
Solved Cannot clear Fraud.XPAntivirus from computer

Discussion in 'Malware and Virus Removal Archive' started by AlanR, 2011/06/07.

  1. 2011/06/07
    AlanR (Well-Known Member, Thread Starter)

    [Resolved] Cannot clear Fraud.XPAntivirus from computer

    Hello again, I am in need of some guidance once more.

    Problem:
    My Search and Destroy (S&D) program is showing the following
    after a scan for a 'Check for Problems':

    Fraud.XPAntivirus (1 Entries Browser)
    Bookmark (Firefox:Alan (Default)
    Index.php (http://www.malwareremovalbot.com/inde... (in black text) and a 'Yellow Star'


    I have clicked 'Fix Selected Problems' a few times now and I
    thought that S&D had fixed the two items...but the problem is still
    showing following a new scan directly afterwards, with or without rebooting
    my computer.

    Other findings:
    I have completed a Full scan with my 'MalwareBytes' program and this
    found no infections.

    Comments:
    I have read a number of threads on the S&D forum, the conclusion of
    which was not clear to me. Some thought that this was just an annoying
    infection. Others were claiming 'Calamity' and that even if you cleared
    the infection some of the computers ports would be left open, and so
    it would be necessary to reformat and reinstall Windows???

    I find it curious that S&D have not been able to effect a defence or
    even a cure for this, given the number of people that are affected.


    So please could I ask for your guidance and help with this.

    Many thanks in advance.

    Alan
     
  2. 2011/06/07
    PeteC (SuperGeek, Staff)

    Alan

    You should know the drill by now :)

    Please read this as indicated at the head of the forum and post the logs requested in this thread.
     


  4. 2011/06/08
    AlanR (Well-Known Member, Thread Starter)

    Fraud.XPAntivirusbot

    Hello Peter, good to hear from you, yes I'm getting the drift of things :)

    I have completed a full system scan using 'Avast Free Edition'...No Infections.

    I have completed a scan as requested with Malwarebytes...No Infection. The log is here below:

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6809

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 9.0.8112.16421

    08/06/2011 13:47:45
    mbam-log-2011-06-08 (13-47-45).txt

    Scan type: Quick scan
    Objects scanned: 142978
    Time elapsed: 4 minute(s), 8 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    The other logs follow.
     
  5. 2011/06/08
    AlanR (Well-Known Member, Thread Starter)

    Fraud.XPAntivirusbot

    Section 1 of 3


    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit scan 2011-06-08 14:47:14
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3250310AS rev.4.ADA
    Running: 6rkt8ue1.exe; Driver: C:\Users\Alan\AppData\Local\Temp\pxldrpog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8CB5B202]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8CB5D81C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8CB5D874]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8CB5D98A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8CB5D772]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8CB5D8C4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8CB5D7C6]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8CB5D938]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8CB5B226]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8CB5AFF0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8CB5B24A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8CB5DD82]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8CB5BCDA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8CB5D84C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8CB5D89C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8CB5D9B4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8CB5D79E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8CB5D904]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8CB5D7F4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8CB5D962]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8CB5BBA0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8CB5B26E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8CB5B292]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8CB5B04A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8CB5B186]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8CB5B162]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8CB5B1AA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8CB5B2B6]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8CFBF902]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!KeSetEvent + 10D 826CA890 4 Bytes [02, B2, B5, 8C]
    .text ntkrnlpa.exe!KeSetEvent + 1D1 826CA954 8 Bytes [1C, D8, B5, 8C, 74, D8, B5, ...] {SBB AL, 0xd8; MOV CH, 0x8c; JZ 0xffffffffffffffde; MOV CH, 0x8c}
    .text ntkrnlpa.exe!KeSetEvent + 1DD 826CA960 4 Bytes [8A, D9, B5, 8C] {MOV BL, CL; MOV CH, 0x8c}
    .text ntkrnlpa.exe!KeSetEvent + 1F5 826CA978 4 Bytes [72, D7, B5, 8C] {JB 0xffffffffffffffd9; MOV CH, 0x8c}
    .text ntkrnlpa.exe!KeSetEvent + 215 826CA998 8 Bytes [C4, D8, B5, 8C, C6, D7, B5, ...]
    .text ...
    PAGE ntkrnlpa.exe!ObMakeTemporaryObject 827F55C7 5 Bytes JMP 8CFBB2BE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ObInsertObject 8284E4F3 5 Bytes JMP 8CFBCD5C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 82857E18 4 Bytes CALL 8CB5C34B \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 8285BA8C 4 Bytes CALL 8CB5C361 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 828AFDAE 7 Bytes JMP 8CFBF906 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\System32\svchost.exe[340] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 000501F8
    .text C:\Windows\System32\svchost.exe[340] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 000503FC
    .text C:\Windows\System32\svchost.exe[340] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[340] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 000703FC
    .text C:\Windows\System32\svchost.exe[340] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 00070600
    .text C:\Windows\System32\svchost.exe[340] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 00071014
    .text C:\Windows\System32\svchost.exe[340] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 00070804
    .text C:\Windows\System32\svchost.exe[340] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 00070A08
    .text C:\Windows\System32\svchost.exe[340] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 00070C0C
    .text C:\Windows\System32\svchost.exe[340] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 5 Bytes JMP 00070E10
    .text C:\Windows\System32\svchost.exe[340] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 000701F8
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[428] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 001501F8
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[428] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 001503FC
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[428] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[428] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 00170600
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[428] USER32.dll!SetWindowsHookExW 773387AD 5 Bytes JMP 00170804
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[428] USER32.dll!UnhookWindowsHookEx 773398DB 5 Bytes JMP 00170A08
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[428] USER32.dll!SetWinEventHook 77339F3A 5 Bytes JMP 001701F8
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[428] USER32.dll!UnhookWinEvent 7733C06F 5 Bytes JMP 001703FC
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[428] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 001803FC
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[428] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 00180600
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[428] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 00181014
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[428] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 00180804
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[428] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 00180A08
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[428] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 00180C0C
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[428] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 5 Bytes JMP 00180E10
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[428] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 001801F8
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[448] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 001501F8
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[448] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 001503FC
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[448] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[448] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 001803FC
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[448] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 00180600
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[448] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 00181014
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[448] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 00180804
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[448] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 00180A08
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[448] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 00180C0C
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[448] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 5 Bytes JMP 00180E10
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[448] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 001801F8
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[448] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 001A0600
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[448] USER32.dll!SetWindowsHookExW 773387AD 5 Bytes JMP 001A0804
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[448] USER32.dll!UnhookWindowsHookEx 773398DB 5 Bytes JMP 001A0A08
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[448] USER32.dll!SetWinEventHook 77339F3A 5 Bytes JMP 001A01F8
    .text C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe[448] USER32.dll!UnhookWinEvent 7733C06F 5 Bytes JMP 001A03FC
    .text C:\Windows\system32\csrss.exe[480] KERNEL32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Windows\system32\wininit.exe[524] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 000301F8
    .text C:\Windows\system32\wininit.exe[524] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 000303FC
    .text C:\Windows\system32\wininit.exe[524] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Windows\system32\wininit.exe[524] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 000503FC
    .text C:\Windows\system32\wininit.exe[524] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 00050600
    .text C:\Windows\system32\wininit.exe[524] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 00051014
    .text C:\Windows\system32\wininit.exe[524] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 00050804
    .text C:\Windows\system32\wininit.exe[524] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 00050A08
    .text C:\Windows\system32\wininit.exe[524] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 00050C0C
    .text C:\Windows\system32\wininit.exe[524] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 5 Bytes JMP 00050E10
    .text C:\Windows\system32\wininit.exe[524] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 000501F8
    .text C:\Windows\system32\wininit.exe[524] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 00060600
    .text C:\Windows\system32\wininit.exe[524] USER32.dll!SetWindowsHookExW 773387AD 5 Bytes JMP 00060804
    .text C:\Windows\system32\wininit.exe[524] USER32.dll!UnhookWindowsHookEx 773398DB 5 Bytes JMP 00060A08
    .text C:\Windows\system32\wininit.exe[524] USER32.dll!SetWinEventHook 77339F3A 5 Bytes JMP 000601F8
    .text C:\Windows\system32\wininit.exe[524] USER32.dll!UnhookWinEvent 7733C06F 5 Bytes JMP 000603FC
    .text C:\Windows\system32\csrss.exe[536] KERNEL32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Windows\system32\services.exe[568] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\services.exe[568] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\services.exe[568] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Windows\system32\services.exe[568] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 000B03FC
    .text C:\Windows\system32\services.exe[568] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 000B0600
    .text C:\Windows\system32\services.exe[568] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 000B1014
    .text C:\Windows\system32\services.exe[568] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 000B0804
    .text C:\Windows\system32\services.exe[568] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 000B0A08
    .text C:\Windows\system32\services.exe[568] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 000B0C0C
    .text C:\Windows\system32\services.exe[568] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 5 Bytes JMP 000B0E10
    .text C:\Windows\system32\services.exe[568] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 000B01F8
    .text C:\Windows\system32\services.exe[568] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 000C0600
    .text C:\Windows\system32\services.exe[568] USER32.dll!SetWindowsHookExW 773387AD 5 Bytes JMP 000C0804
    .text C:\Windows\system32\services.exe[568] USER32.dll!UnhookWindowsHookEx 773398DB 5 Bytes JMP 000C0A08
    .text C:\Windows\system32\services.exe[568] USER32.dll!SetWinEventHook 77339F3A 5 Bytes JMP 000C01F8
    .text C:\Windows\system32\services.exe[568] USER32.dll!UnhookWinEvent 7733C06F 5 Bytes JMP 000C03FC
    .text C:\Windows\system32\winlogon.exe[596] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 000301F8
    .text C:\Windows\system32\winlogon.exe[596] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 000303FC
    .text C:\Windows\system32\winlogon.exe[596] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Windows\system32\winlogon.exe[596] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 000503FC
    .text C:\Windows\system32\winlogon.exe[596] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 00050600
    .text C:\Windows\system32\winlogon.exe[596] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 00051014
    .text C:\Windows\system32\winlogon.exe[596] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 00050804
    .text C:\Windows\system32\winlogon.exe[596] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 00050A08
    .text C:\Windows\system32\winlogon.exe[596] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 00050C0C
    .text C:\Windows\system32\winlogon.exe[596] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 5 Bytes JMP 00050E10
    .text C:\Windows\system32\winlogon.exe[596] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 000501F8
    .text C:\Windows\system32\winlogon.exe[596] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 00060600
    .text C:\Windows\system32\winlogon.exe[596] USER32.dll!SetWindowsHookExW 773387AD 5 Bytes JMP 00060804
    .text C:\Windows\system32\winlogon.exe[596] USER32.dll!UnhookWindowsHookEx 773398DB 5 Bytes JMP 00060A08
    .text C:\Windows\system32\winlogon.exe[596] USER32.dll!SetWinEventHook 77339F3A 5 Bytes JMP 000601F8
    .text C:\Windows\system32\winlogon.exe[596] USER32.dll!UnhookWinEvent 7733C06F 5 Bytes JMP 000603FC
    .text C:\Windows\system32\lsass.exe[612] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\lsass.exe[612] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\lsass.exe[612] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 000B03FC
    .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 000B0600
    .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 000B1014
    .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 000B0804
    .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 000B0A08
    .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 000B0C0C
    .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 5 Bytes JMP 000B0E10
    .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 000B01F8
    .text C:\Windows\system32\lsass.exe[612] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 000C0600
    .text C:\Windows\system32\lsass.exe[612] USER32.dll!SetWindowsHookExW 773387AD 5 Bytes JMP 000C0804
    .text C:\Windows\system32\lsass.exe[612] USER32.dll!UnhookWindowsHookEx 773398DB 5 Bytes JMP 000C0A08
    .text C:\Windows\system32\lsass.exe[612] USER32.dll!SetWinEventHook 77339F3A 5 Bytes JMP 000C01F8
    .text C:\Windows\system32\lsass.exe[612] USER32.dll!UnhookWinEvent 7733C06F 5 Bytes JMP 000C03FC
    .text C:\Windows\system32\lsm.exe[620] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\lsm.exe[620] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\lsm.exe[620] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\svchost.exe[776] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[776] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[776] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[776] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\svchost.exe[776] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\svchost.exe[776] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\svchost.exe[776] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\svchost.exe[776] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\svchost.exe[776] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\svchost.exe[776] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\svchost.exe[776] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\svchost.exe[776] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 00190600
    .text C:\Windows\system32\svchost.exe[776] USER32.dll!SetWindowsHookExW 773387AD 5 Bytes JMP 00190804
    .text C:\Windows\system32\svchost.exe[776] USER32.dll!UnhookWindowsHookEx 773398DB 5 Bytes JMP 00190A08
    .text C:\Windows\system32\svchost.exe[776] USER32.dll!SetWinEventHook 77339F3A 5 Bytes JMP 001901F8
    .text C:\Windows\system32\svchost.exe[776] USER32.dll!UnhookWinEvent 7733C06F 5 Bytes JMP 001903FC
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mcomm.exe[852] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 001501F8
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mcomm.exe[852] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 001503FC
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mcomm.exe[852] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mcomm.exe[852] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 001803FC
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mcomm.exe[852] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 00180600
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mcomm.exe[852] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 00181014
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mcomm.exe[852] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 00180804
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mcomm.exe[852] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 00180A08
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mcomm.exe[852] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 00180C0C
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mcomm.exe[852] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 5 Bytes JMP 00180E10
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mcomm.exe[852] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 001801F8
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mcomm.exe[852] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 00190600
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mcomm.exe[852] USER32.dll!SetWindowsHookExW 773387AD 5 Bytes JMP 00190804
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mcomm.exe[852] USER32.dll!UnhookWindowsHookEx 773398DB 5 Bytes JMP 00190A08
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mcomm.exe[852] USER32.dll!SetWinEventHook 77339F3A 5 Bytes JMP 001901F8
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mcomm.exe[852] USER32.dll!UnhookWinEvent 7733C06F 5 Bytes JMP 001903FC
    .text C:\Windows\system32\svchost.exe[856] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[856] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[856] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\svchost.exe[856] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 00970600
    .text C:\Windows\system32\svchost.exe[856] USER32.dll!SetWindowsHookExW 773387AD 5 Bytes JMP 00970804
    .text C:\Windows\system32\svchost.exe[856] USER32.dll!UnhookWindowsHookEx 773398DB 5 Bytes JMP 00970A08
    .text C:\Windows\system32\svchost.exe[856] USER32.dll!SetWinEventHook 77339F3A 5 Bytes JMP 009701F8
    .text C:\Windows\system32\svchost.exe[856] USER32.dll!UnhookWinEvent 7733C06F 5 Bytes JMP 009703FC
    .text C:\Windows\System32\svchost.exe[980] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 000501F8
    .text C:\Windows\System32\svchost.exe[980] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 000503FC
    .text C:\Windows\System32\svchost.exe[980] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[980] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 000703FC
    .text C:\Windows\System32\svchost.exe[980] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 00070600
    .text C:\Windows\System32\svchost.exe[980] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 00071014
    .text C:\Windows\System32\svchost.exe[980] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 00070804
    .text C:\Windows\System32\svchost.exe[980] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 00070A08
    .text C:\Windows\System32\svchost.exe[980] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 00070C0C
    .text C:\Windows\System32\svchost.exe[980] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 5 Bytes JMP 00070E10
    .text C:\Windows\System32\svchost.exe[980] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 000701F8
    .text C:\Windows\System32\svchost.exe[980] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 001C0600
     
  6. 2011/06/08
    AlanR

    AlanR Well-Known Member Thread Starter

    GMER
    Section 2 of 3


    .text C:\Windows\System32\igfxpers.exe[3508] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 00180600
    .text C:\Windows\System32\igfxpers.exe[3508] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 00181014
    .text C:\Windows\System32\igfxpers.exe[3508] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 00180804
    .text C:\Windows\System32\igfxpers.exe[3508] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 00180A08
    .text C:\Windows\System32\igfxpers.exe[3508] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 00180C0C
    .text C:\Windows\System32\igfxpers.exe[3508] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 5 Bytes JMP 00180E10
    .text C:\Windows\System32\igfxpers.exe[3508] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 001801F8
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3516] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 001501F8
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3516] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 001503FC
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3516] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3516] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 00180600
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3516] USER32.dll!SetWindowsHookExW 773387AD 5 Bytes JMP 00180804
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3516] USER32.dll!UnhookWindowsHookEx 773398DB 5 Bytes JMP 00180A08
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3516] USER32.dll!SetWinEventHook 77339F3A 5 Bytes JMP 001801F8
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3516] USER32.dll!UnhookWinEvent 7733C06F 5 Bytes JMP 001803FC
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3516] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 001903FC
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3516] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 00190600
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3516] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 00191014
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3516] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 00190804
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3516] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 00190A08
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3516] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 00190C0C
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3516] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 5 Bytes JMP 00190E10
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3516] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 001901F8
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3524] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 001501F8
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3524] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 001503FC
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3524] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3524] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 001703FC
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3524] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 00170600
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3524] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 00171014
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3524] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 00170804
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3524] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 00170A08
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3524] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 00170C0C
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3524] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 3 Bytes JMP 00170E10
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3524] ADVAPI32.dll!ChangeServiceConfig2W + 4 779671E5 1 Byte [88]
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3524] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 001701F8
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3524] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 00180600
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3524] USER32.dll!SetWindowsHookExW 773387AD 5 Bytes JMP 00180804
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3524] USER32.dll!UnhookWindowsHookEx 773398DB 5 Bytes JMP 00180A08
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3524] USER32.dll!SetWinEventHook 77339F3A 5 Bytes JMP 001801F8
    .text C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe[3524] USER32.dll!UnhookWinEvent 7733C06F 5 Bytes JMP 001803FC
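
A triage helper for GMER output of the kind posted above, added here as an example; it is not part of AlanR's post and not code from GMER. Every ".text ... 5 Bytes JMP <target>" line means the first five bytes of that exported function inside that process were overwritten with a near jump to <target>, and every "1 Byte [62]" line is a single patched byte at a fixed offset. What matters for triage is not each line but the pattern: which processes carry which hooks, whether the same API set is hooked everywhere, whether the JMP targets sit at the same offsets in every process (one hooking DLL laying out the same trampoline block per process), and which IAT entries GMER could not map back to a named module. The parser below pulls those answers out of the log. The sample lines are copied from the log on this page; the regular expressions assume the line shapes of this GMER 1.0.15 output (an assumption), and the code does not decide whether a hook is benign: that decision comes from identifying the module that owns the target address, which GMER already did for the gdiplus IAT entries (the path and "(Microsoft GDI+/Microsoft Corporation)" suffix) and did not do for the services.exe entries.

```python
"""Summarise GMER user-mode hook lines for triage.

Added example, not code from the original thread or from GMER.  Handles the
four line shapes seen in the log on this page (assumed GMER 1.0.15 format):

  .text <image>[<pid>] <mod>!<func>[ + <off>] <addr> <n> Bytes JMP <target>
  .text <image>[<pid>] <mod>!<func>[ + <off>] <addr> <n> Byte [<hex>]
  IAT <image>[<pid>] @ <owner> [<mod>!<func>] <target>
  IAT <image>[<pid>] @ <owner> [<mod>!<func>] [<target>] <path> (<description>)
"""
import re
from collections import defaultdict

TEXT_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)(?:\s\+\s(?P<off>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes?\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[(?P<patch>[0-9A-Fa-f ]+)\])\s*$"
)
IAT_RE = re.compile(
    r"^IAT\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<owner>.+?)\s+"
    r"\[(?P<module>[^!\]]+)!(?P<func>[^\]]+)\]\s+"
    r"(?:\[(?P<target>[0-9A-Fa-f]{8})\]\s+(?P<resolved>.+)|(?P<target2>[0-9A-Fa-f]{8}))\s*$"
)

# Sample input: lines copied from the GMER log in this thread, plus one header
# line and a blank line to show that non-hook lines are skipped.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[3220] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
.text C:\Windows\Explorer.EXE[3220] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 000703FC
.text C:\Windows\Explorer.EXE[3220] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 00080600
.text C:\Windows\System32\hkcmd.exe[3500] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 001501F8
.text C:\Windows\System32\hkcmd.exe[3500] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
.text C:\Windows\System32\hkcmd.exe[3500] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 001A03FC
.text C:\Windows\System32\hkcmd.exe[3500] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 00180600
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3584] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
.text C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe[3592] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
.text C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe[3592] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 3 Bytes JMP 00170E10
.text C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe[3592] ADVAPI32.dll!ChangeServiceConfig2W + 4 779671E5 1 Byte [88]
IAT C:\Windows\system32\services.exe[568] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00B60002
IAT C:\Windows\Explorer.EXE[3220] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74877817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
"""


def parse_gmer(text):
    """Return one record per '.text' or 'IAT' line; other lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = TEXT_RE.match(line)
        if m:
            d = m.groupdict()
            records.append({
                "kind": "inline",
                "process": f"{d['image']}[{d['pid']}]",
                "api": f"{d['module']}!{d['func']}" + (f" + {d['off']}" if d["off"] else ""),
                "target": d["target"],      # JMP destination, None for a raw byte patch
                "patch": d["patch"],        # patched bytes, None for a JMP
                "resolved": None,
            })
            continue
        m = IAT_RE.match(line)
        if m:
            d = m.groupdict()
            records.append({
                "kind": "iat",
                "process": f"{d['image']}[{d['pid']}]",
                "api": f"{d['module']}!{d['func']}",
                "target": d["target"] or d["target2"],
                "patch": None,
                "resolved": d["resolved"],  # module GMER mapped the pointer to, else None
            })
    return records


def hooks_by_process(records):
    """Map each hooked process to the set of APIs GMER saw patched in it."""
    by = defaultdict(set)
    for r in records:
        if r["kind"] == "inline":
            by[r["process"]].add(r["api"])
    return dict(by)


def common_hook_set(records):
    """APIs hooked in every process: the footprint of a system-wide hooking DLL."""
    sets = list(hooks_by_process(records).values())
    return set.intersection(*sets) if sets else set()


def trampoline_slots(records):
    """Low 16 bits of each API's JMP target, per API, across all processes.
    One offset per API means every process got the same trampoline layout."""
    slots = defaultdict(set)
    for r in records:
        if r["kind"] == "inline" and r["target"]:
            slots[r["api"]].add(int(r["target"], 16) & 0xFFFF)
    return dict(slots)


def unresolved_iat(records):
    """IAT entries GMER could not map to a named module: investigate these first."""
    return [r for r in records if r["kind"] == "iat" and not r["resolved"]]


if __name__ == "__main__":
    recs = parse_gmer(SAMPLE_LOG)
    for proc, apis in sorted(hooks_by_process(recs).items()):
        print(f"{proc}: {len(apis)} hooked API(s)")
    print("hooked everywhere:", sorted(common_hook_set(recs)))
    print("trampoline slots:", {k: sorted(hex(v) for v in s) for k, s in trampoline_slots(recs).items()})
    for r in unresolved_iat(recs):
        print("unresolved IAT:", r["process"], r["api"], "->", r["target"])
```

Run against the full log rather than the sample, the interesting outputs are the single API hooked in AvastUI.exe versus the full set in every other process, the identical per-API slot offsets (03FC, 0600, 01F8 and so on) in each process, and the two services.exe IAT entries pointing at 00B6000x with no module name. Resolving those two addresses to a loaded module is the check that decides what installed the hooks.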
     
  7. 2011/06/08
    AlanR

    AlanR Well-Known Member Thread Starter

    Joined:
    2008/02/28
    Messages:
    48
    Likes Received:
    0
    GMER
    Section 3 of 3


    .text C:\Windows\system32\igfxsrvc.exe[3556] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 001501F8
    .text C:\Windows\system32\igfxsrvc.exe[3556] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 001503FC
    .text C:\Windows\system32\igfxsrvc.exe[3556] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Windows\system32\igfxsrvc.exe[3556] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 00170600
    .text C:\Windows\system32\igfxsrvc.exe[3556] USER32.dll!SetWindowsHookExW 773387AD 5 Bytes JMP 00170804
    .text C:\Windows\system32\igfxsrvc.exe[3556] USER32.dll!UnhookWindowsHookEx 773398DB 5 Bytes JMP 00170A08
    .text C:\Windows\system32\igfxsrvc.exe[3556] USER32.dll!SetWinEventHook 77339F3A 5 Bytes JMP 001701F8
    .text C:\Windows\system32\igfxsrvc.exe[3556] USER32.dll!UnhookWinEvent 7733C06F 5 Bytes JMP 001703FC
    .text C:\Windows\system32\igfxsrvc.exe[3556] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 001803FC
    .text C:\Windows\system32\igfxsrvc.exe[3556] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 00180600
    .text C:\Windows\system32\igfxsrvc.exe[3556] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 00181014
    .text C:\Windows\system32\igfxsrvc.exe[3556] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 00180804
    .text C:\Windows\system32\igfxsrvc.exe[3556] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 00180A08
    .text C:\Windows\system32\igfxsrvc.exe[3556] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 00180C0C
    .text C:\Windows\system32\igfxsrvc.exe[3556] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 5 Bytes JMP 00180E10
    .text C:\Windows\system32\igfxsrvc.exe[3556] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 001801F8
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3572] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 001601F8
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3572] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 001603FC
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3572] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3572] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 001703FC
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3572] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 00170600
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3572] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 00171014
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3572] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 00170804
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3572] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 00170A08
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3572] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 00170C0C
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3572] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 3 Bytes JMP 00170E10
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3572] ADVAPI32.dll!ChangeServiceConfig2W + 4 779671E5 1 Byte [88]
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3572] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 001701F8
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3572] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 00180600
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3572] USER32.dll!SetWindowsHookExW 773387AD 5 Bytes JMP 00180804
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3572] USER32.dll!UnhookWindowsHookEx 773398DB 5 Bytes JMP 00180A08
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3572] USER32.dll!SetWinEventHook 77339F3A 5 Bytes JMP 001801F8
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3572] USER32.dll!UnhookWinEvent 7733C06F 5 Bytes JMP 001803FC
    .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3584] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe[3592] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 001501F8
    .text C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe[3592] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 001503FC
    .text C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe[3592] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe[3592] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 001703FC
    .text C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe[3592] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 00170600
    .text C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe[3592] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 00171014
    .text C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe[3592] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 00170804
    .text C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe[3592] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 00170A08
    .text C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe[3592] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 00170C0C
    .text C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe[3592] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 3 Bytes JMP 00170E10
    .text C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe[3592] ADVAPI32.dll!ChangeServiceConfig2W + 4 779671E5 1 Byte [88]
    .text C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe[3592] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 001701F8
    .text C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe[3592] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 00600600
    .text C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe[3592] USER32.dll!SetWindowsHookExW 773387AD 5 Bytes JMP 00600804
    .text C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe[3592] USER32.dll!UnhookWindowsHookEx 773398DB 5 Bytes JMP 00600A08
    .text C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe[3592] USER32.dll!SetWinEventHook 77339F3A 5 Bytes JMP 006001F8
    .text C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe[3592] USER32.dll!UnhookWinEvent 7733C06F 5 Bytes JMP 006003FC
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3600] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 000501F8
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3600] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 000503FC
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3600] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3600] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 000803FC
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3600] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 00080600
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3600] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 00081014
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3600] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 00080804
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3600] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 00080A08
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3600] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 00080C0C
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3600] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 5 Bytes JMP 00080E10
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3600] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 000801F8
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3600] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 00090600
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3600] USER32.dll!SetWindowsHookExW 773387AD 5 Bytes JMP 00090804
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3600] USER32.dll!UnhookWindowsHookEx 773398DB 5 Bytes JMP 00090A08
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3600] USER32.dll!SetWinEventHook 77339F3A 5 Bytes JMP 000901F8
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3600] USER32.dll!UnhookWinEvent 7733C06F 5 Bytes JMP 000903FC
    .text C:\Windows\ehome\ehtray.exe[3620] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 000501F8
    .text C:\Windows\ehome\ehtray.exe[3620] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 000503FC
    .text C:\Windows\ehome\ehtray.exe[3620] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Windows\ehome\ehtray.exe[3620] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 000703FC
    .text C:\Windows\ehome\ehtray.exe[3620] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 00070600
    .text C:\Windows\ehome\ehtray.exe[3620] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 00071014
    .text C:\Windows\ehome\ehtray.exe[3620] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 00070804
    .text C:\Windows\ehome\ehtray.exe[3620] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 00070A08
    .text C:\Windows\ehome\ehtray.exe[3620] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 00070C0C
    .text C:\Windows\ehome\ehtray.exe[3620] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 5 Bytes JMP 00070E10
    .text C:\Windows\ehome\ehtray.exe[3620] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 000701F8
    .text C:\Windows\ehome\ehtray.exe[3620] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 00080600
    .text C:\Windows\ehome\ehtray.exe[3620] USER32.dll!SetWindowsHookExW 773387AD 5 Bytes JMP 00080804
    .text C:\Windows\ehome\ehtray.exe[3620] USER32.dll!UnhookWindowsHookEx 773398DB 5 Bytes JMP 00080A08
    .text C:\Windows\ehome\ehtray.exe[3620] USER32.dll!SetWinEventHook 77339F3A 5 Bytes JMP 000801F8
    .text C:\Windows\ehome\ehtray.exe[3620] USER32.dll!UnhookWinEvent 7733C06F 5 Bytes JMP 000803FC
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3652] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 001501F8
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3652] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 001503FC
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3652] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3652] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 00B50600
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3652] USER32.dll!SetWindowsHookExW 773387AD 5 Bytes JMP 00B50804
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3652] USER32.dll!UnhookWindowsHookEx 773398DB 5 Bytes JMP 00B50A08
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3652] USER32.dll!SetWinEventHook 77339F3A 5 Bytes JMP 00B501F8
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3652] USER32.dll!UnhookWinEvent 7733C06F 5 Bytes JMP 00B503FC
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3652] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 00B603FC
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3652] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 00B60600
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3652] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 00B61014
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3652] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 00B60804
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3652] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 00B60A08
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3652] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 00B60C0C
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3652] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 5 Bytes JMP 00B60E10
    .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3652] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 00B601F8
    .text C:\Windows\ehome\ehmsas.exe[3704] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 000401F8
    .text C:\Windows\ehome\ehmsas.exe[3704] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 000403FC
    .text C:\Windows\ehome\ehmsas.exe[3704] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Windows\ehome\ehmsas.exe[3704] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 000603FC
    .text C:\Windows\ehome\ehmsas.exe[3704] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 00060600
    .text C:\Windows\ehome\ehmsas.exe[3704] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 00061014
    .text C:\Windows\ehome\ehmsas.exe[3704] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 00060804
    .text C:\Windows\ehome\ehmsas.exe[3704] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 00060A08
    .text C:\Windows\ehome\ehmsas.exe[3704] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 00060C0C
    .text C:\Windows\ehome\ehmsas.exe[3704] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 5 Bytes JMP 00060E10
    .text C:\Windows\ehome\ehmsas.exe[3704] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 000601F8
    .text C:\Windows\ehome\ehmsas.exe[3704] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 00070600
    .text C:\Windows\ehome\ehmsas.exe[3704] USER32.dll!SetWindowsHookExW 773387AD 5 Bytes JMP 00070804
    .text C:\Windows\ehome\ehmsas.exe[3704] USER32.dll!UnhookWindowsHookEx 773398DB 5 Bytes JMP 00070A08
    .text C:\Windows\ehome\ehmsas.exe[3704] USER32.dll!SetWinEventHook 77339F3A 5 Bytes JMP 000701F8
    .text C:\Windows\ehome\ehmsas.exe[3704] USER32.dll!UnhookWinEvent 7733C06F 5 Bytes JMP 000703FC
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3776] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 001501F8
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3776] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 001503FC
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3776] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3776] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 00170600
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3776] USER32.dll!SetWindowsHookExW 773387AD 5 Bytes JMP 00170804
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3776] USER32.dll!UnhookWindowsHookEx 773398DB 5 Bytes JMP 00170A08
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3776] USER32.dll!SetWinEventHook 77339F3A 5 Bytes JMP 001701F8
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3776] USER32.dll!UnhookWinEvent 7733C06F 5 Bytes JMP 001703FC
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3776] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 001803FC
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3776] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 00180600
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3776] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 00181014
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3776] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 00180804
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3776] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 00180A08
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3776] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 00180C0C
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3776] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 5 Bytes JMP 00180E10
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3776] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 001801F8
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mlauncher.exe[3860] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 001601F8
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mlauncher.exe[3860] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 001603FC
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mlauncher.exe[3860] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mlauncher.exe[3860] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 002803FC
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mlauncher.exe[3860] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 00280600
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mlauncher.exe[3860] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 00281014
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mlauncher.exe[3860] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 00280804
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mlauncher.exe[3860] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 00280A08
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mlauncher.exe[3860] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 00280C0C
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mlauncher.exe[3860] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 5 Bytes JMP 00280E10
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mlauncher.exe[3860] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 002801F8
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mlauncher.exe[3860] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 00290600
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mlauncher.exe[3860] USER32.dll!SetWindowsHookExW 773387AD 5 Bytes JMP 00290804
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mlauncher.exe[3860] USER32.dll!UnhookWindowsHookEx 773398DB 5 Bytes JMP 00290A08
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mlauncher.exe[3860] USER32.dll!SetWinEventHook 77339F3A 5 Bytes JMP 002901F8
    .text C:\Program Files\Citrix\GoToMeeting\457\g2mlauncher.exe[3860] USER32.dll!UnhookWinEvent 7733C06F 5 Bytes JMP 002903FC
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 000501F8
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 000503FC
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 000803FC
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 00080600
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 00081014
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 00080804
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 00080A08
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 00080C0C
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 5 Bytes JMP 00080E10
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 000801F8
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 00090600
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] USER32.dll!SetWindowsHookExW 773387AD 5 Bytes JMP 00090804
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] USER32.dll!UnhookWindowsHookEx 773398DB 5 Bytes JMP 00090A08
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] USER32.dll!SetWinEventHook 77339F3A 5 Bytes JMP 000901F8
    .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] USER32.dll!UnhookWinEvent 7733C06F 5 Bytes JMP 000903FC
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4976] ntdll.dll!LdrLoadDll 779D93A8 5 Bytes JMP 000501F8
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4976] ntdll.dll!LdrUnloadDll 779EB740 5 Bytes JMP 000503FC
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4976] kernel32.dll!GetBinaryTypeW + 70 760D2247 1 Byte [62]
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4976] ADVAPI32.dll!CreateServiceW 77929EB4 5 Bytes JMP 000703FC
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4976] ADVAPI32.dll!DeleteService 7792A07E 5 Bytes JMP 00070600
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4976] ADVAPI32.dll!SetServiceObjectSecurity 77966CD9 5 Bytes JMP 00071014
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4976] ADVAPI32.dll!ChangeServiceConfigA 77966DD9 5 Bytes JMP 00070804
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4976] ADVAPI32.dll!ChangeServiceConfigW 77966F81 5 Bytes JMP 00070A08
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4976] ADVAPI32.dll!ChangeServiceConfig2A 77967099 5 Bytes JMP 00070C0C
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4976] ADVAPI32.dll!ChangeServiceConfig2W 779671E1 5 Bytes JMP 00070E10
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4976] ADVAPI32.dll!CreateServiceA 779672A1 5 Bytes JMP 000701F8
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4976] USER32.dll!SetWindowsHookExA 77336322 5 Bytes JMP 00080600
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4976] USER32.dll!SetWindowsHookExW 773387AD 5 Bytes JMP 00080804
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4976] USER32.dll!UnhookWindowsHookEx 773398DB 5 Bytes JMP 00080A08
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4976] USER32.dll!SetWinEventHook 77339F3A 5 Bytes JMP 000801F8
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4976] USER32.dll!UnhookWinEvent 7733C06F 5 Bytes JMP 000803FC

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\system32\services.exe[568] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00B60002
    IAT C:\Windows\system32\services.exe[568] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00B60000
    IAT C:\Windows\Explorer.EXE[3220] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74877817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3220] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [748CA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3220] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7487BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3220] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7486F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3220] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [748775E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3220] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7486E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3220] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [748A8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3220] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7487DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3220] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7486FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3220] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7486FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3220] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [748671CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3220] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [748FCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3220] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7489C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3220] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7486D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3220] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74866853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3220] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7486687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3220] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74872AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
     
  8. 2011/06/08
    AlanR

    AlanR Well-Known Member Thread Starter

    Joined:
    2008/02/28
    Messages:
    48
    Likes Received:
    0
    Fraud.XPAntivirusbot

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: Service Pack 2 (build 6002), 32-bit
    Base Board Manufacturer: Dell Inc.
    BIOS Manufacturer: Dell Inc.
    System Manufacturer: Dell Inc.
    System Product Name: Inspiron 530
    Logical Drives Mask: 0x000003fc

    Kernel Drivers (total 138):
    0x8261E000 \SystemRoot\system32\ntkrnlpa.exe
    0x829D8000 \SystemRoot\system32\hal.dll
    0x80402000 \SystemRoot\system32\kdcom.dll
    0x80409000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x80479000 \SystemRoot\system32\PSHED.dll
    0x8048A000 \SystemRoot\system32\BOOTVID.dll
    0x80492000 \SystemRoot\system32\CLFS.SYS
    0x804D3000 \SystemRoot\system32\CI.dll
    0x80602000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x8067E000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x8068B000 \SystemRoot\system32\drivers\acpi.sys
    0x806D1000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x806DA000 \SystemRoot\system32\drivers\msisadrv.sys
    0x806E2000 \SystemRoot\system32\drivers\pci.sys
    0x80709000 \SystemRoot\System32\drivers\partmgr.sys
    0x80718000 \SystemRoot\system32\drivers\volmgr.sys
    0x80727000 \SystemRoot\System32\drivers\volmgrx.sys
    0x80771000 \SystemRoot\system32\drivers\pciide.sys
    0x80778000 \SystemRoot\system32\drivers\PCIIDEX.SYS
    0x80786000 \SystemRoot\System32\drivers\mountmgr.sys
    0x80796000 \SystemRoot\system32\drivers\atapi.sys
    0x8079E000 \SystemRoot\system32\drivers\ataport.SYS
    0x807BC000 \SystemRoot\system32\drivers\fltmgr.sys
    0x807EE000 \SystemRoot\system32\drivers\fileinfo.sys
    0x87E0C000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x87E7D000 \SystemRoot\system32\drivers\ndis.sys
    0x87F88000 \SystemRoot\system32\drivers\msrpc.sys
    0x87FB3000 \SystemRoot\system32\drivers\NETIO.SYS
    0x88002000 \SystemRoot\System32\drivers\tcpip.sys
    0x880EC000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x8820E000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x8831E000 \SystemRoot\system32\drivers\volsnap.sys
    0x88357000 \SystemRoot\System32\Drivers\spldr.sys
    0x8835F000 \SystemRoot\System32\Drivers\mup.sys
    0x8836E000 \SystemRoot\System32\drivers\ecache.sys
    0x88395000 \SystemRoot\system32\drivers\disk.sys
    0x883A6000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x883C7000 \SystemRoot\system32\drivers\crcdisk.sys
    0x883F0000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x88200000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0x88107000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0x8BE01000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
    0x8C44E000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x8C4EE000 \SystemRoot\System32\drivers\watchdog.sys
    0x8C4FA000 \SystemRoot\system32\DRIVERS\e1e6032.sys
    0x8C534000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0x8C53F000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x8C57D000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x88116000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x8C58C000 \SystemRoot\system32\DRIVERS\fdc.sys
    0x8C597000 \SystemRoot\system32\drivers\Afc.sys
    0x8C59F000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x8C5B7000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0x881A3000 \SystemRoot\system32\DRIVERS\storport.sys
    0x8C5E6000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x881E4000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x8C5F1000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x805B3000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x87FEE000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x805D6000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x805EA000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x8CA08000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8CA18000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x8CA23000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x8CA2E000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x8CA30000 \SystemRoot\system32\DRIVERS\ks.sys
    0x8CA5A000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8CA64000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x8CA71000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x8CAA6000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x8CAB7000 \SystemRoot\system32\drivers\HdAudio.sys
    0x8CAF6000 \SystemRoot\system32\drivers\portcls.sys
    0x8CB23000 \SystemRoot\system32\drivers\drmk.sys
    0x8CB48000 \SystemRoot\System32\Drivers\aswSnx.SYS
    0x8CBB8000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x8CBC1000 \SystemRoot\System32\Drivers\Null.SYS
    0x8CBC8000 \SystemRoot\System32\Drivers\Beep.SYS
    0x8CBD8000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0x8CBDF000 \SystemRoot\System32\drivers\vga.sys
    0x8CE06000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8CE27000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x8CE2F000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8CE37000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8CE42000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x8CE50000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x8CE59000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x8CE6F000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0x8CE79000 \SystemRoot\system32\DRIVERS\smb.sys
    0x8CE8D000 \SystemRoot\system32\drivers\afd.sys
    0x8CED5000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0x8CEDA000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x8CF0C000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x8CF22000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8CF30000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x8CF43000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x8CF7F000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x8CF89000 \SystemRoot\System32\Drivers\dfsc.sys
    0x8CFA0000 \SystemRoot\System32\Drivers\aswSP.SYS
    0x8CFEA000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x8CBEB000 \SystemRoot\System32\Drivers\dump_dumpata.sys
    0x8CFF7000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0x883D0000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0x8CE00000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x95260000 \SystemRoot\System32\win32k.sys
    0x8CBF6000 \SystemRoot\System32\drivers\Dxapi.sys
    0xA5A08000 \SystemRoot\system32\DRIVERS\monitor.sys
    0xA5A17000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xA5A20000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xA5A30000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xA5A38000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xA5A4F000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0x95480000 \SystemRoot\System32\TSDDD.dll
    0x954A0000 \SystemRoot\System32\cdd.dll
    0xA5A58000 \SystemRoot\system32\drivers\luafv.sys
    0xA5A73000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
    0xA5AAB000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0xA5AAE000 \SystemRoot\system32\drivers\spsys.sys
    0xA5B5E000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0xA5B6E000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0xA5B81000 \SystemRoot\system32\drivers\HTTP.sys
    0xA900B000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0xA9028000 \SystemRoot\system32\DRIVERS\bowser.sys
    0xA9041000 \SystemRoot\System32\drivers\mpsdrv.sys
    0xA9056000 \SystemRoot\system32\drivers\mrxdav.sys
    0xA9077000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xA9096000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0xA90CF000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0xA90E7000 \SystemRoot\System32\DRIVERS\srv2.sys
    0xA910F000 \SystemRoot\System32\DRIVERS\srv.sys
    0x8D003000 \SystemRoot\system32\drivers\peauth.sys
    0x8D0E1000 \SystemRoot\System32\Drivers\fastfat.SYS
    0x8D109000 \SystemRoot\System32\Drivers\secdrv.SYS
    0x8D113000 \SystemRoot\System32\drivers\tcpipreg.sys
    0x8D11F000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
    0x8D134000 \SystemRoot\system32\DRIVERS\WUDFPf.sys
    0x8D146000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0x8D1BA000 \??\C:\Users\Alan\AppData\Local\Temp\pxldrpog.sys
    0x779B0000 \Windows\System32\ntdll.dll

    Processes (total 59):
    0 System Idle Process
    4 System
    412 C:\Windows\System32\smss.exe
    480 csrss.exe
    524 C:\Windows\System32\wininit.exe
    536 csrss.exe
    568 C:\Windows\System32\services.exe
    596 C:\Windows\System32\winlogon.exe
    612 C:\Windows\System32\lsass.exe
    620 C:\Windows\System32\lsm.exe
    776 C:\Windows\System32\svchost.exe
    856 C:\Windows\System32\svchost.exe
    980 C:\Windows\System32\svchost.exe
    1016 C:\Windows\System32\svchost.exe
    1028 C:\Windows\System32\svchost.exe
    1152 C:\Windows\System32\audiodg.exe
    1180 C:\Windows\System32\svchost.exe
    1200 C:\Windows\System32\SLsvc.exe
    1224 C:\Windows\System32\svchost.exe
    1408 C:\Windows\System32\svchost.exe
    1484 C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    1884 C:\Windows\System32\spoolsv.exe
    1908 C:\Windows\System32\svchost.exe
    428 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    448 C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    1960 C:\Windows\System32\svchost.exe
    1552 C:\Windows\System32\svchost.exe
    340 C:\Windows\System32\svchost.exe
    2052 C:\Windows\System32\SearchIndexer.exe
    2216 C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    2364 WUDFHost.exe
    2724 C:\Windows\System32\taskeng.exe
    3120 C:\Windows\System32\taskeng.exe
    3136 C:\Windows\System32\dwm.exe
    3220 C:\Windows\explorer.exe
    3500 C:\Windows\System32\hkcmd.exe
    3508 C:\Windows\System32\igfxpers.exe
    3516 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    3524 C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
    3556 C:\Windows\System32\igfxsrvc.exe
    3572 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    3584 C:\Program Files\AVAST Software\Avast\AvastUI.exe
    3592 C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    3600 C:\Program Files\Windows Sidebar\sidebar.exe
    3620 C:\Windows\ehome\ehtray.exe
    3652 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    3704 C:\Windows\ehome\ehmsas.exe
    3776 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    3892 C:\Program Files\Windows Sidebar\sidebar.exe
    2184 C:\Windows\System32\svchost.exe
    2632 C:\Program Files\Citrix\GoToMeeting\457\g2mstart.exe
    852 C:\Program Files\Citrix\GoToMeeting\457\g2mcomm.exe
    3860 C:\Program Files\Citrix\GoToMeeting\457\g2mlauncher.exe
    4976 C:\Program Files\Mozilla Firefox\firefox.exe
    2640 C:\Program Files\Mozilla Firefox\plugin-container.exe
    6024 C:\Windows\System32\notepad.exe
    5280 C:\Windows\System32\SearchProtocolHost.exe
    892 C:\Windows\System32\SearchFilterHost.exe
    4600 C:\Users\Alan\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`83f00000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`03f00000 (NTFS)
    \\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: ST3250310AS, Rev: 4.ADA
    PhysicalDrive1 Model Number: SeagateFreeAgent, Rev: 0132

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Windows Vista MBR code detected
    SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979
    465 GB \\.\PhysicalDrive1 RE: Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
     
  9. 2011/06/08
    AlanR

    AlanR Well-Known Member Thread Starter

    Joined:
    2008/02/28
    Messages:
    48
    Likes Received:
    0
    Fraud.XPAntivirusbot

    DDS.log

    DDS (Ver_2011-06-03.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_25
    Run by Alan at 14:54:42 on 2011-06-08
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2036.856 [GMT 1:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Citrix\GoToMeeting\457\g2mstart.exe
    C:\Program Files\Citrix\GoToMeeting\457\g2mcomm.exe
    C:\Program Files\Citrix\GoToMeeting\457\g2mlauncher.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\System32\notepad.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.uk/
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
    TCP: Interfaces\{F90D09E9-E085-4C92-A3E8-39B9A1628BB1} : DhcpNameServer = 194.168.4.100 194.168.8.100
    Notify: igfxcui - igfxdev.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\alan\appdata\roaming\mozilla\firefox\profiles\iobn5cct.default\
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-1 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-5-1 307928]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-5-1 19544]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-5-1 53592]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-5-1 42184]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-5-4 1153368]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [2006-7-31 580992]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-06-07 10:16:36 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{3a9b73ce-5564-4be9-99e0-d7dff8553bb3}\mpengine.dll
    2011-05-24 15:41:34 -------- d-----w- c:\users\alan\appdata\roaming\WinPatrol
    2011-05-24 15:41:24 -------- d-----w- c:\programdata\InstallMate
    2011-05-24 15:41:24 -------- d-----w- c:\program files\BillP Studios
    2011-05-23 17:15:18 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-11 08:51:14 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    .
    ==================== Find3M ====================
    .
    2011-05-31 18:53:44 72080 ----a-w- c:\users\alan\g2mdlhlpx.exe
    2011-05-29 08:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-29 08:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-10 12:10:59 40112 ----a-w- c:\windows\avastSS.scr
    2011-05-10 12:03:54 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-05-10 11:59:44 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-04-14 04:07:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-03-12 21:55:52 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
    2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
    .
    ============= FINISH: 14:55:13.82 ===============
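A small triage script for the two logs above, added here as an example; it is not part of MBRCheck, DDS or this thread, and it assumes a 32-bit install on C: as in these logs. It parses the "Kernel Drivers" block of an MBRCheck report and the R*/S* lines of a DDS "SERVICES / DRIVERS" block, normalizes the NT-style paths (`\SystemRoot\`, `\??\C:\`, bare `\Windows\`) to plain Win32 paths, and reports any image that is loaded from outside the Windows and Program Files trees, with user-writable locations (Temp, AppData, Users) rated highest. The sample input is constructed: the MBRCheck entries are copied from the log above, the DDS entries are three real ones plus one hypothetical `helper.exe` service placed in a user profile for contrast. Note that GMER, whose log precedes this one, loads a randomly named driver from the user's Temp folder, which is what the `pxldrpog.sys` entry looks like; the script still flags it, because a rootkit dropper would use the same location and that judgement belongs to the analyst, not the parser.

```python
"""
Triage helper for MBRCheck / DDS logs: report kernel drivers and services
whose image is loaded from outside the Windows and Program Files trees.

Added example; not part of MBRCheck, DDS or this thread. Assumes a 32-bit
system installed on C:, as in the logs posted above.
"""
import re
from typing import Iterator, List, Optional, Tuple

# Image roots treated as expected. Anything else is reported for review.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Markers of user-writable locations: a kernel driver or service loaded from
# here is either a just-run scanner's helper driver or something to look at.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\appdata\\", "c:\\users\\", "\\documents and settings\\")

# MBRCheck "Kernel Drivers" line:  0x8D1BA000 \??\C:\Users\...\pxldrpog.sys
_MBRCHECK_DRIVER = re.compile(r"^0x[0-9A-Fa-f]{8}\s+(\S.*?)\s*$")
# DDS service/driver line:  R2 name;display name;c:\path\file.sys [date size]
_DDS_SERVICE = re.compile(r"^[RS]\d\s+[^;]+;[^;]*;(.+?)\s+\[")

# Constructed sample input: entries copied from the MBRCheck log in this thread.
MBRCHECK_SAMPLE = r"""
Kernel Drivers (total 5):
0x8261E000 \SystemRoot\system32\ntkrnlpa.exe
0x8CFA0000 \SystemRoot\System32\Drivers\aswSP.SYS
0xA5A73000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
0x8D1BA000 \??\C:\Users\Alan\AppData\Local\Temp\pxldrpog.sys
0x779B0000 \Windows\System32\ntdll.dll
"""

# Constructed sample input: three entries from the DDS log above plus one
# hypothetical service ("helper.exe") placed in a user profile for contrast.
DDS_SAMPLE = r"""
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-1 441176]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-5-1 42184]
S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [2006-7-31 580992]
R2 helper;Hypothetical helper;c:\users\alan\appdata\roaming\helper.exe [2011-6-1 12345]
"""


def normalize_path(raw: str) -> str:
    """Map the NT-style paths these tools print onto a lower-case Win32 path."""
    p = raw.strip()
    if p.startswith("\\??\\"):                 # \??\C:\... -> C:\...
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):
        # Assumption: %SystemRoot% is C:\Windows, as on the machine in this thread.
        p = "C:\\Windows\\" + p[len("\\SystemRoot\\"):]
    elif p.startswith("\\") and not p.startswith("\\\\"):
        p = "C:" + p                           # \Windows\System32\ntdll.dll -> C:\Windows\...
    return p.lower()


def parse_mbrcheck_drivers(text: str) -> Iterator[str]:
    """Yield the image path from every line of an MBRCheck 'Kernel Drivers' list."""
    for line in text.splitlines():
        m = _MBRCHECK_DRIVER.match(line.strip())
        if m:
            yield m.group(1)


def parse_dds_services(text: str) -> Iterator[str]:
    """Yield the image path from every R*/S* line of a DDS 'SERVICES / DRIVERS' list."""
    for line in text.splitlines():
        m = _DDS_SERVICE.match(line.strip())
        if m:
            yield m.group(1)


def classify(raw_path: str) -> Optional[str]:
    """'high' for user-writable locations, 'review' for other non-standard roots, None if expected."""
    p = normalize_path(raw_path)
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        return "high"
    if not p.startswith(TRUSTED_ROOTS):
        return "review"
    return None


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (severity, normalized path) for every flagged entry in an MBRCheck or DDS excerpt."""
    findings = []
    for raw in list(parse_mbrcheck_drivers(text)) + list(parse_dds_services(text)):
        severity = classify(raw)
        if severity:
            findings.append((severity, normalize_path(raw)))
    return findings


if __name__ == "__main__":
    for severity, path in triage(MBRCHECK_SAMPLE) + triage(DDS_SAMPLE):
        print(f"[{severity}] {path}")
```

Run against a full log by reading the file into `triage()`; everything not flagged is simply an image under C:\Windows or C:\Program Files, which is the normal state of a clean 32-bit Vista box, while a "high" hit on a machine that has not just run GMER or a similar scanner is the first thing to pull and hash.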
     
  10. 2011/06/08
    AlanR

    AlanR Well-Known Member Thread Starter

    Joined:
    2008/02/28
    Messages:
    48
    Likes Received:
    0
    Fraud.XPAntivirusbot

    ATTACH.txt
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-03.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume3
    Install Date: 15/01/2009 15:05:06
    System Uptime: 08/06/2011 10:40:53 (4 hours ago)
    .
    Motherboard: Dell Inc. | | 0K216C
    Processor: Intel(R) Core(TM)2 Duo CPU E7200 @ 2.53GHz | Socket 775 | 2534/266mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 223 GiB total, 155.769 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 5.885 GiB free.
    E: is CDROM ()
    F: is FIXED (NTFS) - 466 GiB total, 461.244 GiB free.
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description: SM Bus Controller
    Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_020D1028&REV_02\3&2411E6FE&0&FB
    Manufacturer:
    Name: SM Bus Controller
    PNP Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_020D1028&REV_02\3&2411E6FE&0&FB
    Service:
    .
    ==== System Restore Points ===================
    .
    RP496: 28/04/2011 21:54:23 - Installed Java(TM) 6 Update 25
    RP497: 29/04/2011 10:16:42 - Removed Java(TM) 6 Update 13
    RP498: 29/04/2011 10:18:57 - Removed Java(TM) 6 Update 13
    RP499: 29/04/2011 10:21:02 - Removed Java(TM) 6 Update 13
    RP500: 29/04/2011 10:24:37 - Removed Java(TM) 6 Update 13
    RP501: 29/04/2011 10:44:43 - Removed Java(TM) 6 Update 13
    RP502: 29/04/2011 10:48:38 - Removed Java(TM) 6 Update 13
    RP503: 30/04/2011 09:35:41 - Windows Update
    RP504: 30/04/2011 09:38:11 - Windows Update
    RP505: 01/05/2011 17:45:15 - avast! Free Antivirus Setup
    RP506: 01/05/2011 17:55:40 - avast! Free Antivirus Setup
    RP507: 03/05/2011 18:14:06 - Windows Update
    RP508: 05/05/2011 16:24:16 - Scheduled Checkpoint
    RP509: 06/05/2011 19:37:14 - Windows Update
    RP510: 07/05/2011 11:30:31 - Scheduled Checkpoint
    RP511: 11/05/2011 09:47:37 - Windows Update
    RP512: 12/05/2011 14:45:01 - Windows Update
    RP513: 13/05/2011 16:20:42 - Windows Update
    RP514: 17/05/2011 15:29:25 - Windows Update
    RP515: 20/05/2011 12:59:59 - Windows Update
    RP516: 22/05/2011 14:36:17 - Scheduled Checkpoint
    RP517: 24/05/2011 16:06:24 - Windows Update
    RP518: 31/05/2011 15:04:08 - Windows Update
    RP519: 02/06/2011 12:22:46 - Scheduled Checkpoint
    RP520: 03/06/2011 17:14:14 - Windows Update
    RP521: 07/06/2011 11:15:32 - Windows Update
    .
    ==== Installed Programs ======================
    .
    7-Zip 4.65
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.4
    ArcSoft MediaImpression
    ArcSoft PhotoImpression 6
    avast! Free Antivirus
    CoffeeCup Free HTML Editor
    Dell Resource CD
    DHTML Editing Component
    Garmin Communicator Plugin
    Garmin USB Drivers
    getPlus(R) for Adobe
    GoToMeeting 4.8.0.723
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Intel(R) Graphics Media Accelerator Driver
    IrfanView (remove only)
    Java Auto Updater
    Java(TM) 6 Update 13
    Java(TM) 6 Update 25
    Malwarebytes' Anti-Malware version 1.51.0.1200
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.17)
    Mozilla Thunderbird (3.1.10)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    OpenOffice.org 3.2
    OVT Scanner X86
    PIXresizer 2.0.4
    Seagate Manager Installer
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Spelling Dictionaries Support For Adobe Reader 9
    Spybot - Search & Destroy
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
    WinPatrol
    .
    ==== Event Viewer Messages From Past Week ========
    .
    07/06/2011 13:09:30, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.100.11 for the Network Card with network address 001EC981CCB0 has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
    07/06/2011 13:09:15, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 82.37.76.212 for the Network Card with network address 001EC981CCB0 has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
    .
    ==== End Of File ===========================


    Thank you Peter.
     
  11. 2011/06/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ====================================================

    Looks clean, so far...

    Please download Rootkit Unhooker from one of the following links and save it to your desktop.
    In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

    • Double-click on RKUnhookerLE.exe to start the program.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • Click the Report tab, then click Scan.
    • Check Drivers, Stealth, and uncheck the rest.
    • Click OK.
    • Wait until it's finished and then go to File > Save Report.
    • Save the report to your Desktop.
    • Copy and paste the contents of the report into your next reply.
    -- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

    =====================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  12. 2011/06/09
    AlanR

    AlanR Well-Known Member Thread Starter

    Joined:
    2008/02/28
    Messages:
    48
    Likes Received:
    0
    Hi again Broni, hope all is good with you.

    Here are the reports as requested.

    Please note that I uninstalled S&D Search and Destroy before I scanned with ComboFix as I was not confident that I had disabled the 'Teatime' Resident part of the program. I did not want any problems with ComboFix. Thanks.


    RkU Version: 3.8.389.593, Type LE (SR2)
    ==============================================
    OS Name: Windows Vista
    Version 6.0.6002 (Service Pack 2)
    Number of processors #2
    ==============================================
    >Drivers
    ==============================================
    0x8BE0C000 C:\Windows\system32\DRIVERS\igdkmd32.sys 6606848 bytes (Intel Corporation, Intel Graphics Kernel Mode Driver)
    0x82610000 C:\Windows\system32\ntkrnlpa.exe 3907584 bytes (Microsoft Corporation, NT Kernel & System)
    0x82610000 PnpManager 3907584 bytes
    0x82610000 RAW 3907584 bytes
    0x82610000 WMIxWDM 3907584 bytes
    0x94E30000 Win32k 2113536 bytes
    0x94E30000 C:\Windows\System32\win32k.sys 2113536 bytes (Microsoft Corporation, Multi-User Win32 Driver)
    0x8820C000 C:\Windows\System32\Drivers\Ntfs.sys 1114112 bytes (Microsoft Corporation, NT File System Driver)
    0x87E73000 C:\Windows\system32\drivers\ndis.sys 1093632 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)
    0x88005000 C:\Windows\System32\drivers\tcpip.sys 958464 bytes (Microsoft Corporation, TCP/IP Driver)
    0x804DD000 C:\Windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)
    0xAEE07000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
    0xA5A9C000 C:\Windows\system32\drivers\spsys.sys 720896 bytes (Microsoft Corporation, security processor)
    0x8C459000 C:\Windows\System32\drivers\dxgkrnl.sys 655360 bytes (Microsoft Corporation, DirectX Graphics Kernel)
    0x88119000 C:\Windows\system32\DRIVERS\HDAudBus.sys 577536 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
    0x8060A000 C:\Windows\system32\drivers\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)
    0x87E02000 C:\Windows\System32\Drivers\ksecdd.sys 462848 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
    0x8CB76000 C:\Windows\System32\Drivers\aswSnx.SYS 458752 bytes (AVAST Software, avast! Virtualization Driver)
    0x80413000 C:\Windows\system32\mcupdate_GenuineIntel.dll 458752 bytes (Microsoft Corporation, Intel Microcode Update Library)
    0xA5B6F000 C:\Windows\system32\drivers\HTTP.sys 446464 bytes (Microsoft Corporation, HTTP Protocol Stack)
    0xA88EF000 C:\Windows\System32\DRIVERS\srv.sys 323584 bytes (Microsoft Corporation, Server driver)
    0x8D1A1000 C:\Windows\System32\Drivers\aswSP.SYS 303104 bytes (AVAST Software, avast! self protection module)
    0x8072F000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
    0x8D08E000 C:\Windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
    0x80693000 C:\Windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)
    0x8049C000 C:\Windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)
    0x881A6000 C:\Windows\system32\DRIVERS\storport.sys 266240 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
    0x8CAE5000 C:\Windows\system32\drivers\HdAudio.sys 258048 bytes (Microsoft Corporation, High Definition Audio Function Driver)
    0x8C54A000 C:\Windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
    0x8D144000 C:\Windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
    0x87FA9000 C:\Windows\system32\drivers\NETIO.SYS 241664 bytes (Microsoft Corporation, Network I/O Subsystem)
    0x8C505000 C:\Windows\system32\DRIVERS\e1e6032.sys 237568 bytes (Intel Corporation, Intel(R) PRO/1000 Adapter NDIS 6 deserialized driver)
    0xA8876000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
    0x8831C000 C:\Windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
    0xA5A61000 C:\Windows\system32\drivers\aswMonFlt.sys 229376 bytes (AVAST Software, avast! File System Minifilter for Windows 2003/Vista)
    0x8CA9F000 C:\Windows\system32\DRIVERS\usbhub.sys 217088 bytes (Microsoft Corporation, Default Hub Driver for USB)
    0x829CA000 ACPI_HAL 208896 bytes
    0x829CA000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
    0x807C4000 C:\Windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
    0x8D0DB000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
    0x8C5C2000 C:\Windows\system32\DRIVERS\msiscsi.sys 192512 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
    0x8CB24000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
    0x87F7E000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
    0x8CA5E000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
    0xAEEFB000 C:\Windows\System32\Drivers\fastfat.SYS 163840 bytes (Microsoft Corporation, Fast FAT File System Driver)
    0xA88C7000 C:\Windows\System32\DRIVERS\srv2.sys 163840 bytes (Microsoft Corporation, Smb 2.0 Server driver)
    0x8836C000 C:\Windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)
    0x806EA000 C:\Windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
    0x8CB51000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
    0x805CD000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
    0x883A4000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)
    0xA8836000 C:\Windows\system32\drivers\mrxdav.sys 135168 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
    0x8D007000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
    0xA8857000 C:\Windows\system32\DRIVERS\mrxsmb.sys 126976 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
    0x807A6000 C:\Windows\system32\drivers\ataport.SYS 122880 bytes (Microsoft Corporation, ATAPI Driver Extension)
    0xA5BDC000 C:\Windows\System32\DRIVERS\srvnet.sys 118784 bytes (Microsoft Corporation, Server Network driver)
    0x880EF000 C:\Windows\System32\drivers\fwpkclnt.sys 110592 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
    0xA5A46000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
    0xA8808000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
    0x8C5AA000 C:\Windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
    0xA88AF000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 98304 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
    0x8D18A000 C:\Windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Namespace Client Driver)
    0x881E7000 C:\Windows\system32\DRIVERS\rasl2tp.sys 94208 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
    0xA5A26000 C:\Windows\system32\DRIVERS\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
    0xAEF4A000 C:\Windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)
    0x8D10D000 C:\Windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS Packet Scheduler)
    0x8D05A000 C:\Windows\system32\DRIVERS\tdx.sys 90112 bytes (Microsoft Corporation, TDI Translation Driver)
    0xA8821000 C:\Windows\System32\drivers\mpsdrv.sys 86016 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
    0x8CA21000 C:\Windows\system32\DRIVERS\rassstp.sys 86016 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
    0x883D9000 C:\Windows\system32\DRIVERS\USBSTOR.SYS 86016 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
    0xAEF23000 C:\Windows\system32\DRIVERS\WUDFRd.sys 86016 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Reflector)
    0x8CA0D000 C:\Windows\system32\DRIVERS\raspptp.sys 81920 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
    0x8D07A000 C:\Windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)
    0xA5B5C000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
    0x8D131000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
    0xAEF38000 C:\Windows\system32\DRIVERS\WUDFPf.sys 73728 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
    0x88393000 C:\Windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
    0x8CAD4000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
    0x80483000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
    0x805BD000 C:\Windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)
    0xA5A0E000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 65536 bytes (Microsoft Corporation, Hid Class Library)
    0xA5B4C000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
    0x8078E000 C:\Windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
    0x8CA36000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Terminal Server Driver)
    0x8810A000 C:\Windows\system32\DRIVERS\intelppm.sys 61440 bytes (Microsoft Corporation, Processor Device Driver)
    0x805F0000 C:\Windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)
    0x8835D000 C:\Windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)
    0x80711000 C:\Windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)
    0x87FE4000 C:\Windows\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
    0x8C588000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
    0x80720000 C:\Windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)
    0x95070000 C:\Windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)
    0x8D123000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
    0x8D043000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
    0x80780000 C:\Windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
    0x8D1EB000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
    0x8CA92000 C:\Windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
    0x80686000 C:\Windows\system32\drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
    0xAEEEF000 C:\Windows\System32\drivers\tcpipreg.sys 49152 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
    0x8CA00000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
    0x8C4F9000 C:\Windows\System32\drivers\watchdog.sys 49152 bytes (Microsoft Corporation, Watchdog Driver)
    0x883CE000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
    0x8C597000 C:\Windows\system32\DRIVERS\fdc.sys 45056 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
    0x8CA46000 C:\Windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)
    0x8CA51000 C:\Windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class Driver)
    0x8D038000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
    0x8BE00000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
    0x8C5F1000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
    0x883EE000 C:\Windows\system32\DRIVERS\tunnel.sys 45056 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
    0x8C53F000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
    0x8D070000 C:\Windows\System32\Drivers\aswTdi.SYS 40960 bytes (AVAST Software, avast! TDI Filter Driver)
    0x87FF3000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
    0x8CA88000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
    0x8D180000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
    0xAEEE5000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
    0xAEFA3000 C:\Windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
    0x883C5000 C:\Windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
    0x8CBE6000 C:\Windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
    0x807F6000 C:\Windows\system32\DRIVERS\hidusb.sys 36864 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
    0xA5A3D000 C:\Windows\system32\DRIVERS\kbdhid.sys 36864 bytes (Microsoft Corporation, HID Keyboard Filter Driver)
    0x8D051000 C:\Windows\System32\DRIVERS\rasacd.sys 36864 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
    0x95050000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
    0x88200000 C:\Windows\system32\DRIVERS\tunmp.sys 36864 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
    0x806D9000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
    0x8C5A2000 C:\Windows\system32\drivers\Afc.sys 32768 bytes (Arcsoft, Inc., Arcsoft(R) ASPI Shell)
    0x8079E000 C:\Windows\system32\drivers\atapi.sys 32768 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
    0x80494000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
    0x8D1F8000 C:\Windows\System32\Drivers\dump_atapi.sys 32768 bytes
    0xA5A1E000 C:\Windows\system32\DRIVERS\mouhid.sys 32768 bytes (Microsoft Corporation, HID Mouse Filter Driver)
    0x806E2000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
    0x8D028000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
    0x8D030000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
    0x88355000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
    0x8CBF6000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
    0x883F9000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
    0x8040C000 C:\Windows\system32\kdcom.dll 28672 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
    0x8CBEF000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
    0x80779000 C:\Windows\system32\drivers\pciide.sys 28672 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
    0x8D0D6000 C:\Windows\System32\Drivers\aswRdr.SYS 20480 bytes (AVAST Software, avast! TDI RDR Driver)
    0xA5A99000 C:\Windows\System32\Drivers\aswFsBlk.SYS 12288 bytes (AVAST Software, avast! File System Access Blocking Driver)
    0x8CA5C000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
    0x8D000000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
    ==============================================
    >Stealth
    ==============================================



    ComboFix 11-06-08.04 - Alan 09/06/2011 13:16:59.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2036.1433 [GMT 1:00]
    Running from: c:\users\Alan\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Alan\g2mdlhlpx.exe
    F:\Autorun.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-09 to 2011-06-09 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-09 12:22 . 2011-06-09 12:23 -------- d-----w- c:\users\Alan\AppData\Local\temp
    2011-06-07 10:16 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3A9B73CE-5564-4BE9-99E0-D7DFF8553BB3}\mpengine.dll
    2011-05-24 15:41 . 2011-05-24 15:41 -------- d-----w- c:\users\Alan\AppData\Roaming\WinPatrol
    2011-05-24 15:41 . 2011-05-24 15:41 -------- d-----w- c:\programdata\InstallMate
    2011-05-24 15:41 . 2011-05-24 15:41 -------- d-----w- c:\program files\BillP Studios
    2011-05-23 17:15 . 2011-05-23 17:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-11 08:51 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-29 08:11 . 2011-04-27 09:40 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-29 08:11 . 2011-04-27 09:40 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-10 12:10 . 2011-05-01 16:56 40112 ----a-w- c:\windows\avastSS.scr
    2011-05-10 12:10 . 2011-05-01 16:56 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-05-10 12:03 . 2011-05-01 16:56 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-05-10 12:03 . 2011-05-01 16:56 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-05-10 12:02 . 2011-05-01 16:56 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-05-10 11:59 . 2011-05-01 16:56 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-05-10 11:59 . 2011-05-01 16:56 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-05-10 11:59 . 2011-05-01 16:56 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-04-30 08:37 . 2011-04-30 08:37 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2011-04-30 08:37 . 2011-04-30 08:37 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2011-04-30 08:37 . 2011-04-30 08:37 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2011-04-30 08:37 . 2011-04-30 08:37 63488 ----a-w- c:\windows\system32\tdc.ocx
    2011-04-30 08:37 . 2011-04-30 08:37 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2011-04-30 08:37 . 2011-04-30 08:37 367104 ----a-w- c:\windows\system32\html.iec
    2011-04-30 08:37 . 2011-04-30 08:37 161792 ----a-w- c:\windows\system32\msls31.dll
    2011-04-30 08:37 . 2011-04-30 08:37 1126912 ----a-w- c:\windows\system32\wininet.dll
    2011-04-30 08:37 . 2011-04-30 08:37 74752 ----a-w- c:\windows\system32\iesetup.dll
    2011-04-30 08:37 . 2011-04-30 08:37 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-04-30 08:37 . 2011-04-30 08:37 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2011-04-30 08:37 . 2011-04-30 08:37 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2011-04-30 08:37 . 2011-04-30 08:37 152064 ----a-w- c:\windows\system32\wextract.exe
    2011-04-30 08:37 . 2011-04-30 08:37 150528 ----a-w- c:\windows\system32\iexpress.exe
    2011-04-30 08:37 . 2011-04-30 08:37 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-04-30 08:37 . 2011-04-30 08:37 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-04-30 08:37 . 2011-04-30 08:37 11776 ----a-w- c:\windows\system32\mshta.exe
    2011-04-30 08:37 . 2011-04-30 08:37 101888 ----a-w- c:\windows\system32\admparse.dll
    2011-04-30 08:37 . 2011-04-30 08:37 35840 ----a-w- c:\windows\system32\imgutil.dll
    2011-04-30 08:37 . 2011-04-30 08:37 1797632 ----a-w- c:\windows\system32\jscript9.dll
    2011-04-30 08:37 . 2011-04-30 08:37 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2011-04-27 10:02 . 2011-04-27 10:02 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2011-04-14 04:07 . 2011-04-28 20:55 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-03-12 21:55 . 2011-04-27 13:30 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @= "{472083B0-C522-11CF-8763-00608CC02F24} "
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar "= "c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "WindowsWelcomeCenter "= "oobefldr.dll" [2009-04-11 2153472]
    "ehTray.exe "= "c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2008-04-22 141848]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2008-04-22 166424]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2008-04-22 133656]
    "ArcSoft Connection Service "= "c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
    "MaxMenuMgr "= "c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-25 185640]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
    "avast "= "c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
    "WinPatrol "= "c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle "= 0 (0x0)
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 APL531;OVT Scanner;c:\windows\system32\Drivers\ov550i.sys [2006-07-31 580992]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-05-10 53592]
    S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-09-25 189736]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
    FF - ProfilePath - c:\users\Alan\AppData\Roaming\Mozilla\Firefox\Profiles\iobn5cct.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
    FF - user.js: yahoo.homepage.dontask - true
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-09 13:23
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2011-06-09 13:24:28
    ComboFix-quarantined-files.txt 2011-06-09 12:24
    .
    Pre-Run: 167,351,181,312 bytes free
    Post-Run: 167,312,867,328 bytes free
    .
    - - End Of File - - C0D573B0BD25D8837854FCFC3CCF1635
     
    Last edited: 2011/06/09
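    The RkU driver listing above is what the helper reads when he says the machine "looks clean": every loaded kernel module with its base address, size and, where present, the vendor and description from the file's version resource. As an added example, not part of this thread and not code from the RkU tool, here is a small Python parser for the >Drivers section that narrows a listing of that length to the entries a reviewer checks first: modules with no version information at all, and modules whose vendor is not on a trusted list. The sample report is a constructed excerpt in the format of the report posted above; the trusted-vendor tuple (Microsoft only) is an assumption and would normally be extended with the vendor of the installed security product.

```python
"""Parse the >Drivers section of a Rootkit Unhooker (RkU) LE report and
group the loaded modules by why a reviewer would want to look at them.
Added example; not part of the forum thread or of the RkU tool."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One RkU driver line: <base> <image> <size> bytes [(<vendor>, <description>)]
LINE_RE = re.compile(
    r"^(0x[0-9A-Fa-f]+)\s+(.+?)\s+(\d+)\s+bytes(?:\s+\((.*)\))?\s*$"
)

# Constructed excerpt in the format of the report posted above.
SAMPLE_REPORT = r"""
RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
>Drivers
==============================================
0x82610000 C:\Windows\system32\ntkrnlpa.exe 3907584 bytes (Microsoft Corporation, NT Kernel & System)
0x82610000 PnpManager 3907584 bytes
0x8CB76000 C:\Windows\System32\Drivers\aswSnx.SYS 458752 bytes (AVAST Software, avast! Virtualization Driver)
0x8CB24000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x829CA000 ACPI_HAL 208896 bytes
0x829CA000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x883CE000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
0xAEEE5000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0xAEFA3000 C:\Windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
==============================================
>Stealth
==============================================
"""


@dataclass
class Driver:
    base: int
    image: str
    size: int
    vendor: Optional[str]        # None when RkU printed no vendor field
    description: Optional[str]   # None when RkU printed no version info at all


def parse_rku_drivers(report: str) -> List[Driver]:
    """Return the modules listed between '>Drivers' and the next '>' header."""
    drivers: List[Driver] = []
    in_section = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith(">"):              # section header: >Drivers, >Stealth, ...
            in_section = line == ">Drivers"
            continue
        if not in_section or not line or line.startswith("="):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                          # tolerate stray text in a pasted report
        base, image, size, info = m.groups()
        vendor = description = None
        if info is not None:
            # RkU prints "Vendor, Description"; split on the LAST ", " so a
            # vendor string containing commas keeps the description intact.
            vendor, sep, description = info.rpartition(", ")
            if not sep:                       # e.g. "(RKU Driver)": description only
                vendor, description = None, info
        drivers.append(Driver(int(base, 16), image, int(size), vendor, description))
    return drivers


def triage(drivers: List[Driver],
           trusted=("Microsoft Corporation",)) -> Dict[str, List[str]]:
    """Group modules by why a reviewer would look at them first.
    RkU lists kernel pseudo-modules (PnpManager, RAW, ACPI_HAL, ...) at the
    same base address as the file backing them, so keep one entry per base,
    preferring the one that carries a file path. The trusted-vendor list is
    an assumption of this example."""
    by_base: Dict[int, Driver] = {}
    for d in drivers:
        current = by_base.get(d.base)
        if current is None or ("\\" not in current.image and "\\" in d.image):
            by_base[d.base] = d
    findings: Dict[str, List[str]] = {"no_version_info": [], "third_party": []}
    for d in by_base.values():
        if d.vendor is None and d.description is None:
            findings["no_version_info"].append(d.image)
        elif d.vendor not in trusted:
            findings["third_party"].append(f"{d.image} ({d.vendor or 'unknown vendor'})")
    return findings


if __name__ == "__main__":
    for reason, images in triage(parse_rku_drivers(SAMPLE_REPORT)).items():
        print(reason)
        for image in images:
            print("   ", image)
```

    On the sample, the modules without any version resource are the crash-dump copies of the storage driver (dump_*.sys), which is expected on a healthy Vista install, and the third-party group reduces to the avast! drivers, the Macrovision copy-protection driver and RkU's own BlackBox.SYS, each of which can be matched against software known to be installed. Anything left over after that matching is what deserves a file hash lookup, which is the manual check the helper performs on a full listing.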
  13. 2011/06/09
    broni Moderator Malware Analyst
    I don't see much so far...

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  14. 2011/06/09
    AlanR Well-Known Member Thread Starter
    Computer is running OK; I was concerned about security.

    Report 1

    OTL logfile created on: 09/06/2011 18:14:32 - Run 1
    OTL by OldTimer - Version 3.2.23.0 Folder = C:\Users\Alan\Desktop
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    1.99 Gb Total Physical Memory | 1.39 Gb Available Physical Memory | 69.76% Memory free
    4.21 Gb Paging File | 3.44 Gb Available in Paging File | 81.76% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 222.77 Gb Total Space | 155.86 Gb Free Space | 69.97% Space Free | Partition Type: NTFS
    Drive D: | 10.00 Gb Total Space | 5.88 Gb Free Space | 58.85% Space Free | Partition Type: NTFS
    Drive F: | 465.76 Gb Total Space | 461.24 Gb Free Space | 99.03% Space Free | Partition Type: NTFS

    Computer Name: ALAN-PC | User Name: Alan | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/06/09 18:03:41 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\Alan\Desktop\OTL.exe
    PRC - [2011/05/10 13:10:58 | 003,459,712 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
    PRC - [2009/09/26 00:31:32 | 000,185,640 | ---- | M] (Seagate LLC) -- C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
    PRC - [2009/04/11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


    ========== Modules (SafeList) ==========

    MOD - [2011/06/09 18:03:41 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\Alan\Desktop\OTL.exe
    MOD - [2011/05/10 13:10:55 | 000,199,792 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\snxhk.dll
    MOD - [2010/08/31 16:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2011/05/10 13:10:57 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2010/03/29 08:53:22 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
    SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
    SRV - [2009/09/26 00:32:18 | 000,189,736 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)
    SRV - [2008/01/21 03:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


    ========== Driver Services (SafeList) ==========

    DRV - [2011/05/10 13:03:54 | 000,441,176 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
    DRV - [2011/05/10 13:03:44 | 000,307,928 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2011/05/10 13:02:37 | 000,049,240 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2011/05/10 12:59:56 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2011/05/10 12:59:44 | 000,053,592 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
    DRV - [2011/05/10 12:59:35 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2008/01/21 03:23:25 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
    DRV - [2006/11/10 16:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\afc.sys -- (Afc)
    DRV - [2006/07/31 13:44:00 | 000,580,992 | ---- | M] (Omnivision Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ov550i.sys -- (APL531)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========




    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-948891049-2262682744-2781767659-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    IE - HKU\S-1-5-21-948891049-2262682744-2781767659-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
    IE - HKU\S-1-5-21-948891049-2262682744-2781767659-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 51 49 3D 8D 5F 15 CB 01 [binary data]
    IE - HKU\S-1-5-21-948891049-2262682744-2781767659-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKU\S-1-5-21-948891049-2262682744-2781767659-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}:6.0.25
    FF - prefs.js..extensions.enabledItems: wrc@avast.com:20110101


    FF - HKLM\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/05/16 15:04:57 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/30 20:17:24 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/30 20:17:24 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.10\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/05/01 12:40:45 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.10\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

    [2010/08/19 16:43:53 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Alan\AppData\Roaming\Mozilla\Extensions
    [2010/08/19 16:43:53 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Alan\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
    [2011/06/09 10:42:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Alan\AppData\Roaming\Mozilla\Firefox\Profiles\iobn5cct.default\extensions
    [2009/09/08 14:04:25 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Alan\AppData\Roaming\Mozilla\Firefox\Profiles\iobn5cct.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2011/04/28 21:55:22 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/04/28 21:55:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
    [2011/05/16 15:04:57 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
    [2011/04/14 05:08:00 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
    [2011/03/12 11:08:42 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
    [2011/03/12 11:08:42 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
    [2011/03/12 11:08:42 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
    [2011/03/12 11:08:42 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

    O1 HOSTS File: ([2011/06/09 13:22:58 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
    O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [MaxMenuMgr] C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe (Seagate LLC)
    O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
    O4 - HKU\S-1-5-21-948891049-2262682744-2781767659-1000..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\##aswSnx private storage\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-948891049-2262682744-2781767659-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-948891049-2262682744-2781767659-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
    O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
    O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
    O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O32 - AutoRun File - [2011/06/09 13:29:43 | 000,000,067 | ---- | M] () - F:\autorun.inf -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKU\S-1-5-21-948891049-2262682744-2781767659-1000\...com [@ = ComFile] -- Reg Error: Key error. File not found
    O37 - HKU\S-1-5-21-948891049-2262682744-2781767659-1000\...exe [@ = exefile] -- Reg Error: Key error. File not found

    NetSvcs: FastUserSwitchingCompatibility - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Nla - File not found
    NetSvcs: Ntmssvc - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: SRService - File not found
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: LogonHours - File not found
    NetSvcs: PCAudit - File not found
    NetSvcs: helpsvc - File not found
    NetSvcs: uploadmgr - File not found

    Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
    Drivers32: VIDC.I420 - msh263.drv File not found

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/06/09 18:03:38 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Users\Alan\Desktop\OTL.exe
    [2011/06/09 13:29:21 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2011/06/09 13:24:33 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2011/06/09 13:24:30 | 000,000,000 | ---D | C] -- C:\Users\Alan\AppData\Local\temp
    [2011/06/09 13:14:40 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2011/06/09 13:14:40 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2011/06/09 13:14:40 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2011/06/09 13:14:36 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2011/06/09 13:14:34 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/06/09 11:09:25 | 004,116,569 | R--- | C] (Swearware) -- C:\Users\Alan\Desktop\ComboFix.exe
    [2011/06/08 13:39:41 | 000,607,222 | R--- | C] (Swearware) -- C:\Users\Alan\Desktop\dds.scr
    [2011/06/06 20:43:19 | 000,000,000 | ---D | C] -- C:\Users\Alan\Desktop\WirelessStuff
    [2011/05/24 16:41:34 | 000,000,000 | ---D | C] -- C:\Users\Alan\AppData\Roaming\WinPatrol
    [2011/05/24 16:41:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPatrol
    [2011/05/24 16:41:24 | 000,000,000 | ---D | C] -- C:\ProgramData\InstallMate
    [2011/05/24 16:41:24 | 000,000,000 | ---D | C] -- C:\Program Files\BillP Studios
    [2007/10/15 02:35:00 | 000,040,960 | ---- | C] ( ) -- C:\Windows\OMNIUNS.EXE

    ========== Files - Modified Within 30 Days ==========

    [2011/06/09 18:03:41 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\Alan\Desktop\OTL.exe
    [2011/06/09 17:52:29 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2011/06/09 15:29:25 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2011/06/09 15:29:25 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2011/06/09 13:33:56 | 000,608,760 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2011/06/09 13:33:56 | 000,108,268 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2011/06/09 13:29:20 | 2136,133,632 | -HS- | M] () -- C:\hiberfil.sys
    [2011/06/09 13:22:58 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2011/06/09 11:09:28 | 004,116,569 | R--- | M] (Swearware) -- C:\Users\Alan\Desktop\ComboFix.exe
    [2011/06/09 10:54:13 | 000,139,264 | ---- | M] () -- C:\Users\Alan\Desktop\RKUnhookerLE.EXE
    [2011/06/08 13:39:42 | 000,607,222 | R--- | M] (Swearware) -- C:\Users\Alan\Desktop\dds.scr
    [2011/06/08 13:38:49 | 000,080,384 | ---- | M] () -- C:\Users\Alan\Desktop\MBRCheck.exe
    [2011/06/08 13:37:36 | 000,302,592 | ---- | M] () -- C:\Users\Alan\Desktop\6rkt8ue1.exe
    [2011/06/08 10:08:19 | 000,000,542 | ---- | M] () -- C:\Users\Alan\Documents\ChatLog Affiliates Chat Room 2011_06_08 10_08.rtf
    [2011/06/07 14:15:56 | 000,000,932 | ---- | M] () -- C:\Users\Alan\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
    [2011/06/05 19:26:18 | 000,616,129 | ---- | M] () -- C:\Users\Alan\Desktop\GT-E2550.pdf
    [2011/06/05 13:34:28 | 000,020,938 | ---- | M] () -- C:\Users\Alan\Desktop\Avonqand_prp.pdf
    [2011/06/04 18:33:13 | 000,632,646 | ---- | M] () -- C:\Users\Alan\Desktop\sfac.pdf
    [2011/06/01 15:40:41 | 001,064,316 | ---- | M] () -- C:\Users\Alan\Desktop\MillionPoundListBuildingMasteryReport.pdf
    [2011/06/01 10:38:14 | 000,024,442 | ---- | M] () -- C:\Users\Alan\Desktop\invite.gif
    [2011/05/31 21:19:52 | 054,130,245 | ---- | M] () -- C:\Users\Alan\Desktop\GimpVideos.zip
    [2011/05/31 21:17:22 | 000,462,817 | ---- | M] () -- C:\Users\Alan\Desktop\3.DomainandCP.zip
    [2011/05/31 21:08:10 | 016,223,379 | ---- | M] () -- C:\Users\Alan\Desktop\171MarketingGraphics.zip
    [2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
    [2011/05/29 09:11:20 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2011/05/25 11:35:16 | 000,803,314 | ---- | M] () -- C:\Users\Alan\Desktop\OrangeSecrets-1.0.2.pdf
    [2011/05/24 21:13:44 | 000,004,141 | ---- | M] () -- C:\Users\Alan\Desktop\7StepNotepad.zip
    [2011/05/23 10:42:10 | 000,066,987 | ---- | M] () -- C:\Users\Alan\Desktop\Home4Sure.pdf
    [2011/05/18 10:02:51 | 000,000,403 | ---- | M] () -- C:\Users\Alan\Documents\ChatLog Affiliates Chat Room 2011_05_18 10_02.rtf
    [2011/05/16 15:04:58 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
    [2011/05/14 14:08:34 | 000,337,109 | ---- | M] () -- C:\Users\Alan\Desktop\7StepsManual.pdf

    ========== Files Created - No Company Name ==========

    [2011/06/09 13:14:40 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
    [2011/06/09 13:14:40 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2011/06/09 13:14:40 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2011/06/09 13:14:40 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2011/06/09 13:14:40 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2011/06/09 10:54:07 | 000,139,264 | ---- | C] () -- C:\Users\Alan\Desktop\RKUnhookerLE.EXE
    [2011/06/08 13:38:48 | 000,080,384 | ---- | C] () -- C:\Users\Alan\Desktop\MBRCheck.exe
    [2011/06/08 13:37:30 | 000,302,592 | ---- | C] () -- C:\Users\Alan\Desktop\6rkt8ue1.exe
    [2011/06/08 10:08:19 | 000,000,542 | ---- | C] () -- C:\Users\Alan\Documents\ChatLog Affiliates Chat Room 2011_06_08 10_08.rtf
    [2011/06/05 19:26:18 | 000,616,129 | ---- | C] () -- C:\Users\Alan\Desktop\GT-E2550.pdf
    [2011/06/05 13:34:28 | 000,020,938 | ---- | C] () -- C:\Users\Alan\Desktop\Avonqand_prp.pdf
    [2011/06/04 18:33:13 | 000,632,646 | ---- | C] () -- C:\Users\Alan\Desktop\sfac.pdf
    [2011/06/01 15:40:41 | 001,064,316 | ---- | C] () -- C:\Users\Alan\Desktop\MillionPoundListBuildingMasteryReport.pdf
    [2011/06/01 10:38:12 | 000,024,442 | ---- | C] () -- C:\Users\Alan\Desktop\invite.gif
    [2011/05/31 21:19:11 | 054,130,245 | ---- | C] () -- C:\Users\Alan\Desktop\GimpVideos.zip
    [2011/05/31 21:17:21 | 000,462,817 | ---- | C] () -- C:\Users\Alan\Desktop\3.DomainandCP.zip
    [2011/05/31 21:08:02 | 016,223,379 | ---- | C] () -- C:\Users\Alan\Desktop\171MarketingGraphics.zip
    [2011/05/25 11:35:16 | 000,803,314 | ---- | C] () -- C:\Users\Alan\Desktop\OrangeSecrets-1.0.2.pdf
    [2011/05/24 21:13:42 | 000,004,141 | ---- | C] () -- C:\Users\Alan\Desktop\7StepNotepad.zip
    [2011/05/23 10:42:10 | 000,066,987 | ---- | C] () -- C:\Users\Alan\Desktop\Home4Sure.pdf
    [2011/05/18 10:02:51 | 000,000,403 | ---- | C] () -- C:\Users\Alan\Documents\ChatLog Affiliates Chat Room 2011_05_18 10_02.rtf
    [2011/05/14 14:08:34 | 000,337,109 | ---- | C] () -- C:\Users\Alan\Desktop\7StepsManual.pdf
    [2009/10/21 19:30:07 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
    [2009/10/21 19:30:06 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
    [2009/01/31 14:01:39 | 000,016,896 | ---- | C] () -- C:\Users\Alan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2009/01/15 21:22:26 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
    [2009/01/15 16:51:13 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
    [2009/01/15 16:21:03 | 000,000,680 | ---- | C] () -- C:\Users\Alan\AppData\Local\d3d9caps.dat
    [2008/09/07 04:28:14 | 001,953,696 | ---- | C] () -- C:\Windows\System32\igklg400.dll
    [2008/09/07 04:28:14 | 001,533,360 | ---- | C] () -- C:\Windows\System32\igklg450.dll
    [2008/09/07 04:28:14 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1409.dll
    [2008/09/07 04:28:14 | 000,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
    [2006/11/02 13:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
    [2006/11/02 13:47:37 | 000,253,072 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
    [2006/11/02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
    [2006/11/02 11:33:01 | 000,608,760 | ---- | C] () -- C:\Windows\System32\perfh009.dat
    [2006/11/02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
    [2006/11/02 11:33:01 | 000,108,268 | ---- | C] () -- C:\Windows\System32\perfc009.dat
    [2006/11/02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
    [2006/11/02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
    [2006/11/02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
    [2006/11/02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
    [2006/11/02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
    [2006/11/02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

    ========== LOP Check ==========

    [2010/01/20 19:36:42 | 000,000,000 | ---D | M] -- C:\Users\Alan\AppData\Roaming\CoffeeCup Software
    [2009/07/27 14:22:31 | 000,000,000 | ---D | M] -- C:\Users\Alan\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    [2011/04/16 10:39:51 | 000,000,000 | ---D | M] -- C:\Users\Alan\AppData\Roaming\eBookPro6
    [2009/10/08 19:56:15 | 000,000,000 | ---D | M] -- C:\Users\Alan\AppData\Roaming\GARMIN
    [2011/03/09 20:24:14 | 000,000,000 | ---D | M] -- C:\Users\Alan\AppData\Roaming\IrfanView
    [2010/03/20 14:40:09 | 000,000,000 | ---D | M] -- C:\Users\Alan\AppData\Roaming\Leadertech
    [2009/07/26 18:40:00 | 000,000,000 | ---D | M] -- C:\Users\Alan\AppData\Roaming\OpenOffice.org
    [2010/08/19 16:43:53 | 000,000,000 | ---D | M] -- C:\Users\Alan\AppData\Roaming\Thunderbird
    [2011/05/24 16:41:34 | 000,000,000 | ---D | M] -- C:\Users\Alan\AppData\Roaming\WinPatrol
    [2011/06/09 13:28:44 | 000,032,622 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
    [2009/04/11 07:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
    [2009/01/15 23:56:31 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
    [2011/06/09 13:24:29 | 000,009,639 | ---- | M] () -- C:\ComboFix.txt
    [2006/09/18 22:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
    [2008/09/07 04:33:53 | 000,004,435 | RH-- | M] () -- C:\dell.sdr
    [2011/06/09 13:29:20 | 2136,133,632 | -HS- | M] () -- C:\hiberfil.sys
    [2008/09/09 12:27:41 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2011/04/28 22:29:23 | 000,003,345 | ---- | M] () -- C:\JavaRa.log
    [2008/09/09 12:27:41 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2008/10/25 15:40:31 | 000,227,130 | ---- | M] () -- C:\nonav.log
    [2011/06/09 13:29:18 | 2449,948,672 | -HS- | M] () -- C:\pagefile.sys

    < %systemroot%\Fonts\*.com >
    [2006/11/02 13:37:12 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
    [2006/11/02 13:37:12 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
    [2006/11/02 13:37:12 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
    [2009/11/09 19:02:00 | 000,037,665 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2006/09/18 22:37:34 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2006/11/02 13:35:48 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2011/05/10 13:10:59 | 000,040,112 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2008/01/21 03:43:21 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2008/01/21 04:14:18 | 016,846,848 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
    [2008/01/21 04:14:08 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
    [2008/01/21 04:14:18 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
    [2006/11/02 11:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
    [2006/11/02 11:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2011/04/30 09:42:59 | 000,000,574 | -HS- | M] () -- C:\Users\Alan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >
    [2011/06/08 13:37:36 | 000,302,592 | ---- | M] () -- C:\Users\Alan\Desktop\6rkt8ue1.exe
    [2011/06/09 11:09:28 | 004,116,569 | R--- | M] (Swearware) -- C:\Users\Alan\Desktop\ComboFix.exe
    [2011/04/28 23:54:59 | 002,322,184 | ---- | M] (ESET) -- C:\Users\Alan\Desktop\esetsmartinstaller_enu.exe
    [2010/12/27 19:23:50 | 000,400,384 | ---- | M] (The RaProducts Team: Paul McLain and Fred de Vries) -- C:\Users\Alan\Desktop\JavaRa.exe
    [2011/04/28 21:51:59 | 000,886,560 | ---- | M] (Sun Microsystems, Inc.) -- C:\Users\Alan\Desktop\jxpiinstall.exe
    [2011/06/08 13:38:49 | 000,080,384 | ---- | M] () -- C:\Users\Alan\Desktop\MBRCheck.exe
    [2011/06/09 18:03:41 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\Alan\Desktop\OTL.exe
    [2011/06/09 10:54:13 | 000,139,264 | ---- | M] () -- C:\Users\Alan\Desktop\RKUnhookerLE.EXE
    [2011/04/28 22:15:10 | 000,879,028 | ---- | M] () -- C:\Users\Alan\Desktop\SecurityCheck.exe
    [2011/04/26 11:46:07 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Users\Alan\Desktop\TFC.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >
    [2009/11/09 19:11:38 | 000,008,192 | ---- | M] () -- C:\Windows\security\database\edb.chk
    [2009/11/09 19:11:08 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edb.log
    [2009/11/09 19:11:08 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbres00001.jrs
    [2009/11/09 19:11:08 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbres00002.jrs
    [2009/11/09 19:11:08 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbtmp.log
    [2009/11/09 19:11:08 | 001,056,768 | ---- | M] () -- C:\Windows\security\database\tmp.edb

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2010/12/06 12:20:50 | 000,000,402 | -HS- | M] () -- C:\Users\Alan\Favorites\desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < End of report >
     
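As an added example (not part of the thread, and not code from OTL or its author), here is a small Python parser for the file-listing lines in the OTL log above: it turns each `[timestamp | size | attributes | M] (company) -- path` entry into a record and raises the review flags a log reader checks by hand (executable with no company name, executable in a user-writable location, random-looking name, hidden+system attributes). The flag heuristics are assumptions of this example rather than OTL rules, and a legitimate helper tool renamed to a random name trips the same flags, so a flag means "look at it", not "malicious".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One OTL file-listing line looks like (copied from the log above):
# [2011/06/08 13:37:36 | 000,302,592 | ---- | M] () -- C:\Users\Alan\Desktop\6rkt8ue1.exe
# i.e. [timestamp | size | attributes | M(odified)/C(reated)] (company) -- path
OTL_LINE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

EXECUTABLE_EXT = {".exe", ".dll", ".sys", ".scr", ".cpl"}
# Heuristic (an assumption of this example): a bare alphanumeric stem mixing
# letters and digits, such as "6rkt8ue1", is worth a second look.
RANDOM_STEM = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,12}$", re.IGNORECASE)


@dataclass
class OtlEntry:
    stamp: str      # timestamp as printed by OTL
    size: int       # file size in bytes
    attrs: str      # four-character attribute field, e.g. "-HS-" or "R---"
    kind: str       # "M" or "C": which timestamp the line shows
    company: str    # company name from the file's version info ("" if none)
    path: str       # full path


def parse_line(line: str) -> Optional[OtlEntry]:
    """Parse one log line; returns None for section headers and other non-entry lines."""
    m = OTL_LINE.match(line.strip())
    if m is None:
        return None
    return OtlEntry(
        stamp=m["stamp"],
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=m["company"].strip(),
        path=m["path"].strip(),
    )


def review_flags(entry: OtlEntry) -> List[str]:
    """Return the review flags an entry raises (empty list means nothing stood out)."""
    flags: List[str] = []
    name = entry.path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    ext = "." + ext.lower() if dot else ""
    lower_path = entry.path.lower()
    in_user_area = "\\users\\" in lower_path or "\\appdata\\" in lower_path
    if ext in EXECUTABLE_EXT:
        if not entry.company:
            flags.append("no company name")
        if in_user_area:
            flags.append("executable in user-writable location")
        if RANDOM_STEM.match(stem):
            flags.append("random-looking file name")
    # desktop.ini is normally hidden+system, so only flag other file types.
    if "H" in entry.attrs and "S" in entry.attrs and ext != ".ini":
        flags.append("hidden+system attributes")
    return flags


def triage(log_lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (path, flags) for every entry that raised at least one flag, in log order."""
    results = []
    for line in log_lines:
        entry = parse_line(line)
        if entry is None:
            continue  # section headers such as "< %USERPROFILE%\Desktop\*.exe >" are skipped
        flags = review_flags(entry)
        if flags:
            results.append((entry.path, flags))
    return results


# Constructed sample: one section header and five entries copied from the log above.
SAMPLE_LOG = [
    r"< %USERPROFILE%\Desktop\*.exe >",
    r"[2011/04/30 09:42:59 | 000,000,574 | -HS- | M] () -- C:\Users\Alan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini",
    r"[2011/06/08 13:37:36 | 000,302,592 | ---- | M] () -- C:\Users\Alan\Desktop\6rkt8ue1.exe",
    r"[2011/06/09 11:09:28 | 004,116,569 | R--- | M] (Swearware) -- C:\Users\Alan\Desktop\ComboFix.exe",
    r"[2011/06/09 18:03:41 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\Alan\Desktop\OTL.exe",
    r"[2009/11/09 19:11:38 | 000,008,192 | ---- | M] () -- C:\Windows\security\database\edb.chk",
]

if __name__ == "__main__":
    for path, flags in triage(SAMPLE_LOG):
        print(f"{path}: {', '.join(flags)}")
```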
  15. 2011/06/09
    AlanR

    AlanR Well-Known Member Thread Starter

    Joined:
    2008/02/28
    Messages:
    48
    Likes Received:
    0
    Report 2

    OTL Extras logfile created on: 09/06/2011 18:14:32 - Run 1
    OTL by OldTimer - Version 3.2.23.0 Folder = C:\Users\Alan\Desktop
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    1.99 Gb Total Physical Memory | 1.39 Gb Available Physical Memory | 69.76% Memory free
    4.21 Gb Paging File | 3.44 Gb Available in Paging File | 81.76% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 222.77 Gb Total Space | 155.86 Gb Free Space | 69.97% Space Free | Partition Type: NTFS
    Drive D: | 10.00 Gb Total Space | 5.88 Gb Free Space | 58.85% Space Free | Partition Type: NTFS
    Drive F: | 465.76 Gb Total Space | 461.24 Gb Free Space | 99.03% Space Free | Partition Type: NTFS

    Computer Name: ALAN-PC | User Name: Alan | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1 ",%*
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

    [HKEY_USERS\S-1-5-21-948891049-2262682744-2781767659-1000\SOFTWARE\Classes\<extension>]
    .bat [@ = batfile] -- Reg Error: Key error. File not found
    .cmd [@ = cmdfile] -- Reg Error: Key error. File not found
    .com [@ = ComFile] -- Reg Error: Key error. File not found
    .exe [@ = exefile] -- Reg Error: Key error. File not found
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
    .pif [@ = piffile] -- Reg Error: Key error. File not found
    .vbs [@ = VBSFile] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1 ",%*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    htmlfile [edit] -- "C:\PROGRA~1\COFFEE~2\COFFEE~1\coffee.exe" "%1" (CoffeeCup Software)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1 "
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "VistaSp2" = Reg Error: Unknown registry data type -- File not found

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{007811BF-E310-4285-BFC6-55DB29B3EDDE}" = WinPatrol
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{26A24AE4-039D-4CA4-87B4-2F83216013F0}" = Java(TM) 6 Update 13
    "{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java(TM) 6 Update 25
    "{27F00C63-449B-2FAB-CBE8-24AB80E17449}" = Acrobat.com
    "{2A30052B-831C-41D3-8044-3C0388066350}" = Seagate Manager Installer
    "{2EA870FA-585F-4187-903D-CB9FFD21E2E0}" = DHTML Editing Component
    "{31AE724F-7E99-426A-8B0B-A2C5A33DA204}" = ArcSoft MediaImpression
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{6B566EFE-DC1D-471F-93DD-84832663F140}" = OVT Scanner X86
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
    "{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.4
    "{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
    "{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
    "{BEFBEDDF-1417-4C8A-92FB-F003C0D41199}" = OpenOffice.org 3.2
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus(R) for Adobe
    "{D56401D6-E356-4CA5-97A3-024D666F5E5C}" = ArcSoft PhotoImpression 6
    "{E503B4BF-F7BB-3D5F-8BC8-F694B1CFF942}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
    "{EFF87108-C9D0-43F1-BEE1-28DA87778F1A}" = Garmin Communicator Plugin
    "45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
    "7-Zip" = 7-Zip 4.65
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "avast" = avast! Free Antivirus
    "CoffeeCup Free HTML Editor" = CoffeeCup Free HTML Editor
    "HDMI" = Intel(R) Graphics Media Accelerator Driver
    "InstallShield_{2A30052B-831C-41D3-8044-3C0388066350}" = Seagate Manager Installer
    "IrfanView" = IrfanView (remove only)
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.0.1200
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Mozilla Firefox (3.6.17)" = Mozilla Firefox (3.6.17)
    "Mozilla Thunderbird (3.1.10)" = Mozilla Thunderbird (3.1.10)
    "PIXresizer_is1" = PIXresizer 2.0.4

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-948891049-2262682744-2781767659-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "GoToMeeting" = GoToMeeting 4.8.0.723

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 05/06/2011 14:16:56 | Computer Name = Alan-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 06/06/2011 10:51:55 | Computer Name = Alan-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 07/06/2011 06:11:24 | Computer Name = Alan-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 07/06/2011 14:51:07 | Computer Name = Alan-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 08/06/2011 04:10:15 | Computer Name = Alan-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 08/06/2011 08:57:17 | Computer Name = Alan-PC | Source = Application Error | ID = 1000
    Description = Faulting application 6rkt8ue1.exe, version 1.0.15.15640, time stamp
    0x4de220a0, faulting module 6rkt8ue1.exe, version 1.0.15.15640, time stamp 0x4de220a0,
    exception code 0xc0000005, fault offset 0x0000c676, process id 0x116c, application
    start time 0x01cc25db3f92e9c0.

    Error - 08/06/2011 09:02:13 | Computer Name = Alan-PC | Source = Perflib | ID = 1010
    Description =

    Error - 09/06/2011 05:31:57 | Computer Name = Alan-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 09/06/2011 06:54:55 | Computer Name = Alan-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 09/06/2011 08:31:07 | Computer Name = Alan-PC | Source = WinMgmt | ID = 10
    Description =

    [ System Events ]
    Error - 06/05/2011 16:30:51 | Computer Name = Alan-PC | Source = Service Control Manager | ID = 7011
    Description =

    Error - 11/05/2011 08:09:42 | Computer Name = Alan-PC | Source = Dhcp | ID = 1002
    Description = The IP address lease 82.37.76.212 for the Network Card with network
    address 001EC981CCB0 has been denied by the DHCP server 192.168.100.1 (The DHCP
    Server sent a DHCPNACK message).

    Error - 11/05/2011 08:09:54 | Computer Name = Alan-PC | Source = Dhcp | ID = 1002
    Description = The IP address lease 192.168.100.11 for the Network Card with network
    address 001EC981CCB0 has been denied by the DHCP server 192.168.100.1 (The DHCP
    Server sent a DHCPNACK message).

    Error - 07/06/2011 08:09:15 | Computer Name = Alan-PC | Source = Dhcp | ID = 1002
    Description = The IP address lease 82.37.76.212 for the Network Card with network
    address 001EC981CCB0 has been denied by the DHCP server 192.168.100.1 (The DHCP
    Server sent a DHCPNACK message).

    Error - 07/06/2011 08:09:30 | Computer Name = Alan-PC | Source = Dhcp | ID = 1002
    Description = The IP address lease 192.168.100.11 for the Network Card with network
    address 001EC981CCB0 has been denied by the DHCP server 192.168.100.1 (The DHCP
    Server sent a DHCPNACK message).

    Error - 09/06/2011 08:08:35 | Computer Name = Alan-PC | Source = Dhcp | ID = 1002
    Description = The IP address lease 82.37.76.212 for the Network Card with network
    address 001EC981CCB0 has been denied by the DHCP server 192.168.100.1 (The DHCP
    Server sent a DHCPNACK message).

    Error - 09/06/2011 08:12:20 | Computer Name = Alan-PC | Source = Dhcp | ID = 1002
    Description = The IP address lease 192.168.100.11 for the Network Card with network
    address 001EC981CCB0 has been denied by the DHCP server 192.168.100.1 (The DHCP
    Server sent a DHCPNACK message).

    Error - 09/06/2011 08:15:50 | Computer Name = Alan-PC | Source = Service Control Manager | ID = 7030
    Description =

    Error - 09/06/2011 08:20:53 | Computer Name = Alan-PC | Source = Service Control Manager | ID = 7030
    Description =

    Error - 09/06/2011 08:23:00 | Computer Name = Alan-PC | Source = Service Control Manager | ID = 7030
    Description =


    < End of report >


    Thanks Broni
     
  16. 2011/06/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very well :)

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
     
  17. 2011/06/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    OTL log looks clean.

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave reading the results to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart the computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If ESET doesn't find any threats, it won't produce a log.
     
  18. 2011/06/09
    AlanR

    AlanR Well-Known Member Thread Starter

    Joined:
    2008/02/28
    Messages:
    48
    Likes Received:
    0
    Here is the report for SecurityCheck.exe

    Results of screen317's Security Check version 0.99.7
    Windows Vista Service Pack 2 (UAC is enabled)
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    avast! Free Antivirus
    ESET Online Scanner v3
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 13
    Java(TM) 6 Update 25
    Out of date Java installed!
    Adobe Flash Player 10.3.181.14
    Adobe Reader 9.4.4
    Out of date Adobe Reader installed!
    Mozilla Firefox (3.6.17)
    Mozilla Thunderbird (3.1.10) Thunderbird Out of Date!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    WinPatrol winpatrol.exe is disabled!
    system32 AvastSvc.exe -?-
    AVAST Software Avast AvastUI.exe
    ``````````End of Log````````````

    ....................................................................................................................

    The Temp cleaner cleared 214Mb for me...thanks

    ....................................................................................................................

    Here is the report for ESET online scanner.

    Oh dear, oh dear!... it fell at the last fence!!

    C:\Users\Alan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\6e45fa36-2a098ee5 Java/TrojanDownloader.OpenStream.NCA trojan
    C:\Windows.old\Documents and Settings\Alan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\6e45fa36-2a098ee5 Java/TrojanDownloader.OpenStream.NCA trojan
     
    Last edited: 2011/06/09
  19. 2011/06/09
    AlanR

    AlanR Well-Known Member Thread Starter

    Joined:
    2008/02/28
    Messages:
    48
    Likes Received:
    0
    Broni, we had dealings with the Java on my last problem that you helped me with...
    Entitled: RunDll (error loading) Vista Home Premium... (If that helps at all)

    Alan
     
  20. 2011/06/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      
      :Services
      
      :Reg
      
      :Files
      C:\Users\Alan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\6e45fa36-2a098ee5 
      C:\Windows.old\Documents and Settings\Alan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\6e45fa36-2a098ee5
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ====================================================

    What is the exact problem with Java?

    You need to update it anyway and uninstall old versions.
    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ====================================================

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), and download and install Foxit PDF Reader (3.5 MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

    ==================================================
     
  21. 2011/06/10
    AlanR

    AlanR Well-Known Member Thread Starter

    Joined:
    2008/02/28
    Messages:
    48
    Likes Received:
    0
    OTL

    Broni, I had a problem with OTL on this run. OTL went through the process and then it reported that the process was complete, and offered me a click to reboot which I did...but the program locked at that and no report was issued. I rebooted the Computer manually a few minutes later.

    Am I to presume that OTL activated all of the code that we pasted into it? How do we prove it with no report? So I await your further instructions on this, please.

    ....................................................................................................................

    Java

    Your Question:
    What is the exact problem with Java?

    Answer:

    I/We updated Java during the period that you helped me last, in April? At that time, when it came to uninstalling the older update, I kept getting a strange pop-up window, leading to (if I remember correctly) a Microsoft page of some kind. You told me to leave it alone where it is.

    I will go through updating Java again after I hear from you regarding the OTL problem, in case that needs sorting first.

    Thanks Broni.
     
    Last edited: 2011/06/10
