1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Solved RootKit Virus

Discussion in 'Malware and Virus Removal Archive' started by michaelac, 2011/06/06.

Page 1 of 3
  1. 2011/06/06
    michaelac

    michaelac Inactive Thread Starter

    Joined:
    2011/06/06
    Messages:
    29
    Likes Received:
    0
    [Resolved] RootKit Virus

    Hello can someone help.

    I seem to have a rootkit problem. Crashes, Web diversions, Hassles +++

    Logs below
     
    michaelac,
    #1
  2. 2011/06/06
    michaelac

    michaelac Inactive Thread Starter

    Joined:
    2011/06/06
    Messages:
    29
    Likes Received:
    0
    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6784

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.19048

    6/06/2011 11:40:07 PM
    mbam-log-2011-06-06 (23-39-16).txt

    Scan type: Quick scan
    Objects scanned: 198467
    Time elapsed: 11 minute(s), 4 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 4
    Registry Values Infected: 4
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    c:\Users\George\AppData\Local\oninirum.dll (Trojan.Hiloti) -> No action taken.

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\4ECYTQ9SIC (Trojan.FakeAlert.SA) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\J40NOZ44HU (Trojan.FakeAlert.SA) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> No action taken.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gkeruzacuf (Trojan.Hiloti) -> Value: Gkeruzacuf -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Malware Protection (Rogue.Spypro) -> Value: Malware Protection -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cranezuduqiy (Trojan.Agent.U) -> Value: Cranezuduqiy -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4ECYTQ9SIC (Trojan.FakeAlert.SA) -> Value: 4ECYTQ9SIC -> No action taken.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Users\George\AppData\Local\oninirum.dll (Trojan.Hiloti) -> No action taken.
    c:\Users\George\local settings\application data\oninirum.dll (Trojan.Hiloti) -> No action taken.
     
    michaelac,
    #2


  3. to hide this advert.

  4. 2011/06/06
    michaelac

    michaelac Inactive Thread Starter

    Joined:
    2011/06/06
    Messages:
    29
    Likes Received:
    0
    GMER over 3 posts



    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit scan 2011-06-07 00:53:39
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\iaStor0 ST925082 rev.3.AA
    Running: GMER.exe; Driver: C:\Users\George\AppData\Local\Temp\agriykob.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x9057E202]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x9058081C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x90580874]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x9058098A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x90580772]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x905808C4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x905807C6]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x90580938]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x9057E226]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x9057DFF0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x9057E24A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x90580D82]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x9057ECDA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x9058084C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x9058089C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x905809B4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x9058079E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x90580904]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x905807F4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x90580962]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x9057EBA0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x9057E26E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x9057E292]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x9057E04A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x9057E186]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x9057E162]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x9057E1AA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x9057E2B6]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x90A22902]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!KeSetEvent + 10D 82CC6890 4 Bytes [02, E2, 57, 90] {ADD AH, DL; PUSH EDI; NOP }
    .text ntkrnlpa.exe!KeSetEvent + 1D1 82CC6954 8 Bytes [1C, 08, 58, 90, 74, 08, 58, ...] {SBB AL, 0x8; POP EAX; NOP ; JZ 0xe; POP EAX; NOP }
    .text ntkrnlpa.exe!KeSetEvent + 1DD 82CC6960 4 Bytes [8A, 09, 58, 90] {MOV CL, [ECX]; POP EAX; NOP }
    .text ntkrnlpa.exe!KeSetEvent + 1F5 82CC6978 4 Bytes [72, 07, 58, 90] {JB 0x9; POP EAX; NOP }
    .text ntkrnlpa.exe!KeSetEvent + 215 82CC6998 8 Bytes [C4, 08, 58, 90, C6, 07, 58, ...] {LES ECX, DWORD [EAX]; POP EAX; NOP ; MOV BYTE [EDI], 0x58; NOP }
    .text ...
    PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82DF15C7 5 Bytes JMP 90A1E2BE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ObInsertObject 82E4A4F3 5 Bytes JMP 90A1FD5C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 82E53E18 4 Bytes CALL 9057F34B \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 82E57A8C 4 Bytes CALL 9057F361 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 82EABDAE 7 Bytes JMP 90A22906 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    ? System32\drivers\lenqa.sys
     
    michaelac,
    #3
  5. 2011/06/06
    michaelac

    michaelac Inactive Thread Starter

    Joined:
    2011/06/06
    Messages:
    29
    Likes Received:
    0
    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\svchost.exe[124] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[124] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[124] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[124] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 001A03FC
    .text C:\Windows\system32\svchost.exe[124] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 001A0600
    .text C:\Windows\system32\svchost.exe[124] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 001A1014
    .text C:\Windows\system32\svchost.exe[124] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 001A0804
    .text C:\Windows\system32\svchost.exe[124] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 001A0A08
    .text C:\Windows\system32\svchost.exe[124] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 001A0C0C
    .text C:\Windows\system32\svchost.exe[124] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 001A0E10
    .text C:\Windows\system32\svchost.exe[124] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 001A01F8
    .text C:\Windows\system32\svchost.exe[124] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 00BA0600
    .text C:\Windows\system32\svchost.exe[124] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 00BA0804
    .text C:\Windows\system32\svchost.exe[124] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 00BA0A08
    .text C:\Windows\system32\svchost.exe[124] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 00BA01F8
    .text C:\Windows\system32\svchost.exe[124] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 00BA03FC
    .text C:\Windows\system32\rundll32.exe[300] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000601F8
    .text C:\Windows\system32\rundll32.exe[300] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000603FC
    .text C:\Windows\system32\rundll32.exe[300] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\rundll32.exe[300] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 000A0600
    .text C:\Windows\system32\rundll32.exe[300] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 000A0804
    .text C:\Windows\system32\rundll32.exe[300] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 000A0A08
    .text C:\Windows\system32\rundll32.exe[300] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 000A01F8
    .text C:\Windows\system32\rundll32.exe[300] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 000A03FC
    .text C:\Windows\system32\rundll32.exe[300] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000B03FC
    .text C:\Windows\system32\rundll32.exe[300] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000B0600
    .text C:\Windows\system32\rundll32.exe[300] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000B1014
    .text C:\Windows\system32\rundll32.exe[300] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000B0804
    .text C:\Windows\system32\rundll32.exe[300] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000B0A08
    .text C:\Windows\system32\rundll32.exe[300] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000B0C0C
    .text C:\Windows\system32\rundll32.exe[300] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000B0E10
    .text C:\Windows\system32\rundll32.exe[300] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000B01F8
    .text C:\Windows\system32\csrss.exe[552] KERNEL32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\wininit.exe[596] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000301F8
    .text C:\Windows\system32\wininit.exe[596] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000303FC
    .text C:\Windows\system32\wininit.exe[596] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\wininit.exe[596] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000803FC
    .text C:\Windows\system32\wininit.exe[596] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 00080600
    .text C:\Windows\system32\wininit.exe[596] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 00081014
    .text C:\Windows\system32\wininit.exe[596] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 00080804
    .text C:\Windows\system32\wininit.exe[596] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 00080A08
    .text C:\Windows\system32\wininit.exe[596] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 00080C0C
    .text C:\Windows\system32\wininit.exe[596] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 00080E10
    .text C:\Windows\system32\wininit.exe[596] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000801F8
    .text C:\Windows\system32\wininit.exe[596] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 00090600
    .text C:\Windows\system32\wininit.exe[596] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 00090804
    .text C:\Windows\system32\wininit.exe[596] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 00090A08
    .text C:\Windows\system32\wininit.exe[596] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 000901F8
    .text C:\Windows\system32\wininit.exe[596] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 000903FC
    .text C:\Windows\system32\csrss.exe[604] KERNEL32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\services.exe[640] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\services.exe[640] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\services.exe[640] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\services.exe[640] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000A03FC
    .text C:\Windows\system32\services.exe[640] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000A0600
    .text C:\Windows\system32\services.exe[640] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000A1014
    .text C:\Windows\system32\services.exe[640] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000A0804
    .text C:\Windows\system32\services.exe[640] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000A0A08
    .text C:\Windows\system32\services.exe[640] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000A0C0C
    .text C:\Windows\system32\services.exe[640] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000A0E10
    .text C:\Windows\system32\services.exe[640] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000A01F8
    .text C:\Windows\system32\services.exe[640] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 000B0600
    .text C:\Windows\system32\services.exe[640] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 000B0804
    .text C:\Windows\system32\services.exe[640] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 000B0A08
    .text C:\Windows\system32\services.exe[640] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 000B01F8
    .text C:\Windows\system32\services.exe[640] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 000B03FC
    .text C:\Windows\system32\lsass.exe[652] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\lsass.exe[652] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\lsass.exe[652] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000A03FC
    .text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000A0600
    .text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000A1014
    .text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000A0804
    .text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000A0A08
    .text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000A0C0C
    .text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000A0E10
    .text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000A01F8
    .text C:\Windows\system32\lsass.exe[652] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 000B0600
    .text C:\Windows\system32\lsass.exe[652] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 000B0804
    .text C:\Windows\system32\lsass.exe[652] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 000B0A08
    .text C:\Windows\system32\lsass.exe[652] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 000B01F8
    .text C:\Windows\system32\lsass.exe[652] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 000B03FC
    .text C:\Windows\system32\lsm.exe[660] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\lsm.exe[660] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\lsm.exe[660] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\lsm.exe[660] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000A03FC
    .text C:\Windows\system32\lsm.exe[660] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000A0600
    .text C:\Windows\system32\lsm.exe[660] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000A1014
    .text C:\Windows\system32\lsm.exe[660] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000A0804
    .text C:\Windows\system32\lsm.exe[660] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000A0A08
    .text C:\Windows\system32\lsm.exe[660] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000A0C0C
    .text C:\Windows\system32\lsm.exe[660] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000A0E10
    .text C:\Windows\system32\lsm.exe[660] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000A01F8
    .text C:\Windows\system32\lsm.exe[660] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 00B80600
    .text C:\Windows\system32\lsm.exe[660] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 00B80804
    .text C:\Windows\system32\lsm.exe[660] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 00B80A08
    .text C:\Windows\system32\lsm.exe[660] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 00B801F8
    .text C:\Windows\system32\lsm.exe[660] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 00B803FC
    .text C:\Windows\system32\winlogon.exe[688] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000301F8
    .text C:\Windows\system32\winlogon.exe[688] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000303FC
    .text C:\Windows\system32\winlogon.exe[688] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\winlogon.exe[688] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000803FC
    .text C:\Windows\system32\winlogon.exe[688] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 00080600
    .text C:\Windows\system32\winlogon.exe[688] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 00081014
    .text C:\Windows\system32\winlogon.exe[688] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 00080804
    .text C:\Windows\system32\winlogon.exe[688] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 00080A08
    .text C:\Windows\system32\winlogon.exe[688] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 00080C0C
    .text C:\Windows\system32\winlogon.exe[688] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 00080E10
    .text C:\Windows\system32\winlogon.exe[688] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000801F8
    .text C:\Windows\system32\winlogon.exe[688] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 00090600
    .text C:\Windows\system32\winlogon.exe[688] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 00090804
    .text C:\Windows\system32\winlogon.exe[688] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 00090A08
    .text C:\Windows\system32\winlogon.exe[688] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 000901F8
    .text C:\Windows\system32\winlogon.exe[688] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 000903FC
    .text C:\Windows\system32\Dwm.exe[812] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\Dwm.exe[812] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\Dwm.exe[812] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\Dwm.exe[812] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000A03FC
    .text C:\Windows\system32\Dwm.exe[812] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000A0600
    .text C:\Windows\system32\Dwm.exe[812] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000A1014
    .text C:\Windows\system32\Dwm.exe[812] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000A0804
    .text C:\Windows\system32\Dwm.exe[812] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000A0A08
    .text C:\Windows\system32\Dwm.exe[812] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000A0C0C
    .text C:\Windows\system32\Dwm.exe[812] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000A0E10
    .text C:\Windows\system32\Dwm.exe[812] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000A01F8
    .text C:\Windows\system32\Dwm.exe[812] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 000B0600
    .text C:\Windows\system32\Dwm.exe[812] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 000B0804
    .text C:\Windows\system32\Dwm.exe[812] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 000B0A08
    .text C:\Windows\system32\Dwm.exe[812] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 000B01F8
    .text C:\Windows\system32\Dwm.exe[812] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 000B03FC
    .text C:\Windows\system32\svchost.exe[844] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[844] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[844] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[844] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000A03FC
    .text C:\Windows\system32\svchost.exe[844] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000A0600
    .text C:\Windows\system32\svchost.exe[844] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000A1014
    .text C:\Windows\system32\svchost.exe[844] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000A0804
    .text C:\Windows\system32\svchost.exe[844] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000A0A08
    .text C:\Windows\system32\svchost.exe[844] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000A0C0C
    .text C:\Windows\system32\svchost.exe[844] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000A0E10
    .text C:\Windows\system32\svchost.exe[844] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000A01F8
    .text C:\Windows\system32\svchost.exe[844] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 001C0600
    .text C:\Windows\system32\svchost.exe[844] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 001C0804
    .text C:\Windows\system32\svchost.exe[844] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 001C0A08
    .text C:\Windows\system32\svchost.exe[844] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 001C01F8
    .text C:\Windows\system32\svchost.exe[844] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 001C03FC
    .text C:\Windows\system32\svchost.exe[928] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[928] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[928] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000E03FC
    .text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000E0600
    .text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000E1014
    .text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000E0804
    .text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000E0A08
    .text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000E0C0C
    .text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000E0E10
    .text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000E01F8
    .text C:\Windows\system32\svchost.exe[928] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 00130600
    .text C:\Windows\system32\svchost.exe[928] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 00130804
    .text C:\Windows\system32\svchost.exe[928] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 00130A08
    .text C:\Windows\system32\svchost.exe[928] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 001301F8
    .text C:\Windows\system32\svchost.exe[928] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 001303FC
    .text C:\Windows\Explorer.EXE[956] ntdll.dll!NtProtectVirtualMemory 77DB4B84 5 Bytes JMP 007D000A
    .text C:\Windows\Explorer.EXE[956] ntdll.dll!NtWriteVirtualMemory 77DB54C4 5 Bytes JMP 01BF000A
    .text C:\Windows\Explorer.EXE[956] ntdll.dll!KiUserExceptionDispatcher 77DB5BF8 5 Bytes JMP 007C000A
    .text C:\Windows\Explorer.EXE[956] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000E03FC
    .text C:\Windows\Explorer.EXE[956] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000E0600
    .text C:\Windows\Explorer.EXE[956] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000E1014
    .text C:\Windows\Explorer.EXE[956] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000E0804
    .text C:\Windows\Explorer.EXE[956] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000E0A08
    .text C:\Windows\Explorer.EXE[956] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000E0C0C
    .text C:\Windows\Explorer.EXE[956] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000E0E10
    .text C:\Windows\Explorer.EXE[956] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000E01F8
    .text C:\Windows\Explorer.EXE[956] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 000F0600
    .text C:\Windows\Explorer.EXE[956] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 000F0804
    .text C:\Windows\Explorer.EXE[956] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 000F0A08
    .text C:\Windows\Explorer.EXE[956] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 000F01F8
    .text C:\Windows\Explorer.EXE[956] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 000F03FC
    .text C:\Windows\Explorer.EXE[956] SHELL32.dll!SHGetFolderPathAndSubDirW + 81C5 7726B37C 4 Bytes [50, 26, 5E, 02]
    .text C:\Windows\System32\svchost.exe[972] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Windows\System32\svchost.exe[972] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Windows\System32\svchost.exe[972] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000A03FC
    .text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000A0600
    .text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000A1014
    .text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000A0804
    .text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000A0A08
    .text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000A0C0C
    .text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000A0E10
    .text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000A01F8
    .text C:\Windows\System32\svchost.exe[972] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 009C0600
    .text C:\Windows\System32\svchost.exe[972] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 009C0804
    .text C:\Windows\System32\svchost.exe[972] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 009C0A08
    .text C:\Windows\System32\svchost.exe[972] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 009C01F8
    .text C:\Windows\System32\svchost.exe[972] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 009C03FC
    .text C:\Windows\System32\svchost.exe[1068] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Windows\System32\svchost.exe[1068] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Windows\System32\svchost.exe[1068] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[1068] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000A03FC
    .text C:\Windows\System32\svchost.exe[1068] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000A0600
    .text C:\Windows\System32\svchost.exe[1068] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000A1014
    .text C:\Windows\System32\svchost.exe[1068] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000A0804
    .text C:\Windows\System32\svchost.exe[1068] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000A0A08
    .text C:\Windows\System32\svchost.exe[1068] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000A0C0C
    .text C:\Windows\System32\svchost.exe[1068] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000A0E10
    .text C:\Windows\System32\svchost.exe[1068] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000A01F8
    .text C:\Windows\System32\svchost.exe[1068] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 00930600
    .text C:\Windows\System32\svchost.exe[1068] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 00930804
    .text C:\Windows\System32\svchost.exe[1068] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 00930A08
    .text C:\Windows\System32\svchost.exe[1068] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 009301F8
    .text C:\Windows\System32\svchost.exe[1068] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 009303FC
    .text C:\Windows\System32\svchost.exe[1136] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Windows\System32\svchost.exe[1136] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Windows\System32\svchost.exe[1136] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[1136] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000A03FC
    .text C:\Windows\System32\svchost.exe[1136] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000A0600
    .text C:\Windows\System32\svchost.exe[1136] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000A1014
    .text C:\Windows\System32\svchost.exe[1136] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000A0804
    .text C:\Windows\System32\svchost.exe[1136] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000A0A08
    .text C:\Windows\System32\svchost.exe[1136] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000A0C0C
    .text C:\Windows\System32\svchost.exe[1136] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000A0E10
    .text C:\Windows\System32\svchost.exe[1136] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000A01F8
    .text C:\Windows\System32\svchost.exe[1136] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 001C0600
    .text C:\Windows\System32\svchost.exe[1136] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 001C0804
    .text C:\Windows\System32\svchost.exe[1136] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 001C0A08
    .text C:\Windows\System32\svchost.exe[1136] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 001C01F8
    .text C:\Windows\System32\svchost.exe[1136] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 001C03FC
    .text C:\Windows\system32\svchost.exe[1172] ntdll.dll!NtProtectVirtualMemory 77DB4B84 5 Bytes JMP 00B7000A
    .text C:\Windows\system32\svchost.exe[1172] ntdll.dll!NtWriteVirtualMemory 77DB54C4 5 Bytes JMP 00B8000A
    .text C:\Windows\system32\svchost.exe[1172] ntdll.dll!KiUserExceptionDispatcher 77DB5BF8 5 Bytes JMP 00B6000A
    .text C:\Windows\system32\svchost.exe[1172] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000A03FC
    .text C:\Windows\system32\svchost.exe[1172] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000A0600
    .text C:\Windows\system32\svchost.exe[1172] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000A1014
    .text C:\Windows\system32\svchost.exe[1172] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000A0804
    .text C:\Windows\system32\svchost.exe[1172] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000A0A08
    .text C:\Windows\system32\svchost.exe[1172] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000A0C0C
    .text C:\Windows\system32\svchost.exe[1172] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000A0E10
    .text C:\Windows\system32\svchost.exe[1172] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000A01F8
    .text C:\Windows\system32\svchost.exe[1172] ole32.dll!CoCreateInstance 769F9F3E 5 Bytes JMP 00D1000A
    .text C:\Windows\system32\svchost.exe[1172] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 000F0600
    .text C:\Windows\system32\svchost.exe[1172] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 000F0804
    .text C:\Windows\system32\svchost.exe[1172] USER32.dll!WindowFromPoint 770C884F 5 Bytes JMP 0134000A
    .text C:\Windows\system32\svchost.exe[1172] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 000F0A08
    .text C:\Windows\system32\svchost.exe[1172] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 000F01F8
    .text C:\Windows\system32\svchost.exe[1172] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 000F03FC
    .text C:\Windows\system32\svchost.exe[1172] USER32.dll!GetForegroundWindow 770D32C4 5 Bytes JMP 0280000A
    .text C:\Windows\system32\svchost.exe[1172] USER32.dll!GetCursorPos 770E0B88 5 Bytes JMP 0131000A
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1200] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1200] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1200] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1200] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 001A03FC
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1200] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 001A0600
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1200] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 001A1014
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1200] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 001A0804
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1200] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 001A0A08
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1200] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 001A0C0C
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1200] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 001A0E10
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1200] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 001A01F8
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1200] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 001B0600
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1200] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 001B0804
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1200] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 001B0A08
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1200] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 001B01F8
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1200] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 001B03FC
    .text C:\Windows\system32\AUDIODG.EXE[1248] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1304] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[1304] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[1304] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1304] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000A03FC
    .text C:\Windows\system32\svchost.exe[1304] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000A0600
    .text C:\Windows\system32\svchost.exe[1304] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000A1014
    .text C:\Windows\system32\svchost.exe[1304] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000A0804
    .text C:\Windows\system32\svchost.exe[1304] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000A0A08
    .text C:\Windows\system32\svchost.exe[1304] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000A0C0C
    .text C:\Windows\system32\svchost.exe[1304] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000A0E10
    .text C:\Windows\system32\svchost.exe[1304] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000A01F8
    .text C:\Windows\system32\svchost.exe[1304] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 00710600
    .text C:\Windows\system32\svchost.exe[1304] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 00710804
    .text C:\Windows\system32\svchost.exe[1304] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 00710A08
    .text C:\Windows\system32\svchost.exe[1304] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 007101F8
    .text C:\Windows\system32\svchost.exe[1304] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 007103FC
    .text C:\Windows\system32\SLsvc.exe[1328] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1368] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[1368] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[1368] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1368] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000A03FC
    .text C:\Windows\system32\svchost.exe[1368] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000A0600
    .text C:\Windows\system32\svchost.exe[1368] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000A1014
    .text C:\Windows\system32\svchost.exe[1368] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000A0804
    .text C:\Windows\system32\svchost.exe[1368] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000A0A08
    .text C:\Windows\system32\svchost.exe[1368] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000A0C0C
    .text C:\Windows\system32\svchost.exe[1368] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000A0E10
    .text C:\Windows\system32\svchost.exe[1368] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000A01F8
    .text C:\Windows\system32\svchost.exe[1368] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 00280600
    .text C:\Windows\system32\svchost.exe[1368] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 00280804
    .text C:\Windows\system32\svchost.exe[1368] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 00280A08
    .text C:\Windows\system32\svchost.exe[1368] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 002801F8
    .text C:\Windows\system32\svchost.exe[1368] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 002803FC
    .text C:\Windows\system32\vfsFPService.exe[1496] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 001501F8
    .text C:\Windows\system32\vfsFPService.exe[1496] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 001503FC
    .text C:\Windows\system32\vfsFPService.exe[1496] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\vfsFPService.exe[1496] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 002A0600
    .text C:\Windows\system32\vfsFPService.exe[1496] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 002A0804
    .text C:\Windows\system32\vfsFPService.exe[1496] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 002A0A08
    .text C:\Windows\system32\vfsFPService.exe[1496] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 002A01F8
    .text C:\Windows\system32\vfsFPService.exe[1496] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 002A03FC
    .text C:\Windows\system32\vfsFPService.exe[1496] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 002B03FC
    .text C:\Windows\system32\vfsFPService.exe[1496] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 002B0600
    .text C:\Windows\system32\vfsFPService.exe[1496] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 002B1014
    .text C:\Windows\system32\vfsFPService.exe[1496] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 002B0804
    .text C:\Windows\system32\vfsFPService.exe[1496] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 002B0A08
    .text C:\Windows\system32\vfsFPService.exe[1496] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 002B0C0C
    .text C:\Windows\system32\vfsFPService.exe[1496] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 002B0E10
     
    Last edited: 2011/06/06
    michaelac,
    #4
  6. 2011/06/06
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Welcome to WindowsBBS :)

    As a new member with less than X posts any post you make which contains a URL requires approval (moderation) before it is visible.

    Keep the logs coming :)
     
    PeteC,
    #5
  7. 2011/06/06
    michaelac

    michaelac Inactive Thread Starter

    Joined:
    2011/06/06
    Messages:
    29
    Likes Received:
    0
    .text C:\Windows\system32\vfsFPService.exe[1496] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 002B01F8
    .text C:\Windows\system32\svchost.exe[1548] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[1548] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1548] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000A03FC
    .text C:\Windows\system32\svchost.exe[1548] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000A0600
    .text C:\Windows\system32\svchost.exe[1548] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000A1014
    .text C:\Windows\system32\svchost.exe[1548] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000A0804
    .text C:\Windows\system32\svchost.exe[1548] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000A0A08
    .text C:\Windows\system32\svchost.exe[1548] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000A0C0C
    .text C:\Windows\system32\svchost.exe[1548] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000A0E10
    .text C:\Windows\system32\svchost.exe[1548] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000A01F8
    .text C:\Windows\system32\svchost.exe[1548] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 00A10600
    .text C:\Windows\system32\svchost.exe[1548] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 00A10804
    .text C:\Windows\system32\svchost.exe[1548] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 00A10A08
    .text C:\Windows\system32\svchost.exe[1548] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 00A101F8
    .text C:\Windows\system32\svchost.exe[1548] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 00A103FC
    .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1664] kernel32.dll!SetUnhandledExceptionFilter 768EA84F 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
    .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1664] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\System32\spoolsv.exe[2004] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Windows\System32\spoolsv.exe[2004] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Windows\System32\spoolsv.exe[2004] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\System32\spoolsv.exe[2004] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000A03FC
    .text C:\Windows\System32\spoolsv.exe[2004] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000A0600
    .text C:\Windows\System32\spoolsv.exe[2004] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000A1014
    .text C:\Windows\System32\spoolsv.exe[2004] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000A0804
    .text C:\Windows\System32\spoolsv.exe[2004] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000A0A08
    .text C:\Windows\System32\spoolsv.exe[2004] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000A0C0C
    .text C:\Windows\System32\spoolsv.exe[2004] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000A0E10
    .text C:\Windows\System32\spoolsv.exe[2004] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000A01F8
    .text C:\Windows\System32\spoolsv.exe[2004] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 00200600
    .text C:\Windows\System32\spoolsv.exe[2004] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 00200804
    .text C:\Windows\System32\spoolsv.exe[2004] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 00200A08
    .text C:\Windows\System32\spoolsv.exe[2004] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 002001F8
    .text C:\Windows\System32\spoolsv.exe[2004] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 002003FC
    .text C:\Windows\system32\taskeng.exe[2012] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\taskeng.exe[2012] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\taskeng.exe[2012] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\taskeng.exe[2012] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000A03FC
    .text C:\Windows\system32\taskeng.exe[2012] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000A0600
    .text C:\Windows\system32\taskeng.exe[2012] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000A1014
    .text C:\Windows\system32\taskeng.exe[2012] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000A0804
    .text C:\Windows\system32\taskeng.exe[2012] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000A0A08
    .text C:\Windows\system32\taskeng.exe[2012] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000A0C0C
    .text C:\Windows\system32\taskeng.exe[2012] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000A0E10
    .text C:\Windows\system32\taskeng.exe[2012] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000A01F8
    .text C:\Windows\system32\taskeng.exe[2012] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 000B0600
    .text C:\Windows\system32\taskeng.exe[2012] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 000B0804
    .text C:\Windows\system32\taskeng.exe[2012] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 000B0A08
    .text C:\Windows\system32\taskeng.exe[2012] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 000B01F8
    .text C:\Windows\system32\taskeng.exe[2012] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 000B03FC
    .text C:\Windows\system32\taskeng.exe[2052] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\taskeng.exe[2052] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\taskeng.exe[2052] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\taskeng.exe[2052] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 008F03FC
    .text C:\Windows\system32\taskeng.exe[2052] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 008F0600
    .text C:\Windows\system32\taskeng.exe[2052] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 008F1014
    .text C:\Windows\system32\taskeng.exe[2052] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 008F0804
    .text C:\Windows\system32\taskeng.exe[2052] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 008F0A08
    .text C:\Windows\system32\taskeng.exe[2052] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 008F0C0C
    .text C:\Windows\system32\taskeng.exe[2052] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 008F0E10
    .text C:\Windows\system32\taskeng.exe[2052] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 008F01F8
    .text C:\Windows\system32\taskeng.exe[2052] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 00900600
    .text C:\Windows\system32\taskeng.exe[2052] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 00900804
    .text C:\Windows\system32\taskeng.exe[2052] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 00900A08
    .text C:\Windows\system32\taskeng.exe[2052] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 009001F8
    .text C:\Windows\system32\taskeng.exe[2052] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 009003FC
    .text C:\Program Files\Windows Defender\MSASCui.exe[2256] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Program Files\Windows Defender\MSASCui.exe[2256] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Program Files\Windows Defender\MSASCui.exe[2256] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\Windows Defender\MSASCui.exe[2256] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000A03FC
    .text C:\Program Files\Windows Defender\MSASCui.exe[2256] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000A0600
    .text C:\Program Files\Windows Defender\MSASCui.exe[2256] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000A1014
    .text C:\Program Files\Windows Defender\MSASCui.exe[2256] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000A0804
    .text C:\Program Files\Windows Defender\MSASCui.exe[2256] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000A0A08
    .text C:\Program Files\Windows Defender\MSASCui.exe[2256] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000A0C0C
    .text C:\Program Files\Windows Defender\MSASCui.exe[2256] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000A0E10
    .text C:\Program Files\Windows Defender\MSASCui.exe[2256] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000A01F8
    .text C:\Program Files\Windows Defender\MSASCui.exe[2256] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 000B0600
    .text C:\Program Files\Windows Defender\MSASCui.exe[2256] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 000B0804
    .text C:\Program Files\Windows Defender\MSASCui.exe[2256] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 000B0A08
    .text C:\Program Files\Windows Defender\MSASCui.exe[2256] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 000B01F8
    .text C:\Program Files\Windows Defender\MSASCui.exe[2256] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 000B03FC
    .text C:\Windows\RtHDVCpl.exe[2268] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 001501F8
    .text C:\Windows\RtHDVCpl.exe[2268] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 001503FC
    .text C:\Windows\RtHDVCpl.exe[2268] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\RtHDVCpl.exe[2268] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 001A03FC
    .text C:\Windows\RtHDVCpl.exe[2268] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 001A0600
    .text C:\Windows\RtHDVCpl.exe[2268] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 001A1014
    .text C:\Windows\RtHDVCpl.exe[2268] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 001A0804
    .text C:\Windows\RtHDVCpl.exe[2268] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 001A0A08
    .text C:\Windows\RtHDVCpl.exe[2268] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 001A0C0C
    .text C:\Windows\RtHDVCpl.exe[2268] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 001A0E10
    .text C:\Windows\RtHDVCpl.exe[2268] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 001A01F8
    .text C:\Windows\RtHDVCpl.exe[2268] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 001B0600
    .text C:\Windows\RtHDVCpl.exe[2268] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 001B0804
    .text C:\Windows\RtHDVCpl.exe[2268] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 001B0A08
    .text C:\Windows\RtHDVCpl.exe[2268] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 001B01F8
    .text C:\Windows\RtHDVCpl.exe[2268] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 001B03FC
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2288] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 001401F8
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2288] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 001403FC
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2288] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2288] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 00190600
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2288] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 00190804
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2288] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 00190A08
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2288] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 001901F8
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2288] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 001903FC
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2288] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 001A03FC
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2288] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 001A0600
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2288] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 001A1014
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2288] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 001A0804
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2288] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 001A0A08
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2288] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 001A0C0C
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2288] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 001A0E10
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2288] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 001A01F8
    .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[2304] KERNEL32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2324] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 001501F8
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2324] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 001503FC
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2324] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2324] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 00C503FC
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2324] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 00C50600
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2324] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 00C51014
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2324] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 00C50804
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2324] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 00C50A08
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2324] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 00C50C0C
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2324] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 00C50E10
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2324] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 00C501F8
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2324] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 00C60600
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2324] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 00C60804
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2324] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 00C60A08
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2324] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 00C601F8
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2324] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 00C603FC
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2472] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 001401F8
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2472] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 001403FC
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2472] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2472] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 00190600
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2472] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 00190804
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2472] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 00190A08
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2472] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 001901F8
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2472] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 001903FC
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2472] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 001A03FC
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2472] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 001A0600
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2472] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 001A1014
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2472] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 001A0804
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2472] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 001A0A08
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2472] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 001A0C0C
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2472] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 001A0E10
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2472] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 001A01F8
    .text C:\Windows\PLFSetI.exe[2528] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 001401F8
    .text C:\Windows\PLFSetI.exe[2528] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 001403FC
    .text C:\Windows\PLFSetI.exe[2528] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\PLFSetI.exe[2528] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 00190600
    .text C:\Windows\PLFSetI.exe[2528] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 00190804
    .text C:\Windows\PLFSetI.exe[2528] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 00190A08
    .text C:\Windows\PLFSetI.exe[2528] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 001901F8
    .text C:\Windows\PLFSetI.exe[2528] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 001903FC
    .text C:\Windows\PLFSetI.exe[2528] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 001A03FC
    .text C:\Windows\PLFSetI.exe[2528] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 001A0600
    .text C:\Windows\PLFSetI.exe[2528] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 001A1014
    .text C:\Windows\PLFSetI.exe[2528] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 001A0804
    .text C:\Windows\PLFSetI.exe[2528] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 001A0A08
    .text C:\Windows\PLFSetI.exe[2528] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 001A0C0C
    .text C:\Windows\PLFSetI.exe[2528] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 001A0E10
    .text C:\Windows\PLFSetI.exe[2528] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 001A01F8
    .text C:\Windows\system32\wbem\unsecapp.exe[2664] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\wbem\unsecapp.exe[2664] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\wbem\unsecapp.exe[2664] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\wbem\unsecapp.exe[2664] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000A03FC
    .text C:\Windows\system32\wbem\unsecapp.exe[2664] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000A0600
    .text C:\Windows\system32\wbem\unsecapp.exe[2664] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000A1014
    .text C:\Windows\system32\wbem\unsecapp.exe[2664] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000A0804
    .text C:\Windows\system32\wbem\unsecapp.exe[2664] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000A0A08
    .text C:\Windows\system32\wbem\unsecapp.exe[2664] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000A0C0C
    .text C:\Windows\system32\wbem\unsecapp.exe[2664] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000A0E10
    .text C:\Windows\system32\wbem\unsecapp.exe[2664] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000A01F8
    .text C:\Windows\system32\wbem\unsecapp.exe[2664] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 000B0600
    .text C:\Windows\system32\wbem\unsecapp.exe[2664] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 000B0804
    .text C:\Windows\system32\wbem\unsecapp.exe[2664] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 000B0A08
    .text C:\Windows\system32\wbem\unsecapp.exe[2664] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 000B01F8
    .text C:\Windows\system32\wbem\unsecapp.exe[2664] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 000B03FC
    .text C:\Windows\System32\hkcmd.exe[2668] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 001501F8
    .text C:\Windows\System32\hkcmd.exe[2668] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 001503FC
    .text C:\Windows\System32\hkcmd.exe[2668] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\System32\hkcmd.exe[2668] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 002B0600
    .text C:\Windows\System32\hkcmd.exe[2668] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 002B0804
    .text C:\Windows\System32\hkcmd.exe[2668] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 002B0A08
    .text C:\Windows\System32\hkcmd.exe[2668] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 002B01F8
    .text C:\Windows\System32\hkcmd.exe[2668] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 002B03FC
    .text C:\Windows\System32\hkcmd.exe[2668] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 002C03FC
    .text C:\Windows\System32\hkcmd.exe[2668] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 002C0600
    .text C:\Windows\System32\hkcmd.exe[2668] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 002C1014
    .text C:\Windows\System32\hkcmd.exe[2668] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 002C0804
    .text C:\Windows\System32\hkcmd.exe[2668] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 002C0A08
    .text C:\Windows\System32\hkcmd.exe[2668] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 002C0C0C
    .text C:\Windows\System32\hkcmd.exe[2668] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 002C0E10
    .text C:\Windows\System32\hkcmd.exe[2668] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 002C01F8
    .text C:\Windows\system32\wbem\wmiprvse.exe[2692] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000901F8
    .text C:\Windows\system32\wbem\wmiprvse.exe[2692] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000903FC
    .text C:\Windows\system32\wbem\wmiprvse.exe[2692] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\wbem\wmiprvse.exe[2692] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000E03FC
    .text C:\Windows\system32\wbem\wmiprvse.exe[2692] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000E0600
    .text C:\Windows\system32\wbem\wmiprvse.exe[2692] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000E1014
    .text C:\Windows\system32\wbem\wmiprvse.exe[2692] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000E0804
    .text C:\Windows\system32\wbem\wmiprvse.exe[2692] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000E0A08
    .text C:\Windows\system32\wbem\wmiprvse.exe[2692] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000E0C0C
    .text C:\Windows\system32\wbem\wmiprvse.exe[2692] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000E0E10
    .text C:\Windows\system32\wbem\wmiprvse.exe[2692] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000E01F8
    .text C:\Windows\system32\wbem\wmiprvse.exe[2692] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 000F0600
    .text C:\Windows\system32\wbem\wmiprvse.exe[2692] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 000F0804
    .text C:\Windows\system32\wbem\wmiprvse.exe[2692] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 000F0A08
    .text C:\Windows\system32\wbem\wmiprvse.exe[2692] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 000F01F8
    .text C:\Windows\system32\wbem\wmiprvse.exe[2692] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 000F03FC
    .text C:\Windows\System32\igfxpers.exe[2720] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 001501F8
    .text C:\Windows\System32\igfxpers.exe[2720] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 001503FC
    .text C:\Windows\System32\igfxpers.exe[2720] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\System32\igfxpers.exe[2720] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 002A0600
    .text C:\Windows\System32\igfxpers.exe[2720] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 002A0804
    .text C:\Windows\System32\igfxpers.exe[2720] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 002A0A08
    .text C:\Windows\System32\igfxpers.exe[2720] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 002A01F8
    .text C:\Windows\System32\igfxpers.exe[2720] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 002A03FC
    .text C:\Windows\System32\igfxpers.exe[2720] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 002B03FC
    .text C:\Windows\System32\igfxpers.exe[2720] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 002B0600
    .text C:\Windows\System32\igfxpers.exe[2720] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 002B1014
    .text C:\Windows\System32\igfxpers.exe[2720] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 002B0804
    .text C:\Windows\System32\igfxpers.exe[2720] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 002B0A08
    .text C:\Windows\System32\igfxpers.exe[2720] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 002B0C0C
    .text C:\Windows\System32\igfxpers.exe[2720] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 002B0E10
    .text C:\Windows\System32\igfxpers.exe[2720] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 002B01F8
    .text C:\Windows\system32\igfxsrvc.exe[2772] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 001501F8
    .text C:\Windows\system32\igfxsrvc.exe[2772] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 001503FC
    .text C:\Windows\system32\igfxsrvc.exe[2772] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\igfxsrvc.exe[2772] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 001A0600
    .text C:\Windows\system32\igfxsrvc.exe[2772] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 001A0804
    .text C:\Windows\system32\igfxsrvc.exe[2772] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 001A0A08
    .text C:\Windows\system32\igfxsrvc.exe[2772] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 001A01F8
    .text C:\Windows\system32\igfxsrvc.exe[2772] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 001A03FC
    .text C:\Windows\system32\igfxsrvc.exe[2772] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 001B03FC
    .text C:\Windows\system32\igfxsrvc.exe[2772] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 001B0600
    .text C:\Windows\system32\igfxsrvc.exe[2772] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 001B1014
    .text C:\Windows\system32\igfxsrvc.exe[2772] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 001B0804
    .text C:\Windows\system32\igfxsrvc.exe[2772] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 001B0A08
    .text C:\Windows\system32\igfxsrvc.exe[2772] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 001B0C0C
    .text C:\Windows\system32\igfxsrvc.exe[2772] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 001B0E10
    .text C:\Windows\system32\igfxsrvc.exe[2772] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 001B01F8
    .text C:\Windows\system32\agrsmsvc.exe[2820] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000801F8
    .text C:\Windows\system32\agrsmsvc.exe[2820] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000803FC
     
    michaelac,
    #6
  8. 2011/06/06
    michaelac

    michaelac Inactive Thread Starter

    Joined:
    2011/06/06
    Messages:
    29
    Likes Received:
    0
    .text C:\Windows\system32\agrsmsvc.exe[2820] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\agrsmsvc.exe[2820] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000D03FC
    .text C:\Windows\system32\agrsmsvc.exe[2820] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000D0600
    .text C:\Windows\system32\agrsmsvc.exe[2820] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000D1014
    .text C:\Windows\system32\agrsmsvc.exe[2820] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000D0804
    .text C:\Windows\system32\agrsmsvc.exe[2820] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000D0A08
    .text C:\Windows\system32\agrsmsvc.exe[2820] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000D0C0C
    .text C:\Windows\system32\agrsmsvc.exe[2820] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000D0E10
    .text C:\Windows\system32\agrsmsvc.exe[2820] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000D01F8
    .text C:\Windows\system32\agrsmsvc.exe[2820] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 000E0600
    .text C:\Windows\system32\agrsmsvc.exe[2820] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 000E0804
    .text C:\Windows\system32\agrsmsvc.exe[2820] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 000E0A08
    .text C:\Windows\system32\agrsmsvc.exe[2820] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 000E01F8
    .text C:\Windows\system32\agrsmsvc.exe[2820] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 000E03FC
    .text C:\Program Files\Bonjour\mDNSResponder.exe[2880] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Program Files\Bonjour\mDNSResponder.exe[2880] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Program Files\Bonjour\mDNSResponder.exe[2880] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[2880] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000A03FC
    .text C:\Program Files\Bonjour\mDNSResponder.exe[2880] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000A0600
    .text C:\Program Files\Bonjour\mDNSResponder.exe[2880] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000A1014
    .text C:\Program Files\Bonjour\mDNSResponder.exe[2880] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000A0804
    .text C:\Program Files\Bonjour\mDNSResponder.exe[2880] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000A0A08
    .text C:\Program Files\Bonjour\mDNSResponder.exe[2880] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000A0C0C
    .text C:\Program Files\Bonjour\mDNSResponder.exe[2880] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000A0E10
    .text C:\Program Files\Bonjour\mDNSResponder.exe[2880] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000A01F8
    .text C:\Program Files\Bonjour\mDNSResponder.exe[2880] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 000B0600
    .text C:\Program Files\Bonjour\mDNSResponder.exe[2880] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 000B0804
    .text C:\Program Files\Bonjour\mDNSResponder.exe[2880] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 000B0A08
    .text C:\Program Files\Bonjour\mDNSResponder.exe[2880] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 000B01F8
    .text C:\Program Files\Bonjour\mDNSResponder.exe[2880] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 000B03FC
    .text C:\Windows\system32\wbem\unsecapp.exe[2892] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\wbem\unsecapp.exe[2892] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\wbem\unsecapp.exe[2892] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\wbem\unsecapp.exe[2892] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 001A03FC
    .text C:\Windows\system32\wbem\unsecapp.exe[2892] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 001A0600
    .text C:\Windows\system32\wbem\unsecapp.exe[2892] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 001A1014
    .text C:\Windows\system32\wbem\unsecapp.exe[2892] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 001A0804
    .text C:\Windows\system32\wbem\unsecapp.exe[2892] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 001A0A08
    .text C:\Windows\system32\wbem\unsecapp.exe[2892] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 001A0C0C
    .text C:\Windows\system32\wbem\unsecapp.exe[2892] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 001A0E10
    .text C:\Windows\system32\wbem\unsecapp.exe[2892] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 001A01F8
    .text C:\Windows\system32\wbem\unsecapp.exe[2892] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 001B0600
    .text C:\Windows\system32\wbem\unsecapp.exe[2892] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 001B0804
    .text C:\Windows\system32\wbem\unsecapp.exe[2892] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 001B0A08
    .text C:\Windows\system32\wbem\unsecapp.exe[2892] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 001B01F8
    .text C:\Windows\system32\wbem\unsecapp.exe[2892] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 001B03FC
    .text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[2916] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[2928] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[2928] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[2928] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[2928] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000A03FC
    .text C:\Windows\system32\svchost.exe[2928] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000A0600
    .text C:\Windows\system32\svchost.exe[2928] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000A1014
    .text C:\Windows\system32\svchost.exe[2928] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000A0804
    .text C:\Windows\system32\svchost.exe[2928] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000A0A08
    .text C:\Windows\system32\svchost.exe[2928] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000A0C0C
    .text C:\Windows\system32\svchost.exe[2928] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000A0E10
    .text C:\Windows\system32\svchost.exe[2928] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000A01F8
    .text C:\Windows\system32\svchost.exe[2928] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 00310600
    .text C:\Windows\system32\svchost.exe[2928] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 00310804
    .text C:\Windows\system32\svchost.exe[2928] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 00310A08
    .text C:\Windows\system32\svchost.exe[2928] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 003101F8
    .text C:\Windows\system32\svchost.exe[2928] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 003103FC
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe[2968] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 001401F8
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe[2968] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 001403FC
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe[2968] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe[2968] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 001903FC
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe[2968] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 00190600
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe[2968] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 00191014
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe[2968] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 00190804
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe[2968] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 00190A08
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe[2968] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 00190C0C
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe[2968] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 00190E10
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe[2968] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 001901F8
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe[2968] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 001A0600
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe[2968] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 001A0804
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe[2968] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 001A0A08
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe[2968] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 001A01F8
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe[2968] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 001A03FC
    .text C:\Users\George\AppData\Local\Temp\RtkBtMnt.exe[3048] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 001501F8
    .text C:\Users\George\AppData\Local\Temp\RtkBtMnt.exe[3048] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 001503FC
    .text C:\Users\George\AppData\Local\Temp\RtkBtMnt.exe[3048] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Users\George\AppData\Local\Temp\RtkBtMnt.exe[3048] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 001A03FC
    .text C:\Users\George\AppData\Local\Temp\RtkBtMnt.exe[3048] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 001A0600
    .text C:\Users\George\AppData\Local\Temp\RtkBtMnt.exe[3048] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 001A1014
    .text C:\Users\George\AppData\Local\Temp\RtkBtMnt.exe[3048] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 001A0804
    .text C:\Users\George\AppData\Local\Temp\RtkBtMnt.exe[3048] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 001A0A08
    .text C:\Users\George\AppData\Local\Temp\RtkBtMnt.exe[3048] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 001A0C0C
    .text C:\Users\George\AppData\Local\Temp\RtkBtMnt.exe[3048] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 001A0E10
    .text C:\Users\George\AppData\Local\Temp\RtkBtMnt.exe[3048] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 001A01F8
    .text C:\Users\George\AppData\Local\Temp\RtkBtMnt.exe[3048] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 001B0600
    .text C:\Users\George\AppData\Local\Temp\RtkBtMnt.exe[3048] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 001B0804
    .text C:\Users\George\AppData\Local\Temp\RtkBtMnt.exe[3048] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 001B0A08
    .text C:\Users\George\AppData\Local\Temp\RtkBtMnt.exe[3048] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 001B01F8
    .text C:\Users\George\AppData\Local\Temp\RtkBtMnt.exe[3048] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 001B03FC
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3060] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000401F8
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3060] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000403FC
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3060] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3060] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000903FC
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3060] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 00090600
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3060] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 00091014
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3060] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 00090804
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3060] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 00090A08
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3060] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 00090C0C
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3060] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 00090E10
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3060] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000901F8
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3060] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 000A0600
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3060] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 000A0804
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3060] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 000A0A08
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3060] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 000A01F8
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3060] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 000A03FC
    .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3092] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 001601F8
    .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3092] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 001603FC
    .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3092] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3092] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 001A0600
    .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3092] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 001A0804
    .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3092] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 001A0A08
    .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3092] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 001A01F8
    .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3092] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 001A03FC
    .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3092] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 001B03FC
    .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3092] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 001B0600
    .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3092] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 001B1014
    .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3092] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 001B0804
    .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3092] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 001B0A08
    .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3092] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 001B0C0C
    .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3092] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 001B0E10
    .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3092] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 001B01F8
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[3100] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 001501F8
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[3100] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 001503FC
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[3100] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[3100] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 001A03FC
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[3100] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 001A0600
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[3100] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 001A1014
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[3100] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 001A0804
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[3100] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 001A0A08
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[3100] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 001A0C0C
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[3100] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 001A0E10
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[3100] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 001A01F8
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[3100] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 001B0600
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[3100] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 001B0804
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[3100] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 001B0A08
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[3100] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 001B01F8
    .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[3100] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 001B03FC
    .text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[3232] KERNEL32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3312] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 001501F8
    .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3312] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 001503FC
    .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3312] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3312] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 003C03FC
    .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3312] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 003C0600
    .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3312] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 003C1014
    .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3312] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 003C0804
    .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3312] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 003C0A08
    .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3312] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 003C0C0C
    .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3312] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 003C0E10
    .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3312] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 003C01F8
    .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3312] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 003D0600
    .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3312] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 003D0804
    .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3312] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 003D0A08
    .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3312] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 003D01F8
    .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3312] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 003D03FC
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3432] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 001401F8
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3432] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 001403FC
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3432] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3432] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 00190600
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3432] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 00190804
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3432] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 00190A08
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3432] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 001901F8
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3432] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 001903FC
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3432] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 001A03FC
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3432] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 001A0600
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3432] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 001A1014
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3432] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 001A0804
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3432] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 001A0A08
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3432] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 001A0C0C
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3432] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 001A0E10
    .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3432] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 001A01F8
    .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[3512] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 001501F8
    .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[3512] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 001503FC
    .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[3512] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[3512] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 001A0600
    .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[3512] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 001A0804
    .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[3512] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 001A0A08
    .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[3512] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 001A01F8
    .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[3512] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 001A03FC
    .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[3512] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 001B03FC
    .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[3512] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 001B0600
    .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[3512] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 001B1014
    .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[3512] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 001B0804
    .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[3512] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 001B0A08
    .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[3512] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 001B0C0C
    .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[3512] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 001B0E10
    .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[3512] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 001B01F8
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3580] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 001501F8
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3580] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 001503FC
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3580] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3580] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 001C0600
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3580] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 001C0804
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3580] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 001C0A08
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3580] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 001C01F8
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3580] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 001C03FC
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3580] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 001D03FC
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3580] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 001D0600
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3580] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 001D1014
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3580] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 001D0804
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3580] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 001D0A08
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3580] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 001D0C0C
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3580] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 001D0E10
    .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3580] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 001D01F8
    .text C:\Acer\Mobility Center\MobilityService.exe[3628] KERNEL32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[3660] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 001501F8
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[3660] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 001503FC
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[3660] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[3660] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 002B03FC
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[3660] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 002B0600
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[3660] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 002B1014
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[3660] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 002B0804
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[3660] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 002B0A08
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[3660] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 002B0C0C
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[3660] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 002B0E10
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[3660] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 002B01F8
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[3660] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 002C0600
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[3660] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 002C0804
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[3660] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 002C0A08
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[3660] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 002C01F8
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe[3660] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 002C03FC
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[3768] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 001401F8
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[3768] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 001403FC
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[3768] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[3768] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 00190600
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[3768] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 00190804
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[3768] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 00190A08
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[3768] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 001901F8
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[3768] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 001903FC
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[3768] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 001A03FC
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[3768] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 001A0600
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[3768] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 001A1014
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[3768] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 001A0804
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[3768] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 001A0A08
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[3768] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 001A0C0C
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[3768] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 001A0E10
    .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[3768] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 001A01F8
    .text C:\Windows\system32\svchost.exe[3812] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000901F8
     
    michaelac,
    #7
  9. 2011/06/06
    michaelac

    michaelac Inactive Thread Starter

    Joined:
    2011/06/06
    Messages:
    29
    Likes Received:
    0
    .text C:\Windows\system32\svchost.exe[3812] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000903FC
    .text C:\Windows\system32\svchost.exe[3812] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[3812] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000E03FC
    .text C:\Windows\system32\svchost.exe[3812] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000E0600
    .text C:\Windows\system32\svchost.exe[3812] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000E1014
    .text C:\Windows\system32\svchost.exe[3812] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000E0804
    .text C:\Windows\system32\svchost.exe[3812] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000E0A08
    .text C:\Windows\system32\svchost.exe[3812] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000E0C0C
    .text C:\Windows\system32\svchost.exe[3812] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000E0E10
    .text C:\Windows\system32\svchost.exe[3812] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000E01F8
    .text C:\Windows\system32\svchost.exe[3812] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 00220600
    .text C:\Windows\system32\svchost.exe[3812] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 00220804
    .text C:\Windows\system32\svchost.exe[3812] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 00220A08
    .text C:\Windows\system32\svchost.exe[3812] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 002201F8
    .text C:\Windows\system32\svchost.exe[3812] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 002203FC
    .text C:\Program Files\Cyberlink\Shared files\RichVideo.exe[3848] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 001501F8
    .text C:\Program Files\Cyberlink\Shared files\RichVideo.exe[3848] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 001503FC
    .text C:\Program Files\Cyberlink\Shared files\RichVideo.exe[3848] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\Cyberlink\Shared files\RichVideo.exe[3848] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 001A0600
    .text C:\Program Files\Cyberlink\Shared files\RichVideo.exe[3848] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 001A0804
    .text C:\Program Files\Cyberlink\Shared files\RichVideo.exe[3848] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 001A0A08
    .text C:\Program Files\Cyberlink\Shared files\RichVideo.exe[3848] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 001A01F8
    .text C:\Program Files\Cyberlink\Shared files\RichVideo.exe[3848] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 001A03FC
    .text C:\Program Files\Cyberlink\Shared files\RichVideo.exe[3848] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 001B03FC
    .text C:\Program Files\Cyberlink\Shared files\RichVideo.exe[3848] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 001B0600
    .text C:\Program Files\Cyberlink\Shared files\RichVideo.exe[3848] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 001B1014
    .text C:\Program Files\Cyberlink\Shared files\RichVideo.exe[3848] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 001B0804
    .text C:\Program Files\Cyberlink\Shared files\RichVideo.exe[3848] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 001B0A08
    .text C:\Program Files\Cyberlink\Shared files\RichVideo.exe[3848] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 001B0C0C
    .text C:\Program Files\Cyberlink\Shared files\RichVideo.exe[3848] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 001B0E10
    .text C:\Program Files\Cyberlink\Shared files\RichVideo.exe[3848] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 001B01F8
    .text C:\Program Files\Acer\Acer VCM\RS_Service.exe[3872] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 001501F8
    .text C:\Program Files\Acer\Acer VCM\RS_Service.exe[3872] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 001503FC
    .text C:\Program Files\Acer\Acer VCM\RS_Service.exe[3872] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\Acer\Acer VCM\RS_Service.exe[3872] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 001A03FC
    .text C:\Program Files\Acer\Acer VCM\RS_Service.exe[3872] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 001A0600
    .text C:\Program Files\Acer\Acer VCM\RS_Service.exe[3872] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 001A1014
    .text C:\Program Files\Acer\Acer VCM\RS_Service.exe[3872] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 001A0804
    .text C:\Program Files\Acer\Acer VCM\RS_Service.exe[3872] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 001A0A08
    .text C:\Program Files\Acer\Acer VCM\RS_Service.exe[3872] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 001A0C0C
    .text C:\Program Files\Acer\Acer VCM\RS_Service.exe[3872] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 001A0E10
    .text C:\Program Files\Acer\Acer VCM\RS_Service.exe[3872] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 001A01F8
    .text C:\Program Files\Acer\Acer VCM\RS_Service.exe[3872] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 00370600
    .text C:\Program Files\Acer\Acer VCM\RS_Service.exe[3872] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 00370804
    .text C:\Program Files\Acer\Acer VCM\RS_Service.exe[3872] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 00370A08
    .text C:\Program Files\Acer\Acer VCM\RS_Service.exe[3872] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 003701F8
    .text C:\Program Files\Acer\Acer VCM\RS_Service.exe[3872] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 003703FC
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[3896] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[3896] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[3896] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[3896] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000A03FC
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[3896] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000A0600
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[3896] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000A1014
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[3896] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000A0804
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[3896] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000A0A08
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[3896] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000A0C0C
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[3896] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000A0E10
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[3896] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000A01F8
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[3896] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 000B0600
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[3896] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 000B0804
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[3896] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 000B0A08
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[3896] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 000B01F8
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[3896] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 000B03FC
    .text C:\Windows\system32\svchost.exe[3932] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000901F8
    .text C:\Windows\system32\svchost.exe[3932] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000903FC
    .text C:\Windows\system32\svchost.exe[3932] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[3932] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000E03FC
    .text C:\Windows\system32\svchost.exe[3932] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000E0600
    .text C:\Windows\system32\svchost.exe[3932] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000E1014
    .text C:\Windows\system32\svchost.exe[3932] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000E0804
    .text C:\Windows\system32\svchost.exe[3932] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000E0A08
    .text C:\Windows\system32\svchost.exe[3932] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000E0C0C
    .text C:\Windows\system32\svchost.exe[3932] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000E0E10
    .text C:\Windows\system32\svchost.exe[3932] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000E01F8
    .text C:\Windows\system32\svchost.exe[3932] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 00A00600
    .text C:\Windows\system32\svchost.exe[3932] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 00A00804
    .text C:\Windows\system32\svchost.exe[3932] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 00A00A08
    .text C:\Windows\system32\svchost.exe[3932] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 00A001F8
    .text C:\Windows\system32\svchost.exe[3932] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 00A003FC
    .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3984] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3984] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3984] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3984] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000A03FC
    .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3984] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000A0600
    .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3984] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000A1014
    .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3984] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000A0804
    .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3984] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000A0A08
    .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3984] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000A0C0C
    .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3984] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000A0E10
    .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3984] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000A01F8
    .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3984] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 000B0600
    .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3984] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 000B0804
    .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3984] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 000B0A08
    .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3984] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 000B01F8
    .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3984] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 000B03FC
    .text C:\Windows\System32\svchost.exe[3996] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Windows\System32\svchost.exe[3996] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Windows\System32\svchost.exe[3996] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[3996] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000A03FC
    .text C:\Windows\System32\svchost.exe[3996] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000A0600
    .text C:\Windows\System32\svchost.exe[3996] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000A1014
    .text C:\Windows\System32\svchost.exe[3996] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000A0804
    .text C:\Windows\System32\svchost.exe[3996] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000A0A08
    .text C:\Windows\System32\svchost.exe[3996] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000A0C0C
    .text C:\Windows\System32\svchost.exe[3996] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000A0E10
    .text C:\Windows\System32\svchost.exe[3996] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000A01F8
    .text C:\Windows\System32\svchost.exe[3996] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 00100600
    .text C:\Windows\System32\svchost.exe[3996] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 00100804
    .text C:\Windows\System32\svchost.exe[3996] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 00100A08
    .text C:\Windows\System32\svchost.exe[3996] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 001001F8
    .text C:\Windows\System32\svchost.exe[3996] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 001003FC
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4032] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4032] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4032] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4032] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000B03FC
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4032] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000B0600
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4032] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000B1014
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4032] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000B0804
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4032] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000B0A08
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4032] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000B0C0C
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4032] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000B0E10
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4032] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000B01F8
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4032] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 000C0600
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4032] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 000C0804
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4032] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 000C0A08
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4032] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 000C01F8
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4032] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 000C03FC
    .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4448] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 001501F8
    .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4448] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 001503FC
    .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4448] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4448] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 002A0600
    .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4448] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 002A0804
    .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4448] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 002A0A08
    .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4448] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 002A01F8
    .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4448] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 002A03FC
    .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4448] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 002B03FC
    .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4448] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 002B0600
    .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4448] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 002B1014
    .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4448] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 002B0804
    .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4448] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 002B0A08
    .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4448] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 002B0C0C
    .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4448] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 002B0E10
    .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4448] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 002B01F8
    .text C:\Windows\system32\svchost.exe[5148] ntdll.dll!LdrLoadDll 77D793A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[5148] ntdll.dll!LdrUnloadDll 77D8B740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[5148] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[5148] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000E03FC
    .text C:\Windows\system32\svchost.exe[5148] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000E0600
    .text C:\Windows\system32\svchost.exe[5148] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000E1014
    .text C:\Windows\system32\svchost.exe[5148] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000E0804
    .text C:\Windows\system32\svchost.exe[5148] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000E0A08
    .text C:\Windows\system32\svchost.exe[5148] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000E0C0C
    .text C:\Windows\system32\svchost.exe[5148] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000E0E10
    .text C:\Windows\system32\svchost.exe[5148] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000E01F8
    .text C:\Windows\system32\svchost.exe[5148] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 00830600
    .text C:\Windows\system32\svchost.exe[5148] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 00830804
    .text C:\Windows\system32\svchost.exe[5148] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 00830A08
    .text C:\Windows\system32\svchost.exe[5148] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 008301F8
    .text C:\Windows\system32\svchost.exe[5148] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 008303FC
    .text C:\Windows\system32\wuauclt.exe[5948] ntdll.dll!NtProtectVirtualMemory 77DB4B84 5 Bytes JMP 00C1000A
    .text C:\Windows\system32\wuauclt.exe[5948] ntdll.dll!NtWriteVirtualMemory 77DB54C4 5 Bytes JMP 00C2000A
    .text C:\Windows\system32\wuauclt.exe[5948] ntdll.dll!KiUserExceptionDispatcher 77DB5BF8 5 Bytes JMP 00C0000A
    .text C:\Windows\system32\wuauclt.exe[5948] USER32.dll!SetWindowsHookExA 770C6322 5 Bytes JMP 000A0600
    .text C:\Windows\system32\wuauclt.exe[5948] USER32.dll!SetWindowsHookExW 770C87AD 5 Bytes JMP 000A0804
    .text C:\Windows\system32\wuauclt.exe[5948] USER32.dll!UnhookWindowsHookEx 770C98DB 5 Bytes JMP 000A0A08
    .text C:\Windows\system32\wuauclt.exe[5948] USER32.dll!SetWinEventHook 770C9F3A 5 Bytes JMP 000A01F8
    .text C:\Windows\system32\wuauclt.exe[5948] USER32.dll!UnhookWinEvent 770CC06F 5 Bytes JMP 000A03FC
    .text C:\Windows\system32\wuauclt.exe[5948] ADVAPI32.dll!CreateServiceW 77039EB4 5 Bytes JMP 000B03FC
    .text C:\Windows\system32\wuauclt.exe[5948] ADVAPI32.dll!DeleteService 7703A07E 5 Bytes JMP 000B0600
    .text C:\Windows\system32\wuauclt.exe[5948] ADVAPI32.dll!SetServiceObjectSecurity 77076CD9 5 Bytes JMP 000B1014
    .text C:\Windows\system32\wuauclt.exe[5948] ADVAPI32.dll!ChangeServiceConfigA 77076DD9 5 Bytes JMP 000B0804
    .text C:\Windows\system32\wuauclt.exe[5948] ADVAPI32.dll!ChangeServiceConfigW 77076F81 5 Bytes JMP 000B0A08
    .text C:\Windows\system32\wuauclt.exe[5948] ADVAPI32.dll!ChangeServiceConfig2A 77077099 5 Bytes JMP 000B0C0C
    .text C:\Windows\system32\wuauclt.exe[5948] ADVAPI32.dll!ChangeServiceConfig2W 770771E1 5 Bytes JMP 000B0E10
    .text C:\Windows\system32\wuauclt.exe[5948] ADVAPI32.dll!CreateServiceA 770772A1 5 Bytes JMP 000B01F8
    .text E:\GMER.exe[5984] kernel32.dll!GetBinaryTypeW + 70 76912247 1 Byte [62]

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\system32\services.exe[640] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00010002
    IAT C:\Windows\system32\services.exe[640] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00010000
    IAT C:\Windows\Explorer.EXE[956] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74CD7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[956] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74D2A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[956] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74CDBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[956] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74CCF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[956] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74CD75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[956] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74CCE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[956] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74D08395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[956] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74CDDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[956] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74CCFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[956] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74CCFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[956] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74CC71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[956] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74D5CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[956] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74CFC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[956] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74CCD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[956] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74CC6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[956] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74CC687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[956] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74CD2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[956] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [025E27E0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
    IAT C:\Windows\Explorer.EXE[956] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [025E1B60] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
    IAT C:\Windows\Explorer.EXE[956] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [025E2B60] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
    IAT C:\Windows\Explorer.EXE[956] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [025E11D0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet001\Services\BthPort\Parameters\Keys\001fe2f0debe (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\BthPort\Parameters\Keys\001fe2f0debe (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\BthPort\Parameters\Keys\001fe2f0debe (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\Services\BthPort\Parameters\Keys\001fe2f0debe (not active ControlSet)
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BthPort\Parameters\Keys\001fe2f0debe
    Reg HKLM\SYSTEM\ControlSet006\Services\BthPort\Parameters\Keys\001fe2f0debe (not active ControlSet)

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- EOF - GMER 1.0.15 ----
     
    michaelac,
    #8
  10. 2011/06/06
    michaelac

    michaelac Inactive Thread Starter

    Joined:
    2011/06/06
    Messages:
    29
    Likes Received:
    0
    okay so GMER was more like 6 posts! hehehehe
     
    michaelac,
    #9
  11. 2011/06/06
    michaelac

    michaelac Inactive Thread Starter

    Joined:
    2011/06/06
    Messages:
    29
    Likes Received:
    0
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: Service Pack 2 (build 6002), 32-bit
    Base Board Manufacturer: Acer
    BIOS Manufacturer: Acer
    System Manufacturer: Acer
    System Product Name: Aspire 6920
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 160):
    0x82C1A000 \SystemRoot\system32\ntkrnlpa.exe
    0x82FD4000 \SystemRoot\system32\hal.dll
    0x87713000 \SystemRoot\system32\kdcom.dll
    0x80404000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x80474000 \SystemRoot\system32\PSHED.dll
    0x80485000 \SystemRoot\system32\BOOTVID.dll
    0x8048D000 \SystemRoot\system32\CLFS.SYS
    0x804CE000 \SystemRoot\system32\CI.dll
    0x805AE000 \SystemRoot\System32\drivers\lenqa.sys
    0x8060E000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x8067F000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x8068D000 \SystemRoot\system32\drivers\acpi.sys
    0x806D3000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x806DC000 \SystemRoot\system32\drivers\msisadrv.sys
    0x806E4000 \SystemRoot\system32\drivers\pci.sys
    0x8070B000 \SystemRoot\System32\drivers\partmgr.sys
    0x8071A000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x8071D000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x80727000 \SystemRoot\system32\drivers\volmgr.sys
    0x80736000 \SystemRoot\System32\drivers\volmgrx.sys
    0x80780000 \SystemRoot\system32\drivers\intelide.sys
    0x80787000 \SystemRoot\system32\drivers\PCIIDEX.SYS
    0x80795000 \SystemRoot\System32\drivers\mountmgr.sys
    0x807A5000 \SystemRoot\System32\Drivers\UBHelper.sys
    0x83206000 \SystemRoot\system32\DRIVERS\iaStor.sys
    0x832CE000 \SystemRoot\system32\drivers\atapi.sys
    0x832D6000 \SystemRoot\system32\drivers\ataport.SYS
    0x832F4000 \SystemRoot\system32\drivers\msahci.sys
    0x832FE000 \SystemRoot\system32\drivers\fltmgr.sys
    0x83330000 \SystemRoot\system32\drivers\fileinfo.sys
    0x83340000 \SystemRoot\system32\DRIVERS\psdfilter.sys
    0x83349000 \SystemRoot\System32\Drivers\PxHelp20.sys
    0x8334E000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x83403000 \SystemRoot\system32\drivers\ndis.sys
    0x8350E000 \SystemRoot\system32\drivers\msrpc.sys
    0x83539000 \SystemRoot\system32\drivers\NETIO.SYS
    0x8360C000 \SystemRoot\System32\drivers\tcpip.sys
    0x836F6000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x88C00000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x88D10000 \SystemRoot\system32\drivers\volsnap.sys
    0x88D49000 \SystemRoot\System32\Drivers\spldr.sys
    0x88D51000 \SystemRoot\System32\Drivers\mup.sys
    0x88D60000 \SystemRoot\System32\drivers\ecache.sys
    0x88D87000 \SystemRoot\system32\drivers\disk.sys
    0x88D98000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x88DB9000 \SystemRoot\system32\drivers\crcdisk.sys
    0x88DCF000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x88DDA000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0x88DE3000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0x88DF2000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0x8CA05000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
    0x8D0C0000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x8D160000 \SystemRoot\System32\drivers\watchdog.sys
    0x8D16C000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0x8D177000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x8D1B5000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x8D40D000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x8D49A000 \SystemRoot\system32\DRIVERS\L1E60x86.sys
    0x8D60A000 \SystemRoot\system32\DRIVERS\NETw4v32.sys
    0x8D882000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0x8D886000 \SystemRoot\system32\DRIVERS\itecir.sys
    0x8D8DF000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x8D8F2000 \SystemRoot\system32\DRIVERS\DKbFltr.sys
    0x8D8FC000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x8D907000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0x8D936000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x8D938000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x8D943000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x8D95B000 \SystemRoot\system32\DRIVERS\NTIDrvr.sys
    0x8D963000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0x8D969000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0x8D998000 \SystemRoot\system32\DRIVERS\storport.sys
    0x8D9D9000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x8D9E4000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x8D4AB000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x8D4B6000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x8D4D9000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x8D4E8000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x8D4FC000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x8D511000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8D9FB000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x8D521000 \SystemRoot\system32\DRIVERS\ks.sys
    0x8D54B000 \SystemRoot\system32\DRIVERS\circlass.sys
    0x8D600000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8D559000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x8D566000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x8D59B000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x90200000 \SystemRoot\system32\drivers\RTKVHDA.sys
    0x8D5AC000 \SystemRoot\system32\drivers\portcls.sys
    0x8D5D9000 \SystemRoot\system32\drivers\drmk.sys
    0x90405000 \SystemRoot\system32\DRIVERS\AGRSM.sys
    0x9052B000 \SystemRoot\system32\drivers\modem.sys
    0x90538000 \SystemRoot\system32\DRIVERS\hidir.sys
    0x90543000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0x90553000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0x9055A000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0x90563000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x9056B000 \SystemRoot\System32\Drivers\aswSnx.SYS
    0x905DB000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x905E4000 \SystemRoot\System32\Drivers\Null.SYS
    0x905EB000 \SystemRoot\System32\Drivers\Beep.SYS
    0x905F2000 \SystemRoot\System32\drivers\vga.sys
    0x8D1C4000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8D400000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x8D1E5000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8D1ED000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x837D9000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x837E7000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x83574000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x837F0000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0x8358A000 \SystemRoot\system32\DRIVERS\smb.sys
    0x8359E000 \SystemRoot\system32\drivers\afd.sys
    0x90400000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0x833BF000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x835E6000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x833F1000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x807AD000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x807C0000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x903FA000 \??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys
    0x83600000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x805BC000 \SystemRoot\System32\Drivers\dfsc.sys
    0x90A03000 \SystemRoot\System32\Drivers\aswSP.SYS
    0x90A4D000 \SystemRoot\system32\drivers\vfs101x.sys
    0x90A5A000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x90A71000 \SystemRoot\System32\Drivers\usbvideo.sys
    0x90A92000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0x90AA8000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x90AB5000 \SystemRoot\System32\Drivers\dump_iaStor.sys
    0x93850000 \SystemRoot\System32\win32k.sys
    0x90B7D000 \SystemRoot\System32\drivers\Dxapi.sys
    0x90B87000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x93A70000 \SystemRoot\System32\TSDDD.dll
    0x93A90000 \SystemRoot\System32\cdd.dll
    0x90B96000 \SystemRoot\system32\drivers\luafv.sys
    0x90BB1000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
    0x90BE9000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0x83711000 \SystemRoot\system32\drivers\WudfPf.sys
    0xAFC07000 \SystemRoot\system32\drivers\spsys.sys
    0xAFCB7000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0xAFCC7000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0xAFCF1000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xAFCFB000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0xAFD0E000 \SystemRoot\system32\drivers\HTTP.sys
    0xAFD7B000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0xAFD98000 \SystemRoot\system32\DRIVERS\bowser.sys
    0xAFDB1000 \SystemRoot\System32\drivers\mpsdrv.sys
    0xAFDC6000 \SystemRoot\system32\drivers\mrxdav.sys
    0x8372B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x8374A000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0xAFDE7000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x83783000 \SystemRoot\System32\DRIVERS\srv2.sys
    0xB2E02000 \SystemRoot\System32\DRIVERS\srv.sys
    0xB2E51000 \??\C:\Windows\system32\drivers\int15.sys
    0xB2E58000 \SystemRoot\system32\drivers\peauth.sys
    0xB2F36000 \SystemRoot\system32\DRIVERS\PSDNServ.sys
    0xB2F3F000 \SystemRoot\system32\DRIVERS\PSDVdisk.sys
    0xB2F51000 \SystemRoot\System32\Drivers\secdrv.SYS
    0xB2F5B000 \SystemRoot\System32\drivers\tcpipreg.sys
    0xB2F67000 \??\C:\Users\George\AppData\Local\Temp\agriykob.sys
    0x77D50000 \Windows\System32\ntdll.dll

    Processes (total 73):
    0 System Idle Process
    4 System
    480 C:\Windows\System32\smss.exe
    552 csrss.exe
    596 C:\Windows\System32\wininit.exe
    604 csrss.exe
    640 C:\Windows\System32\services.exe
    652 C:\Windows\System32\lsass.exe
    660 C:\Windows\System32\lsm.exe
    688 C:\Windows\System32\winlogon.exe
    844 C:\Windows\System32\svchost.exe
    928 C:\Windows\System32\svchost.exe
    972 C:\Windows\System32\svchost.exe
    1068 C:\Windows\System32\svchost.exe
    1136 C:\Windows\System32\svchost.exe
    1172 C:\Windows\System32\svchost.exe
    1248 C:\Windows\System32\audiodg.exe
    1304 C:\Windows\System32\svchost.exe
    1328 C:\Windows\System32\SLsvc.exe
    1368 C:\Windows\System32\svchost.exe
    1496 C:\Windows\System32\vfsFPService.exe
    1548 C:\Windows\System32\svchost.exe
    1664 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    2004 C:\Windows\System32\spoolsv.exe
    2012 C:\Windows\System32\taskeng.exe
    124 C:\Windows\System32\svchost.exe
    300 C:\Windows\System32\rundll32.exe
    812 C:\Windows\System32\dwm.exe
    956 C:\Windows\explorer.exe
    2052 C:\Windows\System32\taskeng.exe
    2256 C:\Program Files\Windows Defender\MSASCui.exe
    2268 C:\Windows\RtHDVCpl.exe
    2288 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    2304 C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
    2324 C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
    2472 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    2528 C:\Windows\PLFSetI.exe
    2668 C:\Windows\System32\hkcmd.exe
    2720 C:\Windows\System32\igfxpers.exe
    2772 C:\Windows\System32\igfxsrvc.exe
    2820 C:\Windows\System32\agrsmsvc.exe
    2880 C:\Program Files\Bonjour\mDNSResponder.exe
    2916 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    2928 C:\Windows\System32\svchost.exe
    2968 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
    3048 C:\Users\George\AppData\Local\Temp\RtkBtMnt.exe
    3092 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    3100 C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
    3232 C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
    3312 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    3432 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    3512 C:\Program Files\Canon\IJPLM\ijplmsvc.exe
    3580 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    3628 C:\ACER\Mobility Center\MobilityService.exe
    3660 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
    3768 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
    3812 C:\Windows\System32\svchost.exe
    3848 C:\Program Files\Cyberlink\Shared files\RichVideo.exe
    3872 C:\Program Files\Acer\Acer VCM\RS_Service.exe
    3896 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    3932 C:\Windows\System32\svchost.exe
    3996 C:\Windows\System32\svchost.exe
    4032 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
    1200 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
    2664 unsecapp.exe
    2692 WmiPrvSE.exe
    2892 C:\Windows\System32\wbem\unsecapp.exe
    3984 C:\Program Files\Windows Media Player\wmpnscfg.exe
    3060 C:\Program Files\Windows Media Player\wmpnetwk.exe
    4448 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    5148 C:\Windows\System32\svchost.exe
    5948 C:\Windows\System32\wuauclt.exe
    5472 E:\MBRCHECK.EXE

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000003`40100000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x0000001f`1c500000 (NTFS)

    PhysicalDrive0 Model Number: ST9250827AS, Rev: 3.AAA

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Acer MBR code detected
    SHA1: 32C70BE973F8E85AEDC1594C905FB8D402DF20D6


    Done!
     
    michaelac,
    #10
  12. 2011/06/06
    michaelac

    michaelac Inactive Thread Starter

    Joined:
    2011/06/06
    Messages:
    29
    Likes Received:
    0
    .
    DDS (Ver_2011-06-01.06) - NTFSx86
    Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_21
    Run by George at 0:57:57 on 2011-06-07
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2038.586 [GMT 10:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\vfsFPService.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
    C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Windows\PLFSetI.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\agrsmsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
    C:\Users\George\AppData\Local\Temp\RtkBtMnt.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
    C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Acer\Mobility Center\MobilityService.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Cyberlink\Shared files\RichVideo.exe
    C:\Program Files\Acer\Acer VCM\RS_Service.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page =
    uStart Page = hxxp://google.com/
    uSearch Bar =
    mStart Page = hxxp://www.yahoo.com
    mDefault_Page_URL = hxxp://www.yahoo.com
    uInternet Settings,ProxyOverride = *.local
    mSearchAssistant = hxxp://search.babylon.com/?babsrc=SP_ss&q={searchTerms}&mntrId=9e1f60f900000000000000215c11d57b&tlver=1.4.19.19&affID=17159
    BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
    BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - No File
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
    TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
    TB: {043C5167-00BB-4324-AF7E-62013FAEDACF} - No File
    TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
    TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
    uRun: [<NO NAME>]
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    uRun: [Google Update] "c:\users\george\appdata\local\google\update\GoogleUpdate.exe" /c
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [ePower_DMC] c:\program files\acer\empowering technology\epower\ePower_DMC.exe
    mRun: [eDataSecurity Loader] c:\program files\acer\empowering technology\edatasecurity\x86\eDSloader.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [PLFSetI] c:\windows\PLFSetI.exe
    mRun: [eRecoveryService]
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    StartupFolder: c:\users\george\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\george\appdata\roaming\dropbox\bin\Dropbox.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
    IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
    IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
    IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
    IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3}
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC}
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{30980EAB-51C5-4D73-93CF-0E7DB106F340} : DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{94B7C318-37E5-49C3-81D3-309B28D937FF} : DhcpNameServer = 192.168.1.254
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\george\appdata\roaming\mozilla\firefox\profiles\rvvnwmxv.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2405280&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=toolbar2&q=
    FF - component: c:\program files\nokia\nokia ovi suite\connectors\bookmarks connector\firefoxextension\components\FirefoxExtension.dll
    FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
    FF - component: c:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll
    FF - component: c:\users\george\appdata\roaming\mozilla\firefox\profiles\rvvnwmxv.default\extensions\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}\components\FFExternalAlert.dll
    FF - component: c:\users\george\appdata\roaming\mozilla\firefox\profiles\rvvnwmxv.default\extensions\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}\components\RadioWMPCore.dll
    FF - component: c:\users\george\appdata\roaming\mozilla\firefox\profiles\rvvnwmxv.default\extensions\{ea0969b3-6e12-4ac0-b6c9-148e81247954}\components\FFExternalAlert.dll
    FF - component: c:\users\george\appdata\roaming\mozilla\firefox\profiles\rvvnwmxv.default\extensions\{ea0969b3-6e12-4ac0-b6c9-148e81247954}\components\RadioWMPCore.dll
    FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\users\george\appdata\local\google\update\1.3.21.53\npGoogleUpdate3.dll
    FF - plugin: c:\users\george\appdata\local\yahoo!\browserplus\2.7.1\plugins\npybrowserplus_2.7.1.dll
    FF - plugin: c:\users\george\appdata\roaming\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\users\george\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-23 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-4-23 307928]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-23 19544]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-4-23 53592]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-7 42184]
    R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-2-26 21752]
    R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-3-21 24576]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
    R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-2-25 49152]
    R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-2-26 131072]
    R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-4-23 233472]
    R2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2008-4-22 599344]
    R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [2010-3-8 62496]
    R3 vfs101x;vfs101x;c:\windows\system32\drivers\vfs101x.sys [2008-4-22 40752]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]
    S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2011-3-30 39272]
    S3 fsssvc;Windows Live Family Safety Service; "c:\program files\windows live\family safety\fsssvc.exe" --> c:\program files\windows live\family safety\fsssvc.exe [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-4-19 39984]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 wlcrasvc;Windows Live Mesh remote connections service; "c:\program files\windows live\mesh\wlcrasvc.exe" --> c:\program files\windows live\mesh\wlcrasvc.exe [?]
    .
    =============== Created Last 30 ================
    .
    2011-06-06 12:01:05 -------- d-----w- c:\users\george\appdata\roaming\Easy Duplicate Finder
    2011-06-06 12:01:04 -------- d-----w- c:\program files\Easy Duplicate Finder
    2011-06-06 11:43:50 -------- d-----w- c:\program files\CCleaner
    2011-06-06 11:07:33 -------- d-----w- c:\program files\Speccy
    2011-06-06 10:14:40 0 ---ha-w- c:\users\george\appdata\local\BITC94C.tmp
    2011-06-05 00:34:22 -------- d-----w- c:\users\george\appdata\local\{925B0B60-95C9-4C54-9964-ADE39756A0BA}
    2011-06-04 01:05:51 -------- d-----w- c:\users\george\appdata\local\{A686B731-3B09-47F4-8F0A-38B778114EE7}
    2011-06-02 23:34:17 -------- d-----w- c:\users\george\appdata\local\{EBD21878-629A-4D59-9A9B-40E3C3D64929}
    2011-06-02 01:09:37 -------- d-----w- c:\users\george\appdata\local\{23067270-1C23-477B-A728-F629B61DF02F}
    2011-06-02 00:24:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-01 12:42:29 -------- d-----w- c:\users\george\appdata\local\{688775B0-5EAB-4A63-84B8-B9FA0258D571}
    2011-05-31 23:48:52 -------- d-----w- c:\users\george\appdata\local\{343D2174-F8FA-4BA4-9DFC-F63B11BD714B}
    2011-05-31 01:09:35 -------- d-----w- c:\users\george\appdata\local\{AE35FD9D-1EA4-42B6-9927-1CAC4E3E52DF}
    2011-05-31 00:08:45 -------- d-----w- c:\programdata\mD28258LfMkB28258
    2011-05-30 10:37:25 -------- d-----w- c:\users\george\appdata\local\{802C0B1E-18CA-4E7F-A59B-A49A57071062}
    2011-05-30 02:52:08 -------- d-----w- c:\users\george\appdata\local\Apple Computer
    2011-05-29 22:46:50 -------- d-----w- c:\users\george\appdata\local\{080676DE-4AF4-435C-A0E8-747B2BB1568C}
    2011-05-29 22:36:44 -------- d-----w- c:\users\george\appdata\local\{03B0E936-C4E4-4D50-80B5-CD50D1F712FF}
    2011-05-29 05:36:19 -------- d-----w- c:\users\george\appdata\local\{B195D1E5-9631-4C6E-B47D-936D575D6300}
    2011-05-28 08:38:36 -------- d-----w- c:\users\george\appdata\local\{0AF3B556-AB9A-4661-B3FB-95ED52B72CBB}
    2011-05-28 03:35:28 7071056 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{718c3e05-ef65-434f-bb6b-c5ca8d1e737d}\mpengine.dll
    2011-05-28 02:58:41 -------- d-----w- c:\users\george\appdata\local\{225BE2B5-0C91-4528-9B95-00493C492A09}
    2011-05-26 23:27:59 -------- d-----w- c:\users\george\appdata\local\{AE60E562-3421-42B6-948B-1B45F623BA5D}
    2011-05-26 03:55:40 -------- d-----w- c:\users\george\appdata\local\{0D97B890-EB9D-4393-A5D2-EB2D8CF7BEB8}
    2011-05-25 15:55:04 -------- d-----w- c:\users\george\appdata\local\{598FB95C-9F24-4C00-8FA3-6597CFE8687C}
    2011-05-25 03:54:42 -------- d-----w- c:\users\george\appdata\local\{90E25865-86C3-4823-9CD8-866F704E1ED7}
    2011-05-24 12:47:32 -------- d-----w- c:\users\george\appdata\local\{C164CD42-3CBC-48AF-B7F0-D644C3C0B040}
    2011-05-24 00:08:18 -------- d-----w- C:\Adobe
    2011-05-15 12:57:19 -------- d-----w- c:\program files\iPod(153)
    2011-05-15 12:57:09 -------- d-----w- c:\program files\iTunes(154)
    2011-05-13 09:55:36 55808 ---ha-w- c:\users\george\appdata\roaming\ntuser.dat
    2011-05-13 09:55:33 -------- d-----w- c:\programdata\aM34811JgHmH34811
    2011-05-13 09:55:17 -------- d-----w- c:\users\george\appdata\roaming\xoqv2geo1mxjalo3mbjnc3hyndnppwaq2
    .
    ==================== Find3M ====================
    .
    2011-05-28 23:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-28 23:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-10 12:10:59 40112 ----a-w- c:\windows\avastSS.scr
    2011-05-10 12:03:54 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-05-10 11:59:44 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-04-27 11:50:17 429448 ----a-w- c:\users\george\Setup-MsgPlus-501.exe
    2011-03-12 21:55:52 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
    2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
    .
    ============= FINISH: 0:58:51.75 ===============
     
    michaelac,
    #11
  13. 2011/06/06
    michaelac

    michaelac Inactive Thread Starter

    Joined:
    2011/06/06
    Messages:
    29
    Likes Received:
    0
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-01.06)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 24/04/2009 4:22:18 AM
    System Uptime: 6/06/2011 11:43:19 PM (1 hours ago)
    .
    Motherboard: Acer | | Aspire 6920
    Processor: Intel(R) Core(TM)2 Duo CPU T5750 @ 2.00GHz | U2E1 | 1000/167mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 111 GiB total, 24.924 GiB free.
    D: is FIXED (NTFS) - 105 GiB total, 6.115 GiB free.
    E: is CDROM (CDFS)
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    .
    Acer Crystal Eye Webcam 2.0.5
    Acer eAudio Management
    Acer eDataSecurity Management
    Acer Empowering Technology
    Acer ePower Management
    Acer eRecovery Management
    Acer eSettings Management
    Acer GameZone Console 2.0.1.1
    Acer GridVista
    Acer Mobility Center Plug-In
    Acer ScreenSaver
    Acer VCM
    Acrobat.com
    Activation Assistant for the 2007 Microsoft Office suites
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.4
    Adobe Shockwave Player 11.5
    Agere Systems HDA Modem
    Alice Greenfingers
    AoA Audio Extractor
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Atheros Communications Inc.(R) AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
    avast! Free Antivirus
    AVS Update Manager 1.0
    AVS Video Converter 6
    AVS4YOU Software Navigator 1.3
    Azada
    Backspin Billiards
    Bonjour
    Canon Easy-WebPrint EX
    Canon Inkjet Printer/Scanner/Fax Extended Survey Program
    Canon MP Navigator EX 3.1
    Canon MX340 series MP Drivers
    Canon Speed Dial Utility
    Canon Utilities Easy-PhotoPrint EX
    Canon Utilities My Printer
    Canon Utilities Solution Menu
    CCleaner
    Compatibility Pack for the 2007 Office system
    D3DX10
    Diner Dash Flo on the Go
    Dropbox
    eSobi v2
    FlashGet 1.9.6.1073
    Flip Words 2
    Google Chrome
    Google Talk Plugin
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Intel(R) Graphics Media Accelerator Driver
    Intel® Matrix Storage Manager
    ITECIR Driver
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 21
    Jewel Quest Solitaire
    JMicron JMB38X Flash Media Controller
    Junk Mail filter update
    K-Lite Codec Pack 5.4.4 (Full)
    Launch Manager
    LightScribe 1.4.142.1
    Malwarebytes' Anti-Malware version 1.51.0.1200
    Messenger Companion
    Messenger Plus! 5
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Office Live Add-in 1.5
    Microsoft Office XP Professional with FrontPage
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable - KB2467175
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    Mozilla Firefox 4.0.1 (x86 en-US)
    Mozilla Firefox 4.0b8 (x86 en-US)
    MSVC80_x86
    MSVC80_x86_v2
    MSVC90_x86
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Mystery Solitaire - Secret Island
    Nokia Connectivity Cable Driver
    Nokia Maps Updater 1.0.8
    Nokia Ovi Player
    Nokia Ovi Suite
    Nokia Ovi Suite Software Updater
    Nokia PC Suite
    Nokia Software Updater
    Nokia_Multimedia_Common_Components_2_5
    NTI Backup Now 5
    NTI Backup Now Standard
    NTI Media Maker 8
    OGA Notifier 2.0.0048.0
    Orbit Downloader
    Orion
    Ovi Desktop Sync Engine
    OviMPlatform
    PC Connectivity Solution
    PhotoNow!
    PowerDirector
    QuickTime
    Real Alternative 2.0.2
    Realtek High Definition Audio Driver
    Replay Video Capture
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Segoe UI
    Skype Toolbars
    Skype™ 5.1
    Sonic RecordNow! Deluxe
    Sonic Update Manager
    Speccy
    Suite
    Synaptics Pointing Device Driver
    The KMPlayer (remove only)
    Turbo Pizza
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Validity Sensors software
    vShare Plugin
    WIDCOMM Bluetooth Software 6.0.1.5000
    Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Mail
    Windows Live Mesh
    Windows Live Messenger
    Windows Live Messenger Companion Core
    Windows Live MIME IFilter
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live Remote Client
    Windows Live Remote Client Resources
    Windows Live Remote Service
    Windows Live Remote Service Resources
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    Windows Media Player Firefox Plugin
    WinRAR archiver
    Yahoo! BrowserPlus 2.7.1
    Yahoo! Messenger
    Yahoo! Software Update
    Yahoo! Toolbar
    YouTube Downloader 2.6.5
    .
    ==== Event Viewer Messages From Past Week ========
    .
    6/06/2011 9:15:33 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    6/06/2011 9:10:07 PM, Error: EventLog [6008] - The previous system shutdown at 9:08:05 PM on 6/06/2011 was unexpected.
    6/06/2011 8:16:27 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Empowering Technology Service service to connect.
    6/06/2011 8:15:26 PM, Error: Service Control Manager [7031] - The Empowering Technology Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    6/06/2011 8:13:34 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Live ID Sign-in Assistant service to connect.
    6/06/2011 8:13:34 PM, Error: Service Control Manager [7000] - The Windows Live ID Sign-in Assistant service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    6/06/2011 8:13:22 PM, Error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
    6/06/2011 8:13:22 PM, Error: Service Control Manager [7034] - The Raw Socket Service service terminated unexpectedly. It has done this 1 time(s).
    6/06/2011 8:13:22 PM, Error: Service Control Manager [7034] - The NTI Backup Now 5 Scheduler Service service terminated unexpectedly. It has done this 1 time(s).
    6/06/2011 8:13:22 PM, Error: Service Control Manager [7034] - The NTI Backup Now 5 Backup Service service terminated unexpectedly. It has done this 1 time(s).
    6/06/2011 8:13:22 PM, Error: Service Control Manager [7034] - The MobilityService service terminated unexpectedly. It has done this 1 time(s).
    6/06/2011 8:13:22 PM, Error: Service Control Manager [7034] - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s).
    6/06/2011 8:13:22 PM, Error: Service Control Manager [7034] - The Intel(R) Matrix Storage Event Monitor service terminated unexpectedly. It has done this 1 time(s).
    6/06/2011 8:13:22 PM, Error: Service Control Manager [7034] - The Cyberlink RichVideo Service(CRVS) service terminated unexpectedly. It has done this 1 time(s).
    6/06/2011 8:13:22 PM, Error: Service Control Manager [7034] - The Canon Inkjet Printer/Scanner/Fax Extended Survey Program service terminated unexpectedly. It has done this 1 time(s).
    6/06/2011 8:13:22 PM, Error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
    6/06/2011 8:13:22 PM, Error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    6/06/2011 8:13:21 PM, Error: Service Control Manager [7034] - The Validity Fingerprint Service service terminated unexpectedly. It has done this 1 time(s).
    6/06/2011 8:13:21 PM, Error: Service Control Manager [7034] - The NTI Backup Now 5 Agent Service service terminated unexpectedly. It has done this 1 time(s).
    6/06/2011 8:13:21 PM, Error: Service Control Manager [7034] - The eDataSecurity Service service terminated unexpectedly. It has done this 1 time(s).
    6/06/2011 8:13:21 PM, Error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    6/06/2011 8:13:21 PM, Error: Service Control Manager [7034] - The Agere Modem Call Progress Audio service terminated unexpectedly. It has done this 1 time(s).
    6/06/2011 8:12:17 PM, Error: EventLog [6008] - The previous system shutdown at 3:49:41 PM on 5/06/2011 was unexpected.
    5/06/2011 3:49:41 PM, Error: EventLog [6008] - The previous system shutdown at 3:47:43 PM on 5/06/2011 was unexpected.
    5/06/2011 12:44:03 PM, Error: Service Control Manager [7034] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 3 time(s).
    5/06/2011 12:43:53 PM, Error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
    5/06/2011 12:42:39 PM, Error: EventLog [6008] - The previous system shutdown at 12:41:33 PM on 5/06/2011 was unexpected.
    5/06/2011 12:39:09 PM, Error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    5/06/2011 12:33:17 PM, Error: EventLog [6008] - The previous system shutdown at 12:31:54 PM on 5/06/2011 was unexpected.
    5/06/2011 11:56:01 AM, Error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 3 time(s).
    5/06/2011 10:42:13 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    5/06/2011 10:42:13 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Remote Access Connection Manager service, but this action failed with the following error: An instance of the service is already running.
    5/06/2011 1:32:04 AM, Error: EventLog [6008] - The previous system shutdown at 1:30:22 AM on 5/06/2011 was unexpected.
    4/06/2011 6:09:19 PM, Error: EventLog [6008] - The previous system shutdown at 6:08:00 PM on 4/06/2011 was unexpected.
    4/06/2011 11:05:36 AM, Error: Service Control Manager [7031] - The Extensible Authentication Protocol service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    4/06/2011 11:05:36 AM, Error: Service Control Manager [7031] - The Certificate Propagation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    4/06/2011 11:05:36 AM, Error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    4/06/2011 11:05:36 AM, Error: Service Control Manager [7031] - The Application Experience service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    31/05/2011 10:26:41 AM, Error: EventLog [6008] - The previous system shutdown at 10:25:06 AM on 31/05/2011 was unexpected.
    1/06/2011 4:47:33 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 00215C11D57B has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
    1/06/2011 10:40:00 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.1.1.2 for the Network Card with network address 00215C11D57B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    .
    ==== End Of File ===========================
     
    michaelac,
    #12
  14. 2011/06/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Welcome aboard :)

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ======================================================

    Your MBAM log says "No action taken" after each line.
    Please, re-run it, FIX all issues and post new log.

    Then...

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
    broni,
    #13
  15. 2011/06/06
    michaelac

    michaelac Inactive Thread Starter

    Joined:
    2011/06/06
    Messages:
    29
    Likes Received:
    0
    ahh I may have posted the first scan before I came here.... here is the one I did when I found this site.


    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6784

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.19048

    6/06/2011 11:40:38 PM
    mbam-log-2011-06-06 (23-40-38).txt

    Scan type: Quick scan
    Objects scanned: 198467
    Time elapsed: 11 minute(s), 4 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 4
    Registry Values Infected: 4
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    c:\Users\George\AppData\Local\oninirum.dll (Trojan.Hiloti) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\4ECYTQ9SIC (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\J40NOZ44HU (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gkeruzacuf (Trojan.Hiloti) -> Value: Gkeruzacuf -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Malware Protection (Rogue.Spypro) -> Value: Malware Protection -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cranezuduqiy (Trojan.Agent.U) -> Value: Cranezuduqiy -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4ECYTQ9SIC (Trojan.FakeAlert.SA) -> Value: 4ECYTQ9SIC -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Users\George\AppData\Local\oninirum.dll (Trojan.Hiloti) -> Delete on reboot.
    c:\Users\George\local settings\application data\oninirum.dll (Trojan.Hiloti) -> Delete on reboot.
     
    Last edited: 2011/06/06
    michaelac,
    #14
  16. 2011/06/06
    michaelac

    michaelac Inactive Thread Starter

    Joined:
    2011/06/06
    Messages:
    29
    Likes Received:
    0
    2011/06/07 13:55:38.0738 4932 TDSS rootkit removing tool 2.5.3.0 May 25 2011 07:09:24
    2011/06/07 13:55:39.0986 4932 ================================================================================
    2011/06/07 13:55:39.0986 4932 SystemInfo:
    2011/06/07 13:55:39.0986 4932
    2011/06/07 13:55:39.0986 4932 OS Version: 6.0.6002 ServicePack: 2.0
    2011/06/07 13:55:39.0986 4932 Product type: Workstation
    2011/06/07 13:55:39.0986 4932 ComputerName: GEORGE-LAPTOP
    2011/06/07 13:55:39.0986 4932 UserName: George
    2011/06/07 13:55:39.0986 4932 Windows directory: C:\Windows
    2011/06/07 13:55:39.0986 4932 System windows directory: C:\Windows
    2011/06/07 13:55:39.0986 4932 Processor architecture: Intel x86
    2011/06/07 13:55:39.0986 4932 Number of processors: 2
    2011/06/07 13:55:39.0986 4932 Page size: 0x1000
    2011/06/07 13:55:39.0986 4932 Boot type: Normal boot
    2011/06/07 13:55:39.0986 4932 ================================================================================
    2011/06/07 13:55:40.0735 4932 Initialize success
    2011/06/07 13:55:44.0915 2112 ================================================================================
    2011/06/07 13:55:44.0915 2112 Scan started
    2011/06/07 13:55:44.0915 2112 Mode: Manual;
    2011/06/07 13:55:44.0915 2112 ================================================================================
    2011/06/07 13:55:47.0739 2112 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
    2011/06/07 13:55:47.0801 2112 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
    2011/06/07 13:55:47.0879 2112 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
    2011/06/07 13:55:47.0926 2112 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
    2011/06/07 13:55:47.0989 2112 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
    2011/06/07 13:55:48.0129 2112 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
    2011/06/07 13:55:48.0238 2112 AgereSoftModem (38325c6aa8eae011897d61ce48ec6435) C:\Windows\system32\DRIVERS\AGRSM.sys
    2011/06/07 13:55:48.0316 2112 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
    2011/06/07 13:55:48.0394 2112 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
    2011/06/07 13:55:48.0457 2112 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
    2011/06/07 13:55:48.0519 2112 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
    2011/06/07 13:55:48.0597 2112 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
    2011/06/07 13:55:48.0675 2112 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
    2011/06/07 13:55:48.0722 2112 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
    2011/06/07 13:55:48.0800 2112 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
    2011/06/07 13:55:48.0862 2112 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
    2011/06/07 13:55:48.0940 2112 aswFsBlk (7f08d9c504b015d81a8abd75c80028c5) C:\Windows\system32\drivers\aswFsBlk.sys
    2011/06/07 13:55:48.0987 2112 aswMonFlt (9bdc8e9ce17b773f69d2c6696c768c4f) C:\Windows\system32\drivers\aswMonFlt.sys
    2011/06/07 13:55:49.0065 2112 aswRdr (ac48bdd4cd5d44af33087c06d6e9511c) C:\Windows\system32\drivers\aswRdr.sys
    2011/06/07 13:55:49.0174 2112 aswSnx (b64134316fcd1f20e0f10ef3e65bd522) C:\Windows\system32\drivers\aswSnx.sys
    2011/06/07 13:55:49.0346 2112 aswSP (d6788e3211afa9951ed7a4d617f68a4f) C:\Windows\system32\drivers\aswSP.sys
    2011/06/07 13:55:49.0408 2112 aswTdi (4d100c45517809439c7b6dd98997fa00) C:\Windows\system32\drivers\aswTdi.sys
    2011/06/07 13:55:49.0486 2112 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
    2011/06/07 13:55:49.0549 2112 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
    2011/06/07 13:55:49.0720 2112 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
    2011/06/07 13:55:49.0829 2112 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
    2011/06/07 13:55:49.0923 2112 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
    2011/06/07 13:55:49.0970 2112 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
    2011/06/07 13:55:50.0017 2112 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
    2011/06/07 13:55:50.0095 2112 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
    2011/06/07 13:55:50.0126 2112 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
    2011/06/07 13:55:50.0157 2112 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
    2011/06/07 13:55:50.0266 2112 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
    2011/06/07 13:55:50.0329 2112 BthEnum (6d39c954799b63ba866910234cf7d726) C:\Windows\system32\DRIVERS\BthEnum.sys
    2011/06/07 13:55:50.0375 2112 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
    2011/06/07 13:55:50.0438 2112 BthPan (5904efa25f829bf84ea6fb045134a1d8) C:\Windows\system32\DRIVERS\bthpan.sys
    2011/06/07 13:55:50.0516 2112 BthPort (5a3abaa2f8eece7aefb942773766e3db) C:\Windows\system32\Drivers\BTHport.sys
    2011/06/07 13:55:50.0625 2112 BTHUSB (94e2941280e3756a5e0bcb467865c43a) C:\Windows\system32\Drivers\BTHUSB.sys
    2011/06/07 13:55:50.0719 2112 btwaudio (636f45a8500c1438cfa7dee15fc5c184) C:\Windows\system32\drivers\btwaudio.sys
    2011/06/07 13:55:50.0797 2112 btwavdt (bf9256ff01b093a5d90bb7a35ec90410) C:\Windows\system32\drivers\btwavdt.sys
    2011/06/07 13:55:50.0843 2112 btwrchid (0ab8c1ac177afb27309e1072faf34a37) C:\Windows\system32\DRIVERS\btwrchid.sys
    2011/06/07 13:55:50.0921 2112 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
    2011/06/07 13:55:50.0999 2112 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
    2011/06/07 13:55:51.0046 2112 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\DRIVERS\circlass.sys
    2011/06/07 13:55:51.0140 2112 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
    2011/06/07 13:55:51.0280 2112 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
    2011/06/07 13:55:51.0358 2112 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
    2011/06/07 13:55:51.0405 2112 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
    2011/06/07 13:55:51.0452 2112 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
    2011/06/07 13:55:51.0499 2112 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
    2011/06/07 13:55:51.0670 2112 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
    2011/06/07 13:55:51.0764 2112 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
    2011/06/07 13:55:51.0842 2112 DKbFltr (73baf270d24fe726b9cd7f80bb17a23d) C:\Windows\system32\DRIVERS\DKbFltr.sys
    2011/06/07 13:55:51.0935 2112 DritekPortIO (5c918d413f5837e67a85775c9873775e) C:\PROGRA~1\LAUNCH~1\DPortIO.sys
    2011/06/07 13:55:52.0013 2112 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
    2011/06/07 13:55:52.0091 2112 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
    2011/06/07 13:55:52.0201 2112 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
    2011/06/07 13:55:52.0263 2112 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
    2011/06/07 13:55:52.0435 2112 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
    2011/06/07 13:55:52.0528 2112 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
    2011/06/07 13:55:52.0715 2112 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
    2011/06/07 13:55:52.0809 2112 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
    2011/06/07 13:55:52.0871 2112 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
    2011/06/07 13:55:53.0043 2112 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
    2011/06/07 13:55:53.0105 2112 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
    2011/06/07 13:55:53.0152 2112 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
    2011/06/07 13:55:53.0261 2112 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
    2011/06/07 13:55:53.0355 2112 fssfltr (d909075fa72c090f27aa926c32cb4612) C:\Windows\system32\DRIVERS\fssfltr.sys
    2011/06/07 13:55:53.0464 2112 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
    2011/06/07 13:55:53.0527 2112 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
    2011/06/07 13:55:53.0589 2112 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
    2011/06/07 13:55:53.0683 2112 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
    2011/06/07 13:55:53.0761 2112 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
    2011/06/07 13:55:53.0807 2112 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
    2011/06/07 13:55:53.0839 2112 HidIr (d8df3722d5e961baa1292aa2f12827e2) C:\Windows\system32\DRIVERS\hidir.sys
    2011/06/07 13:55:53.0901 2112 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
    2011/06/07 13:55:54.0010 2112 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
    2011/06/07 13:55:54.0088 2112 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
    2011/06/07 13:55:54.0151 2112 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
    2011/06/07 13:55:54.0213 2112 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
    2011/06/07 13:55:54.0322 2112 iaStor (e5a0034847537eaee3c00349d5c34c5f) C:\Windows\system32\DRIVERS\iaStor.sys
    2011/06/07 13:55:54.0385 2112 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
    2011/06/07 13:55:54.0525 2112 igfx (9378d57e2b96c0a185d844770ad49948) C:\Windows\system32\DRIVERS\igdkmd32.sys
    2011/06/07 13:55:54.0634 2112 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
    2011/06/07 13:55:54.0775 2112 int15 (c6e5276c00ebdeb096bb5ef4b797d1b6) C:\Windows\system32\drivers\int15.sys
    2011/06/07 13:55:54.0931 2112 IntcAzAudAddService (92bcc487f16892cda495dbd8160272d9) C:\Windows\system32\drivers\RTKVHDA.sys
    2011/06/07 13:55:54.0993 2112 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
    2011/06/07 13:55:55.0055 2112 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
    2011/06/07 13:55:55.0165 2112 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
    2011/06/07 13:55:55.0258 2112 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
    2011/06/07 13:55:55.0305 2112 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
    2011/06/07 13:55:55.0352 2112 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
    2011/06/07 13:55:55.0445 2112 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
    2011/06/07 13:55:55.0523 2112 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
    2011/06/07 13:55:55.0601 2112 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
    2011/06/07 13:55:55.0664 2112 itecir (20425664e2e196d339ca877e0387c023) C:\Windows\system32\DRIVERS\itecir.sys
    2011/06/07 13:55:55.0726 2112 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
    2011/06/07 13:55:55.0804 2112 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
    2011/06/07 13:55:55.0867 2112 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
    2011/06/07 13:55:55.0945 2112 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
    2011/06/07 13:55:56.0023 2112 L1E (24abddeb766c8459f9d562eb083b6cb8) C:\Windows\system32\DRIVERS\L1E60x86.sys
    2011/06/07 13:55:56.0163 2112 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
    2011/06/07 13:55:56.0272 2112 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
    2011/06/07 13:55:56.0335 2112 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
    2011/06/07 13:55:56.0397 2112 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
    2011/06/07 13:55:56.0475 2112 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
    2011/06/07 13:55:56.0537 2112 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
    2011/06/07 13:55:56.0600 2112 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
    2011/06/07 13:55:56.0725 2112 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
    2011/06/07 13:55:56.0787 2112 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
    2011/06/07 13:55:56.0834 2112 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
    2011/06/07 13:55:56.0881 2112 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
    2011/06/07 13:55:56.0959 2112 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
    2011/06/07 13:55:57.0005 2112 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
    2011/06/07 13:55:57.0052 2112 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
    2011/06/07 13:55:57.0130 2112 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
    2011/06/07 13:55:57.0224 2112 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
    2011/06/07 13:55:57.0302 2112 mrxsmb (5fe5cf325f5b02ebc60832d3440cb414) C:\Windows\system32\DRIVERS\mrxsmb.sys
    2011/06/07 13:55:57.0380 2112 mrxsmb10 (30b9c769446af379a2afb72b0392604d) C:\Windows\system32\DRIVERS\mrxsmb10.sys
    2011/06/07 13:55:57.0442 2112 mrxsmb20 (fea239b3ec4877e2b7e23204af589ddf) C:\Windows\system32\DRIVERS\mrxsmb20.sys
    2011/06/07 13:55:57.0505 2112 msahci (28023e86f17001f7cd9b15a5bc9ae07d) C:\Windows\system32\drivers\msahci.sys
    2011/06/07 13:55:57.0551 2112 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
    2011/06/07 13:55:57.0692 2112 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
    2011/06/07 13:55:57.0754 2112 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
    2011/06/07 13:55:57.0848 2112 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
    2011/06/07 13:55:57.0910 2112 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
    2011/06/07 13:55:57.0973 2112 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
    2011/06/07 13:55:58.0051 2112 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
    2011/06/07 13:55:58.0144 2112 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
    2011/06/07 13:55:58.0207 2112 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
    2011/06/07 13:55:58.0285 2112 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
    2011/06/07 13:55:58.0363 2112 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
    2011/06/07 13:55:58.0456 2112 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
    2011/06/07 13:55:58.0519 2112 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
    2011/06/07 13:55:58.0565 2112 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
    2011/06/07 13:55:58.0643 2112 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
    2011/06/07 13:55:58.0690 2112 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
    2011/06/07 13:55:58.0753 2112 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
    2011/06/07 13:55:58.0831 2112 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
    2011/06/07 13:55:59.0049 2112 NETw4v32 (caaea35dae7f4c19db05481dac22c2ba) C:\Windows\system32\DRIVERS\NETw4v32.sys
    2011/06/07 13:55:59.0221 2112 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
    2011/06/07 13:55:59.0299 2112 nmwcd (48fb907b069524f2dc7ba62a0762850c) C:\Windows\system32\drivers\ccdcmb.sys
    2011/06/07 13:55:59.0377 2112 nmwcdc (2914ceb789964141ac6e22c6bc980c42) C:\Windows\system32\drivers\ccdcmbo.sys
    2011/06/07 13:55:59.0486 2112 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
    2011/06/07 13:55:59.0548 2112 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
    2011/06/07 13:55:59.0642 2112 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
    2011/06/07 13:55:59.0798 2112 NTIDrvr (2757d2ba59aee155209e24942ab127c9) C:\Windows\system32\DRIVERS\NTIDrvr.sys
    2011/06/07 13:55:59.0876 2112 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
    2011/06/07 13:55:59.0938 2112 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
    2011/06/07 13:55:59.0985 2112 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
    2011/06/07 13:56:00.0032 2112 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
    2011/06/07 13:56:00.0141 2112 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
    2011/06/07 13:56:00.0359 2112 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
    2011/06/07 13:56:00.0469 2112 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
    2011/06/07 13:56:00.0547 2112 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
    2011/06/07 13:56:00.0609 2112 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
    2011/06/07 13:56:00.0703 2112 pccsmcfd (fd2041e9ba03db7764b2248f02475079) C:\Windows\system32\DRIVERS\pccsmcfd.sys
    2011/06/07 13:56:00.0827 2112 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
    2011/06/07 13:56:00.0890 2112 pciide (fc175f5ddab666d7f4d17449a547626f) C:\Windows\system32\drivers\pciide.sys
    2011/06/07 13:56:00.0937 2112 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
    2011/06/07 13:56:01.0030 2112 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
    2011/06/07 13:56:01.0249 2112 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
    2011/06/07 13:56:01.0295 2112 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
    2011/06/07 13:56:01.0451 2112 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
    2011/06/07 13:56:01.0545 2112 PSDFilter (ab94285ff6c6bc5433407d8d182a4bb4) C:\Windows\system32\DRIVERS\psdfilter.sys
    2011/06/07 13:56:01.0623 2112 PSDNServ (2aaf9a5d7a63d26bfaea853c5f2292bc) C:\Windows\system32\DRIVERS\PSDNServ.sys
    2011/06/07 13:56:01.0685 2112 psdvdisk (0eb8cec99855beae5b0d02c2302619ef) C:\Windows\system32\DRIVERS\PSDVdisk.sys
    2011/06/07 13:56:01.0763 2112 PxHelp20 (3a1a60b98ee567503c31bbff7ed96a79) C:\Windows\system32\Drivers\PxHelp20.sys
    2011/06/07 13:56:01.0857 2112 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
    2011/06/07 13:56:01.0935 2112 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
    2011/06/07 13:56:02.0044 2112 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
    2011/06/07 13:56:02.0075 2112 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
    2011/06/07 13:56:02.0169 2112 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
    2011/06/07 13:56:02.0278 2112 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
    2011/06/07 13:56:02.0356 2112 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
    2011/06/07 13:56:02.0419 2112 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
    2011/06/07 13:56:02.0543 2112 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
    2011/06/07 13:56:02.0621 2112 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
    2011/06/07 13:56:02.0684 2112 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
    2011/06/07 13:56:02.0746 2112 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
    2011/06/07 13:56:02.0871 2112 RFCOMM (6482707f9f4da0ecbab43b2e0398a101) C:\Windows\system32\DRIVERS\rfcomm.sys
    2011/06/07 13:56:02.0996 2112 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
    2011/06/07 13:56:03.0058 2112 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
    2011/06/07 13:56:03.0167 2112 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
    2011/06/07 13:56:03.0292 2112 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
    2011/06/07 13:56:03.0355 2112 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
    2011/06/07 13:56:03.0448 2112 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
    2011/06/07 13:56:03.0635 2112 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
    2011/06/07 13:56:03.0682 2112 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
    2011/06/07 13:56:03.0729 2112 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
    2011/06/07 13:56:03.0838 2112 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
    2011/06/07 13:56:03.0979 2112 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
    2011/06/07 13:56:04.0025 2112 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
    2011/06/07 13:56:04.0088 2112 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
    2011/06/07 13:56:04.0197 2112 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
    2011/06/07 13:56:04.0259 2112 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
    2011/06/07 13:56:04.0337 2112 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
    2011/06/07 13:56:04.0384 2112 srv2 (a5940ca32ed206f90be9fabdf6e92de4) C:\Windows\system32\DRIVERS\srv2.sys
    2011/06/07 13:56:04.0525 2112 srvnet (37aa1d560d5fa486c4b11c2f276ada61) C:\Windows\system32\DRIVERS\srvnet.sys
    2011/06/07 13:56:04.0649 2112 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
    2011/06/07 13:56:04.0759 2112 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
    2011/06/07 13:56:04.0837 2112 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
    2011/06/07 13:56:04.0883 2112 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
    2011/06/07 13:56:04.0961 2112 SynTP (93d33a3a0a4516584a1394c7821bae2e) C:\Windows\system32\DRIVERS\SynTP.sys
    2011/06/07 13:56:05.0133 2112 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
    2011/06/07 13:56:05.0273 2112 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys
    2011/06/07 13:56:05.0398 2112 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
    2011/06/07 13:56:05.0461 2112 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
    2011/06/07 13:56:05.0507 2112 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
    2011/06/07 13:56:05.0570 2112 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
    2011/06/07 13:56:05.0695 2112 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
    2011/06/07 13:56:05.0835 2112 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
    2011/06/07 13:56:05.0929 2112 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
    2011/06/07 13:56:06.0007 2112 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
    2011/06/07 13:56:06.0100 2112 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
    2011/06/07 13:56:06.0163 2112 UBHelper (f763e070843ee2803de1395002b42938) C:\Windows\system32\drivers\UBHelper.sys
    2011/06/07 13:56:06.0256 2112 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
    2011/06/07 13:56:06.0397 2112 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
    2011/06/07 13:56:06.0443 2112 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
    2011/06/07 13:56:06.0490 2112 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
    2011/06/07 13:56:06.0553 2112 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
    2011/06/07 13:56:06.0615 2112 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
    2011/06/07 13:56:06.0709 2112 upperdev (e526a166e6acafd0a9b3841d3941669e) C:\Windows\system32\DRIVERS\usbser_lowerflt.sys
    2011/06/07 13:56:06.0787 2112 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\Windows\system32\Drivers\usbaapl.sys
    2011/06/07 13:56:06.0880 2112 usbaudio (32db9517628ff0d070682aab61e688f0) C:\Windows\system32\drivers\usbaudio.sys
    2011/06/07 13:56:06.0958 2112 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
    2011/06/07 13:56:07.0036 2112 USBCCID (32c068eaf37c92d7194eee1faa1e7853) C:\Windows\system32\DRIVERS\usbccid.sys
    2011/06/07 13:56:07.0099 2112 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
    2011/06/07 13:56:07.0145 2112 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
    2011/06/07 13:56:07.0192 2112 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
    2011/06/07 13:56:07.0255 2112 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
    2011/06/07 13:56:07.0301 2112 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
    2011/06/07 13:56:07.0333 2112 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
    2011/06/07 13:56:07.0395 2112 usbser (d575246188f63de0accf6eac5fb59e6a) C:\Windows\system32\drivers\usbser.sys
    2011/06/07 13:56:07.0457 2112 UsbserFilt (6f3e3c6811b930d2414552a2e4a40f36) C:\Windows\system32\DRIVERS\usbser_lowerfltj.sys
    2011/06/07 13:56:07.0504 2112 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
    2011/06/07 13:56:07.0645 2112 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
    2011/06/07 13:56:07.0707 2112 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
    2011/06/07 13:56:07.0816 2112 vfs101x (4d45a93a7dd638ca2db0a86fbfbf42d1) C:\Windows\system32\drivers\vfs101x.sys
    2011/06/07 13:56:07.0894 2112 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
    2011/06/07 13:56:07.0941 2112 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
    2011/06/07 13:56:08.0003 2112 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
    2011/06/07 13:56:08.0066 2112 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
    2011/06/07 13:56:08.0113 2112 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
    2011/06/07 13:56:08.0159 2112 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
    2011/06/07 13:56:08.0222 2112 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
    2011/06/07 13:56:08.0300 2112 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
    2011/06/07 13:56:08.0393 2112 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
    2011/06/07 13:56:08.0487 2112 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
    2011/06/07 13:56:08.0581 2112 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
    2011/06/07 13:56:08.0596 2112 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
    2011/06/07 13:56:08.0721 2112 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
    2011/06/07 13:56:08.0799 2112 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
    2011/06/07 13:56:09.0080 2112 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
    2011/06/07 13:56:09.0236 2112 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
    2011/06/07 13:56:09.0314 2112 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
    2011/06/07 13:56:09.0423 2112 WudfPf (6f9b6c0c93232cff47d0f72d6db1d21e) C:\Windows\system32\drivers\WudfPf.sys
    2011/06/07 13:56:09.0470 2112 WUDFRd (f91ff1e51fca30b3c3981db7d5924252) C:\Windows\system32\DRIVERS\WUDFRd.sys
    2011/06/07 13:56:09.0626 2112 MBR (0x1B8) (7ef1d8f60c825021753283b6f782aa6f) \Device\Harddisk0\DR0
    2011/06/07 13:56:09.0626 2112 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2011/06/07 13:56:09.0641 2112 ================================================================================
    2011/06/07 13:56:09.0641 2112 Scan finished
    2011/06/07 13:56:09.0641 2112 ================================================================================
    2011/06/07 13:56:09.0673 5796 Detected object count: 1
    2011/06/07 13:56:09.0673 5796 Actual detected object count: 1
    2011/06/07 14:00:48.0569 5796 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
    2011/06/07 14:00:48.0616 5796 \Device\Harddisk0\DR0 - ok
    2011/06/07 14:00:48.0616 5796 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
    2011/06/07 14:01:03.0358 1660 Deinitialize success
     
    michaelac,
    #15
  17. 2011/06/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Well done :)

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    Click the "Scan" button to start scan:
    [​IMG]

    On completion of the scan click "Save log ", save it to your desktop and post in your next reply:
    [​IMG]

    ===================================================

    Please download Rootkit Unhooker from one of the following links and save it to your desktop.
    In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.

    • Double-click on RKUnhookerLE.exe to start the program.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • Click the Report tab, then click Scan.
    • Check Drivers, Stealth, and uncheck the rest.
    • Click OK.
    • Wait until it's finished and then go to File > Save Report.
    • Save the report to your Desktop.
    • Copy and paste the contents of the report into your next reply.
    -- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay? ".
     
    broni,
    #16
  18. 2011/06/07
    michaelac

    michaelac Inactive Thread Starter

    Joined:
    2011/06/06
    Messages:
    29
    Likes Received:
    0
    aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
    Run date: 2011-06-07 20:35:55
    -----------------------------
    20:35:55.193 OS Version: Windows 6.0.6002 Service Pack 2
    20:35:55.193 Number of processors: 2 586 0xF0D
    20:35:55.193 ComputerName: GEORGE-LAPTOP UserName: George
    20:35:58.812 Initialize success
    20:36:07.735 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
    20:36:07.735 Disk 0 Vendor: ST925082 3.AA Size: 238475MB BusType: 3
    20:36:07.766 Disk 0 MBR read successfully
    20:36:07.766 Disk 0 MBR scan
    20:36:07.766 Disk 0 unknown MBR code
    20:36:07.782 Disk 0 scanning sectors +488394752
    20:36:07.813 Disk 0 scanning C:\Windows\system32\drivers
    20:36:13.070 Service scanning
    20:36:14.896 Disk 0 trace - called modules:
    20:36:14.942 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
    20:36:14.942 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86edaa50]
    20:36:14.942 3 CLASSPNP.SYS[88fa28b3] -> nt!IofCallDriver -> [0x85e306c8]
    20:36:14.958 5 acpi.sys[8068e6bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x85e35028]
    20:36:14.958 Scan finished successfully
    20:36:34.411 Disk 0 MBR has been saved successfully to "C:\Users\George\My Dropbox\Shared-HLV\MBR.dat "
    20:36:34.411 The log file has been saved successfully to "C:\Users\George\My Dropbox\Shared-HLV\aswMBR.txt "
     
    michaelac,
    #17
  19. 2011/06/07
    michaelac

    michaelac Inactive Thread Starter

    Joined:
    2011/06/06
    Messages:
    29
    Likes Received:
    0
    RkU Version: 3.8.389.593, Type LE (SR2)
    ==============================================
    OS Name: Windows Vista
    Version 6.0.6002 (Service Pack 2)
    Number of processors #2
    ==============================================
    >Drivers
    ==============================================
    0x8CA07000 C:\Windows\system32\DRIVERS\igdkmd32.sys 7057408 bytes (Intel Corporation, Intel Graphics Kernel Mode Driver)
    0x8D60F000 C:\Windows\system32\DRIVERS\NETwLv32.sys 6680576 bytes (Intel Corporation, Intel® Wireless WiFi Link Driver)
    0x82E12000 C:\Windows\system32\ntkrnlpa.exe 3907584 bytes (Microsoft Corporation, NT Kernel & System)
    0x81AF0000 C:\Windows\System32\win32k.sys 2113536 bytes (Microsoft Corporation, Multi-User Win32 Driver)
    0x92A00000 C:\Windows\system32\drivers\RTKVHDA.sys 2072576 bytes (Realtek Semiconductor Corp., Realtek(r) High Definition Audio Function Driver)
    0x92C01000 C:\Windows\system32\DRIVERS\AGRSM.sys 1204224 bytes (Agere Systems, SoftModem Device Driver)
    0x88E05000 C:\Windows\System32\Drivers\Ntfs.sys 1114112 bytes (Microsoft Corporation, NT File System Driver)
    0x83A09000 C:\Windows\system32\drivers\ndis.sys 1093632 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)
    0x88C07000 C:\Windows\System32\drivers\tcpip.sys 958464 bytes (Microsoft Corporation, TCP/IP Driver)
    0x804D8000 C:\Windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)
    0xB0C65000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
    0x936BA000 C:\Windows\System32\Drivers\dump_iaStor.sys 819200 bytes
    0x83808000 C:\Windows\system32\DRIVERS\iaStor.sys 819200 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)
    0xAE40C000 C:\Windows\system32\drivers\spsys.sys 720896 bytes (Microsoft Corporation, security processor)
    0x8D0C2000 C:\Windows\System32\drivers\dxgkrnl.sys 655360 bytes (Microsoft Corporation, DirectX Graphics Kernel)
    0x8D408000 C:\Windows\system32\DRIVERS\HDAudBus.sys 577536 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
    0x83950000 C:\Windows\System32\Drivers\ksecdd.sys 462848 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
    0x80607000 C:\Windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
    0x92D67000 C:\Windows\System32\Drivers\aswSnx.SYS 458752 bytes (AVAST Software, avast! Virtualization Driver)
    0x8040E000 C:\Windows\system32\mcupdate_GenuineIntel.dll 458752 bytes (Microsoft Corporation, Intel Microcode Update Library)
    0xAE513000 C:\Windows\system32\drivers\HTTP.sys 446464 bytes (Microsoft Corporation, HTTP Protocol Stack)
    0x8DC72000 C:\Windows\system32\DRIVERS\itecir.sys 364544 bytes (ITE Tech. Inc. , ITE Consumer IR Driver for eHome)
    0xB0C0F000 C:\Windows\System32\DRIVERS\srv.sys 323584 bytes (Microsoft Corporation, Server driver)
    0x93608000 C:\Windows\System32\Drivers\aswSP.SYS 303104 bytes (AVAST Software, avast! self protection module)
    0x8072F000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
    0x83B7A000 C:\Windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
    0x80686000 C:\Windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)
    0x80497000 C:\Windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)
    0x8DD84000 C:\Windows\system32\DRIVERS\storport.sys 266240 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
    0x8D179000 C:\Windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
    0x807A6000 C:\Windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
    0x83B3F000 C:\Windows\system32\drivers\NETIO.SYS 241664 bytes (Microsoft Corporation, Network I/O Subsystem)
    0x88D45000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
    0x88F15000 C:\Windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
    0x937B6000 C:\Windows\system32\drivers\aswMonFlt.sys 229376 bytes (AVAST Software, avast! File System Minifilter for Windows 2003/Vista)
    0x8D547000 C:\Windows\system32\DRIVERS\usbhub.sys 217088 bytes (Microsoft Corporation, Default Hub Driver for USB)
    0x831CC000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
    0x83900000 C:\Windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
    0x83BC2000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
    0x8DD55000 C:\Windows\system32\DRIVERS\msiscsi.sys 192512 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
    0x8DCF3000 C:\Windows\system32\DRIVERS\SynTP.sys 192512 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
    0x8D58D000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
    0x83B14000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
    0x8D502000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
    0xAE4CC000 C:\Windows\system32\DRIVERS\nwifi.sys 172032 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
    0x88D96000 C:\Windows\System32\DRIVERS\srv2.sys 163840 bytes (Microsoft Corporation, Smb 2.0 Server driver)
    0x88F65000 C:\Windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)
    0x806DD000 C:\Windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
    0x8D5BA000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
    0x8D4A6000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
    0x88F9D000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)
    0xAE5CB000 C:\Windows\system32\drivers\mrxdav.sys 135168 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
    0x93676000 C:\Windows\System32\Drivers\usbvideo.sys 135168 bytes (Microsoft Corporation, USB Video Class Driver)
    0x8D5DF000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
    0x88D26000 C:\Windows\system32\DRIVERS\mrxsmb.sys 126976 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
    0x838D8000 C:\Windows\system32\drivers\ataport.SYS 122880 bytes (Microsoft Corporation, ATAPI Driver Extension)
    0xAE580000 C:\Windows\System32\DRIVERS\srvnet.sys 118784 bytes (Microsoft Corporation, Server Network driver)
    0x88CF1000 C:\Windows\System32\drivers\fwpkclnt.sys 110592 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
    0x9379B000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
    0x88D0C000 C:\Windows\system32\drivers\WudfPf.sys 106496 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
    0xAE59D000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
    0x8DD2F000 C:\Windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
    0x88D7E000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 98304 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
    0x807E2000 C:\Windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Namespace Client Driver)
    0x8DDD0000 C:\Windows\system32\DRIVERS\rasl2tp.sys 94208 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
    0x9365F000 C:\Windows\system32\DRIVERS\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
    0x93697000 C:\Windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)
    0x839C1000 C:\Windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS Packet Scheduler)
    0x88DD4000 C:\Windows\system32\DRIVERS\tdx.sys 90112 bytes (Microsoft Corporation, TDI Translation Driver)
    0xAE5B6000 C:\Windows\System32\drivers\mpsdrv.sys 86016 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
    0x8D4DD000 C:\Windows\system32\DRIVERS\rassstp.sys 86016 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
    0x8D4C9000 C:\Windows\system32\DRIVERS\raspptp.sys 81920 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
    0x88DEA000 C:\Windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)
    0x8DCCB000 C:\Windows\system32\DRIVERS\i8042prt.sys 77824 bytes (Microsoft Corporation, i8042 Port Driver)
    0xAE500000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
    0x839E5000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
    0xB0D4C000 C:\Windows\system32\DRIVERS\PSDVdisk.sys 73728 bytes (Egis Incorporated, Acer eDataSecurity Management PSD Virtual Disk Driver)
    0x88F8C000 C:\Windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
    0x8D495000 C:\Windows\system32\DRIVERS\L1E60x86.sys 69632 bytes (Atheros Communications, Inc., Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller)
    0x8D57C000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
    0x8047E000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
    0x83932000 C:\Windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)
    0x92D3F000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 65536 bytes (Microsoft Corporation, Hid Class Library)
    0xAE4BC000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
    0x8078E000 C:\Windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
    0x8D4F2000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Terminal Server Driver)
    0x88FE8000 C:\Windows\system32\DRIVERS\intelppm.sys 61440 bytes (Microsoft Corporation, Processor Device Driver)
    0x9378C000 C:\Windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)
    0x88F56000 C:\Windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)
    0x80704000 C:\Windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)
    0x8D600000 C:\Windows\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
    0x8D1B7000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
    0x80720000 C:\Windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)
    0x81D30000 C:\Windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)
    0x8D52C000 C:\Windows\system32\DRIVERS\circlass.sys 57344 bytes (Microsoft Corporation, Consumer IR Class Driver for eHome)
    0x839D7000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
    0x8D1D9000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
    0x80780000 C:\Windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
    0x80678000 C:\Windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
    0x936AD000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
    0x92D27000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
    0x8D53A000 C:\Windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
    0x93652000 C:\Windows\system32\drivers\vfs101x.sys 53248 bytes (Validity Sensors, Inc., Validity Fingerprint Scanner USB Driver)
    0xB0D68000 C:\Windows\System32\drivers\tcpipreg.sys 49152 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
    0x92DEE000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
    0x8D162000 C:\Windows\System32\drivers\watchdog.sys 49152 bytes (Microsoft Corporation, Watchdog Driver)
    0xB0D74000 C:\Users\George\AppData\Local\Temp\aswMBR.sys 45056 bytes
    0x92D34000 C:\Windows\system32\DRIVERS\hidir.sys 45056 bytes (Microsoft Corporation, Infrared Miniport Driver for Input Devices)
    0x8DCE8000 C:\Windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)
    0x8DD24000 C:\Windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class Driver)
    0x8D1CE000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
    0x8DDE7000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
    0x8DDC5000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
    0x88FD4000 C:\Windows\system32\DRIVERS\tunnel.sys 45056 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
    0x8D16E000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
    0x8D1F0000 C:\Windows\System32\Drivers\aswTdi.SYS 40960 bytes (AVAST Software, avast! TDI Filter Driver)
    0x80716000 C:\Windows\system32\DRIVERS\BATTC.SYS 40960 bytes (Microsoft Corporation, Battery Class Driver)
    0x8DCDE000 C:\Windows\system32\DRIVERS\DKbFltr.sys 40960 bytes (Dritek System Inc., Dritek PS2 Keyboard Filter Driver)
    0x93782000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
    0x838F6000 C:\Windows\system32\drivers\msahci.sys 40960 bytes (Microsoft Corporation, MS AHCI 1.0 Standard Driver)
    0x8DDF4000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
    0xAE4F6000 C:\Windows\system32\DRIVERS\ndisuio.sys 40960 bytes (Microsoft Corporation, NDIS User mode I/O driver)
    0x83BF4000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
    0xB0D5E000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
    0xB0D7F000 C:\Windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
    0x88FBE000 C:\Windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
    0x92DD7000 C:\Windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
    0x92D56000 C:\Windows\system32\DRIVERS\kbdhid.sys 36864 bytes (Microsoft Corporation, HID Keyboard Filter Driver)
    0x83942000 C:\Windows\system32\DRIVERS\psdfilter.sys 36864 bytes (Egis Incorporated, Acer eDataSecurity Management PSD Filter Driver)
    0xB0D43000 C:\Windows\system32\DRIVERS\PSDNServ.sys 36864 bytes (Egis Incorporated, Acer eDataSecurity Management PSD Named Pipe Driver)
    0x8D1E7000 C:\Windows\System32\DRIVERS\rasacd.sys 36864 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
    0x81D10000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
    0x88FDF000 C:\Windows\system32\DRIVERS\tunmp.sys 36864 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
    0x88FF7000 C:\Windows\system32\DRIVERS\wmiacpi.sys 36864 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
    0x806CC000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
    0x838D0000 C:\Windows\system32\drivers\atapi.sys 32768 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
    0x8048F000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
    0x92D5F000 C:\Windows\system32\DRIVERS\mouhid.sys 32768 bytes (Microsoft Corporation, HID Mouse Filter Driver)
    0x806D5000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
    0x8DD47000 C:\Windows\system32\DRIVERS\NTIDrvr.sys 32768 bytes (NewTech Infosystems, Inc., NTI CD-ROM Filter Driver)
    0x8D400000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
    0x8D1C6000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
    0x88F4E000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
    0x8079E000 C:\Windows\System32\Drivers\UBHelper.sys 32768 bytes (NewTech Infosystems Corporation, NTI CDROM Filter Driver)
    0x92DE7000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
    0x92D4F000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
    0xB0C5E000 C:\Windows\system32\drivers\int15.sys 28672 bytes (Acer, Inc., int15)
    0x80779000 C:\Windows\system32\drivers\intelide.sys 28672 bytes (Microsoft Corporation, Intel PCI IDE Driver)
    0x80407000 C:\Windows\system32\kdcom.dll 28672 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
    0x92DE0000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
    0x8DD4F000 C:\Windows\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
    0x92DFA000 C:\Windows\System32\Drivers\aswRdr.SYS 20480 bytes (AVAST Software, avast! TDI RDR Driver)
    0x8394B000 C:\Windows\System32\Drivers\PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
    0x8DC6E000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
    0x92BFA000 C:\PROGRA~1\LAUNCH~1\DPortIO.sys 16384 bytes (Dritek System Inc., General Port I/O)
    0x937EE000 C:\Windows\System32\Drivers\aswFsBlk.SYS 12288 bytes (AVAST Software, avast! File System Access Blocking Driver)
    0x80713000 C:\Windows\system32\DRIVERS\compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
    0x8DDF2000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
    0x8DD22000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
    ==============================================
    >Stealth
    ==============================================
     
    michaelac,
    #18
  20. 2011/06/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Looks good :)

    Please download ComboFix from [color= "Red"]Here[/color] or [color= "#FF0000"]Here[/color] to your Desktop.

    [color= "Blue"]**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**[/color]
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results ".
      • Click on [color= "Red"]this link[/color] to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • [color= "Red"]WARNING:[/color] Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results ". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion ", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
    broni,
    #19
  21. 2011/06/07
    michaelac

    michaelac Inactive Thread Starter

    Joined:
    2011/06/06
    Messages:
    29
    Likes Received:
    0
    ComboFix 11-06-06.07 - George 08/06/2011 12:07:06.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2038.724 [GMT 10:00]
    Running from: c:\users\George\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\George\AppData\Roaming\ntuser.dat
    c:\users\George\g2mdlhlpx.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-08 to 2011-06-08 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-08 02:18 . 2011-06-08 02:18 -------- d-----w- c:\users\George\AppData\Local\temp
    2011-06-08 02:18 . 2011-06-08 02:18 -------- d-----w- c:\users\Herbalife\AppData\Local\temp
    2011-06-08 02:18 . 2011-06-08 02:18 -------- d-----w- c:\users\Evan\AppData\Local\temp
    2011-06-08 02:18 . 2011-06-08 02:18 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-06-08 01:20 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E1C82F4A-E817-49BF-9D9F-EEDE10D7BB54}\mpengine.dll
    2011-06-07 06:30 . 2011-06-07 06:30 -------- d-----w- c:\program files\Defraggler
    2011-06-07 05:51 . 2011-06-07 05:51 -------- d-----w- c:\program files\Common Files\Intel
    2011-06-07 05:36 . 2011-06-07 05:36 -------- d-----w- c:\program files\SystemRequirementsLab
    2011-06-07 04:29 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-06-06 11:43 . 2011-06-06 11:43 -------- d-----w- c:\program files\CCleaner
    2011-06-06 11:07 . 2011-06-06 11:07 -------- d-----w- c:\program files\Speccy
    2011-06-06 10:14 . 2011-06-06 10:14 0 ---ha-w- c:\users\George\AppData\Local\BITC94C.tmp
    2011-06-02 00:24 . 2011-06-02 00:24 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-31 00:08 . 2011-06-05 03:15 -------- d-----w- c:\programdata\mD28258LfMkB28258
    2011-05-30 02:52 . 2011-05-30 02:52 -------- d-----w- c:\users\George\AppData\Local\Apple Computer
    2011-05-24 00:08 . 2011-05-24 00:08 -------- d-----w- C:\Adobe
    2011-05-18 13:21 . 2011-05-18 13:21 -------- d-----w- c:\program files\Real
    2011-05-18 03:54 . 2011-05-18 03:54 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Adobe
    2011-05-15 12:57 . 2011-05-15 12:58 -------- d-----w- c:\program files\iTunes(154)
    2011-05-13 09:55 . 2011-05-21 00:01 -------- d-----w- c:\programdata\aM34811JgHmH34811
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-28 23:11 . 2011-04-19 07:52 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-28 23:11 . 2011-04-19 07:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-24 09:14 . 2009-10-03 05:54 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-05-10 12:10 . 2010-06-29 13:38 40112 ----a-w- c:\windows\avastSS.scr
    2011-05-10 12:10 . 2009-04-23 01:56 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-05-10 12:03 . 2011-03-23 08:11 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-05-10 12:03 . 2009-04-23 01:57 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-05-10 12:02 . 2009-04-23 01:57 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-05-10 11:59 . 2009-04-23 01:57 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-05-10 11:59 . 2009-04-23 01:56 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-05-10 11:59 . 2009-04-23 01:57 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-03-30 22:39 . 2010-06-24 00:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-03-12 21:55 . 2011-04-27 22:41 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-03-10 17:03 . 2011-04-13 02:27 1162240 ----a-w- c:\windows\system32\mfc42u.dll
    2011-03-10 17:03 . 2011-04-13 02:27 1136640 ----a-w- c:\windows\system32\mfc42.dll
    2011-04-30 01:53 . 2011-03-23 23:09 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @= "{472083B0-C522-11CF-8763-00608CC02F24} "
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @= "{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} "
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\George\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @= "{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} "
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\George\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @= "{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} "
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\George\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @= "{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} "
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\George\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
    @= "{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA} "
    [HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
    2008-03-05 06:38 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM "= "c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-05-16 213936]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl "= "RtHDVCpl.exe" [2008-03-11 5296128]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-04 1037608]
    "ePower_DMC "= "c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-03-12 397312]
    "eDataSecurity Loader "= "c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-03-05 526896]
    "IAAnotif "= "c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-10-03 178712]
    "PLFSetI "= "c:\windows\PLFSetI.exe" [2007-10-23 200704]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
    "avast "= "c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-05-10 3459712]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    .
    c:\users\George\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\George\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-26 24176560]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-24 723760]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA "= 0 (0x0)
    "EnableUIADesktopToggle "= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux6 "=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @= "Service "
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring "=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1683990558-1774061058-3973947450-1000]
    "EnableNotifications "=dword:00000001
    "EnableNotificationsRef "=dword:00000002
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 135664]
    R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-02-26 131072]
    R3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [2009-12-18 11336]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 135664]
    R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-16 3668480]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-05-10 53592]
    S2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-02-26 21752]
    S2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-03-21 24576]
    S2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-02-25 49152]
    S2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [2008-01-10 233472]
    S2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2008-04-22 599344]
    S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2010-03-07 62496]
    S3 NETwLv32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETwLv32.sys [2010-10-06 6639616]
    S3 vfs101x;vfs101x;c:\windows\system32\drivers\vfs101x.sys [2008-04-22 40752]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc2184e61cf292.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 23:54]
    .
    2011-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 23:54]
    .
    2011-06-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1683990558-1774061058-3973947450-1000Core.job
    - c:\users\George\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-13 23:54]
    .
    2011-06-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1683990558-1774061058-3973947450-1000UA.job
    - c:\users\George\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-13 23:54]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    mStart Page = hxxp://www.yahoo.com
    uInternet Settings,ProxyOverride = *.local
    IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 10.1.1.1
    FF - ProfilePath - c:\users\George\AppData\Roaming\Mozilla\Firefox\Profiles\rvvnwmxv.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2405280&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=toolbar2&q=
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-eRecoveryService - (no file)
    SafeBoot-WudfPf
    SafeBoot-WudfRd
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-08 12:18
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000
    .
    Completion time: 2011-06-08 12:22:32
    ComboFix-quarantined-files.txt 2011-06-08 02:22
    .
    Pre-Run: 26,011,230,208 bytes free
    Post-Run: 25,915,449,344 bytes free
    .
    Current=5 Default=5 Failed=1 LastKnownGood=8 Sets=1,2,3,4,5,6,7,8
    - - End Of File - - 13BACE1278723B7094B094DAE77A167F
     
    michaelac,
    #20
Page 1 of 3

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...