
Hijack log / DDS / Attach / Ark - Whitesmoke Trojan/Malware

Discussion in 'Virus & Other Malware Removal' started by ohiobowtech, Jan 13, 2011.

    ohiobowtech (Thread Starter):
    Hello... I have the Whitesmoke trojan/malware. Thanks for the help!

    Hijack log
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 4:37:53 PM, on 1/13/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\DISC\DiscStreamHub.exe
    C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z007&form=ZGAPHP
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8075
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: C:\WINDOWS\system32\gyy2vn.dll - {B2B220C1-A503-59BD-F413-01B53A2C8953} - C:\WINDOWS\system32\gyy2vn.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
    O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [uPc+MV0NdNaGuo] rundll32.exe C:\WINDOWS\system32\uk82if6.dll, SystemServer
    O4 - HKLM\..\Run: [HNUOQOXRotgc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\gitqfus5e.exe
    O4 - HKLM\..\Run: [HNUOQOXRota] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
    O4 - HKLM\..\Run: [HNUOQOXRprc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\login.exe
    O4 - HKLM\..\Run: [HNUOQOXRpuc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\lsass.exe
    O4 - HKLM\..\Run: [MKfre] C:\WINDOWS\wininst.exe
    O4 - HKLM\..\Run: [MKdw+] C:\WINDOWS\nvsvc32.exe
    O4 - HKLM\..\Run: [MKZe] C:\WINDOWS\avp.exe
    O4 - HKLM\..\Run: [MKaZ] C:\WINDOWS\cmd.exe
    O4 - HKLM\..\Run: [HNUOQOXRrrb] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\taskmgr.exe
    O4 - HKLM\..\Run: [MKetc] C:\WINDOWS\sysedit.exe
    O4 - HKLM\..\Run: [Gruyaq] rundll32.exe "C:\WINDOWS\uvosodamapesepe.dll",Startup
    O4 - HKLM\..\Run: [HNUOQOXRota (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
    O4 - HKLM\..\Run: [MKfPc] C:\WINDOWS\win32.exe
    O4 - HKLM\..\Run: [HNUOQOXRotc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hexdump.exe
    O4 - HKLM\..\Run: [MKevc] C:\WINDOWS\setup.exe
    O4 - HKLM\..\Run: [HNUOQOXRnoc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\debug.exe
    O4 - HKLM\..\Run: [MKerb] C:\WINDOWS\taskmgr.exe
    O4 - HKLM\..\Run: [HNUOQOXRnsc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\drweb.exe
    O4 - HKLM\..\Run: [MKcrc] C:\WINDOWS\login.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe
    O4 - HKCU\..\Run: [gionnovn] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ssmmxvwrn\hjjojjvusbs.exe
    O4 - HKCU\..\Run: [Wyoqiquyiwifapoy] rundll32.exe "C:\WINDOWS\rherat.dll",Startup
    O4 - HKCU\..\Run: [uPc+MV0NdNaGuo] rundll32.exe C:\WINDOWS\system32\uk82if6.dll, SystemServer
    O4 - HKCU\..\Run: [HNUOQOXRotgc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\gitqfus5e.exe
    O4 - HKCU\..\Run: [rfjpkegn] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\luvlyixey\hyavubfusbs.exe
    O4 - HKCU\..\Run: [HNUOQOXRota] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
    O4 - HKCU\..\Run: [HNUOQOXRprc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\login.exe
    O4 - HKCU\..\Run: [HNUOQOXRpuc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\lsass.exe
    O4 - HKCU\..\Run: [MKfre] C:\WINDOWS\wininst.exe
    O4 - HKCU\..\Run: [MKdw+] C:\WINDOWS\nvsvc32.exe
    O4 - HKCU\..\Run: [MKZe] C:\WINDOWS\avp.exe
    O4 - HKCU\..\Run: [MKaZ] C:\WINDOWS\cmd.exe
    O4 - HKCU\..\Run: [HNUOQOXRrrb] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\taskmgr.exe
    O4 - HKCU\..\Run: [MKetc] C:\WINDOWS\sysedit.exe
    O4 - HKCU\..\Run: [HNUOQOXRota (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
    O4 - HKCU\..\Run: [MKfPc] C:\WINDOWS\win32.exe
    O4 - HKCU\..\Run: [HNUOQOXRotc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hexdump.exe
    O4 - HKCU\..\Run: [MKevc] C:\WINDOWS\setup.exe
    O4 - HKCU\..\Run: [HNUOQOXRnoc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\debug.exe
    O4 - HKCU\..\Run: [MKerb] C:\WINDOWS\taskmgr.exe
    O4 - HKCU\..\Run: [HNUOQOXRnsc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\drweb.exe
    O4 - HKCU\..\Run: [MKcrc] C:\WINDOWS\login.exe
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Launch Whitesmoke Translator.lnk = C:\Program Files\Whitesmoke Translator\WSTrayDictMode.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O20 - Winlogon Notify: mpstreg - mpstreg.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: iwuiahf87sfy8ushfijsjgfgf - {B2B220C1-A503-59BD-F413-01B53A2C8953} - C:\WINDOWS\system32\gyy2vn.dll (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

    --
    End of file - 12885 bytes



    DDS log

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by HP_Administrator at 16:48:25.42 on Thu 01/13/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.643 [GMT -5:00]

    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\ehome\mcrdsvc.exe
    c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\DISC\DiscStreamHub.exe
    C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
    uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:8075
    mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: c:\windows\system32\gyy2vn.dll: {b2b220c1-a503-59bd-f413-01b53a2c8953} - c:\windows\system32\gyy2vn.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [Jing] c:\program files\techsmith\jing\Jing.exe
    uRun: [gionnovn] c:\docume~1\hp_adm~1\locals~1\temp\ssmmxvwrn\hjjojjvusbs.exe
    uRun: [Wyoqiquyiwifapoy] rundll32.exe "c:\windows\rherat.dll",Startup
    uRun: [uPc+MV0NdNaGuo] rundll32.exe c:\windows\system32\uk82if6.dll, SystemServer
    uRun: [HNUOQOXRotgc] c:\docume~1\hp_adm~1\locals~1\temp\gitqfus5e.exe
    uRun: [rfjpkegn] c:\docume~1\hp_adm~1\locals~1\temp\luvlyixey\hyavubfusbs.exe
    uRun: [HNUOQOXRota] c:\docume~1\hp_adm~1\locals~1\temp\install.exe
    uRun: [HNUOQOXRprc] c:\docume~1\hp_adm~1\locals~1\temp\login.exe
    uRun: [HNUOQOXRpuc] c:\docume~1\hp_adm~1\locals~1\temp\lsass.exe
    uRun: [MKfre] c:\windows\wininst.exe
    uRun: [MKdw+] c:\windows\nvsvc32.exe
    uRun: [MKZe] c:\windows\avp.exe
    uRun: [MKaZ] c:\windows\cmd.exe
    uRun: [HNUOQOXRrrb] c:\docume~1\hp_adm~1\locals~1\temp\taskmgr.exe
    uRun: [MKetc] c:\windows\sysedit.exe
    uRun: [HNUOQOXRota (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1] c:\docume~1\hp_adm~1\locals~1\temp\install.exe
    uRun: [MKfPc] c:\windows\win32.exe
    uRun: [HNUOQOXRotc] c:\docume~1\hp_adm~1\locals~1\temp\hexdump.exe
    uRun: [MKevc] c:\windows\setup.exe
    uRun: [HNUOQOXRnoc] c:\docume~1\hp_adm~1\locals~1\temp\debug.exe
    uRun: [MKerb] c:\windows\taskmgr.exe
    uRun: [HNUOQOXRnsc] c:\docume~1\hp_adm~1\locals~1\temp\drweb.exe
    uRun: [MKcrc] c:\windows\login.exe
    uRun: [MKcrc] c:\windows\login.exe
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
    mRun: [DISCover] c:\program files\disc\DISCover.exe
    mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe
    mRun: [PCDrProfiler]
    mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe
    mRun: [<NO NAME>]
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [uPc+MV0NdNaGuo] rundll32.exe c:\windows\system32\uk82if6.dll, SystemServer
    mRun: [HNUOQOXRotgc] c:\docume~1\hp_adm~1\locals~1\temp\gitqfus5e.exe
    mRun: [HNUOQOXRota] c:\docume~1\hp_adm~1\locals~1\temp\install.exe
    mRun: [HNUOQOXRprc] c:\docume~1\hp_adm~1\locals~1\temp\login.exe
    mRun: [HNUOQOXRpuc] c:\docume~1\hp_adm~1\locals~1\temp\lsass.exe
    mRun: [MKfre] c:\windows\wininst.exe
    mRun: [MKdw+] c:\windows\nvsvc32.exe
    mRun: [MKZe] c:\windows\avp.exe
    mRun: [MKaZ] c:\windows\cmd.exe
    mRun: [HNUOQOXRrrb] c:\docume~1\hp_adm~1\locals~1\temp\taskmgr.exe
    mRun: [MKetc] c:\windows\sysedit.exe
    mRun: [Gruyaq] rundll32.exe "c:\windows\uvosodamapesepe.dll",Startup
    mRun: [HNUOQOXRota (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1] c:\docume~1\hp_adm~1\locals~1\temp\install.exe
    mRun: [MKfPc] c:\windows\win32.exe
    mRun: [HNUOQOXRotc] c:\docume~1\hp_adm~1\locals~1\temp\hexdump.exe
    mRun: [MKevc] c:\windows\setup.exe
    mRun: [HNUOQOXRnoc] c:\docume~1\hp_adm~1\locals~1\temp\debug.exe
    mRun: [MKerb] c:\windows\taskmgr.exe
    mRun: [HNUOQOXRnsc] c:\docume~1\hp_adm~1\locals~1\temp\drweb.exe
    mRun: [MKcrc] c:\windows\login.exe
    dRun: [Ÿ]
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\program files\whitesmoke translator\WSTrayDictMode.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    uPolicies-explorer: NoFolderOptions = 1 (0x1)
    uPolicies-system: DisableRegistryTools = 1 (0x1)
    IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    Trusted Zone: trymedia.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: mpstreg - mpstreg.dll
    STS: c:\windows\system32\gyy2vn.dll: {b2b220c1-a503-59bd-f413-01b53a2c8953} - c:\windows\system32\gyy2vn.dll

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-6-16 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-6-16 29584]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-6-16 243024]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-18 308136]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2005-12-23 468768]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]

    =============== Created Last 30 ================

    2011-01-13 21:34:13 3017 ----a-w- c:\windows\ocihigafekutege.dll
    2011-01-13 20:58:45 3017 ----a-w- c:\windows\icihubimudutibo.dll
    2011-01-13 20:54:11 3017 ----a-w- c:\windows\iwivupil.dll
    2011-01-13 20:44:16 3017 ----a-w- c:\windows\avupidura.dll
    2011-01-13 20:39:31 3017 ----a-w- c:\windows\asoqeluwe.dll
    2011-01-12 22:31:24 3017 ----a-w- c:\windows\ohojivuluyetof.dll
    2011-01-12 22:00:42 3017 ----a-w- c:\windows\adufovav.dll
    2011-01-12 21:56:39 3017 ----a-w- c:\windows\uhacalolacihir.dll
    2011-01-12 21:39:38 10752 ----a-w- c:\windows\system32\mpstreg.dll
    2011-01-12 21:37:55 3017 ----a-w- c:\windows\uwoyutezezuq.dll
    2011-01-12 21:21:39 -------- d-----w- c:\windows\system32\%APPDATA%
    2011-01-12 21:19:44 3017 ----a-w- c:\windows\edoleriw.dll
    2011-01-12 15:07:28 3017 ----a-w- c:\windows\apejuger.dll
    2011-01-12 13:00:15 0 ----a-w- c:\windows\Xpepupewad.bin
    2011-01-12 13:00:14 -------- d-----w- c:\docume~1\hp_adm~1\locals~1\applic~1\{67FF3FC2-3A62-49DC-BEE9-049D625A4D5E}
    2011-01-12 12:58:36 -------- d-----w- c:\program files\Yontoo Layers Client
    2011-01-12 12:58:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Tarma Installer
    2011-01-12 12:58:29 30000 ----a-w- c:\windows\system32\uk82if6.dll
    2010-12-27 16:00:08 -------- d-----w- c:\program files\iPod
    2010-12-27 16:00:02 -------- d-----w- c:\program files\iTunes
    2010-12-20 21:16:46 51200 ----a-w- c:\windows\system32\drivers\msdv.sys
    2010-12-20 21:16:46 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys
    2010-12-20 21:16:41 38912 ----a-w- c:\windows\system32\drivers\avc.sys
    2010-12-20 21:16:41 38912 ----a-w- c:\windows\system32\dllcache\avc.sys
    2010-12-20 21:16:36 48128 ----a-w- c:\windows\system32\drivers\61883.sys
    2010-12-20 21:16:36 48128 ----a-w- c:\windows\system32\dllcache\61883.sys
    2010-12-15 12:36:15 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-15 12:35:37 45568 ------w- c:\windows\system32\dllcache\wab.exe

    ==================== Find3M ====================

    2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

    ============= FINISH: 16:50:56.75 ===============


    GMER log

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-01-13 18:29:26
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_SP2504C rev.VT100-38
    Running: b7s52e9n.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kwxyafod.sys

    ---- Kernel code sections - GMER 1.0.15 ----

    ? C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[124] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 0EA091DE
    .text C:\WINDOWS\Explorer.EXE[124] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0EA097DF
    .text C:\WINDOWS\Explorer.EXE[124] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 0EA09995
    .text C:\WINDOWS\Explorer.EXE[124] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 0EA09897
    .text C:\WINDOWS\Explorer.EXE[124] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0EA034B1
    .text C:\WINDOWS\Explorer.EXE[124] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 0EA06F36
    .text C:\WINDOWS\Explorer.EXE[124] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0EA05879
    .text C:\WINDOWS\Explorer.EXE[124] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 0EA023AF
    .text C:\WINDOWS\Explorer.EXE[124] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 0EA12900
    .text C:\WINDOWS\Explorer.EXE[124] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 0EA07880
    .text C:\WINDOWS\Explorer.EXE[124] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 0EA07749
    .text C:\WINDOWS\Explorer.EXE[124] WININET.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 0EA079B7
    .text C:\WINDOWS\Explorer.EXE[124] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0EA0E736
    .text C:\WINDOWS\ehome\ehtray.exe[292] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
    .text C:\WINDOWS\ehome\ehtray.exe[292] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
    .text C:\WINDOWS\ehome\ehtray.exe[292] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
    .text C:\WINDOWS\ehome\ehtray.exe[292] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0EA05879
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 0EA06F36
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 0EA12660
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 0EA11E10
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 0EA12900
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 0EA0F540
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 0EA0F2D0
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 0EA0EF00
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 0EA07880
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 0EA07749
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 0EA127B0
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 0EA079B7
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] ws2_32.dll!send 71AB4C27 5 Bytes JMP 0EA0E736
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 0EA023AF
    .text C:\WINDOWS\system32\notepad.exe[5916] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 0EA091DE
    .text C:\WINDOWS\system32\notepad.exe[5916] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0EA097DF
    .text C:\WINDOWS\system32\notepad.exe[5916] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 0EA09995
    .text C:\WINDOWS\system32\notepad.exe[5916] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 0EA09897
    .text C:\WINDOWS\system32\notepad.exe[5916] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0EA034B1
    .text C:\WINDOWS\system32\notepad.exe[5916] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 0EA06F36
    .text C:\WINDOWS\system32\notepad.exe[5916] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0EA05879
    .text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 0EA12660
    .text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 0EA11E10
    .text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 0EA12900
    .text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 0EA0F540
    .text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 0EA0F2D0
    .text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 0EA0EF00
    .text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 0EA07880
    .text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 0EA07749
    .text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 0EA127B0
    .text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 0EA079B7
    .text C:\WINDOWS\system32\notepad.exe[5916] ws2_32.dll!send 71AB4C27 5 Bytes JMP 0EA0E736
    .text C:\WINDOWS\system32\notepad.exe[5916] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 0EA023AF

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\[email protected] C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\[email protected] 0xE2 0x63 0x26 0xF1 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\[email protected] C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\[email protected] 0x6A 0x9C 0xD6 0x61 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\[email protected] C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\[email protected] 0x25 0xDA 0xEC 0x7E ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\[email protected] C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\[email protected] 0x3E 0x1E 0x9E 0xE0 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\[email protected] C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\[email protected] 0xF5 0x1D 0x4D 0x73 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\[email protected] C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\[email protected] 0xB0 0x18 0xED 0xA7 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\[email protected] C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\[email protected] 0x97 0x20 0x4E 0x9A ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\[email protected] C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\[email protected] 0xAA 0x52 0xC6 0x00 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\[email protected] C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\[email protected] 0x51 0xFA 0x6E 0x91 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\[email protected] C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\[email protected] 0x3D 0xCE 0xEA 0x26 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\[email protected] C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\[email protected] 0xF8 0x31 0x0F 0xA9 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\[email protected] C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\[email protected] 0xFA 0xEA 0x66 0x7F ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\[email protected] C:\usxxxxxxxx.exe\usxxxxxxxx.exe

    ---- Files - GMER 1.0.15 ----

    File C:\usxxxxxxxx.exe 0 bytes
    File C:\usxxxxxxxx.exe\config.bin 140940 bytes
    File C:\usxxxxxxxx.exe\usxxxxxxxx.exe 526566 bytes executable

    ---- EOF - GMER 1.0.15 ----

Short URL to this thread: https://techguy.org/974541
