
IE and mozilla redirecting, plus random audio playback

Discussion in 'Virus & Other Malware Removal' started by jackedwards, Mar 24, 2011.

Thread Status:
Not open for further replies.
  1. jackedwards

    jackedwards Thread Starter

    Joined:
    Mar 24, 2011
    Messages:
    11
    Recently, my laptop (an old E-machine running Windows XP) picked up the vile "windowssafemode" virus. After Malwarebytes and some simple fiddling with registry values proved futile, I performed a system restore to a recovery point dating a couple of days prior to when the computer started showing symptoms, then I ran Malwarebytes once more. This rid me of the annoying false error/alert messages that are the calling cards of this virus.

    Now, however, I've come to find that both of my browsers automatically redirect me to bogus "anti-spyware" pages and the like whenever I click on links (I should note that I am able to get around such redirects by manually typing addresses into the browsers' address bars), and that strange audio files, none of which I put on the laptop, will play at random, even if my comp is sitting idle.

    I have tried rerunning Malwarebytes and also used avast! and Ad-Aware, all of which picked up suspicious and infected files. While the random audio seems to have abated slightly, I don't seem to have gotten rid of the malware.

    There is a thread elsewhere on this site that describes my experience to a T: http://forums.techguy.org/virus-other-malware-removal/974131-nasty-ie-firefox-browser-redirect.html

    However, I decided to start a new thread in hopes that someone could walk me through a clean-up process and review the specific logs that my own computer spits out, to help ensure that I've completely killed all the remaining nasties.

    Thanks in advance!
     
  2. jackedwards

    jackedwards Thread Starter

    Joined:
    Mar 24, 2011
    Messages:
    11
    I should have included this earlier. Again, I know this has been/is being covered in other threads, but I'd really appreciate it if someone could take a look at my symptoms and logs and walk me through a clean-up process (or point me directly to a thread whose directions I should follow to the letter, given the info I've provided here):

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:38:07 PM, on 3/28/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Digital Media Reader\shwicon2k.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Alwil Software\Avast5\avastUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Belkin\F5D8013\Belkinwcui.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Belkin F5D8013 N Wireless Notebook Card Utility.lnk = C:\Program Files\Belkin\F5D8013\Belkinwcui.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1291299555113
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 6299 bytes
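
    A worked example added here by the editor (it is not code from the thread, from HijackThis or from the poster): a small Python script that parses a HijackThis v2 log in the format posted above and lists the entries a responder looks at first when the complaint is browser redirection. The sample log is constructed: most lines are copied in the shape of the log above, but the O4 entry with an empty name, the HKCU search page pointing at search.example.net and the O17 NameServer line (192.0.2.53, a documentation address) are invented so the checks have something to find. The allowlist of default IE hosts and the list of user-writable directories are this example's assumptions, not anything HijackThis defines.

```python
"""Triage a HijackThis v2 log for entries relevant to a browser-redirect complaint.

Added example, not part of the thread. SAMPLE_LOG is constructed: the lines
follow the shape of the log posted above; the empty-name O4 entry, the HKCU
search page and the O17 NameServer line are invented hits.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.net/?q=
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [] C:\Documents and Settings\Admin\Local Settings\Temp\xyz.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 192.0.2.53
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
"""

ENTRY = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.+)$")
# First Windows path with an executable-ish extension inside a command line.
PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|scr|com|cmd|bat|vbs)\b", re.I)

# Assumptions of this example, not HijackThis definitions.
DEFAULT_IE_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.google.com", "www.bing.com"}
USER_WRITABLE = ("\\local settings\\temp\\", "\\temp\\", "\\downloads\\",
                 "\\application data\\", "\\recycler\\")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    kind: str       # HJT entry type, e.g. "O4"
    reason: str
    line: str


def suspicious_path(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in USER_WRITABLE)


def check_entry(kind: str, body: str, line: str) -> list:
    out = []
    if kind in ("O1", "O17"):
        # Hosts-file entries and DNS overrides redirect every browser at once.
        out.append(Finding("high", kind, "hosts-file or DNS override present", line))
    elif kind in ("R0", "R1"):
        host = urlsplit(body.partition(" = ")[2].strip()).hostname or ""
        if host and host not in DEFAULT_IE_HOSTS:
            out.append(Finding("medium", kind, f"IE start/search page points at {host}", line))
    elif kind in ("O2", "O3"):
        path = body.rsplit(" - ", 1)[-1].strip()
        if path.lower() == "(no file)":
            out.append(Finding("medium", kind, "BHO/toolbar registered but file missing", line))
        elif suspicious_path(path):
            out.append(Finding("high", kind, f"BHO/toolbar loads from {path}", line))
    elif kind == "O4":
        m = re.search(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)", body)
        if m:
            cmd = m.group("cmd")
            if m.group("name").strip().lower() in ("", "<no name>", "(no name)"):
                out.append(Finding("high", kind, "autorun value with no name", line))
        else:
            cmd = body.partition(" = ")[2]   # "Global Startup: x.lnk = <path>"
        pm = PATH.search(cmd)
        if pm and suspicious_path(pm.group(0)):
            out.append(Finding("high", kind, f"autorun from user-writable path {pm.group(0)}", line))
    elif kind == "O23":
        parts = [s.strip() for s in body.rsplit(" - ", 2)]   # "Service: name - owner - path"
        owner, path = (parts[1], parts[2]) if len(parts) == 3 else ("", parts[-1])
        if suspicious_path(path):
            out.append(Finding("high", kind, f"service binary in user-writable path {path}", line))
        elif owner.lower() == "unknown owner":
            out.append(Finding("info", kind, "service binary carries no company name; check its publisher", line))
    return out


def triage(log_text: str) -> list:
    """Return Findings in log order; header and process-list lines are skipped."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            findings.extend(check_entry(m.group("kind"), m.group("body"), raw.strip()))
    return findings


def summarize(findings: list) -> dict:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.kind:4} {f.reason}\n          {f.line}")
    print(summarize(found))
```

    Run over the real log posted above, the script prints only the two informational lines for the services shown with "Unknown owner" (PC Tools and the Broadcom tray service): every R0/R1 URL is a go.microsoft.com default, every BHO and autorun lives under Program Files or the Windows directory, and there is no O1 or O17 line. That is itself a useful result for a redirect complaint, because it means the hijack is not at any layer HijackThis reports on, which is why the deeper logs (DDS, GMER) are the next step.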
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    If you follow the advice in the sticky at the top of the forum, you get better help.

    Follow the advice here and post the logs those programs make.
     
  4. jackedwards

    jackedwards Thread Starter

    Joined:
    Mar 24, 2011
    Messages:
    11
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:50:33 PM, on 3/29/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Digital Media Reader\shwicon2k.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Alwil Software\Avast5\avastUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Belkin\F5D8013\Belkinwcui.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\Admin\My Documents\Downloads\nm3rnmlq.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Belkin F5D8013 N Wireless Notebook Card Utility.lnk = C:\Program Files\Belkin\F5D8013\Belkinwcui.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1291299555113
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 6335 bytes

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Admin at 19:51:12.00 on Tue 03/29/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.735.410 [GMT -4:00]
    .
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Digital Media Reader\shwicon2k.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Alwil Software\Avast5\avastUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Belkin\F5D8013\Belkinwcui.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\Admin\My Documents\Downloads\nm3rnmlq.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Admin\My Documents\Downloads\dds.com
    .
    ============== Pseudo HJT Report ===============
    .
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [<NO NAME>]
    mRun: [SunKist] c:\program files\digital media reader\shwicon2k.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d8013\Belkinwcui.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1291299555113
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
    Notify: igfxcui - igfxsrvc.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\fma07xqv.default\
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-3-23 64512]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-23 371544]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-12-12 301528]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-12-12 19544]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-12-12 42184]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-3-22 1405384]
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-12-17 632792]
    R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2007-7-28 537216]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-4 136176]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-3-22 15232]
    S3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\drivers\WUSB54GSCV2.sys [2010-12-1 198144]
    .
    =============== Created Last 30 ================
    .
    2011-03-28 23:35:32 388096 ----a-r- c:\docume~1\admin\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-03-28 23:35:28 -------- d-----w- c:\program files\Trend Micro
    2011-03-24 02:57:22 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-03-24 01:28:20 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-03-24 00:24:55 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-03-24 00:09:09 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2011-03-24 00:02:05 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{FE41BDC7-CD33-4350-8A15-26EFBE20A0FE}
    2011-03-24 00:01:04 -------- d-----w- c:\program files\Lavasoft
    2011-03-12 03:42:12 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-03-12 03:42:12 -------- d-----w- c:\windows\system32\wbem\Repository
    .
    ==================== Find3M ====================
    .
    2011-02-23 14:04:21 40648 ----a-w- c:\windows\avastSS.scr
    2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 19:52:01.37 ===============
     

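
    A second added example (editor's code, not from the thread or from the DDS tool): the "Created Last 30" section of the DDS log above is a file-creation timeline, and the useful way to read it is in clusters rather than line by line, because files created a minute or two apart are usually one installer at work. The script below parses those lines, groups them using an assumed 30-minute gap, cross-checks every new *.sys against the SERVICES / DRIVERS section of the same log, and flags hidden entries, files in temp/download folders, and drivers the log does not register as a service. The sample mixes lines copied from the log above with two constructed lines dated 2011-03-21 (nmx.exe and zzdrv.sys) that are invented so there is a hit with no install context; the letters read from the attribute column ('d' directory, 'h' hidden) and the 30-minute window are assumptions of this example. Flags are prompts to identify a file, not verdicts: on the real lines the hidden GUID folder lands in the same cluster as c:\program files\Lavasoft and so reads as part of the Ad-Aware install, and Lbd.sys and aswSnx.sys pass because the services section lists them.

```python
"""Pivot on the "Created Last 30" section of a DDS log: cluster file creations
by time and flag the entries worth identifying.

Added example, not part of the thread. SAMPLE_DDS mixes lines copied from the
DDS log above with two constructed lines dated 2011-03-21 (nmx.exe, zzdrv.sys).
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-3-23 64512]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-23 371544]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-3-22 15232]
=============== Created Last 30 ================
2011-03-28 23:35:32 388096 ----a-r- c:\docume~1\admin\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-03-28 23:35:28 -------- d-----w- c:\program files\Trend Micro
2011-03-24 02:57:22 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-03-24 01:28:20 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-03-24 00:24:55 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-03-24 00:09:09 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-03-24 00:02:05 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{FE41BDC7-CD33-4350-8A15-26EFBE20A0FE}
2011-03-24 00:01:04 -------- d-----w- c:\program files\Lavasoft
2011-03-21 03:12:47 71680 ---ha-w- c:\windows\system32\drivers\zzdrv.sys
2011-03-21 03:12:40 53248 ----a-w- c:\docume~1\admin\locals~1\temp\nmx.exe
"""

# "<date> <time> <size|-------->  <8 attribute chars>  <path>"
DDS_FILE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\S+)\s+(?P<attr>\S{8})\s+(?P<path>\S.*)$")
# "R0 name;description;path [date size]" in the services/drivers section
DDS_SVC = re.compile(r"^[RS]\d\s+[^;]+;[^;]+;(?P<path>.+?)\s+\[")

# Assumptions of this example: the gap separating two install events, and the
# attribute letters we interpret ('d' directory, 'h' hidden).
CLUSTER_GAP = timedelta(minutes=30)
USER_WRITABLE = ("\\temp\\", "\\downloads\\", "\\recycler\\")
PROGRAM_FILES = "c:\\program files\\"


@dataclass
class Entry:
    when: datetime
    size: Optional[int]
    attr: str
    path: str


@dataclass
class Flag:
    entry: Entry
    reasons: List[str]
    context: List[str]   # Program Files directories created in the same cluster


def parse_entries(text: str) -> List[Entry]:
    out = []
    for raw in text.splitlines():
        m = DDS_FILE.match(raw.strip())
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            out.append(Entry(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), size, m["attr"], m["path"]))
    return sorted(out, key=lambda e: e.when)


def registered_drivers(text: str) -> set:
    """Paths named in the SERVICES / DRIVERS section, lower-cased."""
    return {m["path"].lower() for m in map(DDS_SVC.match, (l.strip() for l in text.splitlines())) if m}


def clusters(entries: List[Entry], gap: timedelta = CLUSTER_GAP) -> List[List[Entry]]:
    """Group time-sorted entries whose neighbours are within `gap` of each other."""
    groups = []
    for e in entries:
        if groups and e.when - groups[-1][-1].when <= gap:
            groups[-1].append(e)
        else:
            groups.append([e])
    return groups


def review(text: str) -> List[Flag]:
    drivers = registered_drivers(text)
    flags = []
    for group in clusters(parse_entries(text)):
        context = [e.path for e in group if "d" in e.attr and e.path.lower().startswith(PROGRAM_FILES)]
        for e in group:
            p = e.path.lower()
            reasons = []
            if "d" not in e.attr and any(s in p for s in USER_WRITABLE):
                reasons.append("file in a user-writable temp/download location")
            if "h" in e.attr and not p.startswith(PROGRAM_FILES):
                reasons.append("hidden attribute set")
            if p.endswith(".sys") and "\\drivers\\" in p and p not in drivers:
                reasons.append("driver file with no service entry in this log")
            if reasons:
                flags.append(Flag(e, reasons, context))
    return flags


if __name__ == "__main__":
    for f in review(SAMPLE_DDS):
        ctx = f"  (same window as: {', '.join(f.context)})" if f.context else ""
        print(f"{f.entry.when:%Y-%m-%d %H:%M:%S}  {f.entry.path}\n    {'; '.join(f.reasons)}{ctx}")
```

    SBREDrv.sys is the one entry from the posted log the script keeps: it was created on its own at 02:57 with nothing else in the window, and no service line in this log names it, so it is the file to identify by publisher and hash before deciding anything about it.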

  5. jackedwards

    jackedwards Thread Starter

    Joined:
    Mar 24, 2011
    Messages:
    11
    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit scan 2011-03-29 19:45:38
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HITACHI_DK23FB-40 rev.00M1A0A1
    Running: nm3rnmlq.exe; Driver: C:\DOCUME~1\Admin\LOCALS~1\Temp\uflcraoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xB8C969CA]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xB8CEBA68]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xB8CB6AF5]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xB8C98EAC]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xB8C98F04]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xB8C9901A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xB8CB64A9]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xB8C98E02]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xB8C98F54]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xB8C98E56]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xB8C98FC8]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xB8C969EE]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xB8CB71BB]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xB8CB7471]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xB8C9929E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xB8CB7026]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xB8CB6E91]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xB8CEBB18]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xB8C967B8]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xB8C96A12]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xB8C99412]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xB8C974AA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xB8C98EDC]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xB8C98F2C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xB8C99044]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xB8CB6805]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xB8C98E2E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xB8C990D6]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xB8C98F94]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xB8C98E84]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xB8C991BA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xB8C98FF2]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xB8CEBBB0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xB8CB6D0C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xB8C97370]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xB8CB6B5E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xB8CF3E26]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xB8CB5B1C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xB8C96A36]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xB8C96A5A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xB8C96812]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xB8C9694E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xB8CB72C2]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xB8C9692A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xB8C96972]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xB8C96A7E]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xB8D008DE]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!_abnormal_termination + 34D 804E29B9 3 Bytes [3E, CF, B8]
    PAGE ntoskrnl.exe!ObInsertObject 805650BA 5 Bytes JMP B8CFDD38 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC 8056BB08 4 Bytes CALL B8C97E25 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    PAGE ntoskrnl.exe!ZwCreateProcessEx 8058124C 7 Bytes JMP B8D008E2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntoskrnl.exe!ObMakeTemporaryObject 805A038B 5 Bytes JMP B8CFC29E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    INITc VolSnap.sys F7819BD0 4 Bytes [36, 9A, 4D, 80]
    INITc VolSnap.sys F7819BF8 4 Bytes [94, 87, 4E, 80] {XCHG ESP, EAX; XCHG [ESI-0x80], ECX}
    INITc VolSnap.sys F7819C20 4 Bytes [A0, C1, 4D, 80]
    INITc VolSnap.sys F7819C48 4 Bytes [B0, C8, 4D, 80]
    INITc VolSnap.sys F7819C70 4 Bytes [09, BF, 4D, 80]
    INITc ...
    ? C:\DOCUME~1\Admin\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Belkin\F5D8013\Belkinwcui.exe[412] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
    .text C:\Program Files\Belkin\F5D8013\Belkinwcui.exe[412] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
    .text C:\Program Files\Belkin\F5D8013\Belkinwcui.exe[412] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003901D4
    .text C:\Program Files\Belkin\F5D8013\Belkinwcui.exe[412] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003900E4
    .text C:\Program Files\Belkin\F5D8013\Belkinwcui.exe[412] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390120
    .text C:\Program Files\Belkin\F5D8013\Belkinwcui.exe[412] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0039015C
    .text C:\Program Files\Belkin\F5D8013\Belkinwcui.exe[412] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390198
    .text C:\Program Files\Belkin\F5D8013\Belkinwcui.exe[412] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00390030
    .text C:\Program Files\Belkin\F5D8013\Belkinwcui.exe[412] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0039006C
    .text C:\Program Files\Belkin\F5D8013\Belkinwcui.exe[412] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003900A8
    .text C:\Program Files\Belkin\F5D8013\Belkinwcui.exe[412] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A00E4
    .text C:\Program Files\Belkin\F5D8013\Belkinwcui.exe[412] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0120
    .text C:\Program Files\Belkin\F5D8013\Belkinwcui.exe[412] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A00A8
    .text C:\Program Files\Belkin\F5D8013\Belkinwcui.exe[412] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A0030
    .text C:\Program Files\Belkin\F5D8013\Belkinwcui.exe[412] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A006C
    .text C:\WINDOWS\system32\spoolsv.exe[432] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\system32\spoolsv.exe[432] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\system32\spoolsv.exe[432] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
    .text C:\WINDOWS\system32\spoolsv.exe[432] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
    .text C:\WINDOWS\system32\spoolsv.exe[432] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
    .text C:\WINDOWS\system32\spoolsv.exe[432] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
    .text C:\WINDOWS\system32\spoolsv.exe[432] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
    .text C:\WINDOWS\system32\spoolsv.exe[432] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
    .text C:\WINDOWS\system32\spoolsv.exe[432] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
    .text C:\WINDOWS\system32\spoolsv.exe[432] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
    .text C:\WINDOWS\system32\spoolsv.exe[432] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
    .text C:\WINDOWS\system32\spoolsv.exe[432] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
    .text C:\WINDOWS\system32\spoolsv.exe[432] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
    .text C:\WINDOWS\system32\spoolsv.exe[432] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
    .text C:\WINDOWS\system32\spoolsv.exe[432] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
    .text C:\WINDOWS\system32\svchost.exe[672] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\system32\svchost.exe[672] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\system32\svchost.exe[672] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
    .text C:\WINDOWS\system32\svchost.exe[672] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
    .text C:\WINDOWS\system32\svchost.exe[672] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
    .text C:\WINDOWS\system32\svchost.exe[672] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
    .text C:\WINDOWS\system32\svchost.exe[672] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
    .text C:\WINDOWS\system32\svchost.exe[672] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
    .text C:\WINDOWS\system32\svchost.exe[672] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
    .text C:\WINDOWS\system32\svchost.exe[672] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
    .text C:\WINDOWS\system32\svchost.exe[672] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
    .text C:\WINDOWS\system32\svchost.exe[672] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
    .text C:\WINDOWS\system32\svchost.exe[672] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
    .text C:\WINDOWS\system32\svchost.exe[672] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
    .text C:\WINDOWS\system32\svchost.exe[672] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
    .text C:\WINDOWS\system32\winlogon.exe[716] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00070030
    .text C:\WINDOWS\system32\winlogon.exe[716] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0007006C
    .text C:\WINDOWS\system32\winlogon.exe[716] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
    .text C:\WINDOWS\system32\winlogon.exe[716] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
    .text C:\WINDOWS\system32\winlogon.exe[716] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
    .text C:\WINDOWS\system32\winlogon.exe[716] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
    .text C:\WINDOWS\system32\winlogon.exe[716] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
    .text C:\WINDOWS\system32\winlogon.exe[716] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
    .text C:\WINDOWS\system32\winlogon.exe[716] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
    .text C:\WINDOWS\system32\winlogon.exe[716] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
    .text C:\WINDOWS\system32\winlogon.exe[716] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
    .text C:\WINDOWS\system32\winlogon.exe[716] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
    .text C:\WINDOWS\system32\winlogon.exe[716] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
    .text C:\WINDOWS\system32\winlogon.exe[716] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
    .text C:\WINDOWS\system32\winlogon.exe[716] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
    .text C:\WINDOWS\system32\services.exe[760] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\system32\services.exe[760] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\system32\services.exe[760] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003201D4
    .text C:\WINDOWS\system32\services.exe[760] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003200E4
    .text C:\WINDOWS\system32\services.exe[760] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00320120
    .text C:\WINDOWS\system32\services.exe[760] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0032015C
    .text C:\WINDOWS\system32\services.exe[760] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00320198
    .text C:\WINDOWS\system32\services.exe[760] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00320030
    .text C:\WINDOWS\system32\services.exe[760] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0032006C
    .text C:\WINDOWS\system32\services.exe[760] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003200A8
    .text C:\WINDOWS\system32\lsass.exe[772] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\system32\lsass.exe[772] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\system32\lsass.exe[772] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
    .text C:\WINDOWS\system32\lsass.exe[772] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
    .text C:\WINDOWS\system32\lsass.exe[772] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
    .text C:\WINDOWS\system32\lsass.exe[772] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
    .text C:\WINDOWS\system32\lsass.exe[772] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
    .text C:\WINDOWS\system32\lsass.exe[772] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
    .text C:\WINDOWS\system32\lsass.exe[772] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
    .text C:\WINDOWS\system32\lsass.exe[772] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
    .text C:\WINDOWS\system32\lsass.exe[772] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
    .text C:\WINDOWS\system32\lsass.exe[772] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
    .text C:\WINDOWS\system32\lsass.exe[772] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
    .text C:\WINDOWS\system32\lsass.exe[772] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
    .text C:\WINDOWS\system32\lsass.exe[772] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
    .text C:\WINDOWS\system32\svchost.exe[940] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\system32\svchost.exe[940] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
    .text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
    .text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
    .text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
    .text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
    .text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
    .text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
    .text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
    .text C:\WINDOWS\system32\svchost.exe[940] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
    .text C:\WINDOWS\system32\svchost.exe[940] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
    .text C:\WINDOWS\system32\svchost.exe[940] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
    .text C:\WINDOWS\system32\svchost.exe[940] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
    .text C:\WINDOWS\system32\svchost.exe[940] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
    .text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
    .text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
    .text C:\WINDOWS\system32\svchost.exe[988] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
    .text C:\WINDOWS\system32\svchost.exe[988] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
    .text C:\WINDOWS\system32\svchost.exe[988] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
    .text C:\WINDOWS\system32\svchost.exe[988] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
    .text C:\WINDOWS\system32\svchost.exe[988] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
    .text C:\WINDOWS\System32\svchost.exe[1080] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\System32\svchost.exe[1080] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
    .text C:\WINDOWS\System32\svchost.exe[1080] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
    .text C:\WINDOWS\System32\svchost.exe[1080] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
    .text C:\WINDOWS\System32\svchost.exe[1080] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
    .text C:\WINDOWS\System32\svchost.exe[1080] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
    .text C:\WINDOWS\System32\svchost.exe[1080] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
    .text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1120] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
    .text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1120] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
    .text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1120] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003900E4
    .text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1120] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390120
    .text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1120] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003900A8
    .text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1120] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00390030
    .text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1120] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0039006C
    .text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1120] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003A01D4
    .text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1120] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003A00E4
    .text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1120] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003A0120
    .text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1120] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003A015C
    .text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1120] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003A0198
    .text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1120] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003A0030
    .text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1120] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003A006C
    .text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1120] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003A00A8
    .text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
    .text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
    .text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
    .text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
    .text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
    .text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
    .text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
    .text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
    .text C:\WINDOWS\system32\svchost.exe[1164] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
    .text C:\WINDOWS\system32\svchost.exe[1164] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
    .text C:\WINDOWS\system32\svchost.exe[1164] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
    .text C:\WINDOWS\system32\svchost.exe[1164] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
    .text C:\WINDOWS\system32\svchost.exe[1164] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
    .text C:\WINDOWS\system32\svchost.exe[1292] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\system32\svchost.exe[1292] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
    .text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
    .text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
    .text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
    .text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
    .text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
    .text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
    .text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
    .text C:\WINDOWS\system32\svchost.exe[1292] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
    .text C:\WINDOWS\system32\svchost.exe[1292] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
    .text C:\WINDOWS\system32\svchost.exe[1292] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
    .text C:\WINDOWS\system32\svchost.exe[1292] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
    .text C:\WINDOWS\system32\svchost.exe[1292] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
    .text C:\WINDOWS\System32\WLTRYSVC.EXE[1320] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00140030
    .text C:\WINDOWS\System32\WLTRYSVC.EXE[1320] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0014006C
    .text C:\WINDOWS\System32\WLTRYSVC.EXE[1320] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003801D4
    .text C:\WINDOWS\System32\WLTRYSVC.EXE[1320] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003800E4
    .text C:\WINDOWS\System32\WLTRYSVC.EXE[1320] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00380120
    .text C:\WINDOWS\System32\WLTRYSVC.EXE[1320] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0038015C
    .text C:\WINDOWS\System32\WLTRYSVC.EXE[1320] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00380198
    .text C:\WINDOWS\System32\WLTRYSVC.EXE[1320] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00380030
    .text C:\WINDOWS\System32\WLTRYSVC.EXE[1320] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0038006C
    .text C:\WINDOWS\System32\WLTRYSVC.EXE[1320] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003800A8
    .text C:\WINDOWS\System32\WLTRYSVC.EXE[1320] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003900E4
    .text C:\WINDOWS\System32\WLTRYSVC.EXE[1320] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390120
    .text C:\WINDOWS\System32\WLTRYSVC.EXE[1320] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003900A8
    .text C:\WINDOWS\System32\WLTRYSVC.EXE[1320] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00390030
    .text C:\WINDOWS\System32\WLTRYSVC.EXE[1320] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0039006C
    .text C:\WINDOWS\System32\bcmwltry.exe[1344] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00140030
    .text C:\WINDOWS\System32\bcmwltry.exe[1344] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0014006C
    .text C:\WINDOWS\System32\bcmwltry.exe[1344] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003B01D4
    .text C:\WINDOWS\System32\bcmwltry.exe[1344] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003B00E4
    .text C:\WINDOWS\System32\bcmwltry.exe[1344] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003B0120
    .text C:\WINDOWS\System32\bcmwltry.exe[1344] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003B015C
    .text C:\WINDOWS\System32\bcmwltry.exe[1344] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003B0198
    .text C:\WINDOWS\System32\bcmwltry.exe[1344] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003B0030
    .text C:\WINDOWS\System32\bcmwltry.exe[1344] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003B006C
    .text C:\WINDOWS\System32\bcmwltry.exe[1344] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003B00A8
    .text C:\WINDOWS\System32\bcmwltry.exe[1344] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C00E4
    .text C:\WINDOWS\System32\bcmwltry.exe[1344] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0120
    .text C:\WINDOWS\System32\bcmwltry.exe[1344] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C00A8
    .text C:\WINDOWS\System32\bcmwltry.exe[1344] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C0030
    .text C:\WINDOWS\System32\bcmwltry.exe[1344] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C006C
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1356] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1356] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1356] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003B01D4
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1356] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003B00E4
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1356] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003B0120
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1356] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003B015C
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1356] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003B0198
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1356] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003B0030
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1356] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003B006C
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1356] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003B00A8
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1356] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C00E4
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1356] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0120
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1356] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C00A8
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1356] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C0030
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1356] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C006C
    .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1492] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
    .text C:\WINDOWS\Explorer.EXE[1656] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\Explorer.EXE[1656] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\Explorer.EXE[1656] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 008F01D4
    .text C:\WINDOWS\Explorer.EXE[1656] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 008F00E4
    .text C:\WINDOWS\Explorer.EXE[1656] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 008F0120
    .text C:\WINDOWS\Explorer.EXE[1656] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 008F015C
    .text C:\WINDOWS\Explorer.EXE[1656] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 008F0198
    .text C:\WINDOWS\Explorer.EXE[1656] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 008F0030
    .text C:\WINDOWS\Explorer.EXE[1656] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 008F006C
    .text C:\WINDOWS\Explorer.EXE[1656] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 008F00A8
    .text C:\WINDOWS\Explorer.EXE[1656] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003300E4
    .text C:\WINDOWS\Explorer.EXE[1656] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00330120
    .text C:\WINDOWS\Explorer.EXE[1656] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003300A8
    .text C:\WINDOWS\Explorer.EXE[1656] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00330030
    .text C:\WINDOWS\Explorer.EXE[1656] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0033006C
    .text C:\Program Files\Digital Media Reader\shwicon2k.exe[1884] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00140030
    .text C:\Program Files\Digital Media Reader\shwicon2k.exe[1884] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0014006C
    .text C:\Program Files\Digital Media Reader\shwicon2k.exe[1884] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003800E4
    .text C:\Program Files\Digital Media Reader\shwicon2k.exe[1884] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380120
    .text C:\Program Files\Digital Media Reader\shwicon2k.exe[1884] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003800A8
    .text C:\Program Files\Digital Media Reader\shwicon2k.exe[1884] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00380030
    .text C:\Program Files\Digital Media Reader\shwicon2k.exe[1884] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0038006C
    .text C:\Program Files\Digital Media Reader\shwicon2k.exe[1884] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003901D4
    .text C:\Program Files\Digital Media Reader\shwicon2k.exe[1884] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003900E4
    .text C:\Program Files\Digital Media Reader\shwicon2k.exe[1884] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390120
    .text C:\Program Files\Digital Media Reader\shwicon2k.exe[1884] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0039015C
    .text C:\Program Files\Digital Media Reader\shwicon2k.exe[1884] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390198
    .text C:\Program Files\Digital Media Reader\shwicon2k.exe[1884] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00390030
    .text C:\Program Files\Digital Media Reader\shwicon2k.exe[1884] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0039006C
    .text C:\Program Files\Digital Media Reader\shwicon2k.exe[1884] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003900A8
    .text C:\WINDOWS\system32\igfxtray.exe[1892] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00140030
    .text C:\WINDOWS\system32\igfxtray.exe[1892] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0014006C
    .text C:\WINDOWS\system32\igfxtray.exe[1892] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003800E4
    .text C:\WINDOWS\system32\igfxtray.exe[1892] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380120
    .text C:\WINDOWS\system32\igfxtray.exe[1892] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003800A8
    .text C:\WINDOWS\system32\igfxtray.exe[1892] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00380030
    .text C:\WINDOWS\system32\igfxtray.exe[1892] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0038006C
    .text C:\WINDOWS\system32\igfxtray.exe[1892] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003901D4
    .text C:\WINDOWS\system32\igfxtray.exe[1892] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003900E4
    .text C:\WINDOWS\system32\igfxtray.exe[1892] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390120
    .text C:\WINDOWS\system32\igfxtray.exe[1892] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0039015C
    .text C:\WINDOWS\system32\igfxtray.exe[1892] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390198
    .text C:\WINDOWS\system32\igfxtray.exe[1892] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00390030
    .text C:\WINDOWS\system32\igfxtray.exe[1892] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0039006C
    .text C:\WINDOWS\system32\igfxtray.exe[1892] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003900A8
    .text C:\WINDOWS\system32\hkcmd.exe[1916] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00140030
    .text C:\WINDOWS\system32\hkcmd.exe[1916] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0014006C
    .text C:\WINDOWS\system32\hkcmd.exe[1916] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003801D4
    .text C:\WINDOWS\system32\hkcmd.exe[1916] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003800E4
    .text C:\WINDOWS\system32\hkcmd.exe[1916] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00380120
    .text C:\WINDOWS\system32\hkcmd.exe[1916] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0038015C
    .text C:\WINDOWS\system32\hkcmd.exe[1916] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00380198
    .text C:\WINDOWS\system32\hkcmd.exe[1916] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00380030
    .text C:\WINDOWS\system32\hkcmd.exe[1916] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0038006C
    .text C:\WINDOWS\system32\hkcmd.exe[1916] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003800A8
    .text C:\WINDOWS\system32\hkcmd.exe[1916] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003900E4
    .text C:\WINDOWS\system32\hkcmd.exe[1916] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390120
    .text C:\WINDOWS\system32\hkcmd.exe[1916] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003900A8
    .text C:\WINDOWS\system32\hkcmd.exe[1916] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00390030
    .text C:\WINDOWS\system32\hkcmd.exe[1916] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0039006C
    .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1928] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
    .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1928] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
    .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1928] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C00E4
    .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1928] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0120
    .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1928] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C00A8
    .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1928] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C0030
    .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1928] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C006C
    .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1928] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003D01D4
    .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1928] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003D00E4
    .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1928] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003D0120
    .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1928] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003D015C
    .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1928] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003D0198
    .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1928] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003D0030
    .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1928] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003D006C
    .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1928] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003D00A8
    .text C:\WINDOWS\system32\ctfmon.exe[1952] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A0030
    .text C:\WINDOWS\system32\ctfmon.exe[1952] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000A006C
    .text C:\WINDOWS\system32\ctfmon.exe[1952] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C01D4
    .text C:\WINDOWS\system32\ctfmon.exe[1952] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C00E4
    .text C:\WINDOWS\system32\ctfmon.exe[1952] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0120
    .text C:\WINDOWS\system32\ctfmon.exe[1952] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C015C
    .text C:\WINDOWS\system32\ctfmon.exe[1952] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0198
    .text C:\WINDOWS\system32\ctfmon.exe[1952] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C0030
    .text C:\WINDOWS\system32\ctfmon.exe[1952] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C006C
    .text C:\WINDOWS\system32\ctfmon.exe[1952] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C00A8
    .text C:\WINDOWS\system32\ctfmon.exe[1952] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D00E4
    .text C:\WINDOWS\system32\ctfmon.exe[1952] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0120
    .text C:\WINDOWS\system32\ctfmon.exe[1952] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D00A8
    .text C:\WINDOWS\system32\ctfmon.exe[1952] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D0030
    .text C:\WINDOWS\system32\ctfmon.exe[1952] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D006C
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1960] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1960] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1960] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003901D4
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1960] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003900E4
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1960] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390120
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1960] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0039015C
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1960] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390198
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1960] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00390030
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1960] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0039006C
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1960] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003900A8
    .text C:\WINDOWS\system32\wbem\unsecapp.exe[2460] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
    .text C:\WINDOWS\system32\wbem\unsecapp.exe[2460] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
    .text C:\WINDOWS\system32\wbem\unsecapp.exe[2460] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003701D4
    .text C:\WINDOWS\system32\wbem\unsecapp.exe[2460] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003700E4
    .text C:\WINDOWS\system32\wbem\unsecapp.exe[2460] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00370120
    .text C:\WINDOWS\system32\wbem\unsecapp.exe[2460] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0037015C
    .text C:\WINDOWS\system32\wbem\unsecapp.exe[2460] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00370198
    .text C:\WINDOWS\system32\wbem\unsecapp.exe[2460] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00370030
    .text C:\WINDOWS\system32\wbem\unsecapp.exe[2460] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0037006C
    .text C:\WINDOWS\system32\wbem\unsecapp.exe[2460] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003700A8
    .text C:\WINDOWS\system32\wbem\unsecapp.exe[2460] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003800E4
    .text C:\WINDOWS\system32\wbem\unsecapp.exe[2460] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380120
    .text C:\WINDOWS\system32\wbem\unsecapp.exe[2460] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003800A8
    .text C:\WINDOWS\system32\wbem\unsecapp.exe[2460] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00380030
    .text C:\WINDOWS\system32\wbem\unsecapp.exe[2460] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0038006C
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2600] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2600] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2600] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 015801D4
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2600] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 015800E4
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2600] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 01580120
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2600] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0158015C
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2600] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 01580198
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2600] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 01580030
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2600] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0158006C
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2600] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 015800A8
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2600] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 013C000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2600] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0139000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2600] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0138000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2600] WS2_32.dll!send 71AB4C27 5 Bytes JMP 013A000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2600] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 013B000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2600] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00FB00E4
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2600] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00FB0120
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2600] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00FB00A8
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2600] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00FB0030
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2600] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 00FB006C
    .text C:\WINDOWS\System32\alg.exe[2800] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\System32\alg.exe[2800] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\System32\alg.exe[2800] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002B00E4
    .text C:\WINDOWS\System32\alg.exe[2800] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002B0120
    .text C:\WINDOWS\System32\alg.exe[2800] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002B00A8
    .text C:\WINDOWS\System32\alg.exe[2800] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002B0030
    .text C:\WINDOWS\System32\alg.exe[2800] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002B006C
    .text C:\WINDOWS\System32\alg.exe[2800] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C01D4
    .text C:\WINDOWS\System32\alg.exe[2800] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C00E4
    .text C:\WINDOWS\System32\alg.exe[2800] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0120
    .text C:\WINDOWS\System32\alg.exe[2800] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C015C
    .text C:\WINDOWS\System32\alg.exe[2800] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0198
    .text C:\WINDOWS\System32\alg.exe[2800] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C0030
    .text C:\WINDOWS\System32\alg.exe[2800] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C006C
    .text C:\WINDOWS\System32\alg.exe[2800] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C00A8
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2808] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2808] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2808] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2808] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2808] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2808] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2808] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2808] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2808] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2808] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2808] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2808] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2808] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2808] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2808] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3236] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3236] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3236] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 005D01D4
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3236] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 005D00E4
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3236] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 005D0120
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3236] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 005D015C
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3236] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 005D0198
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3236] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 005D0030
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3236] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 005D006C
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3236] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 005D00A8
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3236] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 005E00E4
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3236] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 005E0120
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3236] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 005E00A8
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3236] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 005E0030
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3236] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 005E006C
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3236] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3700] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3700] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3700] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003901D4
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3700] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003900E4
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3700] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390120
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3700] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0039015C
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3700] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390198
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3700] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00390030
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3700] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0039006C
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3700] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003900A8
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3700] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A00E4
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3700] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0120
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3700] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A00A8
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3700] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A0030
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3700] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A006C

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:124] 82B0BE84
    Thread System [4:128] 82B0E084

    ---- EOF - GMER 1.0.15 ----
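The GMER "Code sections" lines above are the part of the log a helper actually reads: one line per inline hook, naming the process, the hooked API, the patched bytes and where the JMP goes. Reading 150 near-identical lines by eye is error-prone, so here is a small triage script, added as an example for this thread and not code from GMER, ComboFix or anyone in the thread. It parses the hook lines and sorts them with one heuristic that is my assumption, not something the log states: an API hooked identically in every process is what a system-wide hooking product (such as installed security software) looks like, a hook that GMER attributed to an on-disk module can be checked by vendor, and a hook present in only some processes with an unattributed target is the one to look at first. The sample lines are copied from the log above, trimmed to three processes.

```python
import re
from collections import defaultdict

# One GMER user-mode hook line, e.g.
#   .text C:\WINDOWS\system32\ctfmon.exe[1952] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A0030
# An optional trailer names the module that owns the JMP target, e.g.
#   ... JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>.+?)\s+\((?P<vendor>[^)]*)\))?\s*$"
)


def parse_hook_line(line):
    """Parse one GMER hook line into a dict; return None for any other line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["size"] = int(rec["size"])
    rec["symbol"] = f'{rec["module"]}!{rec["func"]}'
    return rec


def parse_log(text):
    """Return every hook record found in a block of GMER output (other lines are skipped)."""
    return [h for h in (parse_hook_line(l) for l in text.splitlines()) if h]


def triage(hooks):
    """Sort hook records into three buckets. The rule is a heuristic (an assumption
    of this example, not a GMER feature):
      attributed - GMER resolved the JMP target to a module on disk; verify the vendor
      uniform    - the same API is hooked in every process in the log, consistent with a
                   system-wide hooking product; confirm against what is actually installed
      review     - hooked in only some processes and the target is unattributed; look first
    """
    pids = {h["pid"] for h in hooks}
    hooked_in = defaultdict(set)
    for h in hooks:
        hooked_in[h["symbol"]].add(h["pid"])
    buckets = {"attributed": [], "uniform": [], "review": []}
    for h in hooks:
        entry = (h["image"], h["pid"], h["symbol"], h["target"])
        if h["owner"]:
            buckets["attributed"].append(entry)
        elif hooked_in[h["symbol"]] == pids:
            buckets["uniform"].append(entry)
        else:
            buckets["review"].append(entry)
    return buckets


# Sample input: lines copied from the GMER log in this thread, reduced to three processes.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\ctfmon.exe[1952] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A0030
.text C:\WINDOWS\system32\ctfmon.exe[1952] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\ctfmon.exe[1952] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D00E4
.text C:\Program Files\Mozilla Firefox\firefox.exe[2600] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
.text C:\Program Files\Mozilla Firefox\firefox.exe[2600] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 01580030
.text C:\Program Files\Mozilla Firefox\firefox.exe[2600] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 013C000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2600] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0138000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2600] WS2_32.dll!send 71AB4C27 5 Bytes JMP 013A000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2600] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00FB00E4
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3236] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3236] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 005D0030
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3236] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 005E00E4
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3236] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    buckets = triage(parse_log(SAMPLE_LOG))
    for name in ("review", "attributed", "uniform"):
        print(f"== {name} ({len(buckets[name])}) ==")
        for image, pid, symbol, target in buckets[name]:
            print(f"  {image}[{pid}] {symbol} -> {target}")
```

On the sample, the three WS2_32 hooks that exist only in firefox.exe land in the review bucket, the xul.dll-attributed TrackPopupMenu hook is listed with its vendor, and the LdrLoadDll / CreateServiceA / SetWindowsHookExW hooks that appear in every process are grouped as uniform. "Uniform" is not a clean bill of health; it only tells you which hooks to compare against the security products the log itself names (the Devices section lists avast! drivers) before spending time on them.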
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    That isn't showing any of the signs I would have expected it to show.
    Delete any existing version of ComboFix you have sitting on your desktop
    Please read and follow all these instructions very carefully
    Do not edit or remove any information or user names etc, otherwise we cannot fix the problem. If you insist on editing out anything then I will close the topic & refuse to offer any help.

    Download ComboFix from Here or Here to your Desktop.
    As you download it rename it to username123.exe


    **Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
    --------------------------------------------------------------------
    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
    • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again after combofix has finished
    --------------------------------------------------------------------
    2. Close any open browsers and any other programs you might have running
    Double-click on combofix.exe & follow the prompts.
    If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?"
    Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" for further review


    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

    Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

    Please tell us if it has cured the problems or if there are any outstanding issues
     
  7. jackedwards

    jackedwards Thread Starter

    Joined:
    Mar 24, 2011
    Messages:
    11
    thanks for recommending that i run combofix, derek. i've only done a minimal amount of poking around, but i haven't run into any browser redirects since.

    i'll post the combofix log below; however, i wanted to mention that combofix appeared to create a second notepad log on my desktop named "catchme" that contains the following brief text:

    File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully
    File list cleared
    File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully
    File list cleared

    any idea what that might be all about?

    anyways, here's the log combofix generated:

    ComboFix 11-03-23.04 - Admin 03/30/2011 21:37:28.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.735.460 [GMT -4:00]
    Running from: c:\documents and settings\Admin\Desktop\username123.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    - REDUCED FUNCTIONALITY MODE -
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-31 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-28 23:35 . 2011-03-28 23:35 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-03-28 23:35 . 2011-03-28 23:35 -------- d-----w- c:\program files\Trend Micro
    2011-03-24 02:57 . 2011-03-24 02:57 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-03-24 01:28 . 2011-02-23 13:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-03-24 00:24 . 2011-03-22 08:05 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-03-24 00:09 . 2011-03-24 00:09 -------- dc----w- c:\windows\system32\DRVSTORE
    2011-03-24 00:09 . 2011-03-22 08:05 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2011-03-24 00:02 . 2011-03-24 00:02 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{FE41BDC7-CD33-4350-8A15-26EFBE20A0FE}
    2011-03-24 00:01 . 2011-03-24 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2011-03-24 00:01 . 2011-03-24 00:01 -------- d-----w- c:\program files\Lavasoft
    2011-03-12 03:42 . 2011-03-12 03:42 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-03-06 18:20 . 2011-03-06 18:20 -------- d-----w- c:\documents and settings\Administrator\PrivacIE
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-23 14:04 . 2010-12-13 03:27 40648 ----a-w- c:\windows\avastSS.scr
    2011-02-23 14:04 . 2010-12-13 03:27 190016 ----a-w- c:\windows\system32\aswBoot.exe
    2011-02-23 13:56 . 2010-12-13 03:27 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-02-23 13:55 . 2010-12-13 03:27 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-02-23 13:55 . 2010-12-13 03:27 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-02-23 13:55 . 2010-12-13 03:27 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-02-23 13:55 . 2010-12-13 03:27 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-02-23 13:54 . 2010-12-13 03:27 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-02-23 13:54 . 2010-12-13 03:27 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 07:58 . 2009-04-16 23:17 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2009-04-16 23:17 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2004-08-04 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-02-23 14:04 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-12-04 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "SunKist"="c:\program files\Digital Media Reader\shwicon2k.exe" [2004-05-26 139264]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-07-10 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-07-10 114688]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-02-23 3451496]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    Belkin F5D8013 N Wireless Notebook Card Utility.lnk - c:\program files\Belkin\F5D8013\Belkinwcui.exe [2007-9-17 1732608]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/23/2011 8:09 PM 64512]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/23/2011 9:28 PM 371544]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/12/2010 11:27 PM 301528]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/12/2010 11:27 PM 19544]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/22/2011 4:05 AM 1405384]
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [12/17/2010 8:43 PM 632792]
    R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [7/28/2007 4:48 PM 537216]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/4/2010 3:11 AM 136176]
    S3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\drivers\WUSB54GSCV2.sys [12/1/2010 1:52 PM 198144]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-03-22 08:05]
    .
    2011-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-04 07:11]
    .
    2011-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-04 07:11]
    .
    2011-03-29 c:\windows\Tasks\RMSchedule.job
    - c:\program files\Registry Mechanic\RegMech.exe [2010-12-18 22:05]
    .
    2011-03-31 c:\windows\Tasks\User_Feed_Synchronization-{47392DD1-1BD7-498D-84C3-3A0286276927}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\fma07xqv.default\
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-30 21:45
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(692)
    c:\windows\System32\BCMLogon.dll
    .
    Completion time: 2011-03-30 21:55:55
    ComboFix-quarantined-files.txt 2011-03-31 01:55
    .
    Pre-Run: 30,115,008,512 bytes free
    Post-Run: 30,215,798,784 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    .
    - - End Of File - - DB4C75A2BEB802AC588F2383FA46B000
     
  8. jackedwards

    jackedwards Thread Starter

    Joined:
    Mar 24, 2011
    Messages:
    11
    i was unable to install a recovery console during the combofix process.
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    delete that version of combofix from desktop & download a new updated version from same location

    that was showing a TDSS rootkit that combofix dealt with


    read here
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    scroll down to the bottom where it says manually installing the recovery console. Do that bit before running combofix again
     
  10. jackedwards

    jackedwards Thread Starter

    Joined:
    Mar 24, 2011
    Messages:
    11
    can i trouble you to direct me to where i can find the latest version of combofix first, though? the location i downloaded from originally ( http://www.infospyware.net/antimalware/combofix/ ) appears to contain only one version of the program. thanks again.
     
  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    the original location will always have the latest version
     
  12. jackedwards

    jackedwards Thread Starter

    Joined:
    Mar 24, 2011
    Messages:
    11
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    the same place you downloaded it from
    either Here or Here
     
  14. jackedwards

    jackedwards Thread Starter

    Joined:
    Mar 24, 2011
    Messages:
    11
    ComboFix 11-03-31.01 - Admin 03/31/2011 21:37:35.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.735.422 [GMT -4:00]
    Running from: c:\documents and settings\Admin\Desktop\username123.exe
    Command switches used :: c:\documents and settings\Admin\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-01 to 2011-04-01 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-28 23:35 . 2011-03-28 23:35 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-03-28 23:35 . 2011-03-28 23:35 -------- d-----w- c:\program files\Trend Micro
    2011-03-24 02:57 . 2011-03-24 02:57 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-03-24 01:28 . 2011-02-23 13:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-03-24 00:24 . 2011-03-22 08:05 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-03-24 00:09 . 2011-03-24 00:09 -------- dc----w- c:\windows\system32\DRVSTORE
    2011-03-24 00:09 . 2011-03-22 08:05 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2011-03-24 00:02 . 2011-03-24 00:02 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{FE41BDC7-CD33-4350-8A15-26EFBE20A0FE}
    2011-03-24 00:01 . 2011-03-24 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2011-03-24 00:01 . 2011-03-24 00:01 -------- d-----w- c:\program files\Lavasoft
    2011-03-12 03:42 . 2011-03-12 03:42 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-03-06 18:20 . 2011-03-06 18:20 -------- d-----w- c:\documents and settings\Administrator\PrivacIE
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-23 14:04 . 2010-12-13 03:27 40648 ----a-w- c:\windows\avastSS.scr
    2011-02-23 14:04 . 2010-12-13 03:27 190016 ----a-w- c:\windows\system32\aswBoot.exe
    2011-02-23 13:56 . 2010-12-13 03:27 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-02-23 13:55 . 2010-12-13 03:27 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-02-23 13:55 . 2010-12-13 03:27 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-02-23 13:55 . 2010-12-13 03:27 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-02-23 13:55 . 2010-12-13 03:27 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-02-23 13:54 . 2010-12-13 03:27 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-02-23 13:54 . 2010-12-13 03:27 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 07:58 . 2009-04-16 23:17 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2009-04-16 23:17 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    .
    .
    ((((((((((((((((((((((((((((( [email protected]_01.45.51 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2004-08-04 12:00 . 2011-03-31 01:34 40190 c:\windows\system32\perfc009.dat
    + 2004-08-04 12:00 . 2011-04-01 01:22 40190 c:\windows\system32\perfc009.dat
    + 2004-08-04 12:00 . 2011-04-01 01:22 311842 c:\windows\system32\perfh009.dat
    - 2004-08-04 12:00 . 2011-03-31 01:34 311842 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-02-23 14:04 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-12-04 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "SunKist"="c:\program files\Digital Media Reader\shwicon2k.exe" [2004-05-26 139264]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-07-10 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-07-10 114688]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-02-23 3451496]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    Belkin F5D8013 N Wireless Notebook Card Utility.lnk - c:\program files\Belkin\F5D8013\Belkinwcui.exe [2007-9-17 1732608]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/23/2011 8:09 PM 64512]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/23/2011 9:28 PM 371544]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/12/2010 11:27 PM 301528]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/12/2010 11:27 PM 19544]
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [12/17/2010 8:43 PM 632792]
    R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [7/28/2007 4:48 PM 537216]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/4/2010 3:11 AM 136176]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/22/2011 4:05 AM 1405384]
    S3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\drivers\WUSB54GSCV2.sys [12/1/2010 1:52 PM 198144]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-03-22 08:05]
    .
    2011-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-04 07:11]
    .
    2011-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-04 07:11]
    .
    2011-03-29 c:\windows\Tasks\RMSchedule.job
    - c:\program files\Registry Mechanic\RegMech.exe [2010-12-18 22:05]
    .
    2011-04-01 c:\windows\Tasks\User_Feed_Synchronization-{47392DD1-1BD7-498D-84C3-3A0286276927}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\fma07xqv.default\
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-31 21:45
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(688)
    c:\windows\System32\BCMLogon.dll
    .
    - - - - - - - > 'explorer.exe'(2640)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2011-03-31 21:49:38
    ComboFix-quarantined-files.txt 2011-04-01 01:49
    ComboFix2.txt 2011-03-31 01:56
    .
    Pre-Run: 30,066,556,928 bytes free
    Post-Run: 30,058,610,688 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 2A517783337570B7A46CA65324068583
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    that looks fine now
    have all the problems stopped
    go to windows update & make sure you can update windows
     
Short URL to this thread: https://techguy.org/987787