
Virus Warning - what do I do

Discussion in 'Virus & Other Malware Removal' started by hez21, Feb 12, 2013.

hez21 (Thread Starter)
    VIRUS WARNING

    Hi, I am a complete novice at all this, so please bear with me :p My computer is coming up with a virus warning - but not all the time - and after a while of this warning coming up my computer runs very slow. Also, when I get onto the internet and into, say, Facebook, it will let me in, but to do anything from there, like go to a game, it just comes up with blank screens or sometimes says Internet Explorer can't find this page. When this happens it will also let me into, say, Hotmail; I can open some emails but not others, and if I want to respond to or delete some it won't let me. It also will not let me get into any banking or go to any other www. sites. After doing a virus scan last night this is what I got - C:\windows\AutoKMS.exe\AutoKMS.exe - a variant of WIN32\HackKMS.B - unable to clean.

    Please find attachments

    Tech Support Guy System Info Utility version 1.0.0.2
    OS Version: Microsoft Windows 7 Home Premium, Service Pack 1, 64 bit
    Processor: AMD A6-3410MX APU with Radeon(tm) HD Graphics, AMD64 Family 18 Model 1 Stepping 0
    Processor Count: 4
    RAM: 7658 Mb
    Graphics Card: AMD Radeon HD 6750M, 1024 Mb
    Hard Drives: C: Total - 697790 MB, Free - 591289 MB; D: Total - 17309 MB, Free - 1895 MB;
    Motherboard: Hewlett-Packard, 1807
    Antivirus: ESET NOD32 Antivirus 5.0, Updated and Enabled


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:21:37 AM, on 13/02/2013
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v9.00 (9.00.8112.16457)
    Boot mode: Normal
    Running processes:
    C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Windows\SysWOW64\RunDll32.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
    C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files (x86)\Telstra\BigPond Wireless Broadband 2.13.16\BigPond_CM.exe
    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe
    C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
    C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe
    C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe
    C:\Program Files (x86)\Telstra\BigPond Wireless Broadband 2.13.16\SwiApiMux.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Heather\Desktop\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.jp.msn.com/HPALL/14
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.telstra.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.jp.msn.com/HPALL/14
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.jp.msn.com/HPALL/14
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Telstra BigPond Home Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: TSBHO Class - {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
    O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" (file missing)
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe
    O4 - HKLM\..\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
    O4 - HKLM\..\Run: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [HTC Sync Loader] "C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [BigPondWirelessBroadbandCM] "C:\Program Files (x86)\Telstra\BigPond Wireless Broadband 2.13.16\BigPond_CM.exe" -tsr
    O4 - HKLM\..\Run: [NBAgent] "C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE -startup
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - Global Startup: Bluetooth.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
    O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
    O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: @C:\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204 (file missing)
    O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204 (file missing)
    O9 - Extra button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Royal Vegas Flash Casino - {41ae269d-89a6-495c-a00c-a4c5be5d0285} - https://royalvegas2.gameassists.co....&sext2=demo&ul=en&theme=royalvegas&variant=eu (file missing) (HKCU)
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Program Files\IDT\WDM\AESTSr64.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
    O23 - Service: AMD FUEL Service - Advanced Micro Devices, Inc. - C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: TrueSuiteService (FPLService) - HP - C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe
    O23 - Service: GamesAppService - WildTangent, Inc. - C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe
    O23 - Service: HP Support Assistant Service - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
    O23 - Service: HP Client Services (HPClientSvc) - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
    O23 - Service: HP Connection Manager 4.0 Service (hpCMSrv) - Hewlett-Packard Development Company L.P. - C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe
    O23 - Service: HP Quick Synchronization Service (HPDrvMntSvc.exe) - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
    O23 - Service: HP Software Framework Service (hpqwmiex) - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
    O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe (file missing)
    O23 - Service: HPWMISVC - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
    O23 - Service: IconMan_R - Realsil Microelectronics Inc. - C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @C:\Program Files (x86)\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - C:\Program Files (x86)\Nero\Update\NASvc.exe
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Internet Pass-Through Service (PassThru Service) - Unknown owner - C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
    O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\stlang64.dll,-10101 (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV64.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
    --
    End of file - 15455 bytes

    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 9.0.8112.16457
    Run by Heather at 11:27:07 on 2013-02-13
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.7659.5437 [GMT 11:00]
    .
    AV: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    SP: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Program Files\IDT\WDM\STacSV64.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\Hpservice.exe
    C:\Windows\system32\atieclxx.exe
    C:\Windows\System32\WUDFHost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k WbioSvcGroup
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files\IDT\WDM\AESTSr64.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
    C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
    C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
    C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
    C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
    C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
    C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\IDT\WDM\sttray64.exe
    C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Windows\SysWOW64\RunDll32.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
    C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files (x86)\Telstra\BigPond Wireless Broadband 2.13.16\BigPond_CM.exe
    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe
    C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpConnectionManager.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
    C:\Program Files (x86)\Nero\Update\NASvc.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe
    C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe
    C:\Program Files (x86)\Telstra\BigPond Wireless Broadband 2.13.16\SwiApiMux.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Heather\Desktop\HijackThis.exe
    C:\Windows\SysWOW64\NOTEPAD.EXE
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://ninemsn.com.au/
    uWindow Title = Telstra BigPond Home Internet Explorer
    uSearch Page = hxxp://www.telstra.com/
    mWinlogon: Userinit = userinit.exe
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: TrueSuite Website Log On: {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
    BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
    uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe
    mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
    mRun: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [HTC Sync Loader] "C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [BigPondWirelessBroadbandCM] "C:\Program Files (x86)\Telstra\BigPond Wireless Broadband 2.13.16\BigPond_CM.exe" -tsr
    mRun: [NBAgent] "C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart
    mRun: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE -startup
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-Explorer: NoActiveDesktopChanges = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableLUA = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    mPolicies-System: PromptOnSecureDesktop = dword:0
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
    IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    TCP: NameServer = 61.9.194.49 61.9.207.1
    TCP: Interfaces\{32ECDBEE-4ADA-4CAD-89CE-BC1F32CE78B8} : DHCPNameServer = 172.168.11.12
    TCP: Interfaces\{7BAF7D9A-124C-4972-BA7B-37F3F19F1EC3} : DHCPNameServer = 192.168.1.1
    TCP: Interfaces\{806225BA-AE25-45D9-BD16-E0F932A3BEC4} : DHCPNameServer = 61.9.194.49 61.9.207.1
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    SSODL: WebCheck - <orphaned>
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
    x64-BHO: TrueSuite Website Log On: {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files (x86)\HP SimplePass 2011\x64\IEBHO.dll
    x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
    x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
    x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
    x64-Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
    x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
    x64-IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    x64-DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
    x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
    x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
    x64-SSODL: WebCheck - <orphaned>
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 amd_sata;amd_sata;C:\Windows\System32\drivers\amd_sata.sys [2011-4-16 79488]
    R0 amd_xata;amd_xata;C:\Windows\System32\drivers\amd_xata.sys [2011-4-16 40064]
    R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2012-12-30 89600]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-4-2 204288]
    R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-4-2 365568]
    R2 eamonm;eamonm;C:\Windows\System32\drivers\eamonm.sys [2011-8-9 202576]
    R2 ekrn;ESET Service;C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2011-9-22 974944]
    R2 epfwwfpr;epfwwfpr;C:\Windows\System32\drivers\epfwwfpr.sys [2011-8-4 137144]
    R2 FPLService;TrueSuiteService;C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe [2011-2-18 265544]
    R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-9-9 86072]
    R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
    R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]
    R2 hpsrv;HP Service;C:\Windows\System32\hpservice.exe [2012-4-25 31000]
    R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-10 26680]
    R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-10-11 2375168]
    R2 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2010-3-25 490280]
    R2 PassThru Service;Internet Pass-Through Service;C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2012-3-23 87040]
    R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-1-31 3289208]
    R3 amdhub30;AMD USB 3.0 Hub Driver;C:\Windows\System32\drivers\amdhub30.sys [2011-3-18 87168]
    R3 amdiox64;AMD IO Driver;C:\Windows\System32\drivers\amdiox64.sys [2011-10-11 46136]
    R3 amdxhc;AMD USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\amdxhc.sys [2011-3-18 188544]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2010-11-18 115216]
    R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\System32\drivers\clwvd.sys [2010-7-29 31088]
    R3 hpCMSrv;HP Connection Manager 4.0 Service;C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [2011-2-16 1071160]
    R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\System32\drivers\RtsPStor.sys [2011-10-11 337512]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-10-11 428136]
    R3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);C:\Windows\System32\drivers\swnc8ua3.sys [2009-3-20 219136]
    R3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);C:\Windows\System32\drivers\swumxa3.sys [2009-3-20 195456]
    R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2011-10-11 47232]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-19 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-19 138576]
    S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-11-9 160944]
    S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-3-2 183560]
    S3 btwampfl;Bluetooth AMP USB Filter;C:\Windows\System32\drivers\btwampfl.sys [2011-10-11 344616]
    S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2011-10-11 39464]
    S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-13 206072]
    S3 HTCAND64;HTC Device Driver;C:\Windows\System32\drivers\ANDROIDUSB.sys [2009-11-1 33736]
    S3 htcnprot;HTC NDIS Protocol Driver;C:\Windows\System32\drivers\htcnprot.sys [2010-6-25 36928]
    S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-14 292864]
    S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-14 1485312]
    S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-14 740864]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-4-22 1255736]
    S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-23 57184]
    .
    =============== Created Last 30 ================
    .
    2013-02-12 07:56:21 9161176 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E8E64109-58E9-4A7A-B370-50373059A843}\mpengine.dll
    2013-02-12 07:55:48 -------- d-----w- C:\ProgramData\Synaptics
    .
    ==================== Find3M ====================
    .
    2013-02-12 08:51:53 151552 ----a-w- C:\Windows\KMSEmulator.exe
    2013-02-08 12:30:51 74096 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-02-08 12:30:51 697712 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2013-01-16 14:28:58 273840 ------w- C:\Windows\System32\MpSigStub.exe
    2012-12-30 10:04:21 95544 ----a-w- C:\Windows\System32\bcmwlcoi.dll
    2012-12-30 10:04:21 6656 ----a-w- C:\Windows\System32\bcmwlrc.dll
    2012-12-30 10:04:20 4747840 ----a-w- C:\Windows\System32\drivers\BCMWL664.SYS
    2012-12-30 10:04:20 3952640 ----a-w- C:\Windows\System32\bcmihvsrv64.dll
    2012-12-30 10:04:20 3617792 ----a-w- C:\Windows\System32\bcmihvui64.dll
    2012-12-16 17:11:22 46080 ----a-w- C:\Windows\System32\atmlib.dll
    2012-12-16 14:45:03 367616 ----a-w- C:\Windows\System32\atmfd.dll
    2012-12-16 14:13:28 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
    2012-12-16 14:13:20 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
    2012-12-07 13:20:16 441856 ----a-w- C:\Windows\System32\Wpc.dll
    2012-12-07 13:15:31 2746368 ----a-w- C:\Windows\System32\gameux.dll
    2012-12-07 12:26:17 308736 ----a-w- C:\Windows\SysWow64\Wpc.dll
    2012-12-07 12:20:43 2576384 ----a-w- C:\Windows\SysWow64\gameux.dll
    2012-12-07 11:20:04 30720 ----a-w- C:\Windows\System32\usk.rs
    2012-12-07 11:20:03 43520 ----a-w- C:\Windows\System32\csrr.rs
    2012-12-07 11:20:03 23552 ----a-w- C:\Windows\System32\oflc.rs
    2012-12-07 11:20:01 45568 ----a-w- C:\Windows\System32\oflc-nz.rs
    2012-12-07 11:20:01 44544 ----a-w- C:\Windows\System32\pegibbfc.rs
    2012-12-07 11:20:01 20480 ----a-w- C:\Windows\System32\pegi-fi.rs
    2012-12-07 11:20:00 20480 ----a-w- C:\Windows\System32\pegi-pt.rs
    2012-12-07 11:19:59 20480 ----a-w- C:\Windows\System32\pegi.rs
    2012-12-07 11:19:58 46592 ----a-w- C:\Windows\System32\fpb.rs
    2012-12-07 11:19:57 40960 ----a-w- C:\Windows\System32\cob-au.rs
    2012-12-07 11:19:57 21504 ----a-w- C:\Windows\System32\grb.rs
    2012-12-07 11:19:57 15360 ----a-w- C:\Windows\System32\djctq.rs
    2012-12-07 11:19:56 55296 ----a-w- C:\Windows\System32\cero.rs
    2012-12-07 11:19:55 51712 ----a-w- C:\Windows\System32\esrb.rs
    2012-11-30 05:45:35 362496 ----a-w- C:\Windows\System32\wow64win.dll
    2012-11-30 05:45:35 243200 ----a-w- C:\Windows\System32\wow64.dll
    2012-11-30 05:45:35 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
    2012-11-30 05:45:14 215040 ----a-w- C:\Windows\System32\winsrv.dll
    2012-11-30 05:43:12 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
    2012-11-30 05:41:07 424448 ----a-w- C:\Windows\System32\KernelBase.dll
    2012-11-30 04:54:00 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
    2012-11-30 04:53:59 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
    2012-11-30 03:23:48 338432 ----a-w- C:\Windows\System32\conhost.exe
    2012-11-30 02:44:06 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
    2012-11-30 02:44:04 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
    2012-11-30 02:44:04 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
    2012-11-30 02:44:03 2048 ----a-w- C:\Windows\SysWow64\user.exe
    2012-11-30 02:38:59 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
    2012-11-30 02:38:59 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
    2012-11-30 02:38:59 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
    2012-11-30 02:38:59 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
    2012-11-23 03:26:31 3149824 ----a-w- C:\Windows\System32\win32k.sys
    2012-11-23 03:13:57 68608 ----a-w- C:\Windows\System32\taskhost.exe
    2012-11-22 05:44:23 800768 ----a-w- C:\Windows\System32\usp10.dll
    2012-11-22 04:45:03 626688 ----a-w- C:\Windows\SysWow64\usp10.dll
    2012-11-20 05:48:49 307200 ----a-w- C:\Windows\System32\ncrypt.dll
    2012-11-20 04:51:09 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll
    .
    ============= FINISH: 11:27:36.66 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 19/04/2012 5:54:42 PM
    System Uptime: 13/02/2013 6:51:33 AM (5 hours ago)
    .
    Motherboard: Hewlett-Packard | | 1807
    Processor: AMD A6-3410MX APU with Radeon(tm) HD Graphics | Socket FS1 | 1600/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 681 GiB total, 577.495 GiB free.
    D: is FIXED (NTFS) - 17 GiB total, 1.851 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP125: 2/01/2013 3:14:11 PM - Windows Update
    RP126: 2/01/2013 4:25:12 PM - Windows Update
    RP127: 5/01/2013 4:50:02 PM - Windows Update
    RP128: 10/01/2013 4:41:15 PM - Windows Update
    RP129: 11/01/2013 11:02:03 AM - Windows Update
    RP130: 16/01/2013 11:48:57 AM - Windows Update
    RP131: 19/01/2013 1:11:43 PM - Windows Update
    RP132: 23/01/2013 2:25:24 PM - Windows Update
    RP133: 30/01/2013 1:56:18 PM - Windows Update
    RP134: 2/02/2013 3:25:33 PM - Windows Update
    RP135: 6/02/2013 10:27:35 AM - Windows Update
    RP136: 9/02/2013 6:47:00 PM - Windows Update
    RP137: 12/02/2013 6:55:38 PM - Windows Update
    .
    ==== Installed Programs ======================
    .
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Reader X (10.1.4)
    Adobe Shockwave Player 11.5
    Agatha Christie - Peril at End House
    AMD APP SDK Runtime
    AMD Fuel
    AMD System Monitor
    AMD VISION Engine Control Center
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI Catalyst Install Manager
    AuthenTec TrueAPI
    Bejeweled 2 Deluxe
    Bejeweled 3
    BigPond Wireless Broadband 2.13.16
    Bing Bar
    Blackhawk Striker 2
    Blasterball 3
    Bonjour
    BookWorm Deluxe 1.0y
    Bounce Symphony
    Broadcom 2070 Bluetooth 3.0
    Broadcom 802.11 Wireless LAN Adapter
    Build-a-lot 2
    Cake Mania
    Canon MOV Decoder
    Canon Utilities CameraWindow
    Canon Utilities CameraWindow DC
    Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
    Canon Utilities MyCamera
    Canon Utilities MyCamera DC
    Canon Utilities PhotoStitch
    Canon Utilities RemoteCapture Task for ZoomBrowser EX
    Canon Utilities ZoomBrowser EX
    Canon ZoomBrowser EX Memory Card Utility
    Casinoval.Au
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization All
    ccc-utility64
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    Chuzzle Deluxe
    Cradle Of Persia
    CyberLink YouCam
    D3DX10
    Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    Diner Dash 2 Restaurant Rescue
    Dora's World Adventure
    Energy Star Digital Logo
    ESET NOD32 Antivirus
    ESU for Microsoft Windows 7
    Evernote v. 4.2.2
    Farm Frenzy
    FATE - The Traitor Soul
    Final Drive Nitro
    Hewlett-Packard ACLM.NET v1.1.2.0
    Hexic Deluxe
    High-Definition Video Playback 10
    Hoyle Card Games 2011 (remove only)
    Hoyle Puzzle and Board Games 2011 (remove only)
    HP 3D DriveGuard
    HP Auto
    HP Client Services
    HP Connection Manager
    HP Customer Experience Enhancements
    HP Documentation
    HP DVB-T TV Tuner 8.0.64.43
    HP Games
    HP On Screen Display
    HP Power Manager
    HP Quick Launch
    HP Setup
    HP Setup Manager
    HP SimplePass 2011
    HP Software Framework
    HP Support Assistant
    HTC BMP USB Driver
    HTC Driver Installer
    HTC Sync
    IDT Audio
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 24
    Java(TM) 6 Update 24 (64-bit)
    Jewel Quest 2
    Jewel Quest Heritage 1.00
    Jewel Quest Mysteries
    Jewel Quest Mysteries 2 Trail of the Midnight Heart (remove only)
    Jewel Quest Solitaire (remove only)
    Junk Mail filter update
    LightScribe System Software
    Mah Jong Medley
    Mah Jong Quest
    Mesh Runtime
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Application Error Reporting
    Microsoft Office 2010 Service Pack 1 (SP1)
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Home and Student 2010
    Microsoft Office Office 64-bit Components 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared 64-bit MUI (English) 2010
    Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Single Image 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Primary Interoperability Assemblies 2005
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
    MSVCRT
    MSVCRT_amd64
    MSXML 4.0 SP3 Parser
    MSXML 4.0 SP3 Parser (KB2721691)
    MSXML 4.0 SP3 Parser (KB2758694)
    MSXML 4.0 SP3 Parser (KB973685)
    Myst Masterpiece Edition
    Mystery P.I. - Stolen in San Francisco
    Namco All-Stars PAC-MAN
    Nero 10 Menu TemplatePack Basic
    Nero 10 Movie ThemePack Basic
    Nero BackItUp 10
    Nero BackItUp 10 Help (CHM)
    Nero Burning ROM 10
    Nero BurningROM 10 Help (CHM)
    Nero BurnRights 10
    Nero BurnRights 10 Help (CHM)
    Nero Control Center 10
    Nero ControlCenter 10 Help (CHM)
    Nero Core Components 10
    Nero CoverDesigner 10
    Nero CoverDesigner 10 Help (CHM)
    Nero DiscSpeed 10
    Nero DiscSpeed 10 Help (CHM)
    Nero Dolby Files 10
    Nero Express 10
    Nero Express 10 Help (CHM)
    Nero InfoTool 10
    Nero InfoTool 10 Help (CHM)
    Nero MediaHub 10
    Nero MediaHub 10 Help (CHM)
    Nero Multimedia Suite 10
    Nero Recode 10
    Nero Recode 10 Help (CHM)
    Nero RescueAgent 10
    Nero RescueAgent 10 Help (CHM)
    Nero SoundTrax 10
    Nero SoundTrax 10 Help (CHM)
    Nero StartSmart 10
    Nero StartSmart 10 Help (CHM)
    Nero Update
    Nero Vision 10
    Nero Vision 10 Help (CHM)
    Nero WaveEditor 10
    Nero WaveEditor 10 Help (CHM)
    Penguins!
    Plants vs. Zombies - Game of the Year
    Poker Superstars III
    Polar Bowler
    Polar Golfer
    PowerISO
    QuickTime
    Realtek Ethernet Controller Driver
    Realtek PCIE Card Reader
    Recovery Manager
    Sacred
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
    Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
    Security Update for Microsoft Excel 2010 (KB2597126) 32-Bit Edition
    Security Update for Microsoft InfoPath 2010 (KB2687417) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2553091)
    Security Update for Microsoft Office 2010 (KB2553096)
    Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2597986) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2687501) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition
    Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
    Security Update for Microsoft Visio Viewer 2010 (KB2598287) 32-Bit Edition
    Security Update for Microsoft Word 2010 (KB2760410) 32-Bit Edition
    Skype Click to Call
    Skype™ 6.0
    Slingo Supreme
    Synaptics Pointing Device Driver
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2600217)
    Update for Microsoft Office 2010 (KB2553065)
    Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2566458)
    Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition
    Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
    Update for Microsoft OneNote 2010 (KB2687277) 32-Bit Edition
    Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
    Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
    Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition
    Update Installer for WildTangent Games App
    Validity WBF DDK
    Virtual Villagers 4 - The Tree of Life
    Vuze
    WildTangent Games App (HP Games)
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Language Selector
    Windows Live Mail
    Windows Live Mesh
    Windows Live Mesh ActiveX Control for Remote Connections
    Windows Live Messenger
    Windows Live MIME IFilter
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live Remote Client
    Windows Live Remote Client Resources
    Windows Live Remote Service
    Windows Live Remote Service Resources
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    WinRAR archiver
    WMV9/VC-1 Video Playback
    Zuma Deluxe
    .
    ==== End Of File ===========================

    GMER 2.0.18454 - http://www.gmer.net
    Rootkit scan 2013-02-13 11:42:10
    Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000067 WDC_WD75 rev.01.0 698.64GB
    Running: 90fr2kw1.exe; Driver: C:\Users\Heather\AppData\Local\Temp\fwdirkow.sys

    ---- User code sections - GMER 2.0 ----
    .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2192] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075fc87b1 4 bytes [C2, 04, 00, 00]
    .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074791401 2 bytes [79, 74]
    .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2192] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074791419 2 bytes [79, 74]
    .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074791431 2 bytes [79, 74]
    .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007479144a 2 bytes [79, 74]
    .text ... * 9
    .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2192] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000747914dd 2 bytes [79, 74]
    .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000747914f5 2 bytes [79, 74]
    .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2192] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007479150d 2 bytes [79, 74]
    .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074791525 2 bytes [79, 74]
    .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007479153d 2 bytes [79, 74]
    .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2192] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074791555 2 bytes [79, 74]
    .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007479156d 2 bytes [79, 74]
    .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074791585 2 bytes [79, 74]
    .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2192] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007479159d 2 bytes [79, 74]
    .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000747915b5 2 bytes [79, 74]
    .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000747915cd 2 bytes [79, 74]
    .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000747916b2 2 bytes [79, 74]
    .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000747916bd 2 bytes [79, 74]
    .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074791401 2 bytes [79, 74]
    .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2412] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074791419 2 bytes [79, 74]
    .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074791431 2 bytes [79, 74]
    .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007479144a 2 bytes [79, 74]
    .text ... * 9
    .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2412] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000747914dd 2 bytes [79, 74]
    .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000747914f5 2 bytes [79, 74]
    .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2412] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007479150d 2 bytes [79, 74]
    .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074791525 2 bytes [79, 74]
    .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007479153d 2 bytes [79, 74]
    .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2412] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074791555 2 bytes [79, 74]
    .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007479156d 2 bytes [79, 74]
    .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074791585 2 bytes [79, 74]
    .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2412] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007479159d 2 bytes [79, 74]
    .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000747915b5 2 bytes [79, 74]
    .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000747915cd 2 bytes [79, 74]
    .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000747916b2 2 bytes [79, 74]
    .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000747916bd 2 bytes [79, 74]
    .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074791401 2 bytes [79, 74]
    .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2444] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074791419 2 bytes [79, 74]
    .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074791431 2 bytes [79, 74]
    .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007479144a 2 bytes [79, 74]
    .text ... * 9
    .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2444] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000747914dd 2 bytes [79, 74]
    .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000747914f5 2 bytes [79, 74]
    .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2444] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007479150d 2 bytes [79, 74]
    .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074791525 2 bytes [79, 74]
    .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007479153d 2 bytes [79, 74]
    .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2444] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074791555 2 bytes [79, 74]
    .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007479156d 2 bytes [79, 74]
    .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074791585 2 bytes [79, 74]
    .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2444] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007479159d 2 bytes [79, 74]
    .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000747915b5 2 bytes [79, 74]
    .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000747915cd 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000074a52da4 5 bytes JMP 00000001714e9eb4
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000074a56285 5 bytes JMP 0000000171507fdf
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074a57603 5 bytes JMP 00000001714e25ac
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 0000000074a6cbf3 5 bytes JMP 0000000171638fb6
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074a6cfca 5 bytes JMP 0000000171441893
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074a6f52b 5 bytes JMP 000000017152ed00
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 0000000074a8cb0c 5 bytes JMP 0000000171638f51
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 0000000074a8ce64 5 bytes JMP 000000017163901b
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 0000000074a9fbd1 5 bytes JMP 0000000171638ed8
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 0000000074a9fc9d 5 bytes JMP 0000000171638e5f
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000074a9fcd6 5 bytes JMP 0000000171638dfb
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000074a9fcfa 5 bytes JMP 0000000171638d97
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000075b46143 5 bytes JMP 0000000171639784
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000075ca3e59 5 bytes JMP 000000017163987c
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000075ca3eae 5 bytes JMP 00000001716398fa
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000075ca4731 5 bytes JMP 00000001716397ee
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000075ca5dee 5 bytes JMP 000000017163989a
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 0000000075d093ec 5 bytes JMP 00000001716391d0
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074791401 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074791419 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074791431 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007479144a 2 bytes [79, 74]
    .text ... * 9
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000747914dd 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000747914f5 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007479150d 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074791525 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007479153d 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074791555 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007479156d 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074791585 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007479159d 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000747915b5 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000747915cd 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000747916b2 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000747916bd 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 0000000070dc388e 5 bytes JMP 0000000071639080
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000070e67922 5 bytes JMP 0000000071639128
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[6744] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 00000000748d2694 5 bytes JMP 00000001716393c8
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_W 00000000770325fd 6 bytes JMP 0000000171508042
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_A 0000000077042a63 6 bytes JMP 00000001714a9805
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\kernel32.dll!CreateThread 0000000075fc34b5 5 bytes JMP 00000001714a75db
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074a48a29 5 bytes JMP 00000001715103cf
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000074a4d22e 5 bytes JMP 00000001714b363b
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000074a52da4 5 bytes JMP 00000001714e9eb4
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000074a56285 5 bytes JMP 0000000171507fdf
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074a57603 5 bytes JMP 00000001714e25ac
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 0000000074a6cbf3 5 bytes JMP 0000000171638fb6
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074a6cfca 5 bytes JMP 0000000171441893
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074a6f52b 5 bytes JMP 000000017152ed00
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 0000000074a8cb0c 5 bytes JMP 0000000171638f51
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 0000000074a8ce64 5 bytes JMP 000000017163901b
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 0000000074a9fbd1 5 bytes JMP 0000000171638ed8
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 0000000074a9fc9d 5 bytes JMP 0000000171638e5f
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000074a9fcd6 5 bytes JMP 0000000171638dfb
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000074a9fcfa 5 bytes JMP 0000000171638d97
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000075b46143 5 bytes JMP 0000000171639784
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000075ca3e59 5 bytes JMP 000000017163987c
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000075ca3eae 5 bytes JMP 00000001716398fa
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000075ca4731 5 bytes JMP 00000001716397ee
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000075ca5dee 5 bytes JMP 000000017163989a
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 0000000075d093ec 5 bytes JMP 00000001716391d0
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074791401 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074791419 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074791431 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007479144a 2 bytes [79, 74]
    .text ... * 9
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000747914dd 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000747914f5 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007479150d 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074791525 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007479153d 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074791555 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007479156d 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074791585 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007479159d 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000747915b5 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000747915cd 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000747916b2 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000747916bd 2 bytes [79, 74]
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 0000000070dc388e 5 bytes JMP 0000000071639080
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000070e67922 5 bytes JMP 0000000071639128
    .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[7008] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 00000000748d2694 5 bytes JMP 00000001716393c8
    .text C:\Users\Heather\Desktop\HijackThis.exe[1416] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074791401 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\HijackThis.exe[1416] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074791419 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\HijackThis.exe[1416] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074791431 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\HijackThis.exe[1416] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007479144a 2 bytes [79, 74]
    .text ... * 9
    .text C:\Users\Heather\Desktop\HijackThis.exe[1416] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000747914dd 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\HijackThis.exe[1416] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000747914f5 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\HijackThis.exe[1416] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007479150d 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\HijackThis.exe[1416] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074791525 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\HijackThis.exe[1416] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007479153d 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\HijackThis.exe[1416] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074791555 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\HijackThis.exe[1416] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007479156d 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\HijackThis.exe[1416] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074791585 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\HijackThis.exe[1416] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007479159d 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\HijackThis.exe[1416] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000747915b5 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\HijackThis.exe[1416] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000747915cd 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\HijackThis.exe[1416] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000747916b2 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\HijackThis.exe[1416] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000747916bd 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[5448] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074791401 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[5448] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074791419 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[5448] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074791431 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[5448] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007479144a 2 bytes [79, 74]
    .text ... * 9
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[5448] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000747914dd 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[5448] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000747914f5 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[5448] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007479150d 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[5448] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074791525 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[5448] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007479153d 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[5448] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074791555 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[5448] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007479156d 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[5448] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074791585 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[5448] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007479159d 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[5448] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000747915b5 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[5448] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000747915cd 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[5448] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000747916b2 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[5448] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000747916bd 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[3184] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074791401 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[3184] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074791419 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[3184] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074791431 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[3184] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007479144a 2 bytes [79, 74]
    .text ... * 9
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[3184] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000747914dd 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[3184] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000747914f5 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[3184] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007479150d 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[3184] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074791525 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[3184] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007479153d 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[3184] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074791555 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[3184] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007479156d 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[3184] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074791585 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[3184] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007479159d 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[3184] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000747915b5 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[3184] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000747915cd 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[3184] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000747916b2 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[3184] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000747916bd 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[6152] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074791401 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[6152] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074791419 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[6152] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074791431 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[6152] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007479144a 2 bytes [79, 74]
    .text ... * 9
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[6152] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000747914dd 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[6152] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000747914f5 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[6152] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007479150d 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[6152] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074791525 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[6152] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007479153d 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[6152] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074791555 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[6152] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007479156d 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[6152] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074791585 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[6152] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007479159d 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[6152] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000747915b5 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[6152] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000747915cd 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[6152] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000747916b2 2 bytes [79, 74]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[6152] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000747916bd 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\90fr2kw1.exe[7144] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074791401 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\90fr2kw1.exe[7144] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074791419 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\90fr2kw1.exe[7144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074791431 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\90fr2kw1.exe[7144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007479144a 2 bytes [79, 74]
    .text ... * 9
    .text C:\Users\Heather\Desktop\90fr2kw1.exe[7144] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000747914dd 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\90fr2kw1.exe[7144] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000747914f5 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\90fr2kw1.exe[7144] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007479150d 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\90fr2kw1.exe[7144] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074791525 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\90fr2kw1.exe[7144] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007479153d 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\90fr2kw1.exe[7144] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074791555 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\90fr2kw1.exe[7144] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007479156d 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\90fr2kw1.exe[7144] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074791585 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\90fr2kw1.exe[7144] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007479159d 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\90fr2kw1.exe[7144] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000747915b5 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\90fr2kw1.exe[7144] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000747915cd 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\90fr2kw1.exe[7144] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000747916b2 2 bytes [79, 74]
    .text C:\Users\Heather\Desktop\90fr2kw1.exe[7144] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000747916bd 2 bytes [79, 74]
    ---- User IAT/EAT - GMER 2.0 ----
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2676] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef5112750] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2676] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef5112b98] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2676] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef5117de0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2676] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef5118130] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2676] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef5111908] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2676] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef5111c00] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2676] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef51181d8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2676] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef5112878] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2676] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef5117a5c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2676] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmIncrement] [7fef5116c48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2676] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef51177bc] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2676] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef5117064] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2676] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef5116544] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2676] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef5115e30] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    ---- Registry - GMER 2.0 ----
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\402cf422e91c
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\[email protected] 0x56 0xDF 0xBF 0x5F ...
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\402cf422e91c (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\[email protected] 0x56 0xDF 0xBF 0x5F ...
    ---- EOF - GMER 2.0 ----

    Thank you Hez
     
  2. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Delete any versions of Combofix that you may have on your Desktop, then download a fresh copy from the following link:

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    • Ensure that Combofix is saved directly to the Desktop <--- Very important
    • Disable all security programs, as they will have a negative effect on Combofix; instructions are available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed; if you need more help, please ask.
    • Close any open browsers and any other programs you might have running
    • Double click the ComboFix icon to run the tool (Vista or Windows 7 users: right click and select "Run as Administrator")
    • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
    • If you are using Windows XP, it might display a pop up saying "Recovery console is not installed, do you want to install?" Please select yes and let it download the files it needs to do this. Once the recovery console is installed, Combofix will then offer to scan for malware. Select continue or yes.
    • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
    • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
    • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

    Post the log in next reply please...

    Kevin
     
  3. hez21

    hez21 Thread Starter

    Joined:
    Feb 12, 2013
    Messages:
    8
    Thanks, I have done as you suggested. After I posted last time, I went to close down but it wouldn't; instead the blue screen of death came up. I restarted and then did your suggestion. Find reply below.

    ComboFix 13-02-13.01 - Heather 13/02/2013 21:13:17.1.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.7659.5723 [GMT 11:00]
    Running from: c:\users\Heather\Desktop\ComboFix.exe
    AV: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    SP: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Install.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-01-13 to 2013-02-13 )))))))))))))))))))))))))))))))
    .
    .
    2013-02-13 10:28 . 2013-02-13 10:28 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-02-12 07:56 . 2013-01-08 05:32 9161176 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E8E64109-58E9-4A7A-B370-50373059A843}\mpengine.dll
    2013-02-12 07:55 . 2013-02-12 07:55 -------- d-----w- c:\programdata\Synaptics
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-02-13 03:27 . 2012-04-22 12:11 151552 ----a-w- c:\windows\KMSEmulator.exe
    2013-02-08 12:30 . 2012-04-29 09:24 74096 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-02-08 12:30 . 2012-04-29 09:24 697712 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2013-01-16 14:28 . 2010-11-21 03:27 273840 ------w- c:\windows\system32\MpSigStub.exe
    2013-01-11 00:09 . 2012-04-21 13:14 67599240 ----a-w- c:\windows\system32\MRT.exe
    2012-12-30 10:06 . 2012-12-30 10:07 535552 ----a-w- c:\windows\system32\drivers\stwrt64.sys
    2012-12-30 10:06 . 2011-10-11 06:52 4444672 ----a-w- c:\windows\system32\stlang64.dll
    2012-12-30 10:06 . 2011-10-11 06:52 1425408 ----a-w- c:\windows\sttray64.exe
    2012-12-30 10:06 . 2012-12-30 10:07 654336 ------w- c:\windows\system32\stapi64.dll
    2012-12-30 10:06 . 2012-12-30 10:07 448512 ----a-w- c:\windows\system32\stcplx64.dll
    2012-12-30 10:06 . 2012-12-30 10:07 1987072 ----a-w- c:\windows\system32\stapo64.dll
    2012-12-30 10:06 . 2011-10-11 06:52 251904 ----a-w- c:\windows\system32\staco64.dll
    2012-12-30 10:06 . 2011-10-11 06:52 249344 ----a-w- c:\windows\system32\IDTNJ.exe
    2012-12-30 10:06 . 2011-10-11 06:52 1085440 ----a-w- c:\windows\system32\IDTNX.dll
    2012-12-30 10:06 . 2011-10-11 06:52 5298688 ----a-w- c:\windows\system32\IDTNHP.dll
    2012-12-30 10:06 . 2011-10-11 06:52 6344704 ----a-w- c:\windows\system32\IDTNGUI.exe
    2012-12-30 10:06 . 2011-10-11 06:52 1819136 ----a-w- c:\windows\system32\IDTNC64.cpl
    2012-12-30 10:06 . 2011-10-11 06:52 223744 ----a-w- c:\windows\system32\HPToneCtrls64.dll
    2012-12-30 10:06 . 2011-10-11 06:52 90624 ----a-w- c:\windows\system32\AESTCo64.dll
    2012-12-30 10:06 . 2011-10-11 06:52 68608 ----a-w- c:\windows\system32\AESTAR64.dll
    2012-12-30 10:06 . 2011-10-11 06:52 442368 ----a-w- c:\windows\system32\AESTEC64.dll
    2012-12-30 10:06 . 2011-10-11 06:52 162304 ----a-w- c:\windows\system32\AESTAC64.dll
    2012-12-30 10:04 . 2011-10-11 06:55 95544 ----a-w- c:\windows\system32\bcmwlcoi.dll
    2012-12-30 10:04 . 2011-10-11 06:55 6656 ----a-w- c:\windows\system32\bcmwlrc.dll
    2012-12-30 10:04 . 2011-10-11 06:55 4747840 ----a-w- c:\windows\system32\drivers\BCMWL664.SYS
    2012-12-30 10:04 . 2011-10-11 06:55 3952640 ----a-w- c:\windows\system32\bcmihvsrv64.dll
    2012-12-30 10:04 . 2011-10-11 06:55 3617792 ----a-w- c:\windows\system32\bcmihvui64.dll
    2012-12-16 17:11 . 2012-12-22 04:43 46080 ----a-w- c:\windows\system32\atmlib.dll
    2012-12-16 14:45 . 2012-12-22 04:43 367616 ----a-w- c:\windows\system32\atmfd.dll
    2012-12-16 14:13 . 2012-12-22 04:43 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
    2012-12-16 14:13 . 2012-12-22 04:43 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
    2012-12-07 13:20 . 2013-01-10 05:46 441856 ----a-w- c:\windows\system32\Wpc.dll
    2012-12-07 13:15 . 2013-01-10 05:46 2746368 ----a-w- c:\windows\system32\gameux.dll
    2012-12-07 12:26 . 2013-01-10 05:46 308736 ----a-w- c:\windows\SysWow64\Wpc.dll
    2012-12-07 12:20 . 2013-01-10 05:46 2576384 ----a-w- c:\windows\SysWow64\gameux.dll
    2012-12-07 11:20 . 2013-01-10 05:46 30720 ----a-w- c:\windows\system32\usk.rs
    2012-12-07 11:20 . 2013-01-10 05:46 43520 ----a-w- c:\windows\system32\csrr.rs
    2012-12-07 11:20 . 2013-01-10 05:46 23552 ----a-w- c:\windows\system32\oflc.rs
    2012-12-07 11:20 . 2013-01-10 05:46 45568 ----a-w- c:\windows\system32\oflc-nz.rs
    2012-12-07 11:20 . 2013-01-10 05:46 44544 ----a-w- c:\windows\system32\pegibbfc.rs
    2012-12-07 11:20 . 2013-01-10 05:46 20480 ----a-w- c:\windows\system32\pegi-fi.rs
    2012-12-07 11:20 . 2013-01-10 05:46 20480 ----a-w- c:\windows\system32\pegi-pt.rs
    2012-12-07 11:19 . 2013-01-10 05:46 20480 ----a-w- c:\windows\system32\pegi.rs
    2012-12-07 11:19 . 2013-01-10 05:46 46592 ----a-w- c:\windows\system32\fpb.rs
    2012-12-07 11:19 . 2013-01-10 05:46 40960 ----a-w- c:\windows\system32\cob-au.rs
    2012-12-07 11:19 . 2013-01-10 05:46 21504 ----a-w- c:\windows\system32\grb.rs
    2012-12-07 11:19 . 2013-01-10 05:46 15360 ----a-w- c:\windows\system32\djctq.rs
    2012-12-07 11:19 . 2013-01-10 05:46 55296 ----a-w- c:\windows\system32\cero.rs
    2012-12-07 11:19 . 2013-01-10 05:46 51712 ----a-w- c:\windows\system32\esrb.rs
    2012-12-07 10:46 . 2013-01-10 05:46 43520 ----a-w- c:\windows\SysWow64\csrr.rs
    2012-12-07 10:46 . 2013-01-10 05:46 30720 ----a-w- c:\windows\SysWow64\usk.rs
    2012-12-07 10:46 . 2013-01-10 05:46 45568 ----a-w- c:\windows\SysWow64\oflc-nz.rs
    2012-12-07 10:46 . 2013-01-10 05:46 44544 ----a-w- c:\windows\SysWow64\pegibbfc.rs
    2012-12-07 10:46 . 2013-01-10 05:46 20480 ----a-w- c:\windows\SysWow64\pegi-pt.rs
    2012-12-07 10:46 . 2013-01-10 05:46 23552 ----a-w- c:\windows\SysWow64\oflc.rs
    2012-12-07 10:46 . 2013-01-10 05:46 20480 ----a-w- c:\windows\SysWow64\pegi-fi.rs
    2012-12-07 10:46 . 2013-01-10 05:46 46592 ----a-w- c:\windows\SysWow64\fpb.rs
    2012-12-07 10:46 . 2013-01-10 05:46 20480 ----a-w- c:\windows\SysWow64\pegi.rs
    2012-12-07 10:46 . 2013-01-10 05:46 21504 ----a-w- c:\windows\SysWow64\grb.rs
    2012-12-07 10:46 . 2013-01-10 05:46 40960 ----a-w- c:\windows\SysWow64\cob-au.rs
    2012-12-07 10:46 . 2013-01-10 05:46 15360 ----a-w- c:\windows\SysWow64\djctq.rs
    2012-12-07 10:46 . 2013-01-10 05:46 55296 ----a-w- c:\windows\SysWow64\cero.rs
    2012-12-07 10:46 . 2013-01-10 05:46 51712 ----a-w- c:\windows\SysWow64\esrb.rs
    2012-11-30 05:45 . 2013-01-10 05:46 362496 ----a-w- c:\windows\system32\wow64win.dll
    2012-11-30 05:45 . 2013-01-10 05:46 243200 ----a-w- c:\windows\system32\wow64.dll
    2012-11-30 05:45 . 2013-01-10 05:46 13312 ----a-w- c:\windows\system32\wow64cpu.dll
    2012-11-30 05:45 . 2013-01-10 05:46 215040 ----a-w- c:\windows\system32\winsrv.dll
    2012-11-30 05:43 . 2013-01-10 05:46 16384 ----a-w- c:\windows\system32\ntvdm64.dll
    2012-11-30 05:41 . 2013-01-10 05:46 424448 ----a-w- c:\windows\system32\KernelBase.dll
    2012-11-30 05:41 . 2013-01-10 05:46 1161216 ----a-w- c:\windows\system32\kernel32.dll
    2012-11-30 05:38 . 2013-01-10 05:46 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3584 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3584 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
    2012-11-30 04:54 . 2013-01-10 05:46 5120 ----a-w- c:\windows\SysWow64\wow32.dll
    2012-11-30 04:53 . 2013-01-10 05:46 274944 ----a-w- c:\windows\SysWow64\KernelBase.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-04-02 336384]
    "HPConnectionManager"="c:\program files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe" [2011-02-15 94264]
    "HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
    "HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2011-01-27 318520]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "HTC Sync Loader"="c:\program files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2012-04-01 634880]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
    "BigPondWirelessBroadbandCM"="c:\program files (x86)\Telstra\BigPond Wireless Broadband 2.13.16\BigPond_CM.exe" [2009-04-29 2297856]
    "NBAgent"="c:\program files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-03-26 1234216]
    "PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2011-11-15 312376]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-24 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-12-12 152544]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-7-30 1132320]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    "EnableLinkedConnections"= 1 (0x1)
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-01-30 3289208]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-11-09 160944]
    R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-02 183560]
    R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-07-14 344616]
    R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-03-02 39464]
    R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
    R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-11-01 33736]
    R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2010-06-25 36928]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
    R3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\DRIVERS\swnc8ua3.sys [2009-03-20 219136]
    R3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\DRIVERS\swumxa3.sys [2009-03-20 195456]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-22 1255736]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
    S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [2011-04-15 79488]
    S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [2011-04-15 40064]
    S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2011-08-03 146432]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2012-12-30 89600]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-02 204288]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-04-02 365568]
    S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2011-08-09 202576]
    S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2011-09-22 974944]
    S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2011-08-03 137144]
    S2 FPLService;TrueSuiteService;c:\program files (x86)\HP SimplePass 2011\TrueSuiteService.exe [2011-02-18 265544]
    S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
    S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
    S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
    S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2012-04-25 31000]
    S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 26680]
    S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-03-08 2375168]
    S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2010-03-25 490280]
    S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2012-03-23 87040]
    S3 amdhub30;AMD USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\amdhub30.sys [2011-03-18 87168]
    S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [2010-02-18 46136]
    S3 amdxhc;AMD USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\amdxhc.sys [2011-03-18 188544]
    S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2010-11-17 115216]
    S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [2010-07-28 31088]
    S3 hpCMSrv;HP Connection Manager 4.0 Service;c:\program files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [2011-02-15 1071160]
    S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [2011-03-25 337512]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-02-17 428136]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2010-12-16 47232]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2009-06-17 02:11 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-02-13 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-29 12:30]
    .
    2013-02-13 c:\windows\Tasks\AutoKMS.job
    - c:\windows\AutoKMS\AutoKMS.exe [2012-04-22 12:12]
    .
    2013-02-08 c:\windows\Tasks\HPCeeScheduleForHEATHER-HP$.job
    - c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
    .
    2013-02-12 c:\windows\Tasks\HPCeeScheduleForHeather.job
    - c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-09-22 4035152]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2012-12-30 1425408]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ninemsn.com.au/
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 61.9.226.33 61.9.211.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKLM-Run-<NO NAME> - (no file)
    HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-{6F44AF95-3CDE-4513-AD3F-6D45F17BF324} - c:\program files (x86)\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_149_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_149_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2013-02-13 22:01:53
    ComboFix-quarantined-files.txt 2013-02-13 11:01
    .
    Pre-Run: 630,757,838,848 bytes free
    Post-Run: 634,236,608,512 bytes free
    .
    - - End Of File - - 14F5FD5BB45F5C32976E6288B2C3A099
     
  4. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    You mention this alert at the beginning: C:\windows\AutoKMS.exe\AutoKMS.exe - a variant of WIN32\HackKMS.B, and tell us it was flagged by your AV, which was not able to clean it.

    The same entry does show up in the Combofix log:

    2013-02-13 c:\windows\Tasks\AutoKMS.job
    - c:\windows\AutoKMS\AutoKMS.exe


    Well, this is quite interesting. AutoKMS.exe is a crack used to make fraudulent copies of Microsoft Office legal. Can you run the following and post its log:

    Please run the MGA Diagnostic Tool and post back the report it creates:
    • Download MGADiag to your desktop.
    • Double-click on MGADiag.exe to launch the program
    • Click "Continue"
    • Ensure that the "Windows" tab is selected (it should be by default).
    • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
    • Paste the MGA Diagnostic Report back here in your next reply.

    Kevin
     
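    The ComboFix log posted above carries three blocks a reviewer reads first: the Run-key autostart entries, the 'Scheduled Tasks' folder (where AutoKMS.job appears) and the policies\system values, where EnableLUA = 0 means User Account Control is switched off entirely. The script below is an added example for this thread, not code from ComboFix or from anyone in the discussion: it parses those three blocks out of a ComboFix-style log and applies a few triage rules. The log excerpt embedded in it is constructed to mirror the layout of the posted log, and the watchlist names and the list of "expected" install directories are assumptions of the example.

```python
"""Triage helper for ComboFix-style logs.

Added example (not ComboFix's or the thread's code): pulls the autostart
Run-key entries, the scheduled-task jobs with their targets, and the UAC
policy values out of a log in the layout posted above, then applies a few
simple rules. The embedded log is constructed to mirror that layout; the
watchlist and the "expected" directories are assumptions of this example.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt in ComboFix's layout (not a real capture).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"Updater"="c:\users\Public\updater.exe" [2013-02-10 51200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-29 12:30]
.
2013-02-13 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS\AutoKMS.exe [2012-04-22 12:12]
.
"""

RUN_HEADER = re.compile(r"^\[(HKEY_[^\]]*\\Run)\]$", re.I)
RUN_ENTRY = re.compile(r'^"([^"]+)"="([^"]+)" \[\d{4}-\d{2}-\d{2} \d+\]$')
POLICY_HEADER = re.compile(r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows"
                           r"\\currentversion\\policies\\system\]$", re.I)
POLICY_VALUE = re.compile(r'^"(\w+)"= (\d+) \(0x[0-9a-f]+\)$', re.I)
TASK_JOB = re.compile(r"^\d{4}-\d{2}-\d{2} (\S.*\.job)$", re.I)
TASK_TARGET = re.compile(r"^- (.+?) \[\d{4}-\d{2}-\d{2} \d{2}:\d{2}\]$")

# Assumed watchlist of activation-crack names (the thread's own finding).
WATCHLIST = ("autokms", "kmsemulator")
# Assumed directories where autostart targets normally live.
EXPECTED_DIRS = (r"c:\program files", r"c:\programdata",
                 r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass
class ComboFixReport:
    run_entries: list = field(default_factory=list)  # (registry key, name, path)
    tasks: list = field(default_factory=list)        # (job file, target path)
    policies: dict = field(default_factory=dict)     # value name -> int


def parse_combofix(text):
    """Walk the log line by line; '.' and '[...]' headers delimit blocks."""
    rep = ComboFixReport()
    section, key, pending_job = None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            section, pending_job = None, None
            continue
        if line.startswith("["):
            section, key = None, None
            if RUN_HEADER.match(line):
                section, key = "run", line[1:-1]
            elif POLICY_HEADER.match(line):
                section = "policy"
            continue
        if section == "run":
            m = RUN_ENTRY.match(line)
            if m:
                rep.run_entries.append((key, m.group(1), m.group(2)))
        elif section == "policy":
            m = POLICY_VALUE.match(line)
            if m:
                rep.policies[m.group(1)] = int(m.group(2))
        elif m := TASK_JOB.match(line):
            pending_job = m.group(1)          # target path comes on the next line
        elif pending_job and (m := TASK_TARGET.match(line)):
            rep.tasks.append((pending_job, m.group(1)))
            pending_job = None
    return rep


def unexpected_location(path):
    """True when an autostart target lives outside the assumed install dirs."""
    return not path.lower().startswith(EXPECTED_DIRS)


def triage(rep):
    """Return (severity, message) findings a reviewer would look at first."""
    findings = []
    if rep.policies.get("EnableLUA") == 0:
        findings.append(("high", "UAC is off (EnableLUA=0): an admin user's "
                                 "processes all run fully elevated"))
    elif rep.policies.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append(("medium", "admins elevate silently "
                                   "(ConsentPromptBehaviorAdmin=0)"))
    if rep.policies.get("PromptOnSecureDesktop") == 0:
        findings.append(("low", "UAC prompts not shown on the secure desktop"))
    for job, target in rep.tasks:
        name = target.rsplit("\\", 1)[-1].lower()
        if any(w in name for w in WATCHLIST):
            findings.append(("high", f"task {job} runs activation crack {target}"))
        elif unexpected_location(target):
            findings.append(("medium", f"task {job} runs {target} from an "
                                       "unexpected location"))
    for key, name, path in rep.run_entries:
        if unexpected_location(path):
            findings.append(("medium", f"Run value '{name}' ({key}) -> {path}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(parse_combofix(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```

    Run it as `python combofix_triage.py` (file name assumed), or call parse_combofix() on the text of a real C:\ComboFix.txt. The rules are deliberately narrow: the path-based check only says "this target is somewhere unusual", so a hit is a prompt to look at the file, not a verdict, and a real review still reads the service (R*/S*) lines and the file-creation lists that this example does not parse.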
  5. hez21

    hez21 Thread Starter

    Joined:
    Feb 12, 2013
    Messages:
    8
    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Code: 0
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-73CQT-WMF7J-3Q6C9
    Windows Product Key Hash: KaFG+RmurcM3ZxzWyfEP9WtPUJw=
    Windows Product ID: 00359-OEM-8992687-00010
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010300.1.0.003
    ID: {29DEDF6F-D540-4E54-8450-C1137A19C393}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Home Premium
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.120830-0333
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A
    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002
    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002
    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed
    File Scan Data-->
    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{29DEDF6F-D540-4E54-8450-C1137A19C393}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-3Q6C9</PKey><PID>00359-OEM-8992687-00010</PID><PIDType>2</PIDType><SID>S-1-5-21-2880828808-1028491219-2167413215</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Pavilion dv6 Notebook PC</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>F.02</Version><SMBIOSVersion major="2" minor="7"/><Date>20110902000000.000000+000</Date></BIOS><HWID>E5C23607018400FC</HWID><UserLCID>0C09</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>AUS Eastern Standard Time(GMT+10:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-MPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
    Spsys.log Content: 0x80070002
    Licensing Data-->
    Software licensing service version: 6.1.7601.17514
    Name: Windows(R) 7, HomePremium edition
    Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
    Activation ID: d2c04e90-c3dd-4260-b0f3-f845f5d27d64
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00359-00178-926-800010-02-3081-7601.0000-2842011
    Installation ID: 002301804144742346176536175054662721356443634291971875
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 3Q6C9
    License Status: Licensed
    Remaining Windows rearm count: 1
    Trusted time: 14/02/2013 12:08:06 PM
    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x00000000
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 11:12:2012 21:18
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:

    HWID Data-->
    HWID Hash Current: NgAAAAEAAwABAAIAAAACAAAAAwABAAEAln1c50RsHODu+2QRplWOzS4uYj3qYJA6BrvZrABq
    OEM Activation 1.0 Data-->
    N/A
    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
    ACPI Table Name  OEMID Value  OEMTableID Value
    APIC             HP           INSYDE
    FACP             HPQOEM       SLIC-MPC
    HPET             HP           INSYDE
    BOOT             HP           INSYDE
    MCFG             HP           INSYDE
    WDRT             HP           INSYDE
    ASF!             HP           INSYDE
    SLIC             HPQOEM       SLIC-MPC
    MSDM             HP           INSYDE
    SSDT             HP           INSYDE
    SSDT             HP           INSYDE
     
  6. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    1. Close any open browsers.

    2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the Codebox below into it:

    Code:
    ClearJavaCache::
    File::
    c:\windows\AutoKMS\AutoKMS.exe
    c:\windows\Tasks\AutoKMS.job
    c:\windows\KMSEmulator.exe
    
    Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    Next,

    Run Eset Online Scanner

    **Note** You will need to use Internet Explorer for this scan. On Vista and Win 7, right-click the IE shortcut and run as admin.

    Go to the ESET web page http://www.eset.com/home/products/online-scanner/ to run an online scanner from ESET.

    • Turn off the real-time scanner of any existing antivirus program while performing the online scan
    • Click on the Run ESET Online Scanner button
    • Tick the box next to YES, I accept the Terms of Use.
      Click Start
    • When asked, allow the add-on to be installed
      Click Start
    • Make sure that the option Remove found threats is unticked
    • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
      Click Scan
    • Wait for the virus definitions to be downloaded
    • Wait for the scan to finish
    When the scan is complete

    • If no threats were found:
      • Put a checkmark in "Uninstall application on close"
      • Close the program
      • Report to me that nothing was found
    • If threats were found:
      • Click on "list of threats found"
      • Click on "export to text file" and save it as ESET SCAN to the desktop
      • Click on back
      • Put a checkmark in "Uninstall application on close"
      • Click on finish
      • Close the program
      • Copy and paste the report here

    Post both logs...
     
  7. hez21

    hez21 Thread Starter

    Joined:
    Feb 12, 2013
    Messages:
    8
    Hi Kevin, here it comes

    ComboFix 13-02-13.01 - Heather 14/02/2013 21:33:27.2.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.7659.5842 [GMT 11:00]
    Running from: c:\users\Heather\Desktop\ComboFix.exe
    Command switches used :: c:\users\Heather\Desktop\CFScript.txt
    AV: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    SP: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    FILE ::
    "c:\windows\AutoKMS\AutoKMS.exe"
    "c:\windows\KMSEmulator.exe"
    "c:\windows\Tasks\AutoKMS.job"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\AutoKMS\AutoKMS.exe
    c:\windows\KMSEmulator.exe
    c:\windows\Tasks\AutoKMS.job
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-01-14 to 2013-02-14 )))))))))))))))))))))))))))))))
    .
    .
    2013-02-14 10:48 . 2013-02-14 10:48 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-02-12 07:56 . 2013-01-08 05:32 9161176 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E8E64109-58E9-4A7A-B370-50373059A843}\mpengine.dll
    2013-02-12 07:55 . 2013-02-12 07:55 -------- d-----w- c:\programdata\Synaptics
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-02-08 12:30 . 2012-04-29 09:24 74096 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-02-08 12:30 . 2012-04-29 09:24 697712 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2013-01-16 14:28 . 2010-11-21 03:27 273840 ------w- c:\windows\system32\MpSigStub.exe
    2013-01-11 00:09 . 2012-04-21 13:14 67599240 ----a-w- c:\windows\system32\MRT.exe
    2012-12-30 10:06 . 2012-12-30 10:07 535552 ----a-w- c:\windows\system32\drivers\stwrt64.sys
    2012-12-30 10:06 . 2011-10-11 06:52 4444672 ----a-w- c:\windows\system32\stlang64.dll
    2012-12-30 10:06 . 2011-10-11 06:52 1425408 ----a-w- c:\windows\sttray64.exe
    2012-12-30 10:06 . 2012-12-30 10:07 654336 ------w- c:\windows\system32\stapi64.dll
    2012-12-30 10:06 . 2012-12-30 10:07 448512 ----a-w- c:\windows\system32\stcplx64.dll
    2012-12-30 10:06 . 2012-12-30 10:07 1987072 ----a-w- c:\windows\system32\stapo64.dll
    2012-12-30 10:06 . 2011-10-11 06:52 251904 ----a-w- c:\windows\system32\staco64.dll
    2012-12-30 10:06 . 2011-10-11 06:52 249344 ----a-w- c:\windows\system32\IDTNJ.exe
    2012-12-30 10:06 . 2011-10-11 06:52 1085440 ----a-w- c:\windows\system32\IDTNX.dll
    2012-12-30 10:06 . 2011-10-11 06:52 5298688 ----a-w- c:\windows\system32\IDTNHP.dll
    2012-12-30 10:06 . 2011-10-11 06:52 6344704 ----a-w- c:\windows\system32\IDTNGUI.exe
    2012-12-30 10:06 . 2011-10-11 06:52 1819136 ----a-w- c:\windows\system32\IDTNC64.cpl
    2012-12-30 10:06 . 2011-10-11 06:52 223744 ----a-w- c:\windows\system32\HPToneCtrls64.dll
    2012-12-30 10:06 . 2011-10-11 06:52 90624 ----a-w- c:\windows\system32\AESTCo64.dll
    2012-12-30 10:06 . 2011-10-11 06:52 68608 ----a-w- c:\windows\system32\AESTAR64.dll
    2012-12-30 10:06 . 2011-10-11 06:52 442368 ----a-w- c:\windows\system32\AESTEC64.dll
    2012-12-30 10:06 . 2011-10-11 06:52 162304 ----a-w- c:\windows\system32\AESTAC64.dll
    2012-12-30 10:04 . 2011-10-11 06:55 95544 ----a-w- c:\windows\system32\bcmwlcoi.dll
    2012-12-30 10:04 . 2011-10-11 06:55 6656 ----a-w- c:\windows\system32\bcmwlrc.dll
    2012-12-30 10:04 . 2011-10-11 06:55 4747840 ----a-w- c:\windows\system32\drivers\BCMWL664.SYS
    2012-12-30 10:04 . 2011-10-11 06:55 3952640 ----a-w- c:\windows\system32\bcmihvsrv64.dll
    2012-12-30 10:04 . 2011-10-11 06:55 3617792 ----a-w- c:\windows\system32\bcmihvui64.dll
    2012-12-16 17:11 . 2012-12-22 04:43 46080 ----a-w- c:\windows\system32\atmlib.dll
    2012-12-16 14:45 . 2012-12-22 04:43 367616 ----a-w- c:\windows\system32\atmfd.dll
    2012-12-16 14:13 . 2012-12-22 04:43 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
    2012-12-16 14:13 . 2012-12-22 04:43 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
    2012-12-07 13:20 . 2013-01-10 05:46 441856 ----a-w- c:\windows\system32\Wpc.dll
    2012-12-07 13:15 . 2013-01-10 05:46 2746368 ----a-w- c:\windows\system32\gameux.dll
    2012-12-07 12:26 . 2013-01-10 05:46 308736 ----a-w- c:\windows\SysWow64\Wpc.dll
    2012-12-07 12:20 . 2013-01-10 05:46 2576384 ----a-w- c:\windows\SysWow64\gameux.dll
    2012-12-07 11:20 . 2013-01-10 05:46 30720 ----a-w- c:\windows\system32\usk.rs
    2012-12-07 11:20 . 2013-01-10 05:46 43520 ----a-w- c:\windows\system32\csrr.rs
    2012-12-07 11:20 . 2013-01-10 05:46 23552 ----a-w- c:\windows\system32\oflc.rs
    2012-12-07 11:20 . 2013-01-10 05:46 45568 ----a-w- c:\windows\system32\oflc-nz.rs
    2012-12-07 11:20 . 2013-01-10 05:46 44544 ----a-w- c:\windows\system32\pegibbfc.rs
    2012-12-07 11:20 . 2013-01-10 05:46 20480 ----a-w- c:\windows\system32\pegi-fi.rs
    2012-12-07 11:20 . 2013-01-10 05:46 20480 ----a-w- c:\windows\system32\pegi-pt.rs
    2012-12-07 11:19 . 2013-01-10 05:46 20480 ----a-w- c:\windows\system32\pegi.rs
    2012-12-07 11:19 . 2013-01-10 05:46 46592 ----a-w- c:\windows\system32\fpb.rs
    2012-12-07 11:19 . 2013-01-10 05:46 40960 ----a-w- c:\windows\system32\cob-au.rs
    2012-12-07 11:19 . 2013-01-10 05:46 21504 ----a-w- c:\windows\system32\grb.rs
    2012-12-07 11:19 . 2013-01-10 05:46 15360 ----a-w- c:\windows\system32\djctq.rs
    2012-12-07 11:19 . 2013-01-10 05:46 55296 ----a-w- c:\windows\system32\cero.rs
    2012-12-07 11:19 . 2013-01-10 05:46 51712 ----a-w- c:\windows\system32\esrb.rs
    2012-12-07 10:46 . 2013-01-10 05:46 43520 ----a-w- c:\windows\SysWow64\csrr.rs
    2012-12-07 10:46 . 2013-01-10 05:46 30720 ----a-w- c:\windows\SysWow64\usk.rs
    2012-12-07 10:46 . 2013-01-10 05:46 45568 ----a-w- c:\windows\SysWow64\oflc-nz.rs
    2012-12-07 10:46 . 2013-01-10 05:46 44544 ----a-w- c:\windows\SysWow64\pegibbfc.rs
    2012-12-07 10:46 . 2013-01-10 05:46 20480 ----a-w- c:\windows\SysWow64\pegi-pt.rs
    2012-12-07 10:46 . 2013-01-10 05:46 23552 ----a-w- c:\windows\SysWow64\oflc.rs
    2012-12-07 10:46 . 2013-01-10 05:46 20480 ----a-w- c:\windows\SysWow64\pegi-fi.rs
    2012-12-07 10:46 . 2013-01-10 05:46 46592 ----a-w- c:\windows\SysWow64\fpb.rs
    2012-12-07 10:46 . 2013-01-10 05:46 20480 ----a-w- c:\windows\SysWow64\pegi.rs
    2012-12-07 10:46 . 2013-01-10 05:46 21504 ----a-w- c:\windows\SysWow64\grb.rs
    2012-12-07 10:46 . 2013-01-10 05:46 40960 ----a-w- c:\windows\SysWow64\cob-au.rs
    2012-12-07 10:46 . 2013-01-10 05:46 15360 ----a-w- c:\windows\SysWow64\djctq.rs
    2012-12-07 10:46 . 2013-01-10 05:46 55296 ----a-w- c:\windows\SysWow64\cero.rs
    2012-12-07 10:46 . 2013-01-10 05:46 51712 ----a-w- c:\windows\SysWow64\esrb.rs
    2012-11-30 05:45 . 2013-01-10 05:46 362496 ----a-w- c:\windows\system32\wow64win.dll
    2012-11-30 05:45 . 2013-01-10 05:46 243200 ----a-w- c:\windows\system32\wow64.dll
    2012-11-30 05:45 . 2013-01-10 05:46 13312 ----a-w- c:\windows\system32\wow64cpu.dll
    2012-11-30 05:45 . 2013-01-10 05:46 215040 ----a-w- c:\windows\system32\winsrv.dll
    2012-11-30 05:43 . 2013-01-10 05:46 16384 ----a-w- c:\windows\system32\ntvdm64.dll
    2012-11-30 05:41 . 2013-01-10 05:46 424448 ----a-w- c:\windows\system32\KernelBase.dll
    2012-11-30 05:41 . 2013-01-10 05:46 1161216 ----a-w- c:\windows\system32\kernel32.dll
    2012-11-30 05:38 . 2013-01-10 05:46 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3584 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3584 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-10 05:46 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
    2012-11-30 04:54 . 2013-01-10 05:46 5120 ----a-w- c:\windows\SysWow64\wow32.dll
    2012-11-30 04:53 . 2013-01-10 05:46 274944 ----a-w- c:\windows\SysWow64\KernelBase.dll
    2012-11-30 04:45 . 2013-01-10 05:46 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-04-02 336384]
    "HPConnectionManager"="c:\program files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe" [2011-02-15 94264]
    "HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
    "HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2011-01-27 318520]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "HTC Sync Loader"="c:\program files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2012-04-01 634880]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
    "BigPondWirelessBroadbandCM"="c:\program files (x86)\Telstra\BigPond Wireless Broadband 2.13.16\BigPond_CM.exe" [2009-04-29 2297856]
    "NBAgent"="c:\program files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-03-26 1234216]
    "PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2011-11-15 312376]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-24 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-12-12 152544]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-7-30 1132320]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    "EnableLinkedConnections"= 1 (0x1)
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-01-30 3289208]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-11-09 160944]
    R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-02 183560]
    R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-07-14 344616]
    R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-03-02 39464]
    R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
    R3 hpCMSrv;HP Connection Manager 4.0 Service;c:\program files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [2011-02-15 1071160]
    R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-11-01 33736]
    R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2010-06-25 36928]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-22 1255736]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
    S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [2011-04-15 79488]
    S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [2011-04-15 40064]
    S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2011-08-03 146432]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2012-12-30 89600]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-02 204288]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-04-02 365568]
    S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2011-08-09 202576]
    S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2011-09-22 974944]
    S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2011-08-03 137144]
    S2 FPLService;TrueSuiteService;c:\program files (x86)\HP SimplePass 2011\TrueSuiteService.exe [2011-02-18 265544]
    S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
    S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
    S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
    S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2012-04-25 31000]
    S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 26680]
    S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-03-08 2375168]
    S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2010-03-25 490280]
    S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2012-03-23 87040]
    S3 amdhub30;AMD USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\amdhub30.sys [2011-03-18 87168]
    S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [2010-02-18 46136]
    S3 amdxhc;AMD USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\amdxhc.sys [2011-03-18 188544]
    S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2010-11-17 115216]
    S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [2010-07-28 31088]
    S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [2011-03-25 337512]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-02-17 428136]
    S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\DRIVERS\swnc8ua3.sys [2009-03-20 219136]
    S3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\DRIVERS\swumxa3.sys [2009-03-20 195456]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2010-12-16 47232]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2009-06-17 02:11 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-02-14 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-29 12:30]
    .
    2013-02-08 c:\windows\Tasks\HPCeeScheduleForHEATHER-HP$.job
    - c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
    .
    2013-02-12 c:\windows\Tasks\HPCeeScheduleForHeather.job
    - c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-09-22 4035152]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2012-12-30 1425408]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ninemsn.com.au/
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 61.9.194.49 61.9.134.49
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKLM-Run-<NO NAME> - (no file)
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-{6F44AF95-3CDE-4513-AD3F-6D45F17BF324} - c:\program files (x86)\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_149_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_149_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2013-02-14 22:21:33
    ComboFix-quarantined-files.txt 2013-02-14 11:21
    ComboFix2.txt 2013-02-13 11:02
    .
    Pre-Run: 635,573,956,608 bytes free
    Post-Run: 635,886,682,112 bytes free
    .
    - - End Of File - - 9303D55432149FAA387FA2AB8DB85AEE

    C:\Qoobox\Quarantine\C\Windows\KMSEmulator.exe.vir a variant of Win32/HackKMS.A application cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Windows\AutoKMS\AutoKMS.exe.vir a variant of Win32/HackKMS.B application cleaned by deleting - quarantined
    C:\Users\Heather\Downloads\Book Worm\Bookworm Deluxe and Crack File (1).exe probably a variant of Win32/Agent.JMHOHYZ trojan deleted - quarantined
    C:\Users\Heather\Downloads\Mahjong Quest\Mah Jong Quest Key Gen.exe a variant of Win32/Keygen.DY application cleaned by deleting - quarantined
    C:\Users\Heather\Downloads\PowerISO\keygen.exe a variant of Win32/Keygen.CP application cleaned by deleting - quarantined

    Hez
     
  8. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    It is not recommended to use cracked software or associated key generators; there is always a very high risk of malware/infection.

    OK do the following:

    Open Malwarebytes, check for updates then run Quick scan. Full instructions follow if Malwarebytes is not installed:

    Download Malwarebytes from one of the following links and save it to your desktop:


    http://www.malwarebytes.org/mbam.php
    http://www.softpedia.com/get/Antivirus/Malwarebytes-Anti-Malware.shtml
    http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.

    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Next,

    Download Security Check by screen317 from either of the following:
    http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe
    Save it to your Desktop.
    Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
    A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Post those two logs, also give an update on any remaining issues or concerns related to the operating system...

    Kevin....:)
     
  9. hez21

    hez21 Thread Starter

    Joined:
    Feb 12, 2013
    Messages:
    8
    Hi Kevin

    I did the Malwarebytes - I tried to update this twice and had 2 error messages -

    1st - The setup files are corrupted, Pl obtain a new copy of the program. Decided to try again

    2nd - An Error has occurred. Please report this issue PROGRAM_ERROR_UPDATING ( 0, 0, Incomplete transfer).

    I then just went with the scan -

    Malwarebytes Anti-Malware (Trial) 1.70.0.1100
    www.malwarebytes.org
    Database version: v2013.02.15.04
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Heather :: HEATHER-HP [administrator]
    Protection: Enabled
    15/02/2013 9:28:23 PM
    mbam-log-2013-02-15 (21-28-23).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 212364
    Time elapsed: 1 minute(s), 19 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)

    Results of screen317's Security Check version 0.99.57
    Windows 7 Service Pack 1 x64 (UAC is disabled!)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    ESET NOD32 Antivirus 5.0
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.70.0.1100
    Java(TM) 6 Update 24
    Java version out of Date!
    Adobe Reader 10.1.4 Adobe Reader out of Date!
    ````````Process Check: objlist.exe by Laurent````````
    ESET NOD32 Antivirus egui.exe
    ESET NOD32 Antivirus ekrn.exe
    Malwarebytes Anti-Malware mbamservice.exe
    Malwarebytes Anti-Malware mbamgui.exe
    Malwarebytes Anti-Malware mbam.exe
    Malwarebytes' Anti-Malware mbamscheduler.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 16% Defragment your hard drive soon! (Do NOT defrag if SSD!)
    ````````````````````End of Log``````````````````````


    Thanks Heather
     
  10. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    OK, do the following:

    Adobe Reader is outdated...
    Visit http://get.adobe.com/uk/reader/otherversions/ and download the latest version of Acrobat Reader

    Step 1 - Select your Operating System.
    Step 2 - Select your Language.
    Step 3 - Select latest version.

    Untick the option for McAfee security scanner if offered.

    Download and install.

    Having the latest updates ensures there are no security vulnerabilities in your system.

    Next,

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
    Please follow these steps to remove older version of Java components and upgrade the application.

    Upgrading Java:

    Go to http://java.com/en/ and click on "Do I have Java"
    It will check your current version and then offer to update to the latest version
    Watch for and make sure you untick the box next to whatever free program they prompt you to install during the installation, unless you want it.

    ***Note: please check in Start > Control Panel > Uninstall a Program, make sure old versions of Java are removed, specifically - Java(TM) 6 Update 24

    Let me know if those steps complete OK, also if any remaining issues or concerns....

    Kevin...
     
  11. hez21

    hez21 Thread Starter

    Joined:
    Feb 12, 2013
    Messages:
    8
    Thank you Kevin, everything seems to be great
     
  12. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    OK, do the following:

    Remove Combofix now that we're done with it
    • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
    • Please follow the prompts to uninstall Combofix.
    • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
    The above procedure will delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\_OtMoveIt folder, if present
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.

    It is very important that you get a successful uninstall because of the extra functions done at the same time; let me know if this does not happen.

    Next,

    Remove ESET online scanner (Only If installed):

    • Click Start, type Uninstall a Program into the Search programs and files box, and then press ENTER.
    • Click to select ESET Online Scanner from the listing of installed products, and then click Uninstall/Change from the bar that displays the available tasks. Uninstall ESET Online Scanner, only re-boot if prompted.

    Next,

    • Download OTC by OldTimer from here http://oldtimer.geekstogo.com/OTC.exe or here http://www.itxassociates.com/OT-Tools/OTC.exe and save to your Desktop.
    • Double click the OTC icon to start the program.
      If you are using Vista or Windows 7 accept UAC
    • Then click the big button.
    • You will get a prompt saying "Beginning Cleanup Process". Please select Yes.
    • Restart your computer when prompted.
    • This will remove tools we have used and itself.

    Let me know if those steps complete OK, also if any remaining issues or concerns.

    Kevin...
     
  13. hez21

    hez21 Thread Starter

    Joined:
    Feb 12, 2013
    Messages:
    8
    Kevin, I did all the things you suggested in your last post - just a question - was it supposed to clear up the MGADiag, HijackThis, SysInfo, GMER, Malwarebytes and all Notepad notes? If it was, then it didn't do its job.

    Malwarebytes Anti-Malware keeps coming up with this message - Successfully blocked access to a potentially malicious website 222.186.15.17 Type: incoming Port: 1433, Process: svchost.exe


    A new message keeps appearing about every hour, e.g. the last one was - Successfully blocked access to a potentially malicious website 60.173.12.142 Type: incoming Port: 3389, Process: svchost.exe

    Hez
     
  14. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Yes, you can remove the entries you mention except for Malwarebytes, leave that installed for now. What exactly were you doing when you received the IP block alert? Both the addresses you posted are from Haidian, Beijing, China...

    Can you update Malwarebytes and run a Full scan, post the log that is produced.... Also tell me what was happening when the alerts came in. Did you have a browser open, were you connected to anywhere specific...

    Kevin
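    The two blocked-connection alerts quoted above, triaged as an added example (this is not code from the thread, from Malwarebytes or from any tool mentioned here): the parser assumes the exact alert wording quoted in the post, the port-to-service mapping is my own assumption, and the third sample line is constructed to show an outgoing block for contrast.

```python
import re
from collections import Counter

# Constructed sample input: the first two lines copy the alert format quoted in the
# thread; the third is invented to show what an *outgoing* block looks like.
SAMPLE_ALERTS = [
    "Successfully blocked access to a potentially malicious website 222.186.15.17 "
    "Type: incoming Port: 1433, Process: svchost.exe",
    "Successfully blocked access to a potentially malicious website 60.173.12.142 "
    "Type: incoming Port: 3389, Process: svchost.exe",
    "Successfully blocked access to a potentially malicious website 203.0.113.9 "
    "Type: outgoing Port: 80, Process: iexplore.exe",
]

ALERT_RE = re.compile(
    r"blocked access to a potentially malicious website "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) Type: (?P<direction>incoming|outgoing) "
    r"Port: (?P<port>\d+), Process: (?P<process>\S+)"
)

# Assumed mapping of the ports seen in the thread to the service usually behind them.
PORT_SERVICE = {1433: "MS SQL Server", 3389: "Remote Desktop (RDP)", 445: "SMB", 80: "HTTP"}


def parse_alert(line):
    """Return the fields of one Malwarebytes website-block alert, or None if it does not match."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    port = int(m["port"])
    return {"ip": m["ip"], "direction": m["direction"], "port": port,
            "process": m["process"], "service": PORT_SERVICE.get(port, "unknown")}


def triage(lines):
    """Separate unsolicited inbound probes from connections a local process tried to open."""
    alerts = [a for a in map(parse_alert, lines) if a is not None]
    inbound = [a for a in alerts if a["direction"] == "incoming"]
    outbound = [a for a in alerts if a["direction"] == "outgoing"]
    return {
        # Inbound hits on svchost.exe for SQL/RDP ports are typically Internet scanning noise
        # that the block stopped; they show the host is reachable on those ports, not that it
        # is infected.
        "inbound_probes": inbound,
        "inbound_ports": Counter(a["service"] for a in inbound),
        # An outbound block is different: a local process initiated it, so that process, and
        # what the user was doing at the time, is what to look at first.
        "outbound_to_review": sorted({a["process"] for a in outbound}),
    }
```

    Running `triage(SAMPLE_ALERTS)` groups the two quoted alerts as inbound probes on MS SQL Server and RDP, and lists only the constructed outgoing line's process for follow-up.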
     
  15. hez21

    hez21 Thread Starter

    Joined:
    Feb 12, 2013
    Messages:
    8
    Hi Kevin,

    It is already updated; it was done today before the warnings came in. It did a scan and said there was nothing there. I was on Facebook when the messages came in and trying to get onto all sorts of game sites but can't because they take forever to load. I have had about 6 or 7 more messages, a couple each time I get on Facebook.

    Malwarebytes Anti-Malware (Trial) 1.70.0.1100
    www.malwarebytes.org
    Database version: v2013.02.17.01
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Heather :: HEATHER-HP [administrator]
    Protection: Enabled
    17/02/2013 10:06:52 PM
    mbam-log-2013-02-17 (22-06-52).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 213140
    Time elapsed: 3 minute(s), 37 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
     
Short URL to this thread: https://techguy.org/1089254
