
Trojan:Win32/Alureon.FE and its accompanying bother

Discussion in 'Virus & Other Malware Removal' started by Dr_Hfuhruhurr, Nov 7, 2011.

  1. Dr_Hfuhruhurr

    Dr_Hfuhruhurr Thread Starter

    Joined:
    Jul 10, 2010
    Messages:
    17
    Hi guys, I think I've picked up something nasty online this morning. The above item was flagged up by my AV program, and since then I can't log on as Administrator, the browser redirects, and the computer runs much, much slower than usual. I ran MalwareBytes scans in Normal and Safe modes and use Microsoft Security Essentials as antivirus protection, and none have flagged anything up. I've run a HijackThis scan and TSG SysInfo and will post the results below; any help would be massively appreciated. Thanks in advance.
    Running XP SP3 on a Packard Bell laptop.
    Tech Support Guy System Info Utility version 1.0.0.2
    OS Version: Microsoft Windows XP Professional, Service Pack 3, 32 bit
    Processor: Intel(R) Core(TM)2 CPU T5200 @ 1.60GHz, x86 Family 6 Model 15 Stepping 6
    Processor Count: 2
    RAM: 1014 Mb
    Graphics Card: Mobile Intel(R) 945GM Express Chipset Family, 128 Mb
    Hard Drives: C: Total - 144624 MB, Free - 57151 MB; G: Total - 953634 MB, Free - 292315 MB;
    Motherboard: PACKARD BELL BV, CH2
    Antivirus: Microsoft Security Essentials, Updated: Yes, On-Demand Scanner: Enabled
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:30:28, on 07/11/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\lxddcoms.exe
    C:\Program Files\CDBurnerXP\NMSAccessU.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\ping.exe
    C:\WINDOWS\TEMP\adhuyy\setup.exe
    C:\DOCUME~1\User\LOCALS~1\Temp\tmpd6984b3a.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101703&gct=&gc=1&q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [{FF1D83B3-F1BB-4268-BA2A-85724544C14F}] "C:\Documents and Settings\User\Application Data\Ummowo\egeq.exe"
    O4 - HKLM\..\Policies\Explorer\Run: [Mpk.exe] C:\Program Files\KGB\Mpk.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - .DEFAULT User Startup: laziqy.exe (User 'Default user')
    O4 - Startup: TalkTalk Diagnostic Reporting Tool.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: AMService - Unknown owner - C:\WINDOWS\TEMP\adhuyy\setup.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
    O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
    O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe

    --
    End of file - 7713 bytes
     
  2. Dr_Hfuhruhurr

    Having read the sticky above, I ran the DDS and GMER programs and got the following reports. Thanks again guys:
    DDS:
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Run by User at 17:05:32 on 2011-11-07
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.391 [GMT 0:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    svchost.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\lxddcoms.exe
    C:\Program Files\CDBurnerXP\NMSAccessU.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\KGB\Mpk.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\dllhost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [{FF1D83B3-F1BB-4268-BA2A-85724544C14F}] "c:\documents and settings\user\application data\ummowo\egeq.exe"
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    dRunOnce: [RunNarrator] Narrator.exe
    dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
    mExplorerRun: [Mpk.exe] c:\program files\kgb\Mpk.exe
    StartupFolder: c:\documents and settings\user\start menu\programs\startup\TalkTalk Diagnostic Reporting Tool.exe
    uPolicies-explorer: NoDesktop = 1 (0x1)
    uPolicies-system: DisableTaskMgr = 1 (0x1)
    mPolicies-system: DisableTaskMgr = 1 (0x1)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    LSP: mswsock.dll
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
    TCP: Interfaces\{114F6ADA-835E-46A1-9436-8D201983FE5D} : DhcpNameServer = 192.168.1.1 192.168.1.1
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\ecrsiagn.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2612669&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
    FF - prefs.js: keyword.URL - http:/www.google.co.uk/search?hl=en-GB&q=
    FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\ecrsiagn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\ecrsiagn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
    FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\ecrsiagn.default\extensions\{ca4eedb3-5719-4e27-a478-8d13f761c28d}\components\RadioWMPCoreGecko19.dll
    FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\ecrsiagn.default\extensions\[email protected]\platform\winnt_x86-msvc\components\lpxpcom.dll
    FF - plugin: c:\documents and settings\user\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\user\application data\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\user\application data\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 165648]
    R1 MpKsl887dd22c;MpKsl887dd22c;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{96cc462f-2d88-4655-a339-a05948c964e9}\MpKsl887dd22c.sys [2011-11-7 28752]
    R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 MyPort;Myport;c:\windows\system32\drivers\MyPort.sys [2006-11-7 2127]
    R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2010-6-20 9472]
    S1 gfppapfa;gfppapfa;\??\c:\windows\system32\drivers\gfppapfa.sys --> c:\windows\system32\drivers\gfppapfa.sys [?]
    S1 MpKsl33f93f97;MpKsl33f93f97;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3e796051-a775-4588-be59-2b665173a36b}\mpksl33f93f97.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3e796051-a775-4588-be59-2b665173a36b}\MpKsl33f93f97.sys [?]
    S1 MpKsl388355cb;MpKsl388355cb;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{96cc462f-2d88-4655-a339-a05948c964e9}\mpksl388355cb.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{96cc462f-2d88-4655-a339-a05948c964e9}\MpKsl388355cb.sys [?]
    S1 MpKsl3d4abc23;MpKsl3d4abc23;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f6131274-29a6-4a53-9505-9e2bb1be6ae4}\mpksl3d4abc23.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f6131274-29a6-4a53-9505-9e2bb1be6ae4}\MpKsl3d4abc23.sys [?]
    S1 MpKsl4cfd3d70;MpKsl4cfd3d70;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2679bf0b-342a-4181-b461-e4d11d0b1929}\mpksl4cfd3d70.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2679bf0b-342a-4181-b461-e4d11d0b1929}\MpKsl4cfd3d70.sys [?]
    S1 MpKsl54c3dec7;MpKsl54c3dec7;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{17041669-c35d-4d96-aaa6-796a6d3438aa}\mpksl54c3dec7.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{17041669-c35d-4d96-aaa6-796a6d3438aa}\MpKsl54c3dec7.sys [?]
    S1 MpKsl677a99d7;MpKsl677a99d7;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9886e45a-1361-434e-8bd0-7821ae3d4fc4}\mpksl677a99d7.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9886e45a-1361-434e-8bd0-7821ae3d4fc4}\MpKsl677a99d7.sys [?]
    S1 MpKsl6d2a8641;MpKsl6d2a8641;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8dd7ea24-a49b-4312-8370-7a574eaa6cd1}\mpksl6d2a8641.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8dd7ea24-a49b-4312-8370-7a574eaa6cd1}\MpKsl6d2a8641.sys [?]
    S1 MpKsl7fac141c;MpKsl7fac141c;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6c529a9d-dcfb-48f8-8206-7a92d8d8d94c}\mpksl7fac141c.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6c529a9d-dcfb-48f8-8206-7a92d8d8d94c}\MpKsl7fac141c.sys [?]
    S1 MpKsl8b12b195;MpKsl8b12b195;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ff359c3b-261f-4e5f-9c8b-394e4c941f01}\mpksl8b12b195.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ff359c3b-261f-4e5f-9c8b-394e4c941f01}\MpKsl8b12b195.sys [?]
    S1 MpKsla06e061f;MpKsla06e061f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f9766469-d6ce-4d35-80f1-36a7362c6470}\mpksla06e061f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f9766469-d6ce-4d35-80f1-36a7362c6470}\MpKsla06e061f.sys [?]
    S1 MpKsla1e8ec3e;MpKsla1e8ec3e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{193580f4-c3ff-4d68-a2d9-a367c46201ad}\mpksla1e8ec3e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{193580f4-c3ff-4d68-a2d9-a367c46201ad}\MpKsla1e8ec3e.sys [?]
    S1 MpKsla49e07bd;MpKsla49e07bd;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0f20fe75-6411-4141-a5e0-3b0cfbff8a48}\mpksla49e07bd.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0f20fe75-6411-4141-a5e0-3b0cfbff8a48}\MpKsla49e07bd.sys [?]
    S1 MpKslc6364741;MpKslc6364741;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{af2c16d7-8615-4112-a866-edd1d852f19d}\mpkslc6364741.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{af2c16d7-8615-4112-a866-edd1d852f19d}\MpKslc6364741.sys [?]
    S1 MpKsld241d2f2;MpKsld241d2f2;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4e1b0cb4-ed4b-4ef7-8db6-71c1635e714e}\mpksld241d2f2.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4e1b0cb4-ed4b-4ef7-8db6-71c1635e714e}\MpKsld241d2f2.sys [?]
    S1 MpKsld53b1329;MpKsld53b1329;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{61b72680-a348-495b-8638-6c8ae49783f9}\mpksld53b1329.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{61b72680-a348-495b-8638-6c8ae49783f9}\MpKsld53b1329.sys [?]
    S1 MpKslde2db56c;MpKslde2db56c;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5cc03c43-fdf6-4e8c-915e-f2481a146067}\mpkslde2db56c.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5cc03c43-fdf6-4e8c-915e-f2481a146067}\MpKslde2db56c.sys [?]
    S1 MpKsle42e9b0c;MpKsle42e9b0c;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6044208f-584b-4da4-98e1-cff3518c2a7e}\mpksle42e9b0c.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6044208f-584b-4da4-98e1-cff3518c2a7e}\MpKsle42e9b0c.sys [?]
    S1 MpKsle8367e5d;MpKsle8367e5d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{df36b1de-d0a4-4042-aa29-563d801d416c}\mpksle8367e5d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{df36b1de-d0a4-4042-aa29-563d801d416c}\MpKsle8367e5d.sys [?]
    S1 MpKsle93802b1;MpKsle93802b1;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3bbf7068-fee9-443f-9074-cd67ba5b66ec}\mpksle93802b1.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3bbf7068-fee9-443f-9074-cd67ba5b66ec}\MpKsle93802b1.sys [?]
    S1 MpKslec80f60a;MpKslec80f60a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{163ea009-2c21-423e-ae33-55a387d1b8ca}\mpkslec80f60a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{163ea009-2c21-423e-ae33-55a387d1b8ca}\MpKslec80f60a.sys [?]
    S1 MpKslf23b2868;MpKslf23b2868;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a4f42f6f-a286-4fcf-b8b6-16bd1233507e}\mpkslf23b2868.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a4f42f6f-a286-4fcf-b8b6-16bd1233507e}\MpKslf23b2868.sys [?]
    S1 MpKslf43d1c4f;MpKslf43d1c4f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{cea191a3-d4f1-4f8b-a977-a465f7c207d3}\mpkslf43d1c4f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{cea191a3-d4f1-4f8b-a977-a465f7c207d3}\MpKslf43d1c4f.sys [?]
    S1 MpKslf6f75a62;MpKslf6f75a62;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a82d3148-e2e6-4514-a495-7d4b034001c8}\mpkslf6f75a62.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a82d3148-e2e6-4514-a495-7d4b034001c8}\MpKslf6f75a62.sys [?]
    S1 MpKslf710390a;MpKslf710390a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fab64744-fc02-4b34-9969-1c7abbb7be57}\mpkslf710390a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fab64744-fc02-4b34-9969-1c7abbb7be57}\MpKslf710390a.sys [?]
    S1 MpKslfea09deb;MpKslfea09deb;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4220c803-9825-48c5-83f7-a6981c44baac}\mpkslfea09deb.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4220c803-9825-48c5-83f7-a6981c44baac}\MpKslfea09deb.sys [?]
    S2 AMService;AMService;c:\windows\temp\adhuyy\setup.exe run --> c:\windows\temp\adhuyy\setup.exe run [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-2 136176]
    S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2009-12-29 99248]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-2 136176]
    S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2010-9-25 24576]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-4-23 41272]
    S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2009-12-15 27064]
    .
    =============== Created Last 30 ================
    .
    2011-11-07 16:57:52 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{96cc462f-2d88-4655-a339-a05948c964e9}\MpKsl887dd22c.sys
    2011-11-07 16:57:37 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{96cc462f-2d88-4655-a339-a05948c964e9}\offreg.dll
    2011-11-07 15:18:52 -------- d-----w- c:\documents and settings\user\application data\Ummowo
    2011-11-07 15:18:52 -------- d-----w- c:\documents and settings\user\application data\Ecuci
    2011-11-07 11:46:07 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{96cc462f-2d88-4655-a339-a05948c964e9}\MpKsle3e8e07d.sys
    2011-11-07 10:51:05 6881616 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2011-11-07 10:50:33 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{96cc462f-2d88-4655-a339-a05948c964e9}\mpengine.dll
    2011-10-22 11:16:05 -------- d-----w- c:\program files\iPod
    2011-10-22 11:09:33 -------- d-----w- c:\program files\Bonjour
    .
    ==================== Find3M ====================
    .
    2011-11-07 11:59:43 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-10-25 16:39:27 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-26 10:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 10:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-31 17:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-30 22:05:04 83816 ----a-w- c:\windows\system32\dns-sd.exe
    2011-08-30 22:05:04 73064 ----a-w- c:\windows\system32\dnssd.dll
    2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
    2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2006-05-03 11:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
    2007-02-21 12:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
    2008-03-16 14:30:52 216064 --sha-r- c:\windows\system32\nbDX.dll
    .
    ============= FINISH: 17:06:50.67 ===============

    I've attached the other file.

    And the ark.txt file will follow in a bit. Cheers
     


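Added triage example (editor's addition, not part of the poster's logs or of DDS/GMER): a small Python script that parses DDS-style listing lines and flags the three things a responder would check first in a listing like the one above. Seven lines are copied verbatim from the post as constructed sample input. The script flags hidden+system files in system32, directories created directly under a user's Application Data on the day of the incident, and entries in the recent-changes (Find3M) section whose shown modification time is years older than the three-month window. The attribute-letter meanings (d, s, h, a, r/w), the scan time taken from the FINISH stamp, the incident day and the 92-day threshold are assumptions, not anything the thread states, and a hit means "look at this", not "this is malware".

```python
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional

# Seven lines copied verbatim from the DDS listing in the post above, used here
# as constructed sample input. The parser assumes DDS's fixed layout:
#   <YYYY-MM-DD HH:MM:SS> <size, or -------- for a directory> <8-char attribute field> <path>
SAMPLE_LISTING = r"""
2011-11-07 15:18:52 -------- d-----w- c:\documents and settings\user\application data\Ummowo
2011-11-07 15:18:52 -------- d-----w- c:\documents and settings\user\application data\Ecuci
2011-10-22 11:16:05 -------- d-----w- c:\program files\iPod
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2006-05-03 11:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 12:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 14:30:52 216064 --sha-r- c:\windows\system32\nbDX.dll
"""

# Assumed context, taken from the log's own dates: the FINISH stamp is 17:06:50 on
# 7 Nov 2011 and the poster reported the alert the same day.
SCAN_TIME = datetime(2011, 11, 7, 17, 6, 50)
INCIDENT_DAY = date(2011, 11, 7)
FIND3M_WINDOW = timedelta(days=92)   # the Find3M section lists "last three months"

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S{8})\s+(.+?)\s*$")
# A directory sitting directly under <profile>\Application Data (Windows XP layout).
APPDATA_CHILD_RE = re.compile(
    r"^c:\\documents and settings\\[^\\]+\\application data\\[^\\]+$", re.IGNORECASE)
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Entry:
    when: datetime
    size: Optional[int]   # None for directories (DDS prints --------)
    attrs: str            # assumed letters: d=directory, s=system, h=hidden, a=archive, r/w=read-only/writable
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden_system(self) -> bool:
        return "s" in self.attrs and "h" in self.attrs


def parse_listing(text: str) -> List[Entry]:
    """Parse DDS listing lines; lines that do not match the layout are skipped."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, size, attrs, path = m.groups()
        entries.append(Entry(
            when=datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            size=None if size.startswith("-") else int(size),
            attrs=attrs,
            path=path,
        ))
    return entries


def triage(entries: List[Entry],
           scan_time: datetime = SCAN_TIME,
           incident_day: date = INCIDENT_DAY,
           recent_window: timedelta = FIND3M_WINDOW) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for entries a responder should look at first."""
    findings: Dict[str, List[str]] = {}

    def flag(entry: Entry, reason: str) -> None:
        findings.setdefault(entry.path, []).append(reason)

    for e in entries:
        low = e.path.lower()
        # 1. Hidden+system files in system32: a few OS files are, third-party DLLs rarely.
        if e.hidden_system and not e.is_dir and low.startswith(SYSTEM32):
            flag(e, "hidden+system file in system32")
        # 2. A new directory directly under a user's Application Data on the incident day.
        if e.is_dir and APPDATA_CHILD_RE.match(e.path) and e.when.date() == incident_day:
            flag(e, "directory created under Application Data on incident day")
        # 3. Listed as recently changed, yet the shown modification time is far older than the
        #    window: check for timestamp manipulation (or a recently copied old file).
        if scan_time - e.when > recent_window:
            flag(e, "modification time predates the recent-changes window")
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_listing(SAMPLE_LISTING)).items():
        print(path + "\n    " + "; ".join(reasons))
```

Run against the sample, the script leaves crypt32.dll and the iPod folder alone and returns the two Application Data folders plus the three DLLs, the latter each carrying both the hidden+system and the stale-timestamp reason. Checking those paths against a clean reference machine is the next step; the script only orders the work.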
  3. Dr_Hfuhruhurr (Thread Starter)

    And here's the GMER log:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-11-07 20:57:25
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ST9160821A rev.3.ALA
    Running: r2csjq4g.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\pwroipob.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF64CFDBF]
    ? C:\WINDOWS\system32\DRIVERS\redbook.sys suspicious PE modification
    ? C:\DOCUME~1\User\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[1164] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01ED000A
    .text C:\WINDOWS\System32\svchost.exe[1164] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 01EE000A
    .text C:\WINDOWS\System32\svchost.exe[1164] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 01EC000C
    .text C:\WINDOWS\Explorer.EXE[2964] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02FA000A
    .text C:\WINDOWS\Explorer.EXE[2964] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0301000A
    .text C:\WINDOWS\Explorer.EXE[2964] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 02F9000C
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 02F6FD90
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!GetDC 7E4186C7 5 Bytes JMP 02F6FD12
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 02F6D143
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!GetWindowDC 7E419021 5 Bytes JMP 02F6FD51
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!GetMessageW 7E4191C6 5 Bytes JMP 02F748C1
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!PeekMessageW 7E41929B 5 Bytes JMP 02F74911
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!GetCapture 7E4194DA 5 Bytes JMP 02F74822
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!RegisterClassW 7E41A39A 5 Bytes JMP 02F7D73C
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!RegisterClassExW 7E41AF7F 5 Bytes JMP 02F7D7D6
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!OpenInputDesktop 7E41ECA3 5 Bytes JMP 02F7D3CA
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!SwitchDesktop 7E41FE6E 5 Bytes JMP 02F7D41A
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!DefDlgProcW 7E423D3A 5 Bytes JMP 02F7D4C4
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!GetMessageA 7E42772B 5 Bytes JMP 02F748E9
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!RegisterClassExA 7E427C39 5 Bytes JMP 02F7D828
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!DefWindowProcW 7E428D20 5 Bytes JMP 02F7D438
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!BeginPaint 7E428FE9 5 Bytes JMP 02F6FC07
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!EndPaint 7E428FFD 5 Bytes JMP 02F6FC77
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 02F746F4
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!GetMessagePos 7E42996C 5 Bytes JMP 02F746C2
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 02F7D66E
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!PeekMessageA 7E42A340 5 Bytes JMP 02F7493C
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!GetUpdateRect 7E42A8C9 2 Bytes JMP 02F6FDD0
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!GetUpdateRect + 3 7E42A8CC 2 Bytes [B4, 84] {MOV AH, 0x84}
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 02F7D6B7
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!DefWindowProcA 7E42C17E 5 Bytes JMP 02F7D47E
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!SetCapture 7E42C35E 5 Bytes JMP 02F74778
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!ReleaseCapture 7E42C37A 5 Bytes JMP 02F747D2
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!GetDCEx 7E42C595 5 Bytes JMP 02F6FCB7
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!RegisterClassA 7E42EA5E 5 Bytes JMP 02F7D789
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!GetUpdateRgn 7E42F5EC 5 Bytes JMP 02F6FE63
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!DefFrameProcW 7E430833 5 Bytes JMP 02F7D550
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!DefMDIChildProcW 7E430A47 5 Bytes JMP 02F7D5E2
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 02F6D2A9
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!DefDlgProcA 7E43E577 5 Bytes JMP 02F7D50A
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!DefFrameProcA 7E44F965 5 Bytes JMP 02F7D599
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!DefMDIChildProcA 7E44F9B4 5 Bytes JMP 02F7D628
    .text C:\WINDOWS\Explorer.EXE[2964] USER32.dll!SetCursorPos 7E4561B3 5 Bytes JMP 02F7473B
    .text C:\WINDOWS\Explorer.EXE[2964] CRYPT32.dll!PFXImportCertStore 77AEFF87 5 Bytes JMP 02F7B2EC
    .text C:\Program Files\KGB\Mpk.exe[3248] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 01D33BCD
    .text C:\Program Files\KGB\Mpk.exe[3248] ntdll.dll!NtQuerySystemInformation 7C90D92E 3 Bytes [68, E0, 1A]
    .text C:\Program Files\KGB\Mpk.exe[3248] ntdll.dll!NtQuerySystemInformation + 4 7C90D932 2 Bytes [10, C3] {ADC BL, AL}
    .text C:\Program Files\KGB\Mpk.exe[3248] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01D33DAD
    .text C:\Program Files\KGB\Mpk.exe[3248] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 01D33E4F
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!ReleaseDC 7E41869D 5 Bytes JMP 01D2FD90
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!GetDC 7E4186C7 5 Bytes JMP 01D2FD12
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 01D2D143
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!GetWindowDC 7E419021 5 Bytes JMP 01D2FD51
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!GetMessageW 7E4191C6 5 Bytes JMP 01D348C1
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!PeekMessageW 7E41929B 5 Bytes JMP 01D34911
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!GetCapture 7E4194DA 5 Bytes JMP 01D34822
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!RegisterClassW 7E41A39A 5 Bytes JMP 01D3D73C
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!RegisterClassExW 7E41AF7F 5 Bytes JMP 01D3D7D6
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!OpenInputDesktop 7E41ECA3 5 Bytes JMP 01D3D3CA
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!SwitchDesktop 7E41FE6E 5 Bytes JMP 01D3D41A
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!DefDlgProcW 7E423D3A 5 Bytes JMP 01D3D4C4
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!GetMessageA 7E42772B 5 Bytes JMP 01D348E9
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!RegisterClassExA 7E427C39 5 Bytes JMP 01D3D828
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!DefWindowProcW 7E428D20 5 Bytes JMP 01D3D438
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!BeginPaint 7E428FE9 5 Bytes JMP 01D2FC07
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!EndPaint 7E428FFD 5 Bytes JMP 01D2FC77
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01D346F4
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!GetMessagePos 7E42996C 5 Bytes JMP 01D346C2
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 01D3D66E
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!PeekMessageA 7E42A340 5 Bytes JMP 01D3493C
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!GetUpdateRect 7E42A8C9 2 Bytes JMP 01D2FDD0
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!GetUpdateRect + 3 7E42A8CC 2 Bytes [90, 83]
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 01D3D6B7
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!DefWindowProcA 7E42C17E 5 Bytes JMP 01D3D47E
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!SetCapture 7E42C35E 5 Bytes JMP 01D34778
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!ReleaseCapture 7E42C37A 5 Bytes JMP 01D347D2
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!GetDCEx 7E42C595 5 Bytes JMP 01D2FCB7
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!RegisterClassA 7E42EA5E 5 Bytes JMP 01D3D789
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!GetUpdateRgn 7E42F5EC 5 Bytes JMP 01D2FE63
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!DefFrameProcW 7E430833 5 Bytes JMP 01D3D550
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!DefMDIChildProcW 7E430A47 5 Bytes JMP 01D3D5E2
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 01D2D2A9
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!DefDlgProcA 7E43E577 5 Bytes JMP 01D3D50A
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!DefFrameProcA 7E44F965 5 Bytes JMP 01D3D599
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!DefMDIChildProcA 7E44F9B4 5 Bytes JMP 01D3D628
    .text C:\Program Files\KGB\Mpk.exe[3248] user32.dll!SetCursorPos 7E4561B3 5 Bytes JMP 01D3473B
    .text C:\Program Files\KGB\Mpk.exe[3248] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01D29A43
    .text C:\Program Files\KGB\Mpk.exe[3248] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01D29A7B
    .text C:\Program Files\KGB\Mpk.exe[3248] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01D29A9C
    .text C:\Program Files\KGB\Mpk.exe[3248] CRYPT32.dll!PFXImportCertStore 77AEFF87 5 Bytes JMP 01D3B2EC
    .text C:\Program Files\KGB\Mpk.exe[3248] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 01D2A9CD
    .text C:\Program Files\KGB\Mpk.exe[3248] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 01D2AA82
    .text C:\Program Files\KGB\Mpk.exe[3248] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 01D2A98A
    .text C:\Program Files\KGB\Mpk.exe[3248] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 01D2AA56
    .text C:\Program Files\KGB\Mpk.exe[3248] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01D2A7AA
    .text C:\Program Files\KGB\Mpk.exe[3248] WININET.dll!HttpSendRequestA 3D95EE91 5 Bytes JMP 01D2A7FE
    .text C:\Program Files\KGB\Mpk.exe[3248] WININET.dll!InternetReadFileExA 3D963261 5 Bytes JMP 01D2AA0C
    .text C:\Program Files\KGB\Mpk.exe[3248] WININET.dll!HttpSendRequestExA 3D9BA65A 5 Bytes JMP 01D2A8EE
    .text C:\Program Files\KGB\Mpk.exe[3248] WININET.dll!HttpSendRequestExW 3D9BA6B3 5 Bytes JMP 01D2A852
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 012E3BCD
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] ntdll.dll!NtQuerySystemInformation 7C90D92E 6 Bytes PUSH 01291AE0; RET C:\Program Files\KGB\MPK.dll
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 012E3DAD
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 012E3E4F
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 012DFD90
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!GetDC 7E4186C7 5 Bytes JMP 012DFD12
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 012DD143
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!GetWindowDC 7E419021 5 Bytes JMP 012DFD51
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!GetMessageW 7E4191C6 5 Bytes JMP 012E48C1
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!PeekMessageW 7E41929B 5 Bytes JMP 012E4911
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!GetCapture 7E4194DA 5 Bytes JMP 012E4822
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!RegisterClassW 7E41A39A 5 Bytes JMP 012ED73C
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!RegisterClassExW 7E41AF7F 5 Bytes JMP 012ED7D6
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!OpenInputDesktop 7E41ECA3 5 Bytes JMP 012ED3CA
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!SwitchDesktop 7E41FE6E 5 Bytes JMP 012ED41A
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!DefDlgProcW 7E423D3A 5 Bytes JMP 012ED4C4
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!GetMessageA 7E42772B 5 Bytes JMP 012E48E9
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!RegisterClassExA 7E427C39 5 Bytes JMP 012ED828
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!DefWindowProcW 7E428D20 5 Bytes JMP 012ED438
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!BeginPaint 7E428FE9 5 Bytes JMP 012DFC07
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!EndPaint 7E428FFD 5 Bytes JMP 012DFC77
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 012E46F4
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!GetMessagePos 7E42996C 5 Bytes JMP 012E46C2
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 012ED66E
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!PeekMessageA 7E42A340 5 Bytes JMP 012E493C
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!GetUpdateRect 7E42A8C9 2 Bytes JMP 012DFDD0
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!GetUpdateRect + 3 7E42A8CC 2 Bytes [EB, 82] {JMP 0xffffffffffffff84}
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 012ED6B7
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!DefWindowProcA 7E42C17E 5 Bytes JMP 012ED47E
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!SetCapture 7E42C35E 5 Bytes JMP 012E4778
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!ReleaseCapture 7E42C37A 5 Bytes JMP 012E47D2
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!GetDCEx 7E42C595 5 Bytes JMP 012DFCB7
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!RegisterClassA 7E42EA5E 5 Bytes JMP 012ED789
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!GetUpdateRgn 7E42F5EC 5 Bytes JMP 012DFE63
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!DefFrameProcW 7E430833 5 Bytes JMP 012ED550
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!DefMDIChildProcW 7E430A47 5 Bytes JMP 012ED5E2
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 012DD2A9
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!DefDlgProcA 7E43E577 5 Bytes JMP 012ED50A
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!DefFrameProcA 7E44F965 5 Bytes JMP 012ED599
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!DefMDIChildProcA 7E44F9B4 5 Bytes JMP 012ED628
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] USER32.dll!SetCursorPos 7E4561B3 5 Bytes JMP 012E473B
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 012D9A43
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012D9A7B
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 012D9A9C
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] CRYPT32.dll!PFXImportCertStore 77AEFF87 5 Bytes JMP 012EB2EC
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 012DA9CD
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 012DAA82
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 012DA98A
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 012DAA56
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 012DA7AA
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] WININET.dll!HttpSendRequestA 3D95EE91 5 Bytes JMP 012DA7FE
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] WININET.dll!InternetReadFileExA 3D963261 5 Bytes JMP 012DAA0C
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] WININET.dll!HttpSendRequestExA 3D9BA65A 5 Bytes JMP 012DA8EE
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3256] WININET.dll!HttpSendRequestExW 3D9BA6B3 5 Bytes JMP 012DA852
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00893BCD
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] ntdll.dll!NtQuerySystemInformation 7C90D92E 3 Bytes [68, E0, 1A]
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] ntdll.dll!NtQuerySystemInformation + 4 7C90D932 2 Bytes [10, C3] {ADC BL, AL}
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00893DAD
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 00893E4F
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 0088FD90
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!GetDC 7E4186C7 5 Bytes JMP 0088FD12
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0088D143
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!GetWindowDC 7E419021 5 Bytes JMP 0088FD51
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!GetMessageW 7E4191C6 5 Bytes JMP 008948C1
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!PeekMessageW 7E41929B 5 Bytes JMP 00894911
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!GetCapture 7E4194DA 3 Bytes JMP 00894822
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!GetCapture + 4 7E4194DE 1 Byte [82]
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!RegisterClassW 7E41A39A 5 Bytes JMP 0089D73C
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!RegisterClassExW 7E41AF7F 5 Bytes JMP 0089D7D6
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!OpenInputDesktop 7E41ECA3 5 Bytes JMP 0089D3CA
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!SwitchDesktop 7E41FE6E 5 Bytes JMP 0089D41A
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!DefDlgProcW 7E423D3A 5 Bytes JMP 0089D4C4
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!GetMessageA 7E42772B 5 Bytes JMP 008948E9
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!RegisterClassExA 7E427C39 5 Bytes JMP 0089D828
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!DefWindowProcW 7E428D20 5 Bytes JMP 0089D438
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!BeginPaint 7E428FE9 5 Bytes JMP 0088FC07
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!EndPaint 7E428FFD 5 Bytes JMP 0088FC77
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 008946F4
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!GetMessagePos 7E42996C 5 Bytes JMP 008946C2
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 0089D66E
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!PeekMessageA 7E42A340 5 Bytes JMP 0089493C
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!GetUpdateRect 7E42A8C9 2 Bytes JMP 0088FDD0
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!GetUpdateRect + 3 7E42A8CC 2 Bytes [46, 82]
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 0089D6B7
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!DefWindowProcA 7E42C17E 5 Bytes JMP 0089D47E
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!SetCapture 7E42C35E 5 Bytes JMP 00894778
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!ReleaseCapture 7E42C37A 5 Bytes JMP 008947D2
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!GetDCEx 7E42C595 5 Bytes JMP 0088FCB7
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!RegisterClassA 7E42EA5E 5 Bytes JMP 0089D789
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!GetUpdateRgn 7E42F5EC 5 Bytes JMP 0088FE63
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!DefFrameProcW 7E430833 5 Bytes JMP 0089D550
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!DefMDIChildProcW 7E430A47 5 Bytes JMP 0089D5E2
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 0088D2A9
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!DefDlgProcA 7E43E577 5 Bytes JMP 0089D50A
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!DefFrameProcA 7E44F965 5 Bytes JMP 0089D599
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!DefMDIChildProcA 7E44F9B4 5 Bytes JMP 0089D628
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] USER32.dll!SetCursorPos 7E4561B3 5 Bytes JMP 0089473B
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00889A43
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00889A7B
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00889A9C
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] CRYPT32.dll!PFXImportCertStore 77AEFF87 5 Bytes JMP 0089B2EC
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 0088A9CD
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 0088AA82
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 0088A98A
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 0088AA56
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 0088A7AA
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] WININET.dll!HttpSendRequestA 3D95EE91 5 Bytes JMP 0088A7FE
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] WININET.dll!InternetReadFileExA 3D963261 5 Bytes JMP 0088AA0C
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] WININET.dll!HttpSendRequestExA 3D9BA65A 5 Bytes JMP 0088A8EE
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3276] WININET.dll!HttpSendRequestExW 3D9BA6B3 5 Bytes JMP 0088A852
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 01B43BCD
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] ntdll.dll!NtQuerySystemInformation 7C90D92E 6 Bytes PUSH 01841AE0; RET C:\Program Files\KGB\MPK.dll
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01B43DAD
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 01B43E4F
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] CRYPT32.dll!PFXImportCertStore 77AEFF87 5 Bytes JMP 01B4B2EC
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 01B3FD90
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!GetDC 7E4186C7 5 Bytes JMP 01B3FD12
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 01B3D143
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!GetWindowDC 7E419021 5 Bytes JMP 01B3FD51
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!GetMessageW 7E4191C6 5 Bytes JMP 01B448C1
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!PeekMessageW 7E41929B 5 Bytes JMP 01B44911
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!GetCapture 7E4194DA 5 Bytes JMP 01B44822
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!RegisterClassW 7E41A39A 5 Bytes JMP 01B4D73C
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!RegisterClassExW 7E41AF7F 5 Bytes JMP 01B4D7D6
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!OpenInputDesktop 7E41ECA3 5 Bytes JMP 01B4D3CA
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!SwitchDesktop 7E41FE6E 5 Bytes JMP 01B4D41A
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!DefDlgProcW 7E423D3A 5 Bytes JMP 01B4D4C4
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!GetMessageA 7E42772B 5 Bytes JMP 01B448E9
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!RegisterClassExA 7E427C39 5 Bytes JMP 01B4D828
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!DefWindowProcW 7E428D20 5 Bytes JMP 01B4D438
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!BeginPaint 7E428FE9 5 Bytes JMP 01B3FC07
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!EndPaint 7E428FFD 5 Bytes JMP 01B3FC77
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01B446F4
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!GetMessagePos 7E42996C 5 Bytes JMP 01B446C2
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 01B4D66E
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!PeekMessageA 7E42A340 5 Bytes JMP 01B4493C
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!GetUpdateRect 7E42A8C9 2 Bytes JMP 01B3FDD0
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!GetUpdateRect + 3 7E42A8CC 2 Bytes [71, 83] {JNO 0xffffffffffffff85}
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 01B4D6B7
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!DefWindowProcA 7E42C17E 5 Bytes JMP 01B4D47E
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!SetCapture 7E42C35E 5 Bytes JMP 01B44778
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!ReleaseCapture 7E42C37A 5 Bytes JMP 01B447D2
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!GetDCEx 7E42C595 5 Bytes JMP 01B3FCB7
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!RegisterClassA 7E42EA5E 5 Bytes JMP 01B4D789
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!GetUpdateRgn 7E42F5EC 5 Bytes JMP 01B3FE63
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!DefFrameProcW 7E430833 5 Bytes JMP 01B4D550
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!DefMDIChildProcW 7E430A47 5 Bytes JMP 01B4D5E2
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 01B3D2A9
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!DefDlgProcA 7E43E577 5 Bytes JMP 01B4D50A
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!DefFrameProcA 7E44F965 5 Bytes JMP 01B4D599
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!DefMDIChildProcA 7E44F9B4 5 Bytes JMP 01B4D628
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] USER32.dll!SetCursorPos 7E4561B3 5 Bytes JMP 01B4473B
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 01B3A9CD
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 01B3AA82
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 01B3A98A
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 01B3AA56
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01B3A7AA
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] WININET.dll!HttpSendRequestA 3D95EE91 5 Bytes JMP 01B3A7FE
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] WININET.dll!InternetReadFileExA 3D963261 5 Bytes JMP 01B3AA0C
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] WININET.dll!HttpSendRequestExA 3D9BA65A 5 Bytes JMP 01B3A8EE
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] WININET.dll!HttpSendRequestExW 3D9BA6B3 5 Bytes JMP 01B3A852
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01B39A43
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01B39A7B
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3292] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01B39A9C
    .text C:\WINDOWS\system32\ctfmon.exe[3424] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00C13BCD
    .text C:\WINDOWS\system32\ctfmon.exe[3424] ntdll.dll!NtQuerySystemInformation 7C90D92E 3 Bytes [68, E0, 1A]
    .text C:\WINDOWS\system32\ctfmon.exe[3424] ntdll.dll!NtQuerySystemInformation + 4 7C90D932 2 Bytes [10, C3] {ADC BL, AL}
    .text C:\WINDOWS\system32\ctfmon.exe[3424] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00C13DAD
    .text C:\WINDOWS\system32\ctfmon.exe[3424] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 00C13E4F
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 00C0FD90
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!GetDC 7E4186C7 5 Bytes JMP 00C0FD12
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 00C0D143
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!GetWindowDC 7E419021 5 Bytes JMP 00C0FD51
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!GetMessageW 7E4191C6 5 Bytes JMP 00C148C1
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!PeekMessageW 7E41929B 5 Bytes JMP 00C14911
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!GetCapture 7E4194DA 5 Bytes JMP 00C14822
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!RegisterClassW 7E41A39A 5 Bytes JMP 00C1D73C
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!RegisterClassExW 7E41AF7F 5 Bytes JMP 00C1D7D6
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!OpenInputDesktop 7E41ECA3 5 Bytes JMP 00C1D3CA
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!SwitchDesktop 7E41FE6E 5 Bytes JMP 00C1D41A
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!DefDlgProcW 7E423D3A 5 Bytes JMP 00C1D4C4
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!GetMessageA 7E42772B 5 Bytes JMP 00C148E9
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!RegisterClassExA 7E427C39 5 Bytes JMP 00C1D828
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!DefWindowProcW 7E428D20 5 Bytes JMP 00C1D438
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!BeginPaint 7E428FE9 5 Bytes JMP 00C0FC07
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!EndPaint 7E428FFD 5 Bytes JMP 00C0FC77
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00C146F4
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!GetMessagePos 7E42996C 5 Bytes JMP 00C146C2
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 00C1D66E
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!PeekMessageA 7E42A340 5 Bytes JMP 00C1493C
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!GetUpdateRect 7E42A8C9 2 Bytes JMP 00C0FDD0
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!GetUpdateRect + 3 7E42A8CC 2 Bytes [7E, 82] {JLE 0xffffffffffffff84}
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 00C1D6B7
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!DefWindowProcA 7E42C17E 5 Bytes JMP 00C1D47E
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!SetCapture 7E42C35E 5 Bytes JMP 00C14778
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!ReleaseCapture 7E42C37A 5 Bytes JMP 00C147D2
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!GetDCEx 7E42C595 5 Bytes JMP 00C0FCB7
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!RegisterClassA 7E42EA5E 5 Bytes JMP 00C1D789
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!GetUpdateRgn 7E42F5EC 5 Bytes JMP 00C0FE63
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!DefFrameProcW 7E430833 5 Bytes JMP 00C1D550
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!DefMDIChildProcW 7E430A47 5 Bytes JMP 00C1D5E2
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 00C0D2A9
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!DefDlgProcA 7E43E577 5 Bytes JMP 00C1D50A
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!DefFrameProcA 7E44F965 5 Bytes JMP 00C1D599
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!DefMDIChildProcA 7E44F9B4 5 Bytes JMP 00C1D628
    .text C:\WINDOWS\system32\ctfmon.exe[3424] USER32.dll!SetCursorPos 7E4561B3 5 Bytes JMP 00C1473B
    .text C:\WINDOWS\system32\ctfmon.exe[3424] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C09A43
    .text C:\WINDOWS\system32\ctfmon.exe[3424] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C09A7B
    .text C:\WINDOWS\system32\ctfmon.exe[3424] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C09A9C
    .text C:\WINDOWS\system32\ctfmon.exe[3424] CRYPT32.dll!PFXImportCertStore 77AEFF87 5 Bytes JMP 00C1B2EC
    .text C:\WINDOWS\system32\ctfmon.exe[3424] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00C0A9CD
    .text C:\WINDOWS\system32\ctfmon.exe[3424] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 00C0AA82
    .text C:\WINDOWS\system32\ctfmon.exe[3424] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00C0A98A
    .text C:\WINDOWS\system32\ctfmon.exe[3424] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 00C0AA56
    .text C:\WINDOWS\system32\ctfmon.exe[3424] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00C0A7AA
    .text C:\WINDOWS\system32\ctfmon.exe[3424] WININET.dll!HttpSendRequestA 3D95EE91 5 Bytes JMP 00C0A7FE
    .text C:\WINDOWS\system32\ctfmon.exe[3424] WININET.dll!InternetReadFileExA 3D963261 5 Bytes JMP 00C0AA0C
    .text C:\WINDOWS\system32\ctfmon.exe[3424] WININET.dll!HttpSendRequestExA 3D9BA65A 5 Bytes JMP 00C0A8EE
    .text C:\WINDOWS\system32\ctfmon.exe[3424] WININET.dll!HttpSendRequestExW 3D9BA6B3 5 Bytes JMP 00C0A852
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 01383BCD
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] ntdll.dll!NtQuerySystemInformation 7C90D92E 3 Bytes [68, E0, 1A]
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] ntdll.dll!NtQuerySystemInformation + 4 7C90D932 2 Bytes [10, C3] {ADC BL, AL}
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01383DAD
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 01383E4F
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 0137FD90
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!GetDC 7E4186C7 5 Bytes JMP 0137FD12
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0137D143
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!GetWindowDC 7E419021 5 Bytes JMP 0137FD51
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!GetMessageW 7E4191C6 5 Bytes JMP 013848C1
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!PeekMessageW 7E41929B 5 Bytes JMP 01384911
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!GetCapture 7E4194DA 5 Bytes JMP 01384822
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!RegisterClassW 7E41A39A 5 Bytes JMP 0138D73C
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!RegisterClassExW 7E41AF7F 5 Bytes JMP 0138D7D6
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!OpenInputDesktop 7E41ECA3 5 Bytes JMP 0138D3CA
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!SwitchDesktop 7E41FE6E 5 Bytes JMP 0138D41A
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!DefDlgProcW 7E423D3A 5 Bytes JMP 0138D4C4
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!GetMessageA 7E42772B 5 Bytes JMP 013848E9
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!RegisterClassExA 7E427C39 5 Bytes JMP 0138D828
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!DefWindowProcW 7E428D20 5 Bytes JMP 0138D438
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!BeginPaint 7E428FE9 5 Bytes JMP 0137FC07
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!EndPaint 7E428FFD 5 Bytes JMP 0137FC77
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 013846F4
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!GetMessagePos 7E42996C 5 Bytes JMP 013846C2
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!CallWindowProcW 7E42A01E 5 Bytes JMP 0138D66E
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!PeekMessageA 7E42A340 5 Bytes JMP 0138493C
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!GetUpdateRect 7E42A8C9 2 Bytes JMP 0137FDD0
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!GetUpdateRect + 3 7E42A8CC 2 Bytes [F5, 82]
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!CallWindowProcA 7E42A97D 5 Bytes JMP 0138D6B7
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!DefWindowProcA 7E42C17E 5 Bytes JMP 0138D47E
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!SetCapture 7E42C35E 5 Bytes JMP 01384778
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!ReleaseCapture 7E42C37A 5 Bytes JMP 013847D2
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!GetDCEx 7E42C595 5 Bytes JMP 0137FCB7
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!RegisterClassA 7E42EA5E 5 Bytes JMP 0138D789
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!GetUpdateRgn 7E42F5EC 5 Bytes JMP 0137FE63
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!DefFrameProcW 7E430833 5 Bytes JMP 0138D550
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!DefMDIChildProcW 7E430A47 5 Bytes JMP 0138D5E2
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 0137D2A9
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!DefDlgProcA 7E43E577 5 Bytes JMP 0138D50A
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!DefFrameProcA 7E44F965 5 Bytes JMP 0138D599
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!DefMDIChildProcA 7E44F9B4 5 Bytes JMP 0138D628
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] USER32.dll!SetCursorPos 7E4561B3 5 Bytes JMP 0138473B
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01379A43
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01379A7B
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01379A9C
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] CRYPT32.dll!PFXImportCertStore 77AEFF87 5 Bytes JMP 0138B2EC
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 0137A9CD
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 0137AA82
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 0137A98A
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 0137AA56
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 0137A7AA
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] WININET.dll!HttpSendRequestA 3D95EE91 5 Bytes JMP 0137A7FE
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] WININET.dll!InternetReadFileExA 3D963261 5 Bytes JMP 0137AA0C
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] WININET.dll!HttpSendRequestExA 3D9BA65A 5 Bytes JMP 0137A8EE
    .text C:\Documents and Settings\User\Desktop\r2csjq4g.exe[3580] WININET.dll!HttpSendRequestExW 3D9BA6B3 5 Bytes JMP 0137A852

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Modules - GMER 1.0.15 ----

    Module (noname) (*** hidden *** ) F645C000-F647B000 (126976 bytes)

    ---- Processes - GMER 1.0.15 ----

    Process C:\Program Files\KGB\Mpk.exe (*** hidden *** ) 3248

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060d184de
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\[email protected] 0x12 0x7D 0xBD 0x1F ...
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001060d184de (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\[email protected] 0x12 0x7D 0xBD 0x1F ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{17841D80-6155-AAB0-A6EF-5E5959A3A69D}

    ---- Files - GMER 1.0.15 ----

    File C:\Documents and Settings\NetworkService\Cookies\M9ELAS9D.txt 481 bytes
    File C:\Documents and Settings\NetworkService\Cookies\Y7Q8ANQR.txt 0 bytes
    File C:\Documents and Settings\NetworkService\Cookies\9B47HDGR.txt 0 bytes
    File C:\Documents and Settings\NetworkService\Cookies\RQLH4RP0.txt 0 bytes
    File C:\Documents and Settings\NetworkService\Cookies\51G1IKXW.txt 0 bytes
    File C:\Documents and Settings\NetworkService\Cookies\HQR3DI3C.txt 0 bytes
    File C:\Documents and Settings\NetworkService\Cookies\ZUZL1AH5.txt 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4812TWCI\s[1].htm 413 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4812TWCI\sp-skins_005_1320614641[1].jpg 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4812TWCI\4773[1].htm 458 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4812TWCI\6t8Noa6-Yq4[1].jpg 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4812TWCI\background_gradient[1] 453 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4812TWCI\fontSizeCookie[1].js 1946 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4812TWCI\bkgd-input[1].jpg 330 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4812TWCI\q[2] 1795 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4812TWCI\q[3] 309 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4812TWCI\adsCAV4AM0I 1258 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4812TWCI\icon-sprite-carousel-pagination-tabbed-footer[1].png 4100 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4812TWCI\iframe3CA5HCN1Q.htm 1827 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4812TWCI\Penn_St_Ex_Coach_Allegations_Football_09893[1].jpg 21429 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4812TWCI\250458[1].xml 241 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4812TWCI\trailers_5[1].xml 9272 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4812TWCI\spcConV[1].php 17302 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4812TWCI\statsnew[2].xml 240 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4812TWCI\ajs[5].php 0 bytes
    File C:\WINDOWS\$NtUninstallKB38186$\2425695388 0 bytes
    File C:\WINDOWS\$NtUninstallKB38186$\463048371 0 bytes
    File C:\WINDOWS\$NtUninstallKB38186$\463048371\@ 2048 bytes
    File C:\WINDOWS\$NtUninstallKB38186$\463048371\bckfg.tmp 814 bytes
    File C:\WINDOWS\$NtUninstallKB38186$\463048371\cfg.ini 178 bytes
    File C:\WINDOWS\$NtUninstallKB38186$\463048371\Desktop.ini 4608 bytes
    File C:\WINDOWS\$NtUninstallKB38186$\463048371\keywords 0 bytes
    File C:\WINDOWS\$NtUninstallKB38186$\463048371\kwrd.dll 208896 bytes
    File C:\WINDOWS\$NtUninstallKB38186$\463048371\L 0 bytes
    File C:\WINDOWS\$NtUninstallKB38186$\463048371\L\ceqhhore 57600 bytes
    File C:\WINDOWS\$NtUninstallKB38186$\463048371\U 0 bytes
    File C:\WINDOWS\$NtUninstallKB38186$\463048371\U\[email protected] 1536 bytes
    File C:\WINDOWS\$NtUninstallKB38186$\463048371\U\[email protected] 209920 bytes
    File C:\WINDOWS\$NtUninstallKB38186$\463048371\U\[email protected] 1024 bytes
    File C:\WINDOWS\$NtUninstallKB38186$\463048371\U\[email protected] 1024 bytes
    File C:\WINDOWS\$NtUninstallKB38186$\463048371\U\[email protected] 12800 bytes
    File C:\WINDOWS\$NtUninstallKB38186$\463048371\U\[email protected] 95744 bytes

    ---- EOF - GMER 1.0.15 ----

    Thanks again
     
Short URL to this thread: https://techguy.org/1025834