New auction desktop computer full of bugs, need some help please

Discussion in 'Virus & Other Malware Removal' started by katonca, Dec 8, 2011.

  1. katonca

    katonca Thread Starter

    Joined:
    Aug 9, 2004
    Messages:
    13,674
    Hello, I purchased a used desktop computer a little while back to replace my aging system. The new (to me) computer seems to have some nasty bugs in the system. I'm having a difficult time getting it to run right. The current problem involves constant redirects and freezing.

    I've attached my system info and a HijackThis report. I've tried to download DDS by sUBs and GMER, but constant redirects have kept this from happening. If need be, I'll download it to my other computer, put it on a CD, and run it on the auction comp.

    Thank you for taking a look.

    ==========================================================================================

    Tech Support Guy System Info Utility version 1.0.0.2
    OS Version: Microsoft Windows XP Home Edition, Service Pack 2, 32 bit
    Processor: AMD Athlon(tm) XP 2500+, x86 Family 6 Model 10 Stepping 0
    Processor Count: 1
    RAM: 735 Mb
    Graphics Card: VIA/S3G UniChrome IGP, 32 Mb
    Hard Drives: C: Total - 78520 MB, Free - 59210 MB;
    Motherboard: , KM266A-8235
    Antivirus: AVG Anti-Virus Free Edition 2012, Updated: Yes, On-Demand Scanner: Enabled

    =========================================================================================

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:18:40 PM, on 12/8/2011
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16850)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\System32\ping.exe
    C:\Documents and Settings\user\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toast.net/start/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Privacy Suite Scheduler] "C:\Program Files\CyberScrub Privacy Suite\Launch.exe" "C:\Program Files\CyberScrub Privacy Suite\scheduler.exe" /SYSTRAY
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - S-1-5-18 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
    O4 - Global Startup: Play Wireless USB Adapter Utility.lnk = C:\Program Files\Belkin\F7D4101\V1\PBN.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Search - ?p=ZCxdm492MTUS
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.att.net
    O15 - Trusted Zone: http://*.att.net
    O15 - Trusted Zone: *.sbcglobal.net
    O15 - Trusted Zone: http://*.sbcglobal.net
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} (ScreenShare Control) - http://go2boss.amvonet.com/lms/3.2.1/moodle/screenshare//DesktopShare.cab
    O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager/plugin/IEGetPlugin.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
    O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.gamehouse.com/games/mjolauncher.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
    O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin_0.5.1.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C77F4508-1F9C-4CF9-8B97-C3242D6E1741}: NameServer = 4.2.2.2,4.2.2.1
    O18 - Filter hijack: text/html - {429bace4-a810-4875-b1ef-9e88d0c579cb} - C:\WINDOWS\system32\dsound3dd.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: getPlus(R) Installer - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
    O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe

    --
    End of file - 9077 bytes
     
  2. katonca

    I got DDS to open and run. Here is the DDS.txt, and the Attach.txt is attached. I'll try and run GMER tonight.

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20
    Run by user at 17:04:39 on 2011-12-08
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.735.156 [GMT -5:00]
    .
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: Sunbelt Personal Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\System32\ping.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.toast.net/start/
    uSearch Page =
    uSearch Bar =
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mDefault_Search_URL = hxxp://www.google.com/ie
    mSearch Page = hxxp://www.google.com
    mStart Page = hxxp://www.google.com
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant =
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    TB: {2D51D869-C36B-42BD-AE68-0A81BC771FA5} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
    TB: {A8FB8EB3-183B-4598-924D-86F0E5E37085} - No File
    TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Privacy Suite Scheduler] "c:\program files\cyberscrub privacy suite\launch.exe" "c:\program files\cyberscrub privacy suite\scheduler.exe" /SYSTRAY
    uRun: [Privacy Suite RiskMonitor]
    mRun: [VTTimer] VTTimer.exe
    mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    mRun: [PCTVOICE] pctspk.exe
    mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\user\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\playwi~1.lnk - c:\program files\belkin\f7d4101\v1\PBN.exe
    IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
    IE: &Search - ?p=ZCxdm492MTUS
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    LSP: mswsock.dll
    Trusted Zone: att.net
    Trusted Zone: sbcglobal.net
    Trusted Zone: yahoo.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxp://go2boss.amvonet.com/lms/3.2.1/moodle/screenshare//DesktopShare.cab
    DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager/plugin/IEGetPlugin.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
    DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
    DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://www.gamehouse.com/games/mjolauncher.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
    DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab
    DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - hxxp://www.trueswitch.com/sbc/TrueInstallSBC.exe
    TCP: DhcpNameServer = 192.168.2.1 192.168.2.1 65.170.161.10 66.242.35.130
    TCP: Interfaces\{B725FDF2-E3AF-489F-A02B-16D3151A8B39} : DhcpNameServer = 192.168.2.1 192.168.2.1 65.170.161.10 66.242.35.130
    TCP: Interfaces\{C77F4508-1F9C-4CF9-8B97-C3242D6E1741} : NameServer = 4.2.2.2,4.2.2.1
    Filter: text/html - {429bace4-a810-4875-b1ef-9e88d0c579cb} -
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\q4cvij8e.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.toast.net/start/
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npkimi.dll
    FF - plugin: c:\program files\nos\bin\np_gp.dll
    FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: XUL Cache: {43a853c6-1e29-4b13-a860-1ed94ceb81c3} - %profile%\extensions\{43a853c6-1e29-4b13-a860-1ed94ceb81c3}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
    R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2010-9-23 270888]
    R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [2008-6-21 66600]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-6 366152]
    R2 SbPF.Launcher;SbPF.Launcher;c:\program files\sunbelt software\personal firewall\SbPFLnch.exe [2008-10-31 95528]
    R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\sunbelt software\personal firewall\SbPFSvc.exe [2008-10-31 1365288]
    R3 BCMH43XX;N+ Wireless USB Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [2009-11-6 642432]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-6 22216]
    R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2010-9-23 65576]
    R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-12-8 41272]
    S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [2010-9-23 816672]
    S3 getPlus(R) Installer;getPlus(R) Installer;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-9-29 59552]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
    S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys --> c:\windows\system32\drivers\wg111v3.sys [?]
    S4 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
    .
    =============== Created Last 30 ================
    .
    2011-12-08 17:58:15 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-12-07 21:09:16 -------- d-----w- c:\documents and settings\user\application data\IObit
    2011-12-07 21:03:01 -------- d-----w- c:\documents and settings\all users\application data\IObit
    2011-12-07 21:02:57 -------- d-----w- c:\program files\IObit
    2011-12-07 01:15:38 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-07 01:15:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-12-05 23:01:18 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-12-05 14:57:36 -------- d-----w- c:\documents and settings\user\local settings\application data\Deployment
    2011-12-04 14:20:35 -------- d--h--w- C:\VritualRoot
    2011-12-04 01:37:40 -------- d-----w- c:\documents and settings\all users\application data\CPA_VA
    2011-12-03 19:31:37 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
    2011-12-03 19:22:09 -------- d-----w- c:\documents and settings\all users\application data\Comodo
    2011-12-03 19:21:57 1700352 ----a-w- c:\windows\system32\gdiplus.dll
    2011-12-03 19:21:03 -------- d-----w- c:\documents and settings\all users\application data\Comodo Downloader
    2011-12-03 01:30:30 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-12-03 01:30:30 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-11-22 19:19:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    ==================== Find3M ====================
    .
    2011-10-05 01:41:40 784 ----a-w- c:\windows\trz17.tmp
    .
    ============= FINISH: 17:07:01.90 ===============
     

  3. katonca

    GMER is running right now. It's been running for a couple of hours, so I'll post the log tomorrow.
     
  4. katonca

    Here is the result of the GMER scan. It reported a rootkit was found:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-12-09 08:30:48
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 HDS728080PLAT20 rev.PF2OA21B
    Running: zes4x8h8.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\pxtdipow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwClose [0xF3E20160]
    SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateFile [0xF3E1F868]
    SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateKey [0xF3E1C320]
    SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateProcess [0xF3E1EE90]
    SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateProcessEx [0xF3E1ED9C]
    SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateThread [0xF3E1F3FC]
    SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteFile [0xF3E20210]
    SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteKey [0xF3E1C786]
    SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteValueKey [0xF3E1C846]
    SSDT \SystemRoot\system32\drivers\sbhips.sys (Sunbelt Personal Firewall Host Intrusion Prevention Driver/Sunbelt Software, Inc.) ZwLoadDriver [0xF7ADA01C]
    SSDT \SystemRoot\system32\drivers\sbhips.sys (Sunbelt Personal Firewall Host Intrusion Prevention Driver/Sunbelt Software, Inc.) ZwMapViewOfSection [0xF7ADA168]
    SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwOpenFile [0xF3E1FB54]
    SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwOpenKey [0xF3E1C5CA]
    SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwResumeThread [0xF3E1F4EC]
    SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwSetInformationFile [0xF3E1FE8C]
    SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwSetValueKey [0xF3E1C9BC]
    SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwWriteFile [0xF3E1FDE0]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text mrxsmb.sys F2A69000 7 Bytes [66, 3B, 06, 0F, 83, FD, B4]
    .text mrxsmb.sys F2A69009 14 Bytes [8D, 4E, 10, 8B, 01, 3B, C1, ...]
    .text mrxsmb.sys F2A69018 170 Bytes [85, C0, 0F, 84, F0, B4, 00, ...]
    .text mrxsmb.sys F2A690C4 110 Bytes [08, 80, 48, 35, 40, 8B, 45, ...]
    .text mrxsmb.sys F2A69133 127 Bytes [56, 57, 6A, 0A, BF, 5C, 91, ...]
    .text ...
    ? C:\WINDOWS\system32\DRIVERS\mrxsmb.sys suspicious PE modification

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
    .text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
    .text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
    .text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
    .text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
    .text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
    .text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
    .text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
    .text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
    .text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
    .text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
    .text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
    .text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
    .text C:\WINDOWS\system32\ctfmon.exe[392] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
    .text C:\WINDOWS\system32\ctfmon.exe[392] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] WININET.dll!InternetConnectA 78064992 5 Bytes JMP 00130F54
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] WININET.dll!InternetConnectW 78065B8E 5 Bytes JMP 00130FE0
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00130D24
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00130DB0
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00130E3C
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00130EC8
    .text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
    .text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
    .text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
    .text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
    .text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
    .text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
    .text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
    .text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
    .text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
    .text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
    .text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
    .text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
    .text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
    .text C:\WINDOWS\Explorer.EXE[568] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
    .text C:\WINDOWS\Explorer.EXE[568] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
    .text C:\WINDOWS\Explorer.EXE[568] WININET.dll!InternetConnectA 78064992 5 Bytes JMP 00080F54
    .text C:\WINDOWS\Explorer.EXE[568] WININET.dll!InternetConnectW 78065B8E 5 Bytes JMP 00080FE0
    .text C:\WINDOWS\Explorer.EXE[568] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00080D24
    .text C:\WINDOWS\Explorer.EXE[568] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00080DB0
    .text C:\WINDOWS\Explorer.EXE[568] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00080E3C
    .text C:\WINDOWS\Explorer.EXE[568] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00080EC8
    .text C:\WINDOWS\Explorer.EXE[568] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
    .text C:\WINDOWS\Explorer.EXE[568] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
    .text C:\WINDOWS\Explorer.EXE[568] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
    .text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001601A8
    .text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00160090
    .text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00160694
    .text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!CreateProcessW 7C802332 5 Bytes JMP 001602C0
    .text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!CreateProcessA 7C802367 5 Bytes JMP 00160234
    .text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00160004
    .text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0016011C
    .text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001604F0
    .text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!CreateThread 7C810647 5 Bytes JMP 0016057C
    .text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001603D8
    .text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0016034C
    .text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!WinExec 7C86158D 5 Bytes JMP 00160464
    .text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00160608
    .text C:\WINDOWS\system32\csrss.exe[588] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001607AC
    .text C:\WINDOWS\system32\csrss.exe[588] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00160720
    .text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000701A8
    .text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070090
    .text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00070694
    .text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000702C0
    .text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070234
    .text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00070004
    .text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0007011C
    .text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000704F0
    .text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0007057C
    .text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000703D8
    .text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0007034C
    .text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00070464
    .text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00070608
    .text C:\WINDOWS\system32\winlogon.exe[612] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000707AC
    .text C:\WINDOWS\system32\winlogon.exe[612] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00070720
    .text C:\WINDOWS\system32\winlogon.exe[612] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000708C4
    .text C:\WINDOWS\system32\winlogon.exe[612] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00070838
    .text C:\WINDOWS\system32\winlogon.exe[612] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00070950
    .text C:\WINDOWS\system32\winlogon.exe[612] WININET.dll!InternetConnectA 78064992 5 Bytes JMP 00070F54
    .text C:\WINDOWS\system32\winlogon.exe[612] WININET.dll!InternetConnectW 78065B8E 5 Bytes JMP 00070FE0
    .text C:\WINDOWS\system32\winlogon.exe[612] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00070D24
    .text C:\WINDOWS\system32\winlogon.exe[612] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00070DB0
    .text C:\WINDOWS\system32\winlogon.exe[612] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00070E3C
    .text C:\WINDOWS\system32\winlogon.exe[612] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00070EC8
    .text C:\WINDOWS\system32\services.exe[656] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
    .text C:\WINDOWS\system32\services.exe[656] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
    .text C:\WINDOWS\system32\services.exe[656] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
    .text C:\WINDOWS\system32\services.exe[656] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
    .text C:\WINDOWS\system32\services.exe[656] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
    .text C:\WINDOWS\system32\services.exe[656] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
    .text C:\WINDOWS\system32\services.exe[656] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
    .text C:\WINDOWS\system32\services.exe[656] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
    .text C:\WINDOWS\system32\services.exe[656] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
    .text C:\WINDOWS\system32\services.exe[656] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
    .text C:\WINDOWS\system32\services.exe[656] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
    .text C:\WINDOWS\system32\services.exe[656] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
    .text C:\WINDOWS\system32\services.exe[656] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
    .text C:\WINDOWS\system32\services.exe[656] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
    .text C:\WINDOWS\system32\services.exe[656] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
    .text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
    .text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
    .text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
    .text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
    .text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
    .text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
    .text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
    .text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
    .text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
    .text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
    .text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
    .text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
    .text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
    .text C:\WINDOWS\system32\lsass.exe[676] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
    .text C:\WINDOWS\system32\lsass.exe[676] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
    .text C:\WINDOWS\system32\lsass.exe[676] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
    .text C:\WINDOWS\system32\lsass.exe[676] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
    .text C:\WINDOWS\system32\lsass.exe[676] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
    .text C:\WINDOWS\system32\lsass.exe[676] WININET.dll!InternetConnectA 78064992 5 Bytes JMP 00080F54
    .text C:\WINDOWS\system32\lsass.exe[676] WININET.dll!InternetConnectW 78065B8E 5 Bytes JMP 00080FE0
    .text C:\WINDOWS\system32\lsass.exe[676] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00080D24
    .text C:\WINDOWS\system32\lsass.exe[676] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00080DB0
    .text C:\WINDOWS\system32\lsass.exe[676] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00080E3C
    .text C:\WINDOWS\system32\lsass.exe[676] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00080EC8
    .text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
    .text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
    .text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
    .text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
    .text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
    .text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
    .text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
    .text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
    .text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
    .text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
    .text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
    .text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
    .text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
    .text C:\WINDOWS\system32\svchost.exe[820] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
    .text C:\WINDOWS\system32\svchost.exe[820] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
    .text C:\WINDOWS\system32\svchost.exe[820] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
    .text C:\WINDOWS\system32\svchost.exe[820] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
    .text C:\WINDOWS\system32\svchost.exe[820] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
    .text C:\WINDOWS\system32\svchost.exe[904] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
    .text C:\WINDOWS\system32\svchost.exe[904] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
    .text C:\WINDOWS\system32\svchost.exe[904] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
    .text C:\WINDOWS\system32\svchost.exe[904] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
    .text C:\WINDOWS\system32\svchost.exe[904] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
    .text C:\WINDOWS\system32\svchost.exe[904] WININET.dll!InternetConnectA 78064992 5 Bytes JMP 00080F54
    .text C:\WINDOWS\system32\svchost.exe[904] WININET.dll!InternetConnectW 78065B8E 5 Bytes JMP 00080FE0
    .text C:\WINDOWS\system32\svchost.exe[904] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00080D24
    .text C:\WINDOWS\system32\svchost.exe[904] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00080DB0
    .text C:\WINDOWS\system32\svchost.exe[904] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00080E3C
    .text C:\WINDOWS\system32\svchost.exe[904] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00080EC8
    .text C:\WINDOWS\System32\svchost.exe[952] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0089000A
    .text C:\WINDOWS\System32\svchost.exe[952] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 008A000A
    .text C:\WINDOWS\System32\svchost.exe[952] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0088000C
    .text C:\WINDOWS\System32\svchost.exe[952] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
    .text C:\WINDOWS\System32\svchost.exe[952] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
    .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
    .text C:\WINDOWS\system32\svchost.exe[1004] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
    .text C:\WINDOWS\system32\svchost.exe[1004] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
    .text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
    .text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
    .text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
    .text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
    .text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
    .text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
    .text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
    .text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
    .text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
    .text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
    .text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
    .text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
    .text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
    .text C:\WINDOWS\system32\svchost.exe[1140] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
    .text C:\WINDOWS\system32\svchost.exe[1140] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
    .text C:\WINDOWS\system32\svchost.exe[1140] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
    .text C:\WINDOWS\system32\svchost.exe[1140] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
    .text C:\WINDOWS\system32\svchost.exe[1140] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
    .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
    .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
    .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
    .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
    .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
    .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
    .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
    .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
    .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
    .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
    .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
    .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
    .text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
    .text C:\WINDOWS\system32\svchost.exe[1240] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
    .text C:\WINDOWS\system32\svchost.exe[1240] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
    .text C:\WINDOWS\system32\svchost.exe[1240] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
    .text C:\WINDOWS\system32\svchost.exe[1240] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
    .text C:\WINDOWS\system32\svchost.exe[1240] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
    .text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetConnectA 78064992 5 Bytes JMP 00080F54
    .text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetConnectW 78065B8E 5 Bytes JMP 00080FE0
    .text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00080D24
    .text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00080DB0
    .text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00080E3C
    .text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00080EC8
    .text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000701A8
    .text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070090
    .text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00070694
    .text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000702C0
    .text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070234
    .text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00070004
    .text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0007011C
    .text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000704F0
    .text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0007057C
    .text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000703D8
    .text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0007034C
    .text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00070464
    .text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00070608
    .text C:\WINDOWS\system32\wscntfy.exe[1368] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000707AC
    .text C:\WINDOWS\system32\wscntfy.exe[1368] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00070720
    .text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
    .text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
    .text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
    .text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
    .text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
    .text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
    .text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
    .text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
    .text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
    .text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
    .text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
    .text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
    .text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
    .text C:\WINDOWS\system32\spoolsv.exe[1476] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
    .text C:\WINDOWS\system32\spoolsv.exe[1476] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
    .text C:\WINDOWS\system32\spoolsv.exe[1476] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
    .text C:\WINDOWS\system32\spoolsv.exe[1476] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
    .text C:\WINDOWS\system32\spoolsv.exe[1476] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
    .text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
    .text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
    .text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
    .text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
    .text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
    .text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
    .text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
    .text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
    .text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
    .text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
    .text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
    .text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
    .text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
    .text C:\WINDOWS\system32\VTTimer.exe[1528] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
    .text C:\WINDOWS\system32\VTTimer.exe[1528] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
    .text C:\WINDOWS\system32\svchost.exe[1560] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
    .text C:\WINDOWS\system32\svchost.exe[1560] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
    .text C:\WINDOWS\system32\svchost.exe[1560] WININET.dll!InternetConnectA 78064992 5 Bytes JMP 00080F54
    .text C:\WINDOWS\system32\svchost.exe[1560] WININET.dll!InternetConnectW 78065B8E 5 Bytes JMP 00080FE0
    .text C:\WINDOWS\system32\svchost.exe[1560] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00080D24
    .text C:\WINDOWS\system32\svchost.exe[1560] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00080DB0
    .text C:\WINDOWS\system32\svchost.exe[1560] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00080E3C
    .text C:\WINDOWS\system32\svchost.exe[1560] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00080EC8
    .text C:\WINDOWS\system32\svchost.exe[1560] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
    .text C:\WINDOWS\system32\svchost.exe[1560] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
    .text C:\WINDOWS\system32\svchost.exe[1560] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1616] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1616] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1616] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1616] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1616] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1616] WININET.dll!InternetConnectA 78064992 5 Bytes JMP 00130F54
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1616] WININET.dll!InternetConnectW 78065B8E 5 Bytes JMP 00130FE0
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1616] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00130D24
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1616] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00130DB0
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1616] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00130E3C
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1616] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00130EC8
    .text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
    .text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
    .text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
    .text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
    .text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
    .text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
    .text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
    .text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
    .text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
    .text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
    .text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
    .text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
    .text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
    .text C:\WINDOWS\system32\CTsvcCDA.exe[1632] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
    .text C:\WINDOWS\system32\CTsvcCDA.exe[1632] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1668] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1668] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1668] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1668] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1668] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1668] WININET.dll!InternetConnectA 78064992 5 Bytes JMP 00130F54
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1668] WININET.dll!InternetConnectW 78065B8E 5 Bytes JMP 00130FE0
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1668] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00130D24
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1668] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00130DB0
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1668] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00130E3C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1668] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00130EC8
    .text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
    .text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
    .text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
    .text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
    .text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
    .text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
    .text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
    .text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
    .text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
    .text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
    .text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
    .text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
    .text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
    .text C:\WINDOWS\system32\pctspk.exe[1688] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
    .text C:\WINDOWS\system32\pctspk.exe[1688] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
    .text C:\WINDOWS\system32\pctspk.exe[1688] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
    .text C:\WINDOWS\system32\pctspk.exe[1688] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
    .text C:\WINDOWS\system32\pctspk.exe[1688] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
    .text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
    .text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
    .text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
    .text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
    .text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
    .text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
    .text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
    .text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
    .text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
    .text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
    .text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
    .text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
    .text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
    .text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
    .text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
    .text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] WININET.dll!InternetConnectA 78064992 5 Bytes JMP 00130F54
    .text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] WININET.dll!InternetConnectW 78065B8E 5 Bytes JMP 00130FE0
    .text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00130D24
    .text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00130DB0
    .text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00130E3C
    .text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00130EC8
    .text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
    .text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
    .text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
    .text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
    .text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
    .text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
    .text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
    .text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
    .text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
    .text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
    .text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
    .text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
    .text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
    .text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
    .text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
    .text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
    .text C:\WINDOWS\System32\svchost.exe[1812] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
    .text C:\WINDOWS\System32\svchost.exe[1812] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
    .text C:\WINDOWS\System32\svchost.exe[1812] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
    .text C:\WINDOWS\System32\svchost.exe[1812] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
    .text C:\WINDOWS\System32\svchost.exe[1812] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
    .text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
    .text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
    .text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
    .text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
    .text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
    .text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
    .text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
    .text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
    .text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
    .text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
    .text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
    .text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
    .text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
    .text C:\WINDOWS\System32\svchost.exe[1848] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
    .text C:\WINDOWS\System32\svchost.exe[1848] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
    .text C:\WINDOWS\System32\svchost.exe[1848] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
    .text C:\WINDOWS\System32\svchost.exe[1848] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
    .text C:\WINDOWS\System32\svchost.exe[1848] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000301A8
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00030090
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00030694
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000302C0
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00030234
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00030004
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0003011C
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000304F0
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0003057C
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000303D8
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0003034C
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00030464
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00030608
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000307AC
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00030720
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] WININET.dll!InternetConnectA 78064992 5 Bytes JMP 00030F54
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] WININET.dll!InternetConnectW 78065B8E 5 Bytes JMP 00030FE0
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00030D24
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00030DB0
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00030E3C
    .text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00030EC8
    .text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
    .text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
    .text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
    .text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
    .text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
    .text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
    .text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
    .text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
    .text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
    .text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
    .text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
    .text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
    .text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
    .text C:\WINDOWS\system32\svchost.exe[2008] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
    .text C:\WINDOWS\system32\svchost.exe[2008] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
    .text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
    .text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
    .text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
    .text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
    .text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
    .text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
    .text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
    .text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
    .text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
    .text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
    .text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
    .text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
    .text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
    .text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
    .text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
    .text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] ws2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
    .text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] ws2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
    .text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] ws2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
    .text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
    .text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
    .text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
    .text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
    .text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
    .text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
    .text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
    .text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
    .text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
    .text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
    .text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
    .text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
    .text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
    .text C:\Program Files\SpywareGuard\sgmain.exe[2120] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
    .text C:\Program Files\SpywareGuard\sgmain.exe[2120] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
    .text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
    .text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
    .text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
    .text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
    .text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
    .text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
    .text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
    .text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
    .text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
    .text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
    .text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
    .text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
    .text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
    .text C:\WINDOWS\System32\alg.exe[2208] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
    .text C:\WINDOWS\System32\alg.exe[2208] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
    .text C:\WINDOWS\System32\alg.exe[2208] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
    .text C:\WINDOWS\System32\alg.exe[2208] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
    .text C:\WINDOWS\System32\alg.exe[2208] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
    .text C:\WINDOWS\System32\alg.exe[2208] WININET.dll!InternetConnectA 78064992 5 Bytes JMP 00080F54
    .text C:\WINDOWS\System32\alg.exe[2208] WININET.dll!InternetConnectW 78065B8E 5 Bytes JMP 00080FE0
    .text C:\WINDOWS\System32\alg.exe[2208] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00080D24
    .text C:\WINDOWS\System32\alg.exe[2208] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00080DB0
    .text C:\WINDOWS\System32\alg.exe[2208] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00080E3C
    .text C:\WINDOWS\System32\alg.exe[2208] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00080EC8
    .text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
    .text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
    .text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
    .text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
    .text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
    .text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
    .text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
    .text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
    .text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
    .text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
    .text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
    .text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
    .text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
    .text C:\Program Files\SpywareGuard\sgbhp.exe[2280] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
    .text C:\Program Files\SpywareGuard\sgbhp.exe[2280] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
    .text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
    .text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
    .text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
    .text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
    .text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
    .text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
    .text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
    .text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
    .text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
    .text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
    .text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
    .text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
    .text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
    .text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
    .text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)

    ---- Modules - GMER 1.0.15 ----

    Module (noname) (*** hidden *** ) F36AD000-F36C5000 (98304 bytes)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Classes\CLSID\{005AA08E-F378-CDEA-4494-80FA2A9BE74E}\[email protected] C:\Program Files\CyberLink\Shared Files\AudioFilter\claud.ax
    Reg HKLM\SOFTWARE\Classes\CLSID\{005AA08E-F378-CDEA-4494-80FA2A9BE74E}\[email protected] Both
    Reg HKLM\SOFTWARE\Classes\CLSID\{039CD4F0-516D-C442-ED45-803512FD5AC9}\[email protected] C:\WINDOWS\system32\quartz.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{039CD4F0-516D-C442-ED45-803512FD5AC9}\[email protected] Both
    Reg HKLM\SOFTWARE\Classes\CLSID\{16E749DB-8E9B-D86A-B1AF-0020EB03A1B7}\[email protected] C:\Program Files\Common Files\System\Ole DB\oledb32.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{16E749DB-8E9B-D86A-B1AF-0020EB03A1B7}\[email protected] Both
    Reg HKLM\SOFTWARE\Classes\CLSID\{16E749DB-8E9B-D86A-B1AF-0020EB03A1B7}\[email protected] DataLinks
    Reg HKLM\SOFTWARE\Classes\CLSID\{16E749DB-8E9B-D86A-B1AF-0020EB03A1B7}\[email protected] DataLinks
    Reg HKLM\SOFTWARE\Classes\CLSID\{26B41561-A1B3-8D17-A7DE-051BE27736BA}\[email protected] C:\WINDOWS\system32\qcap.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{26B41561-A1B3-8D17-A7DE-051BE27736BA}\[email protected] Both
    Reg HKLM\SOFTWARE\Classes\CLSID\{2ACB497D-6CFC-7594-BB39-CCC260AF5B5A}\[email protected] C:\WINDOWS\system32\webvw.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{2ACB497D-6CFC-7594-BB39-CCC260AF5B5A}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{2ACB497D-6CFC-7594-BB39-CCC260AF5B5A}\[email protected] 0
    Reg HKLM\SOFTWARE\Classes\CLSID\{2ACB497D-6CFC-7594-BB39-CCC260AF5B5A}\MiscStatus\1
    Reg HKLM\SOFTWARE\Classes\CLSID\{2ACB497D-6CFC-7594-BB39-CCC260AF5B5A}\MiscStatus\[email protected] 131473
    Reg HKLM\SOFTWARE\Classes\CLSID\{2ACB497D-6CFC-7594-BB39-CCC260AF5B5A}\[email protected] ThumbCtl.ThumbCtl.1
    Reg HKLM\SOFTWARE\Classes\CLSID\{2ACB497D-6CFC-7594-BB39-CCC260AF5B5A}\[email protected] C:\WINDOWS\system32\webvw.dll, 1
    Reg HKLM\SOFTWARE\Classes\CLSID\{2ACB497D-6CFC-7594-BB39-CCC260AF5B5A}\[email protected] {cd603fc0-1f11-11d1-9e88-00c04fdcab92}
    Reg HKLM\SOFTWARE\Classes\CLSID\{2ACB497D-6CFC-7594-BB39-CCC260AF5B5A}\[email protected] 1.0
    Reg HKLM\SOFTWARE\Classes\CLSID\{2ACB497D-6CFC-7594-BB39-CCC260AF5B5A}\[email protected] ThumbCtl.ThumbCtl
    Reg HKLM\SOFTWARE\Classes\CLSID\{3B3E33AB-02A1-4A2B-373B-920E20CA196E}\[email protected] %SystemRoot%\system32\dsuiext.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{3B3E33AB-02A1-4A2B-373B-920E20CA196E}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{3C91CB00-8514-901B-651D-5D20DF97F7FA}\[email protected] C:\Program Files\Common Files\System\ado\msadomd.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{3C91CB00-8514-901B-651D-5D20DF97F7FA}\[email protected] Both
    Reg HKLM\SOFTWARE\Classes\CLSID\{3C91CB00-8514-901B-651D-5D20DF97F7FA}\[email protected] ADOMD.Catalog.2.7
    Reg HKLM\SOFTWARE\Classes\CLSID\{3C91CB00-8514-901B-651D-5D20DF97F7FA}\[email protected] ADOMD.Catalog
    Reg HKLM\SOFTWARE\Classes\CLSID\{5A85D433-BB42-24A0-27A5-E0C507D38021}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
    Reg HKLM\SOFTWARE\Classes\CLSID\{5A85D433-BB42-24A0-27A5-E0C507D38021}\[email protected] C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    Reg HKLM\SOFTWARE\Classes\CLSID\{5A85D433-BB42-24A0-27A5-E0C507D38021}\[email protected] gcasDtServ.Agent
    Reg HKLM\SOFTWARE\Classes\CLSID\{5A85D433-BB42-24A0-27A5-E0C507D38021}\[email protected] {CEACE91F-3F71-4A8C-B952-63716B2BC026}
    Reg HKLM\SOFTWARE\Classes\CLSID\{5A85D433-BB42-24A0-27A5-E0C507D38021}\[email protected] 1.0
    Reg HKLM\SOFTWARE\Classes\CLSID\{68006435-5F14-4E7B-4674-C5DAA4811732}\[email protected] C:\WINDOWS\system32\wbem\scrcons.exe
    Reg HKLM\SOFTWARE\Classes\CLSID\{68006435-5F14-4E7B-4674-C5DAA4811732}\[email protected] Both
    Reg HKLM\SOFTWARE\Classes\CLSID\{9C572CC7-FE23-53F0-69EB-41A00D1771E9}\[email protected] C:\Program Files\Common Files\System\ado\msadox.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{9C572CC7-FE23-53F0-69EB-41A00D1771E9}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{9C572CC7-FE23-53F0-69EB-41A00D1771E9}\[email protected] ADOX.Key.2.8
    Reg HKLM\SOFTWARE\Classes\CLSID\{9C572CC7-FE23-53F0-69EB-41A00D1771E9}\[email protected] ADOX.Key.2.8
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC5D62F0-7AF9-D297-967B-364DE243FB9F}\[email protected] C:\WINDOWS\system32\mstask.dll,-101
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC5D62F0-7AF9-D297-967B-364DE243FB9F}\[email protected] C:\WINDOWS\system32\mstask.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC5D62F0-7AF9-D297-967B-364DE243FB9F}\[email protected] Both
    Reg HKLM\SOFTWARE\Classes\CLSID\{C35E31D4-1C38-79FD-D2C6-B308CB3884F1}\[email protected] %SystemRoot%\system32\SHELL32.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{C35E31D4-1C38-79FD-D2C6-B308CB3884F1}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{C7360F90-DC83-663C-D225-95957DD64018}\[email protected] C:\WINDOWS\system32\scardssp.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{C7360F90-DC83-663C-D225-95957DD64018}\[email protected] Free
    Reg HKLM\SOFTWARE\Classes\CLSID\{C7360F90-DC83-663C-D225-95957DD64018}\[email protected] Scardssp.SCard.1
    Reg HKLM\SOFTWARE\Classes\CLSID\{C7360F90-DC83-663C-D225-95957DD64018}\[email protected] {82C38704-19F1-11D3-A11F-00C04F79F800}
    Reg HKLM\SOFTWARE\Classes\CLSID\{C7360F90-DC83-663C-D225-95957DD64018}\[email protected] Scardssp.SCard
    Reg HKLM\SOFTWARE\Classes\CLSID\{D699BD77-1D24-645F-2FBC-5C3D1DB6FED7}\[email protected] C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
    Reg HKLM\SOFTWARE\Classes\CLSID\{D699BD77-1D24-645F-2FBC-5C3D1DB6FED7}\[email protected] Setup.LogServices.1
    Reg HKLM\SOFTWARE\Classes\CLSID\{D699BD77-1D24-645F-2FBC-5C3D1DB6FED7}\[email protected] Setup.LogServices
    Reg HKLM\SOFTWARE\Classes\CLSID\{E4379E50-68C5-D33E-7FBA-56058C6AAC72}\[email protected] C:\Program Files\Common Files\Ahead\DSFilter\NeAudio.ax
    Reg HKLM\SOFTWARE\Classes\CLSID\{E4379E50-68C5-D33E-7FBA-56058C6AAC72}\[email protected] Both
    Reg HKLM\SOFTWARE\Classes\CLSID\{EFB75571-5FE9-B5CF-90A9-FECDB5D0EAE8}\[email protected] C:\WINDOWS\system32\scrobj.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{EFB75571-5FE9-B5CF-90A9-FECDB5D0EAE8}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{EFB75571-5FE9-B5CF-90A9-FECDB5D0EAE8}\[email protected] ScriptletHandler.ASP
    Reg HKLM\SOFTWARE\Classes\CLSID\{EFCB1236-8091-8A61-C175-2F6DEEA4E7AD}\[email protected] C:\WINDOWS\system32\CLBCatQ.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{EFCB1236-8091-8A61-C175-2F6DEEA4E7AD}\[email protected] Both
    Reg HKLM\SOFTWARE\Classes\CLSID\{EFCB1236-8091-8A61-C175-2F6DEEA4E7AD}\[email protected] ComPlusMetaDataServices.ServicesMetaDataDispenser.1
    Reg HKLM\SOFTWARE\Classes\CLSID\{EFCB1236-8091-8A61-C175-2F6DEEA4E7AD}\[email protected] ComPlusMetaDataServices.ServicesMetaDataDispenser
    Reg HKLM\SOFTWARE\Classes\CLSID\{FBD44B43-52CF-EDF3-2A14-9785820AB493}\[email protected] %SystemRoot%\System32\shell32.dll,-137
    Reg HKLM\SOFTWARE\Classes\CLSID\{FBD44B43-52CF-EDF3-2A14-9785820AB493}\[email protected] shell32.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{FBD44B43-52CF-EDF3-2A14-9785820AB493}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{FBD44B43-52CF-EDF3-2A14-9785820AB493}\[email protected] 0
    Reg HKLM\SOFTWARE\Classes\CLSID\{FBD44B43-52CF-EDF3-2A14-9785820AB493}\[email protected]
    Reg HKLM\SOFTWARE\Classes\CLSID\{FBD44B43-52CF-EDF3-2A14-9785820AB493}\[email protected]

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\$NtUninstallKB57337$\2469442358 0 bytes
    File C:\WINDOWS\$NtUninstallKB57337$\2469442358\@ 2048 bytes
    File C:\WINDOWS\$NtUninstallKB57337$\2469442358\bckfg.tmp 823 bytes
    File C:\WINDOWS\$NtUninstallKB57337$\2469442358\cfg.ini 192 bytes
    File C:\WINDOWS\$NtUninstallKB57337$\2469442358\Desktop.ini 4608 bytes
    File C:\WINDOWS\$NtUninstallKB57337$\2469442358\kwrd.dll 208896 bytes
    File C:\WINDOWS\$NtUninstallKB57337$\2469442358\L 0 bytes
    File C:\WINDOWS\$NtUninstallKB57337$\2469442358\L\bonspetl 64896 bytes
    File C:\WINDOWS\$NtUninstallKB57337$\2469442358\lsflt7.ver 5175 bytes
    File C:\WINDOWS\$NtUninstallKB57337$\2469442358\U 0 bytes
    File C:\WINDOWS\$NtUninstallKB57337$\2469442358\U\[email protected] 2048 bytes
    File C:\WINDOWS\$NtUninstallKB57337$\2469442358\U\[email protected] 209920 bytes
    File C:\WINDOWS\$NtUninstallKB57337$\2469442358\U\[email protected] 1024 bytes
    File C:\WINDOWS\$NtUninstallKB57337$\2469442358\U\[email protected] 71168 bytes
    File C:\WINDOWS\$NtUninstallKB57337$\4202800072 0 bytes
    File C:\WINDOWS\$NtUninstallKB8198$\2251990365 0 bytes
    File C:\WINDOWS\$NtUninstallKB8198$\2469442358 0 bytes
    File C:\WINDOWS\$NtUninstallKB8198$\2469442358\@ 2048 bytes
    File C:\WINDOWS\$NtUninstallKB8198$\2469442358\bckfg.tmp 851 bytes
    File C:\WINDOWS\$NtUninstallKB8198$\2469442358\cfg.ini 200 bytes
    File C:\WINDOWS\$NtUninstallKB8198$\2469442358\Desktop.ini 4608 bytes
    File C:\WINDOWS\$NtUninstallKB8198$\2469442358\keywords 146 bytes
    File C:\WINDOWS\$NtUninstallKB8198$\2469442358\kwrd.dll 223744 bytes
    File C:\WINDOWS\$NtUninstallKB8198$\2469442358\L 0 bytes
    File C:\WINDOWS\$NtUninstallKB8198$\2469442358\L\bonspetl 453632 bytes
    File C:\WINDOWS\$NtUninstallKB8198$\2469442358\lsflt7.ver 5176 bytes
    File C:\WINDOWS\$NtUninstallKB8198$\2469442358\U 0 bytes
    File C:\WINDOWS\$NtUninstallKB8198$\2469442358\U\[email protected] 2048 bytes
    File C:\WINDOWS\$NtUninstallKB8198$\2469442358\U\[email protected] 224768 bytes
    File C:\WINDOWS\$NtUninstallKB8198$\2469442358\U\[email protected] 1024 bytes
    File C:\WINDOWS\$NtUninstallKB8198$\2469442358\U\[email protected] 1024 bytes
    File C:\WINDOWS\$NtUninstallKB8198$\2469442358\U\[email protected] 12800 bytes
    File C:\WINDOWS\$NtUninstallKB8198$\2469442358\U\[email protected] 98304 bytes

    ---- EOF - GMER 1.0.15 ----
     
  5. valis

    valis Moderator

    Joined:
    Sep 24, 2004
    Messages:
    77,762
    heyya Big D......let me know if nobody picks this up, I'll flag someone down for ya. :)
     
  6. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    You have a ZeroAccess rootkit infection, plus some very nasty friends that it has called in. Do the following:

    Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

    Link 1
    Link 2

    • Ensure that Combofix is saved directly to the Desktop <--- Very important

      Before saving Combofix to the Desktop, rename it to Gotcha.exe.

    • Disable all security programs, as they will have a negative effect on Combofix; instructions are available Here if required. Be aware the list may not have all programs listed; if you need more help, please ask.
    • Close any open browsers and any other programs you might have running
    • Double click the icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
    • Instructions for running Combofix available Here if required.
    • If you are using Windows XP it might display a pop up saying "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed, Combofix will then offer to scan for malware. Select continue or yes.
    • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review.

    ****Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall or freeze. ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
    • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

    Post the log in next reply please...

    Why have you not updated to SP3? Any specific reason?

    Kevin
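    The GMER log posted above and Kevin's ZeroAccess diagnosis can be tied together in a small triage script. This is an added example and not code from the thread, GMER or ComboFix: it parses a constructed handful of lines written in GMER 1.0.15's output format (paths copied from the log; the file names under `U\` are placeholders because the thread shows them obfuscated, and the `$NtUninstallKB000000$` line is a constructed benign-looking entry), summarises which processes carry 5-byte JMP inline hooks, lists hidden modules, and flags `$NtUninstallKB...$` directories whose contents match the `@` / `L` / `U` / `cfg.ini` / `kwrd.dll` layout that ZeroAccess creates. The hook summary is for attribution, not a verdict: on this machine the hooks may well come from the Sunbelt Personal Firewall HIPS driver and SpywareGuard listed in the same log, so the analyst has to match them against installed security software before treating them as hostile.

```python
"""Triage helpers for GMER 1.0.15 log lines (added example, not GMER/ComboFix code)."""
import re
from collections import defaultdict

# Constructed sample in GMER 1.0.15 output format. Paths are copied from the log
# posted in this thread; the name under U\ is a placeholder (the thread shows it
# obfuscated) and the final $NtUninstallKB000000$ line is a constructed
# benign-looking uninstall directory (genuine ones hold spuninst\, not a
# purely numeric subdirectory).
SAMPLE_LOG = r"""
.text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\alg.exe[2208] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
Module (noname) (*** hidden *** ) F36AD000-F36C5000 (98304 bytes)
File C:\WINDOWS\$NtUninstallKB57337$\2469442358\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB57337$\2469442358\cfg.ini 192 bytes
File C:\WINDOWS\$NtUninstallKB57337$\2469442358\kwrd.dll 208896 bytes
File C:\WINDOWS\$NtUninstallKB57337$\2469442358\L\bonspetl 64896 bytes
File C:\WINDOWS\$NtUninstallKB57337$\2469442358\U\@placeholder 2048 bytes
File C:\WINDOWS\$NtUninstallKB8198$\2469442358\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB8198$\2469442358\bckfg.tmp 851 bytes
File C:\WINDOWS\$NtUninstallKB8198$\2469442358\cfg.ini 200 bytes
File C:\WINDOWS\$NtUninstallKB8198$\2469442358\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB000000$\spuninst\spuninst.exe 12345 bytes
"""

# ".text <process>[pid] <dll>!<export> <addr> 5 Bytes JMP <target>" user-mode inline hook
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?\[\d+\]) (?P<dll>[^!\s]+)!(?P<func>\S+) "
    r"(?P<addr>[0-9A-Fa-f]+) (?P<nbytes>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)$"
)
# "Module (noname) (*** hidden *** ) <start>-<end> (<n> bytes)"
HIDDEN_MODULE_RE = re.compile(
    r"^Module .*\*\*\* hidden \*\*\*.*?(?P<start>[0-9A-F]{8})-(?P<end>[0-9A-F]{8})"
)
# "File <path> <size> bytes"
FILE_RE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes$")
# A $NtUninstallKB<n>$ directory holding a purely numeric subdirectory
NTUNINSTALL_RE = re.compile(
    r"^(?P<root>.*\\\$NtUninstallKB\d+\$\\\d+)\\(?P<rest>.+)$", re.IGNORECASE
)
# Top-level names ZeroAccess drops inside that numeric subdirectory
ZA_MARKERS = {"@", "L", "U", "bckfg.tmp", "cfg.ini", "kwrd.dll", "lsflt7.ver"}


def parse_hooks(lines):
    """Map each hooked process (as GMER names it) to the exports redirected by a JMP."""
    hooks = defaultdict(list)
    for line in lines:
        m = HOOK_RE.match(line.strip())
        if m:
            hooks[m["proc"]].append(f"{m['dll']}!{m['func']}")
    return {proc: sorted(funcs, key=str.lower) for proc, funcs in hooks.items()}


def find_hidden_modules(lines):
    """Return (start, end) address pairs of modules GMER marks as hidden."""
    found = []
    for line in lines:
        m = HIDDEN_MODULE_RE.match(line.strip())
        if m:
            found.append((m["start"], m["end"]))
    return found


def find_zeroaccess_dirs(lines, min_markers=3):
    """Flag fake $NtUninstallKB...$ stores whose contents match the ZeroAccess layout.

    A directory is flagged when it holds the '@' file plus enough of the other
    marker names to reach min_markers; a lone '@' is too weak a signal on its own.
    """
    entries = defaultdict(set)
    for line in lines:
        fm = FILE_RE.match(line.strip())
        if not fm:
            continue
        dm = NTUNINSTALL_RE.match(fm["path"])
        if not dm:
            continue
        top_level_name = dm["rest"].split("\\", 1)[0]
        entries[dm["root"]].add(top_level_name)
    flagged = {}
    for root, names in entries.items():
        hits = names & ZA_MARKERS
        if "@" in hits and len(hits) >= min_markers:
            flagged[root] = sorted(hits)
    return flagged


def triage(log_text):
    """Run all three checks over raw GMER log text and return one summary dict."""
    lines = log_text.strip().splitlines()
    return {
        "hooked_processes": parse_hooks(lines),
        "hidden_modules": find_hidden_modules(lines),
        "zeroaccess_dirs": find_zeroaccess_dirs(lines),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for proc, funcs in summary["hooked_processes"].items():
        print(f"hooked: {proc}: {', '.join(funcs)}")
    for start, end in summary["hidden_modules"]:
        print(f"hidden module at {start}-{end}")
    for root, markers in summary["zeroaccess_dirs"].items():
        print(f"ZeroAccess-style store: {root} ({', '.join(markers)})")
```

    Run against the full GMER log from the thread, the script groups the hooks by process (every process shows the same export list and a JMP target in a low, per-process page, which is how a HIPS product instruments a machine) and flags both `$NtUninstallKB57337$` and `$NtUninstallKB8198$` stores, which is exactly the set ComboFix later lists under "Other Deletions".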
     
  7. valis

    valis Moderator

    Joined:
    Sep 24, 2004
    Messages:
    77,762
    kevin, thanks........:)
     
  8. katonca

    katonca Thread Starter

    Joined:
    Aug 9, 2004
    Messages:
    13,674
    Hi V, always good to see ya.:) Hope the upcoming holiday will treat you and yours well, and be a merry one.

    Kevin, thank you for helping me with my problems. Right now I am on my other computer. I will be downloading Combofix shortly and running the process.

    The computer is relatively new to me and has not been fully tweaked yet. SP3 will be installed ASAP after the infections are eliminated (unless you think it is necessary now).
     
  9. katonca

    katonca Thread Starter

    Joined:
    Aug 9, 2004
    Messages:
    13,674
    One thing to note is my auction computer (the one which is infected) says that it is running AVG 2012 free edition. I don't find any such program on my computer. I've checked (add/remove programs) on the control panel and (all programs) from the start button. All other security programs have been disabled as far as I can tell.

    I've downloaded combofix and will be running it shortly.
     
  10. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    80,907
    First Name:
    Frank
    If you've purchased that computer with all the problems and "debris" from its previous owner, what you really need to do is format the hard drive and do a clean reinstall of Windows XP SP3 and get a fresh start.

    What's the model number of that HP Pavilion? If you don't know for sure, advise what the product number (P/N) on the sticker is.

    -----------------------------------------------------
     
  11. katonca

    katonca Thread Starter

    Joined:
    Aug 9, 2004
    Messages:
    13,674
    Combofix advised not to run w/o disabling AVG 2012. I can't find this program or its files anywhere (C drive => program files).

    This computer appears to be an assembled gamer's computer. There is no P/N on the case. As a matter of fact the case isn't a Pavilion case. I cancelled running the combofix scan until advised to do so. I don't want to screw it up considering it says AVG is running.
     
  12. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Your computer is awash with malware, and you also have a ZeroAccess rootkit infection. It may very well be beneficial to reformat and re-install.
    If you have no installation CD or recovery partition then the only option is to kill the rootkit and clear out all the malware. Combofix does deal with ZA very efficiently; obviously you must turn off your security. If you have no way of turning off AVG then give CF a try, and accept the alert when prompted by CF......
     
  13. katonca

    katonca Thread Starter

    Joined:
    Aug 9, 2004
    Messages:
    13,674
    Thanks for the advice Kevin. This auction treasure didn't come with the CD and I've tried the recovery partition (non-existent). I'll give CF a try even though AVG is supposedly running. I'll post the result.
     
  14. katonca

    katonca Thread Starter

    Joined:
    Aug 9, 2004
    Messages:
    13,674
    Here is the Combofix log

    ComboFix 11-12-09.02 - user 12/09/2011 13:30:58.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.735.517 [GMT -5:00]
    Running from: c:\documents and settings\user\Desktop\Gotcha.exe
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: Sunbelt Personal Firewall *Disabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\user\Application Data\alot
    c:\documents and settings\user\WINDOWS
    C:\install.exe
    c:\program files\Common
    c:\windows\$NtUninstallKB57337$
    c:\windows\$NtUninstallKB57337$\2469442358\@
    c:\windows\$NtUninstallKB57337$\2469442358\bckfg.tmp
    c:\windows\$NtUninstallKB57337$\2469442358\cfg.ini
    c:\windows\$NtUninstallKB57337$\2469442358\Desktop.ini
    c:\windows\$NtUninstallKB57337$\2469442358\kwrd.dll
    c:\windows\$NtUninstallKB57337$\2469442358\L\bonspetl
    c:\windows\$NtUninstallKB57337$\2469442358\lsflt7.ver
    c:\windows\$NtUninstallKB57337$\2469442358\U\[email protected]
    c:\windows\$NtUninstallKB57337$\2469442358\U\[email protected]
    c:\windows\$NtUninstallKB57337$\2469442358\U\[email protected]
    c:\windows\$NtUninstallKB57337$\2469442358\U\[email protected]
    c:\windows\$NtUninstallKB57337$\4202800072
    c:\windows\$NtUninstallKB8198$\2251990365
    c:\windows\$NtUninstallKB8198$\2469442358\@
    c:\windows\$NtUninstallKB8198$\2469442358\bckfg.tmp
    c:\windows\$NtUninstallKB8198$\2469442358\cfg.ini
    c:\windows\$NtUninstallKB8198$\2469442358\Desktop.ini
    c:\windows\$NtUninstallKB8198$\2469442358\keywords
    c:\windows\$NtUninstallKB8198$\2469442358\kwrd.dll
    c:\windows\$NtUninstallKB8198$\2469442358\L\bonspetl
    c:\windows\$NtUninstallKB8198$\2469442358\lsflt7.ver
    c:\windows\$NtUninstallKB8198$\2469442358\U\[email protected]
    c:\windows\$NtUninstallKB8198$\2469442358\U\[email protected]
    c:\windows\$NtUninstallKB8198$\2469442358\U\[email protected]
    c:\windows\$NtUninstallKB8198$\2469442358\U\[email protected]
    c:\windows\$NtUninstallKB8198$\2469442358\U\[email protected]
    c:\windows\$NtUninstallKB8198$\2469442358\U\[email protected]
    c:\windows\system32\Packet.dll
    c:\windows\system32\pthreadVC.dll
    c:\windows\system32\WanPacket.dll
    c:\windows\system32\wpcap.dll
    c:\windows\$NtUninstallKB8198$ . . . . Failed to delete
    .
    c:\windows\system32\proquota.exe was missing
    Restored copy from - c:\windows\$NtServicePackUninstall$\proquota.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_9330b336
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-09 to 2011-12-09 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-09 18:49 . 2011-12-09 18:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2011-12-09 18:43 . 2004-08-04 12:00 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
    2011-12-09 18:43 . 2004-08-04 12:00 50176 ----a-w- c:\windows\system32\proquota.exe
    2011-12-08 17:58 . 2011-12-08 17:58 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-12-07 21:09 . 2011-12-07 21:09 -------- d-----w- c:\documents and settings\user\Application Data\IObit
    2011-12-07 21:03 . 2011-12-07 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
    2011-12-07 21:02 . 2011-12-07 21:09 -------- d-----w- c:\program files\IObit
    2011-12-07 01:15 . 2011-12-07 01:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-12-07 01:15 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-05 23:01 . 2011-12-05 23:01 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-12-05 22:53 . 2011-12-06 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2011-12-05 14:57 . 2011-12-05 16:31 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Deployment
    2011-12-04 14:20 . 2011-12-04 14:20 -------- d-----w- C:\VritualRoot
    2011-12-04 01:37 . 2011-12-06 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\CPA_VA
    2011-12-03 19:31 . 2011-12-07 01:47 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
    2011-12-03 19:22 . 2011-12-03 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
    2011-12-03 19:21 . 2011-12-03 19:21 1700352 ----a-w- c:\windows\system32\gdiplus.dll
    2011-12-03 19:21 . 2011-12-03 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
    2011-12-03 19:17 . 2011-12-03 19:17 -------- d-----w- c:\documents and settings\Administrator.HOME
    2011-12-03 01:30 . 2011-12-03 01:30 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-11-22 19:19 . 2011-11-22 19:19 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-05 01:41 . 2011-10-05 01:41 784 ----a-w- c:\windows\trz17.tmp
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Privacy Suite Scheduler"="c:\program files\CyberScrub Privacy Suite\Launch.exe" [2008-07-29 45192]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VTTimer"="VTTimer.exe" [2004-09-01 53248]
    "PCTVOICE"="pctspk.exe" [2003-12-18 180224]
    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-11-04 329096]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    c:\documents and settings\user\Start Menu\Programs\Startup\
    SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
    NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [N/A]
    Play Wireless USB Adapter Utility.lnk - c:\program files\Belkin\F7D4101\V1\PBN.exe [2009-11-25 110592]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
    R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [9/23/2010 8:06 PM 270888]
    R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [6/21/2008 3:54 AM 66600]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/6/2011 8:15 PM 366152]
    R2 SbPF.Launcher;SbPF.Launcher;c:\program files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [10/31/2008 6:24 AM 95528]
    R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [10/31/2008 6:24 AM 1365288]
    R3 BCMH43XX;N+ Wireless USB Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [11/6/2009 7:26 AM 642432]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/6/2011 8:15 PM 22216]
    R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [9/23/2010 8:06 PM 65576]
    S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [9/23/2010 2:32 PM 816672]
    S3 getPlus(R) Installer;getPlus(R) Installer;c:\program files\NOS\bin\getPlus_HelperSvc.exe [9/29/2008 7:10 AM 59552]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 7:00 AM 14336]
    S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v3.sys --> c:\windows\system32\DRIVERS\wg111v3.sys [?]
    S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.toast.net/start/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.google.com
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    Trusted Zone: att.net
    Trusted Zone: sbcglobal.net
    Trusted Zone: yahoo.com
    TCP: Interfaces\{C77F4508-1F9C-4CF9-8B97-C3242D6E1741}: NameServer = 4.2.2.2,4.2.2.1
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxp://go2boss.amvonet.com/lms/3.2.1/moodle/screenshare//DesktopShare.cab
    DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
    DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab
    FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\q4cvij8e.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.toast.net/start/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: XUL Cache: {43a853c6-1e29-4b13-a860-1ed94ceb81c3} - %profile%\extensions\{43a853c6-1e29-4b13-a860-1ed94ceb81c3}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
    HKCU-Run-Privacy Suite RiskMonitor - (no file)
    HKLM-Run-Cmaudio - cmicnfg.cpl
    AddRemove-The Sims - c:\program files\Maxis\The Sims\Uninst.isu
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-09 13:49
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(612)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    - - - - - - - > 'explorer.exe'(1960)
    c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\CTsvcCDA.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Sunbelt Software\Personal Firewall\SbPFCl.exe
    c:\windows\system32\VTTimer.exe
    c:\windows\system32\pctspk.exe
    c:\program files\SpywareGuard\sgbhp.exe
    c:\program files\CyberScrub Privacy Suite\scheduler.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-09 14:00:07 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-09 19:00
    .
    Pre-Run: 64,399,319,040 bytes free
    Post-Run: 64,656,588,800 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 3A4D8C278504FD1B603C790BC00F3B36
     
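    The Supplementary Scan block above is where the redirect complaint from the first post is most likely to show up: the per-interface NameServer entries (a hijacked resolver sends every lookup wherever the attacker wants), the IE Trusted Zone list, and the DPF lines (ActiveX controls IE downloaded). The following Python script is an added example for triaging those lines, not something posted in this thread or shipped with ComboFix. The sample log is constructed from lines in the shape of the ones above (the second NameServer line and its interface GUID are invented, and 203.0.113.53 is a documentation address standing in for a suspect resolver); the list of known-good public resolvers is an assumption a reviewer would tune to the user's ISP.

    ```python
    import re
    from ipaddress import ip_address, ip_network

    # Constructed sample in the shape of a ComboFix "Supplementary Scan" block.
    # The second NameServer line (GUID and 203.0.113.53) is invented so the
    # check has something to flag; "hxxp" is ComboFix's defanging of "http".
    SAMPLE_LOG = """\
    uStart Page = hxxp://www.toast.net/start/
    uInternet Settings,ProxyOverride = *.local
    Trusted Zone: att.net
    Trusted Zone: sbcglobal.net
    TCP: Interfaces\\{C77F4508-1F9C-4CF9-8B97-C3242D6E1741}: NameServer = 4.2.2.2,4.2.2.1
    TCP: Interfaces\\{00000000-0000-0000-0000-000000000001}: NameServer = 203.0.113.53,192.168.1.1
    DPF: Microsoft XML Parser for Java - file://c:\\windows\\Java\\classes\\xmldso.cab
    DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab
    """

    # Assumed allowlist: resolvers a home box could plausibly point at without
    # that being a sign of DNS hijacking. The interface's own router (RFC 1918
    # space) is handled separately below. Tune this to the user's ISP.
    KNOWN_GOOD_RESOLVERS = {
        ip_address(a) for a in (
            "4.2.2.1", "4.2.2.2", "4.2.2.3", "4.2.2.4", "4.2.2.5", "4.2.2.6",  # Level 3
            "8.8.8.8", "8.8.4.4",                                          # Google
            "208.67.222.222", "208.67.220.220",                            # OpenDNS
        )
    }
    PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

    NS_RE = re.compile(r"^TCP: Interfaces\\(\{[0-9A-Fa-f-]+\}): NameServer = (.+)$")
    TZ_RE = re.compile(r"^Trusted Zone: (.+)$")
    DPF_RE = re.compile(r"^DPF: (.+?) - (\S+)$")


    def parse_supplementary(text):
        """Pull the redirect-relevant entries out of a ComboFix supplementary scan."""
        found = {"nameservers": [], "trusted_zones": [], "dpf": []}
        for line in text.splitlines():
            line = line.strip()
            if m := NS_RE.match(line):
                ips = [p.strip() for p in m.group(2).split(",") if p.strip()]
                found["nameservers"].append((m.group(1), ips))
            elif m := TZ_RE.match(line):
                found["trusted_zones"].append(m.group(1))
            elif m := DPF_RE.match(line):
                found["dpf"].append((m.group(1), m.group(2)))
        return found


    def is_known_good_resolver(ip_text):
        """True for an allowlisted public resolver or a private (router) address."""
        ip = ip_address(ip_text)
        return ip in KNOWN_GOOD_RESOLVERS or any(ip in net for net in PRIVATE_NETS)


    def audit(text):
        """Return human-readable findings; an empty list means nothing stood out."""
        found = parse_supplementary(text)
        findings = []
        for iface, ips in found["nameservers"]:
            for ip in ips:
                if not is_known_good_resolver(ip):
                    findings.append(f"unrecognised DNS server {ip} on interface {iface}")
        # A Trusted Zone entry relaxes IE's security settings for that domain;
        # every one should be something the user deliberately added.
        for zone in found["trusted_zones"]:
            findings.append(f"IE Trusted Zone contains {zone}")
        # DPF entries are ActiveX controls IE pulled down. Local file:// ones are
        # part of Windows; anything fetched from a third-party site is a
        # removal candidate on a box that is already redirecting.
        for name, src in found["dpf"]:
            if src.lower().startswith(("hxxp://", "http://", "https://")):
                findings.append(f"downloaded ActiveX control {name} from {src}")
        return findings


    if __name__ == "__main__":
        for finding in audit(SAMPLE_LOG):
            print(finding)
    ```

    Run it against the saved ComboFix.txt instead of the constructed sample by reading the file into `audit()`. On the log as actually posted, the only resolvers are 4.2.2.2 and 4.2.2.1, so the DNS check would come back clean; the Trusted Zone and DPF lines are what a helper would ask about next.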
  15. valis

    valis Moderator

    Joined:
    Sep 24, 2004
    Messages:
    77,762
    ick. :) And that's my professional opinion.

    Glad I'm subscribed to this; I like to watch Kevin do his stuff. Never met a ZeroAccess he couldn't destroy; that's my opinion.
     
Short URL to this thread: https://techguy.org/1030339