Hijack log / DDS / Attach / Ark - Whitesmoke Trojan/Malware

ohiobowtech (Thread Starter) - Joined Jan 13, 2011 - Messages: 14
Hello...I have the Whitesmoke trojan/malware. Thanks for the help!!!!!

Hijack log
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:37:53 PM, on 1/13/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z007&form=ZGAPHP
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8075
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: C:\WINDOWS\system32\gyy2vn.dll - {B2B220C1-A503-59BD-F413-01B53A2C8953} - C:\WINDOWS\system32\gyy2vn.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [uPc+MV0NdNaGuo] rundll32.exe C:\WINDOWS\system32\uk82if6.dll, SystemServer
O4 - HKLM\..\Run: [HNUOQOXRotgc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\gitqfus5e.exe
O4 - HKLM\..\Run: [HNUOQOXRota] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
O4 - HKLM\..\Run: [HNUOQOXRprc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\login.exe
O4 - HKLM\..\Run: [HNUOQOXRpuc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\lsass.exe
O4 - HKLM\..\Run: [MKfre] C:\WINDOWS\wininst.exe
O4 - HKLM\..\Run: [MKdw+] C:\WINDOWS\nvsvc32.exe
O4 - HKLM\..\Run: [MKZe] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [MKaZ] C:\WINDOWS\cmd.exe
O4 - HKLM\..\Run: [HNUOQOXRrrb] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\taskmgr.exe
O4 - HKLM\..\Run: [MKetc] C:\WINDOWS\sysedit.exe
O4 - HKLM\..\Run: [Gruyaq] rundll32.exe "C:\WINDOWS\uvosodamapesepe.dll",Startup
O4 - HKLM\..\Run: [HNUOQOXRota (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
O4 - HKLM\..\Run: [MKfPc] C:\WINDOWS\win32.exe
O4 - HKLM\..\Run: [HNUOQOXRotc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hexdump.exe
O4 - HKLM\..\Run: [MKevc] C:\WINDOWS\setup.exe
O4 - HKLM\..\Run: [HNUOQOXRnoc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\debug.exe
O4 - HKLM\..\Run: [MKerb] C:\WINDOWS\taskmgr.exe
O4 - HKLM\..\Run: [HNUOQOXRnsc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\drweb.exe
O4 - HKLM\..\Run: [MKcrc] C:\WINDOWS\login.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe
O4 - HKCU\..\Run: [gionnovn] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ssmmxvwrn\hjjojjvusbs.exe
O4 - HKCU\..\Run: [Wyoqiquyiwifapoy] rundll32.exe "C:\WINDOWS\rherat.dll",Startup
O4 - HKCU\..\Run: [uPc+MV0NdNaGuo] rundll32.exe C:\WINDOWS\system32\uk82if6.dll, SystemServer
O4 - HKCU\..\Run: [HNUOQOXRotgc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\gitqfus5e.exe
O4 - HKCU\..\Run: [rfjpkegn] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\luvlyixey\hyavubfusbs.exe
O4 - HKCU\..\Run: [HNUOQOXRota] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
O4 - HKCU\..\Run: [HNUOQOXRprc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\login.exe
O4 - HKCU\..\Run: [HNUOQOXRpuc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\lsass.exe
O4 - HKCU\..\Run: [MKfre] C:\WINDOWS\wininst.exe
O4 - HKCU\..\Run: [MKdw+] C:\WINDOWS\nvsvc32.exe
O4 - HKCU\..\Run: [MKZe] C:\WINDOWS\avp.exe
O4 - HKCU\..\Run: [MKaZ] C:\WINDOWS\cmd.exe
O4 - HKCU\..\Run: [HNUOQOXRrrb] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\taskmgr.exe
O4 - HKCU\..\Run: [MKetc] C:\WINDOWS\sysedit.exe
O4 - HKCU\..\Run: [HNUOQOXRota (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
O4 - HKCU\..\Run: [MKfPc] C:\WINDOWS\win32.exe
O4 - HKCU\..\Run: [HNUOQOXRotc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hexdump.exe
O4 - HKCU\..\Run: [MKevc] C:\WINDOWS\setup.exe
O4 - HKCU\..\Run: [HNUOQOXRnoc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\debug.exe
O4 - HKCU\..\Run: [MKerb] C:\WINDOWS\taskmgr.exe
O4 - HKCU\..\Run: [HNUOQOXRnsc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\drweb.exe
O4 - HKCU\..\Run: [MKcrc] C:\WINDOWS\login.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Launch Whitesmoke Translator.lnk = C:\Program Files\Whitesmoke Translator\WSTrayDictMode.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O20 - Winlogon Notify: mpstreg - mpstreg.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: iwuiahf87sfy8ushfijsjgfgf - {B2B220C1-A503-59BD-F413-01B53A2C8953} - C:\WINDOWS\system32\gyy2vn.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

--
End of file - 12885 bytes



DDS log

DDS (Ver_10-12-12.02) - NTFSx86
Run by HP_Administrator at 16:48:25.42 on Thu 01/13/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.643 [GMT -5:00]

AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\mcrdsvc.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\DISC\DiscStreamHub.exe
C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:8075
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: c:\windows\system32\gyy2vn.dll: {b2b220c1-a503-59bd-f413-01b53a2c8953} - c:\windows\system32\gyy2vn.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Jing] c:\program files\techsmith\jing\Jing.exe
uRun: [gionnovn] c:\docume~1\hp_adm~1\locals~1\temp\ssmmxvwrn\hjjojjvusbs.exe
uRun: [Wyoqiquyiwifapoy] rundll32.exe "c:\windows\rherat.dll",Startup
uRun: [uPc+MV0NdNaGuo] rundll32.exe c:\windows\system32\uk82if6.dll, SystemServer
uRun: [HNUOQOXRotgc] c:\docume~1\hp_adm~1\locals~1\temp\gitqfus5e.exe
uRun: [rfjpkegn] c:\docume~1\hp_adm~1\locals~1\temp\luvlyixey\hyavubfusbs.exe
uRun: [HNUOQOXRota] c:\docume~1\hp_adm~1\locals~1\temp\install.exe
uRun: [HNUOQOXRprc] c:\docume~1\hp_adm~1\locals~1\temp\login.exe
uRun: [HNUOQOXRpuc] c:\docume~1\hp_adm~1\locals~1\temp\lsass.exe
uRun: [MKfre] c:\windows\wininst.exe
uRun: [MKdw+] c:\windows\nvsvc32.exe
uRun: [MKZe] c:\windows\avp.exe
uRun: [MKaZ] c:\windows\cmd.exe
uRun: [HNUOQOXRrrb] c:\docume~1\hp_adm~1\locals~1\temp\taskmgr.exe
uRun: [MKetc] c:\windows\sysedit.exe
uRun: [HNUOQOXRota (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1] c:\docume~1\hp_adm~1\locals~1\temp\install.exe
uRun: [MKfPc] c:\windows\win32.exe
uRun: [HNUOQOXRotc] c:\docume~1\hp_adm~1\locals~1\temp\hexdump.exe
uRun: [MKevc] c:\windows\setup.exe
uRun: [HNUOQOXRnoc] c:\docume~1\hp_adm~1\locals~1\temp\debug.exe
uRun: [MKerb] c:\windows\taskmgr.exe
uRun: [HNUOQOXRnsc] c:\docume~1\hp_adm~1\locals~1\temp\drweb.exe
uRun: [MKcrc] c:\windows\login.exe
uRun: [MKcrc] c:\windows\login.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [DISCover] c:\program files\disc\DISCover.exe
mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [uPc+MV0NdNaGuo] rundll32.exe c:\windows\system32\uk82if6.dll, SystemServer
mRun: [HNUOQOXRotgc] c:\docume~1\hp_adm~1\locals~1\temp\gitqfus5e.exe
mRun: [HNUOQOXRota] c:\docume~1\hp_adm~1\locals~1\temp\install.exe
mRun: [HNUOQOXRprc] c:\docume~1\hp_adm~1\locals~1\temp\login.exe
mRun: [HNUOQOXRpuc] c:\docume~1\hp_adm~1\locals~1\temp\lsass.exe
mRun: [MKfre] c:\windows\wininst.exe
mRun: [MKdw+] c:\windows\nvsvc32.exe
mRun: [MKZe] c:\windows\avp.exe
mRun: [MKaZ] c:\windows\cmd.exe
mRun: [HNUOQOXRrrb] c:\docume~1\hp_adm~1\locals~1\temp\taskmgr.exe
mRun: [MKetc] c:\windows\sysedit.exe
mRun: [Gruyaq] rundll32.exe "c:\windows\uvosodamapesepe.dll",Startup
mRun: [HNUOQOXRota (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1] c:\docume~1\hp_adm~1\locals~1\temp\install.exe
mRun: [MKfPc] c:\windows\win32.exe
mRun: [HNUOQOXRotc] c:\docume~1\hp_adm~1\locals~1\temp\hexdump.exe
mRun: [MKevc] c:\windows\setup.exe
mRun: [HNUOQOXRnoc] c:\docume~1\hp_adm~1\locals~1\temp\debug.exe
mRun: [MKerb] c:\windows\taskmgr.exe
mRun: [HNUOQOXRnsc] c:\docume~1\hp_adm~1\locals~1\temp\drweb.exe
mRun: [MKcrc] c:\windows\login.exe
dRun: [Ÿ]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\program files\whitesmoke translator\WSTrayDictMode.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: trymedia.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: mpstreg - mpstreg.dll
STS: c:\windows\system32\gyy2vn.dll: {b2b220c1-a503-59bd-f413-01b53a2c8953} - c:\windows\system32\gyy2vn.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-6-16 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-6-16 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-6-16 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-18 308136]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2005-12-23 468768]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]

=============== Created Last 30 ================

2011-01-13 21:34:13 3017 ----a-w- c:\windows\ocihigafekutege.dll
2011-01-13 20:58:45 3017 ----a-w- c:\windows\icihubimudutibo.dll
2011-01-13 20:54:11 3017 ----a-w- c:\windows\iwivupil.dll
2011-01-13 20:44:16 3017 ----a-w- c:\windows\avupidura.dll
2011-01-13 20:39:31 3017 ----a-w- c:\windows\asoqeluwe.dll
2011-01-12 22:31:24 3017 ----a-w- c:\windows\ohojivuluyetof.dll
2011-01-12 22:00:42 3017 ----a-w- c:\windows\adufovav.dll
2011-01-12 21:56:39 3017 ----a-w- c:\windows\uhacalolacihir.dll
2011-01-12 21:39:38 10752 ----a-w- c:\windows\system32\mpstreg.dll
2011-01-12 21:37:55 3017 ----a-w- c:\windows\uwoyutezezuq.dll
2011-01-12 21:21:39 -------- d-----w- c:\windows\system32\%APPDATA%
2011-01-12 21:19:44 3017 ----a-w- c:\windows\edoleriw.dll
2011-01-12 15:07:28 3017 ----a-w- c:\windows\apejuger.dll
2011-01-12 13:00:15 0 ----a-w- c:\windows\Xpepupewad.bin
2011-01-12 13:00:14 -------- d-----w- c:\docume~1\hp_adm~1\locals~1\applic~1\{67FF3FC2-3A62-49DC-BEE9-049D625A4D5E}
2011-01-12 12:58:36 -------- d-----w- c:\program files\Yontoo Layers Client
2011-01-12 12:58:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Tarma Installer
2011-01-12 12:58:29 30000 ----a-w- c:\windows\system32\uk82if6.dll
2010-12-27 16:00:08 -------- d-----w- c:\program files\iPod
2010-12-27 16:00:02 -------- d-----w- c:\program files\iTunes
2010-12-20 21:16:46 51200 ----a-w- c:\windows\system32\drivers\msdv.sys
2010-12-20 21:16:46 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys
2010-12-20 21:16:41 38912 ----a-w- c:\windows\system32\drivers\avc.sys
2010-12-20 21:16:41 38912 ----a-w- c:\windows\system32\dllcache\avc.sys
2010-12-20 21:16:36 48128 ----a-w- c:\windows\system32\drivers\61883.sys
2010-12-20 21:16:36 48128 ----a-w- c:\windows\system32\dllcache\61883.sys
2010-12-15 12:36:15 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 12:35:37 45568 ------w- c:\windows\system32\dllcache\wab.exe

==================== Find3M ====================

2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 16:50:56.75 ===============


GMER log

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-13 18:29:26
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_SP2504C rev.VT100-38
Running: b7s52e9n.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kwxyafod.sys

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[124] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 0EA091DE
.text C:\WINDOWS\Explorer.EXE[124] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0EA097DF
.text C:\WINDOWS\Explorer.EXE[124] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 0EA09995
.text C:\WINDOWS\Explorer.EXE[124] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 0EA09897
.text C:\WINDOWS\Explorer.EXE[124] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0EA034B1
.text C:\WINDOWS\Explorer.EXE[124] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 0EA06F36
.text C:\WINDOWS\Explorer.EXE[124] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0EA05879
.text C:\WINDOWS\Explorer.EXE[124] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 0EA023AF
.text C:\WINDOWS\Explorer.EXE[124] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 0EA12900
.text C:\WINDOWS\Explorer.EXE[124] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 0EA07880
.text C:\WINDOWS\Explorer.EXE[124] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 0EA07749
.text C:\WINDOWS\Explorer.EXE[124] WININET.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 0EA079B7
.text C:\WINDOWS\Explorer.EXE[124] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0EA0E736
.text C:\WINDOWS\ehome\ehtray.exe[292] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
.text C:\WINDOWS\ehome\ehtray.exe[292] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
.text C:\WINDOWS\ehome\ehtray.exe[292] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
.text C:\WINDOWS\ehome\ehtray.exe[292] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
.text C:\WINDOWS\ehome\ehtray.exe[292] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
.text C:\WINDOWS\ehome\ehtray.exe[292] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
.text C:\WINDOWS\ehome\ehtray.exe[292] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
.text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
.text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
.text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
.text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
.text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
.text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
.text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
.text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
.text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
.text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
.text C:\WINDOWS\ehome\ehtray.exe[292] ws2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
.text C:\WINDOWS\ehome\ehtray.exe[292] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
.text C:\WINDOWS\system32\ctfmon.exe[540] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
.text C:\WINDOWS\system32\ctfmon.exe[540] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
.text C:\WINDOWS\system32\ctfmon.exe[540] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
.text C:\WINDOWS\system32\ctfmon.exe[540] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
.text C:\WINDOWS\system32\ctfmon.exe[540] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
.text C:\WINDOWS\system32\ctfmon.exe[540] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
.text C:\WINDOWS\system32\ctfmon.exe[540] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
.text C:\WINDOWS\system32\ctfmon.exe[540] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
.text C:\WINDOWS\system32\ctfmon.exe[540] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
.text C:\WINDOWS\system32\ctfmon.exe[540] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
.text C:\WINDOWS\system32\ctfmon.exe[540] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
.text C:\WINDOWS\system32\ctfmon.exe[540] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
.text C:\WINDOWS\system32\ctfmon.exe[540] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
.text C:\WINDOWS\system32\ctfmon.exe[540] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
.text C:\WINDOWS\system32\ctfmon.exe[540] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
.text C:\WINDOWS\system32\ctfmon.exe[540] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
.text C:\WINDOWS\system32\ctfmon.exe[540] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
.text C:\WINDOWS\system32\ctfmon.exe[540] ws2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
.text C:\WINDOWS\system32\ctfmon.exe[540] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
.text C:\WINDOWS\system32\winlogon.exe[696] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
.text C:\WINDOWS\system32\winlogon.exe[696] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
.text C:\WINDOWS\system32\winlogon.exe[696] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
.text C:\WINDOWS\system32\winlogon.exe[696] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
.text C:\WINDOWS\system32\winlogon.exe[696] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
.text C:\WINDOWS\system32\winlogon.exe[696] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
.text C:\WINDOWS\system32\winlogon.exe[696] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
.text C:\WINDOWS\system32\winlogon.exe[696] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
.text C:\WINDOWS\system32\winlogon.exe[696] WS2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
.text C:\WINDOWS\system32\winlogon.exe[696] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
.text C:\WINDOWS\system32\winlogon.exe[696] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
.text C:\WINDOWS\system32\winlogon.exe[696] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
.text C:\WINDOWS\system32\winlogon.exe[696] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
.text C:\WINDOWS\system32\winlogon.exe[696] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
.text C:\WINDOWS\system32\winlogon.exe[696] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
.text C:\WINDOWS\system32\winlogon.exe[696] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
.text C:\WINDOWS\system32\winlogon.exe[696] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
.text C:\WINDOWS\system32\winlogon.exe[696] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
.text C:\WINDOWS\system32\winlogon.exe[696] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
.text C:\WINDOWS\system32\lsass.exe[752] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
.text C:\WINDOWS\system32\lsass.exe[752] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
.text C:\WINDOWS\system32\lsass.exe[752] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
.text C:\WINDOWS\system32\lsass.exe[752] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
.text C:\WINDOWS\system32\lsass.exe[752] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
.text C:\WINDOWS\system32\lsass.exe[752] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
.text C:\WINDOWS\system32\lsass.exe[752] WS2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
.text C:\WINDOWS\system32\lsass.exe[752] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
.text C:\WINDOWS\system32\lsass.exe[752] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
.text C:\WINDOWS\system32\lsass.exe[752] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
.text C:\WINDOWS\system32\lsass.exe[752] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
.text C:\WINDOWS\system32\lsass.exe[752] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
.text C:\WINDOWS\system32\lsass.exe[752] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
.text C:\WINDOWS\system32\lsass.exe[752] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
.text C:\WINDOWS\system32\lsass.exe[752] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
.text C:\WINDOWS\system32\lsass.exe[752] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
.text C:\WINDOWS\system32\lsass.exe[752] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
.text C:\WINDOWS\system32\lsass.exe[752] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
.text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
.text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
.text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
.text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
.text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
.text C:\WINDOWS\system32\svchost.exe[944] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
.text C:\WINDOWS\system32\svchost.exe[944] WS2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
.text C:\WINDOWS\system32\svchost.exe[944] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
.text C:\WINDOWS\system32\svchost.exe[944] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
.text C:\WINDOWS\system32\svchost.exe[944] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
.text C:\WINDOWS\system32\svchost.exe[944] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
.text C:\WINDOWS\system32\svchost.exe[944] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
.text C:\WINDOWS\system32\svchost.exe[944] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
.text C:\WINDOWS\system32\svchost.exe[944] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
.text C:\WINDOWS\system32\svchost.exe[944] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
.text C:\WINDOWS\system32\svchost.exe[944] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
.text C:\WINDOWS\system32\svchost.exe[944] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
.text C:\WINDOWS\system32\svchost.exe[944] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
.text C:\WINDOWS\system32\svchost.exe[1004] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
.text C:\WINDOWS\system32\svchost.exe[1004] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
.text C:\WINDOWS\system32\svchost.exe[1004] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
.text C:\WINDOWS\system32\svchost.exe[1004] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
.text C:\WINDOWS\system32\svchost.exe[1004] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
.text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
.text C:\WINDOWS\system32\svchost.exe[1004] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
.text C:\WINDOWS\system32\svchost.exe[1004] WS2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
.text C:\WINDOWS\system32\svchost.exe[1004] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
.text C:\WINDOWS\system32\svchost.exe[1004] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
.text C:\WINDOWS\system32\svchost.exe[1004] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
.text C:\WINDOWS\system32\svchost.exe[1004] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
.text C:\WINDOWS\system32\svchost.exe[1004] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
.text C:\WINDOWS\system32\svchost.exe[1004] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
.text C:\WINDOWS\system32\svchost.exe[1004] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
.text C:\WINDOWS\system32\svchost.exe[1004] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
.text C:\WINDOWS\system32\svchost.exe[1004] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
.text C:\WINDOWS\system32\svchost.exe[1004] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
.text C:\WINDOWS\system32\svchost.exe[1004] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
.text C:\WINDOWS\System32\svchost.exe[1096] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
.text C:\WINDOWS\System32\svchost.exe[1096] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
.text C:\WINDOWS\System32\svchost.exe[1096] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
.text C:\WINDOWS\System32\svchost.exe[1096] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
.text C:\WINDOWS\System32\svchost.exe[1096] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
.text C:\WINDOWS\System32\svchost.exe[1096] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
.text C:\WINDOWS\System32\svchost.exe[1096] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
.text C:\WINDOWS\System32\svchost.exe[1096] WS2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
.text C:\WINDOWS\System32\svchost.exe[1096] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
.text C:\WINDOWS\System32\svchost.exe[1096] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
.text C:\WINDOWS\System32\svchost.exe[1096] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
.text C:\WINDOWS\System32\svchost.exe[1096] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
.text C:\WINDOWS\System32\svchost.exe[1096] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
.text C:\WINDOWS\System32\svchost.exe[1096] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
.text C:\WINDOWS\System32\svchost.exe[1096] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
.text C:\WINDOWS\System32\svchost.exe[1096] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
.text C:\WINDOWS\System32\svchost.exe[1096] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
.text C:\WINDOWS\System32\svchost.exe[1096] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
.text C:\WINDOWS\System32\svchost.exe[1096] WININET.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
.text C:\WINDOWS\system32\rundll32.exe[1140] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 0EA091DE
.text C:\WINDOWS\system32\rundll32.exe[1140] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0EA097DF
.text C:\WINDOWS\system32\rundll32.exe[1140] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 0EA09995
.text C:\WINDOWS\system32\rundll32.exe[1140] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 0EA09897
.text C:\WINDOWS\system32\rundll32.exe[1140] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0EA034B1
.text C:\WINDOWS\system32\rundll32.exe[1140] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0EA05879
.text C:\WINDOWS\system32\rundll32.exe[1140] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 0EA06F36
.text C:\WINDOWS\system32\rundll32.exe[1140] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0EA0E736
.text C:\WINDOWS\system32\rundll32.exe[1140] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 0EA12660
.text C:\WINDOWS\system32\rundll32.exe[1140] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 0EA11E10
.text C:\WINDOWS\system32\rundll32.exe[1140] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 0EA12900
.text C:\WINDOWS\system32\rundll32.exe[1140] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 0EA0F540
.text C:\WINDOWS\system32\rundll32.exe[1140] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 0EA0F2D0
.text C:\WINDOWS\system32\rundll32.exe[1140] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 0EA0EF00
.text C:\WINDOWS\system32\rundll32.exe[1140] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 0EA07880
.text C:\WINDOWS\system32\rundll32.exe[1140] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 0EA07749
.text C:\WINDOWS\system32\rundll32.exe[1140] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 0EA127B0
.text C:\WINDOWS\system32\rundll32.exe[1140] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 0EA079B7
.text C:\WINDOWS\system32\rundll32.exe[1140] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 0EA023AF
.text C:\WINDOWS\system32\svchost.exe[1196] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
.text C:\WINDOWS\system32\svchost.exe[1196] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
.text C:\WINDOWS\system32\svchost.exe[1196] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
.text C:\WINDOWS\system32\svchost.exe[1196] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
.text C:\WINDOWS\system32\svchost.exe[1196] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
.text C:\WINDOWS\system32\svchost.exe[1196] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
.text C:\WINDOWS\system32\svchost.exe[1196] WS2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
.text C:\WINDOWS\system32\svchost.exe[1196] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
.text C:\WINDOWS\system32\svchost.exe[1196] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
.text C:\WINDOWS\system32\svchost.exe[1196] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
.text C:\WINDOWS\system32\svchost.exe[1196] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
.text C:\WINDOWS\system32\svchost.exe[1196] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
.text C:\WINDOWS\system32\svchost.exe[1196] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
.text C:\WINDOWS\system32\svchost.exe[1196] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
.text C:\WINDOWS\system32\svchost.exe[1196] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
.text C:\WINDOWS\system32\svchost.exe[1196] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
.text C:\WINDOWS\system32\svchost.exe[1196] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
.text C:\WINDOWS\system32\svchost.exe[1196] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
.text C:\WINDOWS\system32\svchost.exe[1240] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
.text C:\WINDOWS\system32\svchost.exe[1240] WS2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
.text C:\WINDOWS\system32\svchost.exe[1240] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
.text C:\WINDOWS\system32\svchost.exe[1240] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
.text C:\WINDOWS\system32\svchost.exe[1240] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
.text C:\WINDOWS\system32\svchost.exe[1240] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
.text C:\WINDOWS\system32\svchost.exe[1240] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
.text C:\WINDOWS\system32\svchost.exe[1240] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
.text C:\WINDOWS\system32\svchost.exe[1240] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
.text C:\WINDOWS\system32\svchost.exe[1240] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
.text C:\WINDOWS\system32\svchost.exe[1240] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
.text C:\WINDOWS\system32\svchost.exe[1240] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
.text C:\WINDOWS\system32\svchost.exe[1240] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] ws2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] ws2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
.text C:\WINDOWS\system32\spoolsv.exe[1600] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
.text C:\WINDOWS\system32\spoolsv.exe[1600] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
.text C:\WINDOWS\system32\spoolsv.exe[1600] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
.text C:\WINDOWS\system32\spoolsv.exe[1600] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
.text C:\WINDOWS\system32\spoolsv.exe[1600] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
.text C:\WINDOWS\system32\spoolsv.exe[1600] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
.text C:\WINDOWS\system32\spoolsv.exe[1600] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
.text C:\WINDOWS\system32\spoolsv.exe[1600] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
.text C:\WINDOWS\system32\spoolsv.exe[1600] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
.text C:\WINDOWS\system32\spoolsv.exe[1600] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
.text C:\WINDOWS\system32\spoolsv.exe[1600] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
.text C:\WINDOWS\system32\spoolsv.exe[1600] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
.text C:\WINDOWS\system32\spoolsv.exe[1600] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
.text C:\WINDOWS\system32\spoolsv.exe[1600] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
.text C:\WINDOWS\system32\spoolsv.exe[1600] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
.text C:\WINDOWS\system32\spoolsv.exe[1600] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
.text C:\WINDOWS\system32\spoolsv.exe[1600] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
.text C:\WINDOWS\system32\spoolsv.exe[1600] ws2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
.text C:\WINDOWS\system32\spoolsv.exe[1600] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
.text C:\Program Files\AVG\AVG9\avgcsrvx.exe[1616] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 0EA091DE
.text C:\Program Files\AVG\AVG9\avgcsrvx.exe[1616] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0EA097DF
.text C:\Program Files\AVG\AVG9\avgcsrvx.exe[1616] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 0EA09995
.text C:\Program Files\AVG\AVG9\avgcsrvx.exe[1616] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 0EA09897
.text C:\Program Files\AVG\AVG9\avgcsrvx.exe[1616] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0EA034B1
.text C:\Program Files\AVG\AVG9\avgcsrvx.exe[1616] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 0EA06F36
.text C:\Program Files\AVG\AVG9\avgcsrvx.exe[1616] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0EA05879
.text C:\Program Files\AVG\AVG9\avgcsrvx.exe[1616] ws2_32.dll!send 71AB4C27 5 Bytes JMP 0EA0E736
.text C:\Program Files\AVG\AVG9\avgcsrvx.exe[1616] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 0EA023AF
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] ws2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
.text K:\b7s52e9n.exe[2780] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 0EA091DE
.text K:\b7s52e9n.exe[2780] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0EA097DF
.text K:\b7s52e9n.exe[2780] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 0EA09995
.text K:\b7s52e9n.exe[2780] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 0EA09897
.text K:\b7s52e9n.exe[2780] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0EA034B1
.text K:\b7s52e9n.exe[2780] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 0EA12660
.text K:\b7s52e9n.exe[2780] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 0EA11E10
.text K:\b7s52e9n.exe[2780] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 0EA12900
.text K:\b7s52e9n.exe[2780] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 0EA0F540
.text K:\b7s52e9n.exe[2780] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 0EA0F2D0
.text K:\b7s52e9n.exe[2780] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 0EA0EF00
.text K:\b7s52e9n.exe[2780] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 0EA07880
.text K:\b7s52e9n.exe[2780] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 0EA07749
.text K:\b7s52e9n.exe[2780] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 0EA127B0
.text K:\b7s52e9n.exe[2780] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 0EA079B7
.text K:\b7s52e9n.exe[2780] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 0EA06F36
.text K:\b7s52e9n.exe[2780] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0EA05879
.text K:\b7s52e9n.exe[2780] ws2_32.dll!send 71AB4C27 5 Bytes JMP 0EA0E736
.text K:\b7s52e9n.exe[2780] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 0EA023AF
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] ws2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
.text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
.text C:\WINDOWS\eHome\ehmsas.exe[4340] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
.text C:\WINDOWS\eHome\ehmsas.exe[4340] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
.text C:\WINDOWS\eHome\ehmsas.exe[4340] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
.text C:\WINDOWS\eHome\ehmsas.exe[4340] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
.text C:\WINDOWS\eHome\ehmsas.exe[4340] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
.text C:\WINDOWS\eHome\ehmsas.exe[4340] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
.text C:\WINDOWS\eHome\ehmsas.exe[4340] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
.text C:\WINDOWS\eHome\ehmsas.exe[4340] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
.text C:\WINDOWS\eHome\ehmsas.exe[4340] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
.text C:\WINDOWS\eHome\ehmsas.exe[4340] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
.text C:\WINDOWS\eHome\ehmsas.exe[4340] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
.text C:\WINDOWS\eHome\ehmsas.exe[4340] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
.text C:\WINDOWS\eHome\ehmsas.exe[4340] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
.text C:\WINDOWS\eHome\ehmsas.exe[4340] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
.text C:\WINDOWS\eHome\ehmsas.exe[4340] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
.text C:\WINDOWS\eHome\ehmsas.exe[4340] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
.text C:\WINDOWS\eHome\ehmsas.exe[4340] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
.text C:\WINDOWS\eHome\ehmsas.exe[4340] ws2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
.text C:\WINDOWS\eHome\ehmsas.exe[4340] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
.text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 0EA091DE
.text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0EA097DF
.text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 0EA09995
.text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 0EA09897
.text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0EA034B1
.text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0EA05879
.text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 0EA06F36
.text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 0EA12660
.text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 0EA11E10
.text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 0EA12900
.text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 0EA0F540
.text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 0EA0F2D0
.text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 0EA0EF00
.text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 0EA07880
.text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 0EA07749
.text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 0EA127B0
.text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 0EA079B7
.text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] ws2_32.dll!send 71AB4C27 5 Bytes JMP 0EA0E736
.text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 0EA023AF
.text C:\WINDOWS\system32\notepad.exe[5916] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 0EA091DE
.text C:\WINDOWS\system32\notepad.exe[5916] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0EA097DF
.text C:\WINDOWS\system32\notepad.exe[5916] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 0EA09995
.text C:\WINDOWS\system32\notepad.exe[5916] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 0EA09897
.text C:\WINDOWS\system32\notepad.exe[5916] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0EA034B1
.text C:\WINDOWS\system32\notepad.exe[5916] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 0EA06F36
.text C:\WINDOWS\system32\notepad.exe[5916] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0EA05879
.text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 0EA12660
.text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 0EA11E10
.text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 0EA12900
.text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 0EA0F540
.text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 0EA0F2D0
.text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 0EA0EF00
.text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 0EA07880
.text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 0EA07749
.text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 0EA127B0
.text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 0EA079B7
.text C:\WINDOWS\system32\notepad.exe[5916] ws2_32.dll!send 71AB4C27 5 Bytes JMP 0EA0E736
.text C:\WINDOWS\system32\notepad.exe[5916] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 0EA023AF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\[email protected] 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\[email protected] 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\[email protected] 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\[email protected] 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\[email protected] 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\[email protected] 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\[email protected] 0x97 0x20 0x4E 0x9A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\[email protected] 0xAA 0x52 0xC6 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\[email protected] 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\[email protected] 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\[email protected] 0xF8 0x31 0x0F 0xA9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\[email protected] 0xFA 0xEA 0x66 0x7F ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\[email protected] C:\usxxxxxxxx.exe\usxxxxxxxx.exe

---- Files - GMER 1.0.15 ----

File C:\usxxxxxxxx.exe 0 bytes
File C:\usxxxxxxxx.exe\config.bin 140940 bytes
File C:\usxxxxxxxx.exe\usxxxxxxxx.exe 526566 bytes executable

---- EOF - GMER 1.0.15 ----