14:43:54 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Alan\Desktop\OTL.exe
    PRC - [2011/04/18 18:25:12 | 003,460,784 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    PRC - [2011/04/18 18:25:10 | 000,042,184 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    PRC - [2010/10/27 20:17:52 | 000,207,424 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    PRC - [2010/08/25 11:27:44 | 000,309,824 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    PRC - [2009/09/26 00:32:18 | 000,189,736 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    PRC - [2009/09/26 00:31:32 | 000,185,640 | ---- | M] (Seagate LLC) -- C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
    PRC - [2009/04/11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


    ========== Modules (SafeList) ==========

    MOD - [2011/04/28 14:43:54 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Alan\Desktop\OTL.exe
    MOD - [2010/08/31 16:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2011/04/18 18:25:10 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2010/03/29 08:53:22 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
    SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
    SRV - [2009/09/26 00:32:18 | 000,189,736 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)
    SRV - [2008/01/21 03:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


    ========== Driver Services (SafeList) ==========

    DRV - [2011/04/18 18:17:46 | 000,441,176 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
    DRV - [2011/04/18 18:17:34 | 000,307,288 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2011/04/18 18:16:18 | 000,049,240 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2011/04/18 18:13:21 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2011/04/18 18:13:09 | 000,053,592 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
    DRV - [2011/04/18 18:12:58 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2008/01/21 03:23:25 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
    DRV - [2006/11/10 16:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\afc.sys -- (Afc)
    DRV - [2006/07/31 13:44:00 | 000,580,992 | ---- | M] (Omnivision Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ov550i.sys -- (APL531)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-948891049-2262682744-2781767659-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    IE - HKU\S-1-5-21-948891049-2262682744-2781767659-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
    IE - HKU\S-1-5-21-948891049-2262682744-2781767659-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 51 49 3D 8D 5F 15 CB 01 [binary data]
    IE - HKU\S-1-5-21-948891049-2262682744-2781767659-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKU\S-1-5-21-948891049-2262682744-2781767659-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========



    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/07 20:05:09 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/23 17:02:53 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.9\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/03/16 10:53:06 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.9\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

    [2010/08/19 16:43:53 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Alan\AppData\Roaming\Mozilla\Extensions
    [2010/08/19 16:43:53 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Alan\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
    [2011/04/27 20:24:45 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Alan\AppData\Roaming\Mozilla\Firefox\Profiles\iobn5cct.default\extensions
    [2009/09/08 14:04:25 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Alan\AppData\Roaming\Mozilla\Firefox\Profiles\iobn5cct.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2010/01/28 12:07:17 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/03/12 11:08:42 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
    [2011/03/12 11:08:42 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
    [2011/03/12 11:08:42 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
    [2011/03/12 11:08:42 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

    O1 HOSTS File: ([2011/04/27 20:09:20 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
    O4 - HKLM..\Run: [MaxMenuMgr] C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe (Seagate LLC)
    O4 - HKU\S-1-5-21-948891049-2262682744-2781767659-1000..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-948891049-2262682744-2781767659-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-948891049-2262682744-2781767659-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
    O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
    O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O32 - AutoRun File - [2010/10/20 15:59:45 | 000,000,024 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
    O32 - AutoRun File - [2011/04/27 20:14:35 | 000,000,067 | ---- | M] () - F:\autorun.inf -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKU\S-1-5-21-948891049-2262682744-2781767659-1000\...com [@ = ComFile] -- Reg Error: Key error. File not found
    O37 - HKU\S-1-5-21-948891049-2262682744-2781767659-1000\...exe [@ = exefile] -- Reg Error: Key error. File not found

    NetSvcs: FastUserSwitchingCompatibility - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Nla - File not found
    NetSvcs: Ntmssvc - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: SRService - File not found
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: LogonHours - File not found
    NetSvcs: PCAudit - File not found
    NetSvcs: helpsvc - File not found
    NetSvcs: uploadmgr - File not found

    Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
    Drivers32: VIDC.I420 - msh263.drv File not found

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/04/28 14:43:51 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\Alan\Desktop\OTL.exe
    [2011/04/27 20:11:58 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2011/04/27 20:11:55 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2011/04/27 20:11:55 | 000,000,000 | ---D | C] -- C:\Users\Alan\AppData\Local\temp
    [2011/04/27 20:01:20 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2011/04/27 20:01:20 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2011/04/27 20:01:20 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2011/04/27 20:01:02 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2011/04/27 19:59:22 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/04/27 19:59:07 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
    [2011/04/27 10:40:28 | 000,000,000 | ---D | C] -- C:\Users\Alan\AppData\Roaming\Malwarebytes
    [2011/04/27 10:40:08 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
    [2011/04/27 10:40:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2011/04/27 10:40:05 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2011/04/27 10:40:05 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/04/27 10:34:21 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Alan\Desktop\mbam-setup-1.50.1.1100.exe
    [2011/04/26 12:18:54 | 000,000,000 | ---D | C] -- C:\Users\Alan\Desktop\MalProblem
    [2011/04/26 11:46:03 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Users\Alan\Desktop\TFC.exe
    [2011/04/16 10:37:49 | 000,000,000 | ---D | C] -- C:\Users\Alan\AppData\Roaming\eBookPro6
    [2011/04/07 19:56:48 | 000,441,176 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
    [2007/10/15 02:35:00 | 000,040,960 | ---- | C] ( ) -- C:\Windows\OMNIUNS.EXE

    ========== Files - Modified Within 30 Days ==========

    [2011/04/28 14:43:54 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Alan\Desktop\OTL.exe
    [2011/04/28 14:42:42 | 000,608,760 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2011/04/28 14:42:42 | 000,108,268 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2011/04/28 14:37:59 | 000,000,416 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{1DE4E923-B64B-4911-904B-DDA2A93AA5A2}.job
    [2011/04/28 14:36:23 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2011/04/28 14:36:23 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2011/04/28 14:36:19 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2011/04/28 14:36:15 | 2136,133,632 | -HS- | M] () -- C:\hiberfil.sys
    [2011/04/27 20:09:20 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2011/04/27 19:35:12 | 004,331,679 | R--- | M] () -- C:\Users\Alan\Desktop\ComboFix.exe
    [2011/04/27 12:17:40 | 000,625,664 | ---- | M] () -- C:\Users\Alan\Desktop\dds.scr
    [2011/04/27 12:16:39 | 000,080,384 | ---- | M] () -- C:\Users\Alan\Desktop\MBRCheck.exe
    [2011/04/27 11:50:34 | 000,301,568 | ---- | M] () -- C:\Users\Alan\Desktop\zjh77ngp.exe
    [2011/04/27 10:40:08 | 000,000,932 | ---- | M] () -- C:\Users\Alan\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
    [2011/04/27 10:40:08 | 000,000,908 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/04/27 10:34:22 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Alan\Desktop\mbam-setup-1.50.1.1100.exe
    [2011/04/26 11:46:07 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Users\Alan\Desktop\TFC.exe
    [2011/04/23 17:02:54 | 000,001,889 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
    [2011/04/22 22:14:42 | 000,028,773 | ---- | M] () -- C:\Users\Alan\Documents\CPAiraq.odt
    [2011/04/20 12:09:28 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
    [2011/04/19 21:10:00 | 000,008,602 | ---- | M] () -- C:\Users\Alan\Documents\Cinnamon.rtf
    [2011/04/18 18:25:12 | 000,040,112 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
    [2011/04/18 18:25:10 | 000,199,304 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
    [2011/04/18 18:17:46 | 000,441,176 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
    [2011/04/18 18:17:34 | 000,307,288 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
    [2011/04/18 18:16:18 | 000,049,240 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
    [2011/04/18 18:13:21 | 000,025,432 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
    [2011/04/18 18:13:09 | 000,053,592 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
    [2011/04/18 18:12:58 | 000,019,544 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
    [2011/04/16 13:07:02 | 000,000,558 | ---- | M] () -- C:\Users\Alan\Desktop\AffiliateLink - Shortcut.lnk
    [2011/04/15 19:11:46 | 000,253,072 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2011/04/12 21:20:53 | 000,200,172 | ---- | M] () -- C:\Users\Alan\Desktop\TrafficExchangeSolutions-156.pdf

    ========== Files Created - No Company Name ==========

    [2011/04/27 20:01:20 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
    [2011/04/27 20:01:20 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2011/04/27 20:01:20 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
    [2011/04/27 20:01:20 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2011/04/27 20:01:20 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2011/04/27 19:34:59 | 004,331,679 | R--- | C] () -- C:\Users\Alan\Desktop\ComboFix.exe
    [2011/04/27 12:17:37 | 000,625,664 | ---- | C] () -- C:\Users\Alan\Desktop\dds.scr
    [2011/04/27 12:16:38 | 000,080,384 | ---- | C] () -- C:\Users\Alan\Desktop\MBRCheck.exe
    [2011/04/27 11:50:31 | 000,301,568 | ---- | C] () -- C:\Users\Alan\Desktop\zjh77ngp.exe
    [2011/04/27 10:40:08 | 000,000,932 | ---- | C] () -- C:\Users\Alan\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
    [2011/04/27 10:40:08 | 000,000,908 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/04/22 22:14:39 | 000,028,773 | ---- | C] () -- C:\Users\Alan\Documents\CPAiraq.odt
    [2011/04/19 21:10:00 | 000,008,602 | ---- | C] () -- C:\Users\Alan\Documents\Cinnamon.rtf
    [2011/04/16 13:07:02 | 000,000,558 | ---- | C] () -- C:\Users\Alan\Desktop\AffiliateLink - Shortcut.lnk
    [2011/04/12 21:20:53 | 000,200,172 | ---- | C] () -- C:\Users\Alan\Desktop\TrafficExchangeSolutions-156.pdf
    [2009/10/21 19:30:07 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
    [2009/10/21 19:30:06 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
    [2009/01/31 14:01:39 | 000,016,896 | ---- | C] () -- C:\Users\Alan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2009/01/15 21:22:26 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
    [2009/01/15 16:51:13 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
    [2009/01/15 16:21:03 | 000,000,680 | ---- | C] () -- C:\Users\Alan\AppData\Local\d3d9caps.dat
    [2008/09/07 04:28:14 | 001,953,696 | ---- | C] () -- C:\Windows\System32\igklg400.dll
    [2008/09/07 04:28:14 | 001,533,360 | ---- | C] () -- C:\Windows\System32\igklg450.dll
    [2008/09/07 04:28:14 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1409.dll
    [2008/09/07 04:28:14 | 000,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
    [2006/11/02 13:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
    [2006/11/02 13:47:37 | 000,253,072 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
    [2006/11/02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
    [2006/11/02 11:33:01 | 000,608,760 | ---- | C] () -- C:\Windows\System32\perfh009.dat
    [2006/11/02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
    [2006/11/02 11:33:01 | 000,108,268 | ---- | C] () -- C:\Windows\System32\perfc009.dat
    [2006/11/02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
    [2006/11/02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
    [2006/11/02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
    [2006/11/02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
    [2006/11/02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
    [2006/11/02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

    ========== LOP Check ==========

    [2010/01/20 19:36:42 | 000,000,000 | ---D | M] -- C:\Users\Alan\AppData\Roaming\CoffeeCup Software
    [2009/07/27 14:22:31 | 000,000,000 | ---D | M] -- C:\Users\Alan\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    [2011/04/16 10:39:51 | 000,000,000 | ---D | M] -- C:\Users\Alan\AppData\Roaming\eBookPro6
    [2009/10/08 19:56:15 | 000,000,000 | ---D | M] -- C:\Users\Alan\AppData\Roaming\GARMIN
    [2011/03/09 20:24:14 | 000,000,000 | ---D | M] -- C:\Users\Alan\AppData\Roaming\IrfanView
    [2010/03/20 14:40:09 | 000,000,000 | ---D | M] -- C:\Users\Alan\AppData\Roaming\Leadertech
    [2009/07/26 18:40:00 | 000,000,000 | ---D | M] -- C:\Users\Alan\AppData\Roaming\OpenOffice.org
    [2010/08/19 16:43:53 | 000,000,000 | ---D | M] -- C:\Users\Alan\AppData\Roaming\Thunderbird
    [2011/04/28 10:55:23 | 000,032,622 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
    [2011/04/28 14:37:59 | 000,000,416 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{1DE4E923-B64B-4911-904B-DDA2A93AA5A2}.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
    [2009/04/11 07:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
    [2009/01/15 23:56:31 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
    [2011/04/27 20:11:54 | 000,009,450 | ---- | M] () -- C:\ComboFix.txt
    [2006/09/18 22:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
    [2008/09/07 04:33:53 | 000,004,435 | RH-- | M] () -- C:\dell.sdr
    [2011/04/28 14:36:15 | 2136,133,632 | -HS- | M] () -- C:\hiberfil.sys
    [2008/09/09 12:27:41 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2008/09/09 12:27:41 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2008/10/25 15:40:31 | 000,227,130 | ---- | M] () -- C:\nonav.log
    [2011/04/28 14:36:14 | 2449,948,672 | -HS- | M] () -- C:\pagefile.sys

    < %systemroot%\Fonts\*.com >
    [2006/11/02 13:37:12 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
    [2006/11/02 13:37:12 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
    [2006/11/02 13:37:12 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
    [2009/11/09 19:02:00 | 000,037,665 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2006/09/18 22:37:34 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2006/11/02 13:35:48 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2011/04/18 18:25:12 | 000,040,112 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2008/01/21 03:43:21 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2008/01/21 04:14:18 | 016,846,848 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
    [2008/01/21 04:14:08 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
    [2008/01/21 04:14:18 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
    [2006/11/02 11:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
    [2006/11/02 11:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2009/08/15 18:36:05 | 000,000,574 | -HS- | M] () -- C:\Users\Alan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >
    [2011/04/27 19:35:12 | 004,331,679 | R--- | M] () -- C:\Users\Alan\Desktop\ComboFix.exe
    [2011/04/27 10:34:22 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Alan\Desktop\mbam-setup-1.50.1.1100.exe
    [2011/04/27 12:16:39 | 000,080,384 | ---- | M] () -- C:\Users\Alan\Desktop\MBRCheck.exe
    [2011/04/28 14:43:54 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Alan\Desktop\OTL.exe
    [2011/04/26 11:46:07 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Users\Alan\Desktop\TFC.exe
    [2011/04/27 11:50:34 | 000,301,568 | ---- | M] () -- C:\Users\Alan\Desktop\zjh77ngp.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >
    [2009/11/09 19:11:38 | 000,008,192 | ---- | M] () -- C:\Windows\security\database\edb.chk
    [2009/11/09 19:11:08 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edb.log
    [2009/11/09 19:11:08 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbres00001.jrs
    [2009/11/09 19:11:08 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbres00002.jrs
    [2009/11/09 19:11:08 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbtmp.log
    [2009/11/09 19:11:08 | 001,056,768 | ---- | M] () -- C:\Windows\security\database\tmp.edb

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2010/12/06 12:20:50 | 000,000,402 | -HS- | M] () -- C:\Users\Alan\Favorites\desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < End of report >

    Extras.txt follows
     
  19. 2011/04/28
    AlanR

    AlanR Well-Known Member Thread Starter

    Joined:
    2008/02/28
    Messages:
    48
    Likes Received:
    0
    Here is the Extras.txt log:

    OTL Extras logfile created on: 28/04/2011 15:04:35 - Run 1
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Alan\Desktop
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.19048)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 65.00% Memory free
    4.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 222.77 Gb Total Space | 154.73 Gb Free Space | 69.46% Space Free | Partition Type: NTFS
    Drive D: | 10.00 Gb Total Space | 5.88 Gb Free Space | 58.85% Space Free | Partition Type: NTFS
    Drive E: | 66.55 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
    Drive F: | 465.76 Gb Total Space | 461.24 Gb Free Space | 99.03% Space Free | Partition Type: NTFS

    Computer Name: ALAN-PC | User Name: Alan | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1 ",%*
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

    [HKEY_USERS\S-1-5-21-948891049-2262682744-2781767659-1000\SOFTWARE\Classes\<extension>]
    .bat [@ = batfile] -- Reg Error: Key error. File not found
    .cmd [@ = cmdfile] -- Reg Error: Key error. File not found
    .com [@ = ComFile] -- Reg Error: Key error. File not found
    .exe [@ = exefile] -- Reg Error: Key error. File not found
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
    .pif [@ = piffile] -- Reg Error: Key error. File not found
    .vbs [@ = VBSFile] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1 ",%*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    htmlfile [edit] -- "C:\PROGRA~1\COFFEE~2\COFFEE~1\coffee.exe" "%1" (CoffeeCup Software)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1 "
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "VistaSp2" = Reg Error: Unknown registry data type -- File not found

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "EnableFirewall" = 0
    "DisableNotifications" = 0

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{26A24AE4-039D-4CA4-87B4-2F83216013F0}" = Java(TM) 6 Update 13
    "{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java(TM) 6 Update 18
    "{27F00C63-449B-2FAB-CBE8-24AB80E17449}" = Acrobat.com
    "{2A30052B-831C-41D3-8044-3C0388066350}" = Seagate Manager Installer
    "{2EA870FA-585F-4187-903D-CB9FFD21E2E0}" = DHTML Editing Component
    "{31AE724F-7E99-426A-8B0B-A2C5A33DA204}" = ArcSoft MediaImpression
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{6B566EFE-DC1D-471F-93DD-84832663F140}" = OVT Scanner X86
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
    "{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.4
    "{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
    "{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
    "{BEFBEDDF-1417-4C8A-92FB-F003C0D41199}" = OpenOffice.org 3.2
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus(R) for Adobe
    "{D56401D6-E356-4CA5-97A3-024D666F5E5C}" = ArcSoft PhotoImpression 6
    "{E503B4BF-F7BB-3D5F-8BC8-F694B1CFF942}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
    "{EFF87108-C9D0-43F1-BEE1-28DA87778F1A}" = Garmin Communicator Plugin
    "45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
    "7-Zip" = 7-Zip 4.65
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "avast" = avast! Free Antivirus
    "CoffeeCup Free HTML Editor" = CoffeeCup Free HTML Editor
    "HDMI" = Intel(R) Graphics Media Accelerator Driver
    "InstallShield_{2A30052B-831C-41D3-8044-3C0388066350}" = Seagate Manager Installer
    "IrfanView" = IrfanView (remove only)
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Mozilla Firefox (3.6.16)" = Mozilla Firefox (3.6.16)
    "Mozilla Thunderbird (3.1.9)" = Mozilla Thunderbird (3.1.9)
    "PIXresizer_is1" = PIXresizer 2.0.4

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-948891049-2262682744-2781767659-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "GoToMeeting" = GoToMeeting 4.5.0.457

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 27/04/2011 05:53:31 | Computer Name = Alan-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 27/04/2011 06:26:38 | Computer Name = Alan-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 27/04/2011 07:43:41 | Computer Name = Alan-PC | Source = Application Error | ID = 1000
    Description = Faulting application zjh77ngp.exe, version 1.0.15.15570, time stamp
    0x4d86265c, faulting module zjh77ngp.exe, version 1.0.15.15570, time stamp 0x4d86265c,
    exception code 0xc0000005, fault offset 0x0000c676, process id 0xef4, application
    start time 0x01cc04d011c6f270.

    Error - 27/04/2011 07:48:04 | Computer Name = Alan-PC | Source = Perflib | ID = 1010
    Description =

    Error - 27/04/2011 10:19:10 | Computer Name = Alan-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 27/04/2011 14:06:45 | Computer Name = Alan-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 27/04/2011 14:31:23 | Computer Name = Alan-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 27/04/2011 15:15:57 | Computer Name = Alan-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 28/04/2011 05:19:16 | Computer Name = Alan-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 28/04/2011 09:38:00 | Computer Name = Alan-PC | Source = WinMgmt | ID = 10
    Description =

    [ System Events ]
    Error - 14/04/2011 14:37:12 | Computer Name = Alan-PC | Source = Dhcp | ID = 1002
    Description = The IP address lease 82.37.76.212 for the Network Card with network
    address 001EC981CCB0 has been denied by the DHCP server 192.168.100.1 (The DHCP
    Server sent a DHCPNACK message).

    Error - 14/04/2011 14:37:25 | Computer Name = Alan-PC | Source = Dhcp | ID = 1002
    Description = The IP address lease 192.168.100.11 for the Network Card with network
    address 001EC981CCB0 has been denied by the DHCP server 192.168.100.1 (The DHCP
    Server sent a DHCPNACK message).

    Error - 20/04/2011 05:59:35 | Computer Name = Alan-PC | Source = Service Control Manager | ID = 7022
    Description =

    Error - 23/04/2011 10:29:28 | Computer Name = Alan-PC | Source = Service Control Manager | ID = 7011
    Description =

    Error - 23/04/2011 12:02:54 | Computer Name = Alan-PC | Source = DCOM | ID = 10005
    Description =

    Error - 23/04/2011 12:02:54 | Computer Name = Alan-PC | Source = Service Control Manager | ID = 7009
    Description =

    Error - 23/04/2011 12:02:54 | Computer Name = Alan-PC | Source = Service Control Manager | ID = 7000
    Description =

    Error - 27/04/2011 15:02:57 | Computer Name = Alan-PC | Source = Service Control Manager | ID = 7030
    Description =

    Error - 27/04/2011 15:07:09 | Computer Name = Alan-PC | Source = Service Control Manager | ID = 7030
    Description =

    Error - 27/04/2011 15:09:22 | Computer Name = Alan-PC | Source = Service Control Manager | ID = 7030
    Description =


    < End of report >
     
  20. 2011/04/28
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good news :)

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    =====================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
      O37 - HKU\S-1-5-21-948891049-2262682744-2781767659-1000\...com [@ = ComFile] -- Reg Error: Key error. File not found
      O37 - HKU\S-1-5-21-948891049-2262682744-2781767659-1000\...exe [@ = exefile] -- Reg Error: Key error. File not found
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    =====================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
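
    The O37 lines in the OTL fix above point at per-user file association keys for .com and .exe under the user's HKU\...\SOFTWARE\Classes hive. Those extensions are normally mapped only under HKLM\SOFTWARE\Classes, and a per-user copy can route every program launch through a different handler, which is why it is worth confirming the keys are gone after the fix runs. The following is an editor's check added here, not broni's code and not part of OTL; the list of extensions it inspects is an assumption, and it examines only the currently logged-in user (run it as the affected account):

```powershell
# Added example, not from the thread or from OTL. Lists per-user shell
# association overrides for executable extensions. These normally exist
# only under HKLM\SOFTWARE\Classes; a copy under HKCU\Software\Classes
# (what OTL reports as O37 lines) can redirect every launch of that file
# type through another handler, so any hit here deserves a look.
# The extension list below is an assumption, not taken from the thread.
$ExecutableExtensions = '.exe', '.com', '.bat', '.cmd', '.pif', '.scr', '.vbs'

function Get-UserClassOverride {
    param([string[]]$Extensions = $ExecutableExtensions)

    foreach ($ext in $Extensions) {
        $userKey    = "HKCU:\Software\Classes\$ext"
        $machineKey = "HKLM:\SOFTWARE\Classes\$ext"
        if (-not (Test-Path -LiteralPath $userKey)) { continue }

        # '(default)' holds the ProgId the extension maps to (e.g. exefile).
        $userProgId    = (Get-ItemProperty -LiteralPath $userKey -ErrorAction SilentlyContinue).'(default)'
        $machineProgId = (Get-ItemProperty -LiteralPath $machineKey -ErrorAction SilentlyContinue).'(default)'

        # If the per-user ProgId also carries its own open command, show it:
        # that is where a substituted handler would sit.
        $userCommand = $null
        if ($userProgId) {
            $cmdKey = "HKCU:\Software\Classes\$userProgId\shell\open\command"
            if (Test-Path -LiteralPath $cmdKey) {
                $userCommand = (Get-ItemProperty -LiteralPath $cmdKey -ErrorAction SilentlyContinue).'(default)'
            }
        }

        [pscustomobject]@{
            Extension     = $ext
            UserProgId    = $userProgId
            MachineProgId = $machineProgId
            UserCommand   = $userCommand
        }
    }
}

$overrides = @(Get-UserClassOverride)
if ($overrides.Count -eq 0) {
    Write-Output 'No per-user association overrides found for executable extensions.'
} else {
    $overrides | Format-Table -AutoSize
}
```

On a clean machine the function returns nothing for these extensions, so the script prints the "No per-user association overrides" line; any row it does return shows which ProgId the user hive substitutes for the machine-wide one and, where present, the command that would run in place of the normal `"%1" %*` shown in the Shell Spawning section of the Extras log.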
     
  21. 2011/04/28
    AlanR

    AlanR Well-Known Member Thread Starter

    Joined:
    2008/02/28
    Messages:
    48
    Likes Received:
    0
    Broni

    I have just downloaded and installed jxpiinstall but where do I find the items you have listed in 1 & 2 below?


    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.
     
