New auction desktop computer full of bugs, need some help please

katonca

Thread Starter
Joined
Aug 9, 2004
Messages
13,674
Hello, I purchased a used desktop computer a little while back to replace my aging system. The new (to me) computer seems to have some nasty bugs in the system. I'm having a difficult time getting it to run right. The current problem involves constant redirects and freezing.

I've attached my system info and a HijackThis report. I've tried to download DDS by sUBs and GMER, but constant redirects have kept this from happening. If need be, I'll download it to my other computer, put it on a CD and run it on the auction comp.

Thank you for taking a look.

==========================================================================================

Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows XP Home Edition, Service Pack 2, 32 bit
Processor: AMD Athlon(tm) XP 2500+, x86 Family 6 Model 10 Stepping 0
Processor Count: 1
RAM: 735 Mb
Graphics Card: VIA/S3G UniChrome IGP, 32 Mb
Hard Drives: C: Total - 78520 MB, Free - 59210 MB;
Motherboard: , KM266A-8235
Antivirus: AVG Anti-Virus Free Edition 2012, Updated: Yes, On-Demand Scanner: Enabled

=========================================================================================

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:18:40 PM, on 12/8/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\ping.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toast.net/start/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Privacy Suite Scheduler] "C:\Program Files\CyberScrub Privacy Suite\Launch.exe" "C:\Program Files\CyberScrub Privacy Suite\scheduler.exe" /SYSTRAY
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-18 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O4 - Global Startup: Play Wireless USB Adapter Utility.lnk = C:\Program Files\Belkin\F7D4101\V1\PBN.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - ?p=ZCxdm492MTUS
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: http://*.att.net
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} (ScreenShare Control) - http://go2boss.amvonet.com/lms/3.2.1/moodle/screenshare//DesktopShare.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager/plugin/IEGetPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.gamehouse.com/games/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin_0.5.1.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C77F4508-1F9C-4CF9-8B97-C3242D6E1741}: NameServer = 4.2.2.2,4.2.2.1
O18 - Filter hijack: text/html - {429bace4-a810-4875-b1ef-9e88d0c579cb} - C:\WINDOWS\system32\dsound3dd.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: getPlus(R) Installer - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe

--
End of file - 9077 bytes
 

katonca (Thread Starter)

I got the DDS to open and run. Here is the DDS.txt, and the Attach.txt is attached. I'll try and run GMER tonight.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20
Run by user at 17:04:39 on 2011-12-08
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.735.156 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Sunbelt Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\ping.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.toast.net/start/
uSearch Page =
uSearch Bar =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {2D51D869-C36B-42BD-AE68-0A81BC771FA5} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {A8FB8EB3-183B-4598-924D-86F0E5E37085} - No File
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Privacy Suite Scheduler] "c:\program files\cyberscrub privacy suite\launch.exe" "c:\program files\cyberscrub privacy suite\scheduler.exe" /SYSTRAY
uRun: [Privacy Suite RiskMonitor]
mRun: [VTTimer] VTTimer.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [PCTVOICE] pctspk.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\user\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\playwi~1.lnk - c:\program files\belkin\f7d4101\v1\PBN.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: &Search - ?p=ZCxdm492MTUS
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
Trusted Zone: att.net
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxp://go2boss.amvonet.com/lms/3.2.1/moodle/screenshare//DesktopShare.cab
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager/plugin/IEGetPlugin.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://www.gamehouse.com/games/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - hxxp://www.trueswitch.com/sbc/TrueInstallSBC.exe
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1 65.170.161.10 66.242.35.130
TCP: Interfaces\{B725FDF2-E3AF-489F-A02B-16D3151A8B39} : DhcpNameServer = 192.168.2.1 192.168.2.1 65.170.161.10 66.242.35.130
TCP: Interfaces\{C77F4508-1F9C-4CF9-8B97-C3242D6E1741} : NameServer = 4.2.2.2,4.2.2.1
Filter: text/html - {429bace4-a810-4875-b1ef-9e88d0c579cb} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\q4cvij8e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.toast.net/start/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npkimi.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XUL Cache: {43a853c6-1e29-4b13-a860-1ed94ceb81c3} - %profile%\extensions\{43a853c6-1e29-4b13-a860-1ed94ceb81c3}
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2010-9-23 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [2008-6-21 66600]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-6 366152]
R2 SbPF.Launcher;SbPF.Launcher;c:\program files\sunbelt software\personal firewall\SbPFLnch.exe [2008-10-31 95528]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\sunbelt software\personal firewall\SbPFSvc.exe [2008-10-31 1365288]
R3 BCMH43XX;N+ Wireless USB Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [2009-11-6 642432]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-6 22216]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2010-9-23 65576]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-12-8 41272]
S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [2010-9-23 816672]
S3 getPlus(R) Installer;getPlus(R) Installer;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-9-29 59552]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys --> c:\windows\system32\drivers\wg111v3.sys [?]
S4 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
.
=============== Created Last 30 ================
.
2011-12-08 17:58:15 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-12-07 21:09:16 -------- d-----w- c:\documents and settings\user\application data\IObit
2011-12-07 21:03:01 -------- d-----w- c:\documents and settings\all users\application data\IObit
2011-12-07 21:02:57 -------- d-----w- c:\program files\IObit
2011-12-07 01:15:38 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-07 01:15:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-05 23:01:18 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-05 14:57:36 -------- d-----w- c:\documents and settings\user\local settings\application data\Deployment
2011-12-04 14:20:35 -------- d--h--w- C:\VritualRoot
2011-12-04 01:37:40 -------- d-----w- c:\documents and settings\all users\application data\CPA_VA
2011-12-03 19:31:37 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2011-12-03 19:22:09 -------- d-----w- c:\documents and settings\all users\application data\Comodo
2011-12-03 19:21:57 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2011-12-03 19:21:03 -------- d-----w- c:\documents and settings\all users\application data\Comodo Downloader
2011-12-03 01:30:30 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-12-03 01:30:30 -------- d-----w- c:\windows\system32\wbem\Repository
2011-11-22 19:19:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
2011-10-05 01:41:40 784 ----a-w- c:\windows\trz17.tmp
.
============= FINISH: 17:07:01.90 ===============
 

katonca (Thread Starter)

GMER is running right now. It's been running for a couple of hours, so I'll post the log tomorrow.
 

katonca (Thread Starter)

Here is the result of the GMER scan. It reported that a rootkit was found:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-09 08:30:48
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 HDS728080PLAT20 rev.PF2OA21B
Running: zes4x8h8.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\pxtdipow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwClose [0xF3E20160]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateFile [0xF3E1F868]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateKey [0xF3E1C320]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateProcess [0xF3E1EE90]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateProcessEx [0xF3E1ED9C]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateThread [0xF3E1F3FC]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteFile [0xF3E20210]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteKey [0xF3E1C786]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteValueKey [0xF3E1C846]
SSDT \SystemRoot\system32\drivers\sbhips.sys (Sunbelt Personal Firewall Host Intrusion Prevention Driver/Sunbelt Software, Inc.) ZwLoadDriver [0xF7ADA01C]
SSDT \SystemRoot\system32\drivers\sbhips.sys (Sunbelt Personal Firewall Host Intrusion Prevention Driver/Sunbelt Software, Inc.) ZwMapViewOfSection [0xF7ADA168]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwOpenFile [0xF3E1FB54]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwOpenKey [0xF3E1C5CA]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwResumeThread [0xF3E1F4EC]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwSetInformationFile [0xF3E1FE8C]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwSetValueKey [0xF3E1C9BC]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwWriteFile [0xF3E1FDE0]

---- Kernel code sections - GMER 1.0.15 ----

.text mrxsmb.sys F2A69000 7 Bytes [66, 3B, 06, 0F, 83, FD, B4]
.text mrxsmb.sys F2A69009 14 Bytes [8D, 4E, 10, 8B, 01, 3B, C1, ...]
.text mrxsmb.sys F2A69018 170 Bytes [85, C0, 0F, 84, F0, B4, 00, ...]
.text mrxsmb.sys F2A690C4 110 Bytes [08, 80, 48, 35, 40, 8B, 45, ...]
.text mrxsmb.sys F2A69133 127 Bytes [56, 57, 6A, 0A, BF, 5C, 91, ...]
.text ...
? C:\WINDOWS\system32\DRIVERS\mrxsmb.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\ctfmon.exe[392] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\ctfmon.exe[392] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\ctfmon.exe[392] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] WININET.dll!InternetConnectA 78064992 5 Bytes JMP 00130F54
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] WININET.dll!InternetConnectW 78065B8E 5 Bytes JMP 00130FE0
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00130D24
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00130DB0
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00130E3C
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[504] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00130EC8
.text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\Explorer.EXE[568] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\Explorer.EXE[568] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\Explorer.EXE[568] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\Explorer.EXE[568] WININET.dll!InternetConnectA 78064992 5 Bytes JMP 00080F54
.text C:\WINDOWS\Explorer.EXE[568] WININET.dll!InternetConnectW 78065B8E 5 Bytes JMP 00080FE0
.text C:\WINDOWS\Explorer.EXE[568] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00080D24
.text C:\WINDOWS\Explorer.EXE[568] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00080DB0
.text C:\WINDOWS\Explorer.EXE[568] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00080E3C
.text C:\WINDOWS\Explorer.EXE[568] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00080EC8
.text C:\WINDOWS\Explorer.EXE[568] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\Explorer.EXE[568] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\Explorer.EXE[568] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001601A8
.text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00160090
.text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00160694
.text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!CreateProcessW 7C802332 5 Bytes JMP 001602C0
.text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!CreateProcessA 7C802367 5 Bytes JMP 00160234
.text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00160004
.text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0016011C
.text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001604F0
.text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!CreateThread 7C810647 5 Bytes JMP 0016057C
.text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001603D8
.text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0016034C
.text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!WinExec 7C86158D 5 Bytes JMP 00160464
.text C:\WINDOWS\system32\csrss.exe[588] KERNEL32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00160608
.text C:\WINDOWS\system32\csrss.exe[588] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001607AC
.text C:\WINDOWS\system32\csrss.exe[588] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00160720
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000701A8
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070090
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00070694
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000702C0
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070234
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00070004
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0007011C
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000704F0
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0007057C
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000703D8
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0007034C
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00070464
.text C:\WINDOWS\system32\winlogon.exe[612] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00070608
.text C:\WINDOWS\system32\winlogon.exe[612] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000707AC
.text C:\WINDOWS\system32\winlogon.exe[612] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00070720
.text C:\WINDOWS\system32\winlogon.exe[612] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000708C4
.text C:\WINDOWS\system32\winlogon.exe[612] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00070838
.text C:\WINDOWS\system32\winlogon.exe[612] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00070950
.text C:\WINDOWS\system32\winlogon.exe[612] WININET.dll!InternetConnectA 78064992 5 Bytes JMP 00070F54
.text C:\WINDOWS\system32\winlogon.exe[612] WININET.dll!InternetConnectW 78065B8E 5 Bytes JMP 00070FE0
.text C:\WINDOWS\system32\winlogon.exe[612] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00070D24
.text C:\WINDOWS\system32\winlogon.exe[612] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00070DB0
.text C:\WINDOWS\system32\winlogon.exe[612] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00070E3C
.text C:\WINDOWS\system32\winlogon.exe[612] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00070EC8
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\services.exe[656] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\services.exe[656] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\services.exe[656] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\lsass.exe[676] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\lsass.exe[676] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\lsass.exe[676] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\lsass.exe[676] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\lsass.exe[676] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\lsass.exe[676] WININET.dll!InternetConnectA 78064992 5 Bytes JMP 00080F54
.text C:\WINDOWS\system32\lsass.exe[676] WININET.dll!InternetConnectW 78065B8E 5 Bytes JMP 00080FE0
.text C:\WINDOWS\system32\lsass.exe[676] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00080D24
.text C:\WINDOWS\system32\lsass.exe[676] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00080DB0
.text C:\WINDOWS\system32\lsass.exe[676] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00080E3C
.text C:\WINDOWS\system32\lsass.exe[676] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00080EC8
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[820] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[820] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[820] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[820] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[820] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[904] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[904] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[904] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[904] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[904] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[904] WININET.dll!InternetConnectA 78064992 5 Bytes JMP 00080F54
.text C:\WINDOWS\system32\svchost.exe[904] WININET.dll!InternetConnectW 78065B8E 5 Bytes JMP 00080FE0
.text C:\WINDOWS\system32\svchost.exe[904] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00080D24
.text C:\WINDOWS\system32\svchost.exe[904] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00080DB0
.text C:\WINDOWS\system32\svchost.exe[904] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00080E3C
.text C:\WINDOWS\system32\svchost.exe[904] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00080EC8
.text C:\WINDOWS\System32\svchost.exe[952] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0089000A
.text C:\WINDOWS\System32\svchost.exe[952] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 008A000A
.text C:\WINDOWS\System32\svchost.exe[952] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0088000C
.text C:\WINDOWS\System32\svchost.exe[952] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\svchost.exe[952] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1004] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1004] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1140] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1140] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1140] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1140] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1140] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1240] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1240] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1240] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1240] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1240] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetConnectA 78064992 5 Bytes JMP 00080F54
.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetConnectW 78065B8E 5 Bytes JMP 00080FE0
.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00080D24
.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00080DB0
.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00080E3C
.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00080EC8
.text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000701A8
.text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070090
.text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00070694
.text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000702C0
.text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070234
.text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00070004
.text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0007011C
.text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000704F0
.text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0007057C
.text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000703D8
.text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0007034C
.text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00070464
.text C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00070608
.text C:\WINDOWS\system32\wscntfy.exe[1368] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000707AC
.text C:\WINDOWS\system32\wscntfy.exe[1368] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00070720
.text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\spoolsv.exe[1476] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\spoolsv.exe[1476] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\spoolsv.exe[1476] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\spoolsv.exe[1476] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\spoolsv.exe[1476] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\spoolsv.exe[1476] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\VTTimer.exe[1528] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\VTTimer.exe[1528] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\VTTimer.exe[1528] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1560] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1560] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1560] WININET.dll!InternetConnectA 78064992 5 Bytes JMP 00080F54
.text C:\WINDOWS\system32\svchost.exe[1560] WININET.dll!InternetConnectW 78065B8E 5 Bytes JMP 00080FE0
.text C:\WINDOWS\system32\svchost.exe[1560] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00080D24
.text C:\WINDOWS\system32\svchost.exe[1560] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00080DB0
.text C:\WINDOWS\system32\svchost.exe[1560] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00080E3C
.text C:\WINDOWS\system32\svchost.exe[1560] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00080EC8
.text C:\WINDOWS\system32\svchost.exe[1560] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1560] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1560] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\Program Files\Bonjour\mDNSResponder.exe[1616] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\Program Files\Bonjour\mDNSResponder.exe[1616] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\Bonjour\mDNSResponder.exe[1616] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\Bonjour\mDNSResponder.exe[1616] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\Program Files\Bonjour\mDNSResponder.exe[1616] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\Bonjour\mDNSResponder.exe[1616] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\Program Files\Bonjour\mDNSResponder.exe[1616] WININET.dll!InternetConnectA 78064992 5 Bytes JMP 00130F54
.text C:\Program Files\Bonjour\mDNSResponder.exe[1616] WININET.dll!InternetConnectW 78065B8E 5 Bytes JMP 00130FE0
.text C:\Program Files\Bonjour\mDNSResponder.exe[1616] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00130D24
.text C:\Program Files\Bonjour\mDNSResponder.exe[1616] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00130DB0
.text C:\Program Files\Bonjour\mDNSResponder.exe[1616] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00130E3C
.text C:\Program Files\Bonjour\mDNSResponder.exe[1616] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00130EC8
.text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\CTsvcCDA.exe[1632] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\CTsvcCDA.exe[1632] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\CTsvcCDA.exe[1632] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\Program Files\Java\jre6\bin\jqs.exe[1668] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\Program Files\Java\jre6\bin\jqs.exe[1668] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\Java\jre6\bin\jqs.exe[1668] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\Java\jre6\bin\jqs.exe[1668] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\Program Files\Java\jre6\bin\jqs.exe[1668] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\Java\jre6\bin\jqs.exe[1668] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\Program Files\Java\jre6\bin\jqs.exe[1668] WININET.dll!InternetConnectA 78064992 5 Bytes JMP 00130F54
.text C:\Program Files\Java\jre6\bin\jqs.exe[1668] WININET.dll!InternetConnectW 78065B8E 5 Bytes JMP 00130FE0
.text C:\Program Files\Java\jre6\bin\jqs.exe[1668] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00130D24
.text C:\Program Files\Java\jre6\bin\jqs.exe[1668] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00130DB0
.text C:\Program Files\Java\jre6\bin\jqs.exe[1668] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00130E3C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1668] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00130EC8
.text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\pctspk.exe[1688] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\pctspk.exe[1688] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\WINDOWS\system32\pctspk.exe[1688] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\WINDOWS\system32\pctspk.exe[1688] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\WINDOWS\system32\pctspk.exe[1688] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\pctspk.exe[1688] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1708] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] WININET.dll!InternetConnectA 78064992 5 Bytes JMP 00130F54
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] WININET.dll!InternetConnectW 78065B8E 5 Bytes JMP 00130FE0
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00130D24
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00130DB0
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00130E3C
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00130EC8
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1736] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1772] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\svchost.exe[1812] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\svchost.exe[1812] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\svchost.exe[1812] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\svchost.exe[1812] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\svchost.exe[1812] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\svchost.exe[1812] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\svchost.exe[1848] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\svchost.exe[1848] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\svchost.exe[1848] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\svchost.exe[1848] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\svchost.exe[1848] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[1924] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000301A8
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00030090
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00030694
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000302C0
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00030234
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00030004
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0003011C
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000304F0
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0003057C
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000303D8
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0003034C
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00030464
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00030608
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000307AC
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00030720
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] WININET.dll!InternetConnectA 78064992 5 Bytes JMP 00030F54
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] WININET.dll!InternetConnectW 78065B8E 5 Bytes JMP 00030FE0
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00030D24
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00030DB0
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00030E3C
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[1972] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00030EC8
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[2008] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[2008] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] ws2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] ws2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\CyberScrub Privacy Suite\scheduler.exe[2116] ws2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\Program Files\SpywareGuard\sgmain.exe[2120] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\Program Files\SpywareGuard\sgmain.exe[2120] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\SpywareGuard\sgmain.exe[2120] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\alg.exe[2208] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\alg.exe[2208] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\alg.exe[2208] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\alg.exe[2208] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\alg.exe[2208] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\System32\alg.exe[2208] WININET.dll!InternetConnectA 78064992 5 Bytes JMP 00080F54
.text C:\WINDOWS\System32\alg.exe[2208] WININET.dll!InternetConnectW 78065B8E 5 Bytes JMP 00080FE0
.text C:\WINDOWS\System32\alg.exe[2208] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00080D24
.text C:\WINDOWS\System32\alg.exe[2208] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00080DB0
.text C:\WINDOWS\System32\alg.exe[2208] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00080E3C
.text C:\WINDOWS\System32\alg.exe[2208] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00080EC8
.text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\Program Files\SpywareGuard\sgbhp.exe[2280] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\Program Files\SpywareGuard\sgbhp.exe[2280] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\SpywareGuard\sgbhp.exe[2280] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Documents and Settings\user\Desktop\zes4x8h8.exe[2372] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) F36AD000-F36C5000 (98304 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{005AA08E-F378-CDEA-4494-80FA2A9BE74E}\[email protected] C:\Program Files\CyberLink\Shared Files\AudioFilter\claud.ax
Reg HKLM\SOFTWARE\Classes\CLSID\{005AA08E-F378-CDEA-4494-80FA2A9BE74E}\[email protected] Both
Reg HKLM\SOFTWARE\Classes\CLSID\{039CD4F0-516D-C442-ED45-803512FD5AC9}\[email protected] C:\WINDOWS\system32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{039CD4F0-516D-C442-ED45-803512FD5AC9}\[email protected] Both
Reg HKLM\SOFTWARE\Classes\CLSID\{16E749DB-8E9B-D86A-B1AF-0020EB03A1B7}\[email protected] C:\Program Files\Common Files\System\Ole DB\oledb32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{16E749DB-8E9B-D86A-B1AF-0020EB03A1B7}\[email protected] Both
Reg HKLM\SOFTWARE\Classes\CLSID\{16E749DB-8E9B-D86A-B1AF-0020EB03A1B7}\[email protected] DataLinks
Reg HKLM\SOFTWARE\Classes\CLSID\{16E749DB-8E9B-D86A-B1AF-0020EB03A1B7}\[email protected] DataLinks
Reg HKLM\SOFTWARE\Classes\CLSID\{26B41561-A1B3-8D17-A7DE-051BE27736BA}\[email protected] C:\WINDOWS\system32\qcap.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{26B41561-A1B3-8D17-A7DE-051BE27736BA}\[email protected] Both
Reg HKLM\SOFTWARE\Classes\CLSID\{2ACB497D-6CFC-7594-BB39-CCC260AF5B5A}\[email protected] C:\WINDOWS\system32\webvw.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{2ACB497D-6CFC-7594-BB39-CCC260AF5B5A}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{2ACB497D-6CFC-7594-BB39-CCC260AF5B5A}\[email protected] 0
Reg HKLM\SOFTWARE\Classes\CLSID\{2ACB497D-6CFC-7594-BB39-CCC260AF5B5A}\MiscStatus\1
Reg HKLM\SOFTWARE\Classes\CLSID\{2ACB497D-6CFC-7594-BB39-CCC260AF5B5A}\MiscStatus\[email protected] 131473
Reg HKLM\SOFTWARE\Classes\CLSID\{2ACB497D-6CFC-7594-BB39-CCC260AF5B5A}\[email protected] ThumbCtl.ThumbCtl.1
Reg HKLM\SOFTWARE\Classes\CLSID\{2ACB497D-6CFC-7594-BB39-CCC260AF5B5A}\[email protected] C:\WINDOWS\system32\webvw.dll, 1
Reg HKLM\SOFTWARE\Classes\CLSID\{2ACB497D-6CFC-7594-BB39-CCC260AF5B5A}\[email protected] {cd603fc0-1f11-11d1-9e88-00c04fdcab92}
Reg HKLM\SOFTWARE\Classes\CLSID\{2ACB497D-6CFC-7594-BB39-CCC260AF5B5A}\[email protected] 1.0
Reg HKLM\SOFTWARE\Classes\CLSID\{2ACB497D-6CFC-7594-BB39-CCC260AF5B5A}\[email protected] ThumbCtl.ThumbCtl
Reg HKLM\SOFTWARE\Classes\CLSID\{3B3E33AB-02A1-4A2B-373B-920E20CA196E}\[email protected] %SystemRoot%\system32\dsuiext.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{3B3E33AB-02A1-4A2B-373B-920E20CA196E}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{3C91CB00-8514-901B-651D-5D20DF97F7FA}\[email protected] C:\Program Files\Common Files\System\ado\msadomd.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{3C91CB00-8514-901B-651D-5D20DF97F7FA}\[email protected] Both
Reg HKLM\SOFTWARE\Classes\CLSID\{3C91CB00-8514-901B-651D-5D20DF97F7FA}\[email protected] ADOMD.Catalog.2.7
Reg HKLM\SOFTWARE\Classes\CLSID\{3C91CB00-8514-901B-651D-5D20DF97F7FA}\[email protected] ADOMD.Catalog
Reg HKLM\SOFTWARE\Classes\CLSID\{5A85D433-BB42-24A0-27A5-E0C507D38021}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
Reg HKLM\SOFTWARE\Classes\CLSID\{5A85D433-BB42-24A0-27A5-E0C507D38021}\[email protected] C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
Reg HKLM\SOFTWARE\Classes\CLSID\{5A85D433-BB42-24A0-27A5-E0C507D38021}\[email protected] gcasDtServ.Agent
Reg HKLM\SOFTWARE\Classes\CLSID\{5A85D433-BB42-24A0-27A5-E0C507D38021}\[email protected] {CEACE91F-3F71-4A8C-B952-63716B2BC026}
Reg HKLM\SOFTWARE\Classes\CLSID\{5A85D433-BB42-24A0-27A5-E0C507D38021}\[email protected] 1.0
Reg HKLM\SOFTWARE\Classes\CLSID\{68006435-5F14-4E7B-4674-C5DAA4811732}\[email protected] C:\WINDOWS\system32\wbem\scrcons.exe
Reg HKLM\SOFTWARE\Classes\CLSID\{68006435-5F14-4E7B-4674-C5DAA4811732}\[email protected] Both
Reg HKLM\SOFTWARE\Classes\CLSID\{9C572CC7-FE23-53F0-69EB-41A00D1771E9}\[email protected] C:\Program Files\Common Files\System\ado\msadox.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{9C572CC7-FE23-53F0-69EB-41A00D1771E9}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{9C572CC7-FE23-53F0-69EB-41A00D1771E9}\[email protected] ADOX.Key.2.8
Reg HKLM\SOFTWARE\Classes\CLSID\{9C572CC7-FE23-53F0-69EB-41A00D1771E9}\[email protected] ADOX.Key.2.8
Reg HKLM\SOFTWARE\Classes\CLSID\{AC5D62F0-7AF9-D297-967B-364DE243FB9F}\[email protected] C:\WINDOWS\system32\mstask.dll,-101
Reg HKLM\SOFTWARE\Classes\CLSID\{AC5D62F0-7AF9-D297-967B-364DE243FB9F}\[email protected] C:\WINDOWS\system32\mstask.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{AC5D62F0-7AF9-D297-967B-364DE243FB9F}\[email protected]Model Both
Reg HKLM\SOFTWARE\Classes\CLSID\{C35E31D4-1C38-79FD-D2C6-B308CB3884F1}\[email protected] %SystemRoot%\system32\SHELL32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{C35E31D4-1C38-79FD-D2C6-B308CB3884F1}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{C7360F90-DC83-663C-D225-95957DD64018}\[email protected] C:\WINDOWS\system32\scardssp.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{C7360F90-DC83-663C-D225-95957DD64018}\[email protected] Free
Reg HKLM\SOFTWARE\Classes\CLSID\{C7360F90-DC83-663C-D225-95957DD64018}\[email protected] Scardssp.SCard.1
Reg HKLM\SOFTWARE\Classes\CLSID\{C7360F90-DC83-663C-D225-95957DD64018}\[email protected] {82C38704-19F1-11D3-A11F-00C04F79F800}
Reg HKLM\SOFTWARE\Classes\CLSID\{C7360F90-DC83-663C-D225-95957DD64018}\[email protected] Scardssp.SCard
Reg HKLM\SOFTWARE\Classes\CLSID\{D699BD77-1D24-645F-2FBC-5C3D1DB6FED7}\[email protected] C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
Reg HKLM\SOFTWARE\Classes\CLSID\{D699BD77-1D24-645F-2FBC-5C3D1DB6FED7}\[email protected] Setup.LogServices.1
Reg HKLM\SOFTWARE\Classes\CLSID\{D699BD77-1D24-645F-2FBC-5C3D1DB6FED7}\[email protected] Setup.LogServices
Reg HKLM\SOFTWARE\Classes\CLSID\{E4379E50-68C5-D33E-7FBA-56058C6AAC72}\[email protected] C:\Program Files\Common Files\Ahead\DSFilter\NeAudio.ax
Reg HKLM\SOFTWARE\Classes\CLSID\{E4379E50-68C5-D33E-7FBA-56058C6AAC72}\[email protected] Both
Reg HKLM\SOFTWARE\Classes\CLSID\{EFB75571-5FE9-B5CF-90A9-FECDB5D0EAE8}\[email protected] C:\WINDOWS\system32\scrobj.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{EFB75571-5FE9-B5CF-90A9-FECDB5D0EAE8}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EFB75571-5FE9-B5CF-90A9-FECDB5D0EAE8}\[email protected] ScriptletHandler.ASP
Reg HKLM\SOFTWARE\Classes\CLSID\{EFCB1236-8091-8A61-C175-2F6DEEA4E7AD}\[email protected] C:\WINDOWS\system32\CLBCatQ.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EFCB1236-8091-8A61-C175-2F6DEEA4E7AD}\[email protected] Both
Reg HKLM\SOFTWARE\Classes\CLSID\{EFCB1236-8091-8A61-C175-2F6DEEA4E7AD}\[email protected] ComPlusMetaDataServices.ServicesMetaDataDispenser.1
Reg HKLM\SOFTWARE\Classes\CLSID\{EFCB1236-8091-8A61-C175-2F6DEEA4E7AD}\[email protected] ComPlusMetaDataServices.ServicesMetaDataDispenser
Reg HKLM\SOFTWARE\Classes\CLSID\{FBD44B43-52CF-EDF3-2A14-9785820AB493}\[email protected] %SystemRoot%\System32\shell32.dll,-137
Reg HKLM\SOFTWARE\Classes\CLSID\{FBD44B43-52CF-EDF3-2A14-9785820AB493}\[email protected] shell32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{FBD44B43-52CF-EDF3-2A14-9785820AB493}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FBD44B43-52CF-EDF3-2A14-9785820AB493}\[email protected] 0
Reg HKLM\SOFTWARE\Classes\CLSID\{FBD44B43-52CF-EDF3-2A14-9785820AB493}\[email protected]
Reg HKLM\SOFTWARE\Classes\CLSID\{FBD44B43-52CF-EDF3-2A14-9785820AB493}\[email protected]

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB57337$\2469442358 0 bytes
File C:\WINDOWS\$NtUninstallKB57337$\2469442358\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB57337$\2469442358\bckfg.tmp 823 bytes
File C:\WINDOWS\$NtUninstallKB57337$\2469442358\cfg.ini 192 bytes
File C:\WINDOWS\$NtUninstallKB57337$\2469442358\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB57337$\2469442358\kwrd.dll 208896 bytes
File C:\WINDOWS\$NtUninstallKB57337$\2469442358\L 0 bytes
File C:\WINDOWS\$NtUninstallKB57337$\2469442358\L\bonspetl 64896 bytes
File C:\WINDOWS\$NtUninstallKB57337$\2469442358\lsflt7.ver 5175 bytes
File C:\WINDOWS\$NtUninstallKB57337$\2469442358\U 0 bytes
File C:\WINDOWS\$NtUninstallKB57337$\2469442358\U\[email protected] 2048 bytes
File C:\WINDOWS\$NtUninstallKB57337$\2469442358\U\[email protected] 209920 bytes
File C:\WINDOWS\$NtUninstallKB57337$\2469442358\U\[email protected] 1024 bytes
File C:\WINDOWS\$NtUninstallKB57337$\2469442358\U\[email protected] 71168 bytes
File C:\WINDOWS\$NtUninstallKB57337$\4202800072 0 bytes
File C:\WINDOWS\$NtUninstallKB8198$\2251990365 0 bytes
File C:\WINDOWS\$NtUninstallKB8198$\2469442358 0 bytes
File C:\WINDOWS\$NtUninstallKB8198$\2469442358\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB8198$\2469442358\bckfg.tmp 851 bytes
File C:\WINDOWS\$NtUninstallKB8198$\2469442358\cfg.ini 200 bytes
File C:\WINDOWS\$NtUninstallKB8198$\2469442358\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB8198$\2469442358\keywords 146 bytes
File C:\WINDOWS\$NtUninstallKB8198$\2469442358\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB8198$\2469442358\L 0 bytes
File C:\WINDOWS\$NtUninstallKB8198$\2469442358\L\bonspetl 453632 bytes
File C:\WINDOWS\$NtUninstallKB8198$\2469442358\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB8198$\2469442358\U 0 bytes
File C:\WINDOWS\$NtUninstallKB8198$\2469442358\U\[email protected] 2048 bytes
File C:\WINDOWS\$NtUninstallKB8198$\2469442358\U\[email protected] 224768 bytes
File C:\WINDOWS\$NtUninstallKB8198$\2469442358\U\[email protected] 1024 bytes
File C:\WINDOWS\$NtUninstallKB8198$\2469442358\U\[email protected] 1024 bytes
File C:\WINDOWS\$NtUninstallKB8198$\2469442358\U\[email protected] 12800 bytes
File C:\WINDOWS\$NtUninstallKB8198$\2469442358\U\[email protected] 98304 bytes

---- EOF - GMER 1.0.15 ----
 

valis

Moderator
Joined
Sep 24, 2004
Messages
78,159
heyya Big D......let me know if nobody picks this up, I'll flag someone down for ya. :)
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,470
You have ZeroAccess Rootkit infection, plus some very nasty friends that it has called in. Do the following:

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

Link 1
Link 2

  • Ensure that Combofix is saved directly to the Desktop <--- Very important

    Before saving Combofix to the Desktop re-name to Gotcha.exe as below:



  • Disable all security programs as they will have a negative effect on Combofix; instructions available Here if required. Be aware the list may not have all programs listed; if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available Here if required.
  • If you are using Windows XP it might display a pop-up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted)

Post the log in next reply please...

Why have you not updated to SP3, any specific reason?

Kevin
 

katonca

Thread Starter
Joined
Aug 9, 2004
Messages
13,674
Hi V, always good to see ya. :) Hope the upcoming holiday will treat you and yours well, and be a merry one.

Kevin, thank you for helping me with my problems. Right now I am on my other computer. I will be downloading Combofix shortly and running the process.

The computer is relatively new to me and has not been fully tweaked yet. SP3 will be installed ASAP after the infections are eliminated (unless you think it is necessary now).
 

katonca

Thread Starter
Joined
Aug 9, 2004
Messages
13,674
One thing to note is my auction computer (the one which is infected) says that it is running AVG 2012 free edition. I don't find any such program on my computer. I've checked (add/remove programs) on the control panel and (all programs) from the start button. All other security programs have been disabled as far as I can tell.

I've downloaded combofix and will be running it shortly.
 

flavallee

Frank
Trusted Advisor
Joined
May 12, 2002
Messages
83,146
If you've purchased that computer with all the problems and "debris" from its previous owner, what you really need to do is format the hard drive and do a clean reinstall of Windows XP SP3 and get a fresh start.

What's the model number of that HP Pavilion? If you don't know for sure, advise what the product number (P/N) on the sticker is.

-----------------------------------------------------
 

katonca

Thread Starter
Joined
Aug 9, 2004
Messages
13,674
Combofix advised not to run w/o disabling AVG 2012. I can't find this program or its files anywhere (C drive => Program Files).

This computer appears to be an assembled gamer's computer. There is no P/N on the case. As a matter of fact the case isn't a Pavilion case. I cancelled running the Combofix scan until advised to do so. I don't want to screw it up considering it says AVG is running.
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,470
Your computer is awash with malware; you also have ZeroAccess rootkit infection. It may very well be beneficial to reformat and re-install.
If you have no installation CD or recovery partition then the only option is to kill the rootkit and clear out all the malware. Combofix does deal with ZA very efficiently; obviously you must turn off your security. If you have no way of turning off AVG then give CF a try, accept the alert when prompted by CF......
 

katonca

Thread Starter
Joined
Aug 9, 2004
Messages
13,674
Thanks for the advice Kevin. This auction treasure didn't come with the CD and I've tried the recovery partition (non-existent). I'll give CF a try even though AVG is supposedly running. I'll post the result.
 

katonca

Thread Starter
Joined
Aug 9, 2004
Messages
13,674
Here is the Combofix log

ComboFix 11-12-09.02 - user 12/09/2011 13:30:58.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.735.517 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\Gotcha.exe
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Sunbelt Personal Firewall *Disabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\user\Application Data\alot
c:\documents and settings\user\WINDOWS
C:\install.exe
c:\program files\Common
c:\windows\$NtUninstallKB57337$
c:\windows\$NtUninstallKB57337$\2469442358\@
c:\windows\$NtUninstallKB57337$\2469442358\bckfg.tmp
c:\windows\$NtUninstallKB57337$\2469442358\cfg.ini
c:\windows\$NtUninstallKB57337$\2469442358\Desktop.ini
c:\windows\$NtUninstallKB57337$\2469442358\kwrd.dll
c:\windows\$NtUninstallKB57337$\2469442358\L\bonspetl
c:\windows\$NtUninstallKB57337$\2469442358\lsflt7.ver
c:\windows\$NtUninstallKB57337$\2469442358\U\[email protected]
c:\windows\$NtUninstallKB57337$\2469442358\U\[email protected]
c:\windows\$NtUninstallKB57337$\2469442358\U\[email protected]
c:\windows\$NtUninstallKB57337$\2469442358\U\[email protected]
c:\windows\$NtUninstallKB57337$\4202800072
c:\windows\$NtUninstallKB8198$\2251990365
c:\windows\$NtUninstallKB8198$\2469442358\@
c:\windows\$NtUninstallKB8198$\2469442358\bckfg.tmp
c:\windows\$NtUninstallKB8198$\2469442358\cfg.ini
c:\windows\$NtUninstallKB8198$\2469442358\Desktop.ini
c:\windows\$NtUninstallKB8198$\2469442358\keywords
c:\windows\$NtUninstallKB8198$\2469442358\kwrd.dll
c:\windows\$NtUninstallKB8198$\2469442358\L\bonspetl
c:\windows\$NtUninstallKB8198$\2469442358\lsflt7.ver
c:\windows\$NtUninstallKB8198$\2469442358\U\[email protected]
c:\windows\$NtUninstallKB8198$\2469442358\U\[email protected]
c:\windows\$NtUninstallKB8198$\2469442358\U\[email protected]
c:\windows\$NtUninstallKB8198$\2469442358\U\[email protected]
c:\windows\$NtUninstallKB8198$\2469442358\U\[email protected]
c:\windows\$NtUninstallKB8198$\2469442358\U\[email protected]
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\$NtUninstallKB8198$ . . . . Failed to delete
.
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\$NtServicePackUninstall$\proquota.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_9330b336
.
.
((((((((((((((((((((((((( Files Created from 2011-11-09 to 2011-12-09 )))))))))))))))))))))))))))))))
.
.
2011-12-09 18:49 . 2011-12-09 18:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-12-09 18:43 . 2004-08-04 12:00 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2011-12-09 18:43 . 2004-08-04 12:00 50176 ----a-w- c:\windows\system32\proquota.exe
2011-12-08 17:58 . 2011-12-08 17:58 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-12-07 21:09 . 2011-12-07 21:09 -------- d-----w- c:\documents and settings\user\Application Data\IObit
2011-12-07 21:03 . 2011-12-07 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-12-07 21:02 . 2011-12-07 21:09 -------- d-----w- c:\program files\IObit
2011-12-07 01:15 . 2011-12-07 01:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-07 01:15 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-05 23:01 . 2011-12-05 23:01 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-05 22:53 . 2011-12-06 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-12-05 14:57 . 2011-12-05 16:31 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Deployment
2011-12-04 14:20 . 2011-12-04 14:20 -------- d-----w- C:\VritualRoot
2011-12-04 01:37 . 2011-12-06 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\CPA_VA
2011-12-03 19:31 . 2011-12-07 01:47 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2011-12-03 19:22 . 2011-12-03 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2011-12-03 19:21 . 2011-12-03 19:21 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2011-12-03 19:21 . 2011-12-03 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2011-12-03 19:17 . 2011-12-03 19:17 -------- d-----w- c:\documents and settings\Administrator.HOME
2011-12-03 01:30 . 2011-12-03 01:30 -------- d-----w- c:\windows\system32\wbem\Repository
2011-11-22 19:19 . 2011-11-22 19:19 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-05 01:41 . 2011-10-05 01:41 784 ----a-w- c:\windows\trz17.tmp
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Privacy Suite Scheduler"="c:\program files\CyberScrub Privacy Suite\Launch.exe" [2008-07-29 45192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-09-01 53248]
"PCTVOICE"="pctspk.exe" [2003-12-18 180224]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-11-04 329096]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\user\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [N/A]
Play Wireless USB Adapter Utility.lnk - c:\program files\Belkin\F7D4101\V1\PBN.exe [2009-11-25 110592]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [9/23/2010 8:06 PM 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [6/21/2008 3:54 AM 66600]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/6/2011 8:15 PM 366152]
R2 SbPF.Launcher;SbPF.Launcher;c:\program files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [10/31/2008 6:24 AM 95528]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [10/31/2008 6:24 AM 1365288]
R3 BCMH43XX;N+ Wireless USB Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [11/6/2009 7:26 AM 642432]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/6/2011 8:15 PM 22216]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [9/23/2010 8:06 PM 65576]
S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [9/23/2010 2:32 PM 816672]
S3 getPlus(R) Installer;getPlus(R) Installer;c:\program files\NOS\bin\getPlus_HelperSvc.exe [9/29/2008 7:10 AM 59552]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 7:00 AM 14336]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v3.sys --> c:\windows\system32\DRIVERS\wg111v3.sys [?]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toast.net/start/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
Trusted Zone: att.net
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com
TCP: Interfaces\{C77F4508-1F9C-4CF9-8B97-C3242D6E1741}: NameServer = 4.2.2.2,4.2.2.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxp://go2boss.amvonet.com/lms/3.2.1/moodle/screenshare//DesktopShare.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\q4cvij8e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.toast.net/start/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: XUL Cache: {43a853c6-1e29-4b13-a860-1ed94ceb81c3} - %profile%\extensions\{43a853c6-1e29-4b13-a860-1ed94ceb81c3}
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
HKCU-Run-Privacy Suite RiskMonitor - (no file)
HKLM-Run-Cmaudio - cmicnfg.cpl
AddRemove-The Sims - c:\program files\Maxis\The Sims\Uninst.isu
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-09 13:49
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(612)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'explorer.exe'(1960)
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\Sunbelt Software\Personal Firewall\SbPFCl.exe
c:\windows\system32\VTTimer.exe
c:\windows\system32\pctspk.exe
c:\program files\SpywareGuard\sgbhp.exe
c:\program files\CyberScrub Privacy Suite\scheduler.exe
.
**************************************************************************
.
Completion time: 2011-12-09 14:00:07 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-09 19:00
.
Pre-Run: 64,399,319,040 bytes free
Post-Run: 64,656,588,800 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 3A4D8C278504FD1B603C790BC00F3B36
 

valis

Moderator
Joined
Sep 24, 2004
Messages
78,159
ick. :) And that's my professional opinion.

Glad I'm subscribed to this; I like to watch Kevin do his stuff. Never met a zero-access he couldn't destroy, that's my opinion.
 