
Help with Trojan would be cool please


Post by Marmalade » May 5th, 2012, 12:48 am

My antivirus ran a scan and found some sort of trojan,
JSscript XE-inf, in my Firefox profile,
and the name Dean Edwards was there also, whoever that was.
Since I didn't notice it, it only got picked up on the boot scan as I rebooted without knowing.
Is it possible it could have spread?
Still have problems:
mouse keeps moving
Firefox keeps not responding

Logs enclosed


DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.4.0
Run by Chris at 5:47:04 on 2012-05-05
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3060.1838 [GMT 1:00]
.
AV: avast! Internet Security *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Internet Security *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: avast! Internet Security *Enabled* {131692B0-0864-D491-4E21-3A3A1D8BBB47}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVAST Software\Avast\afwServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\igfxtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Samsung\Kies\KiesTrayAgent.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.visagecomputers.co.uk/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [FileHippo.com] "c:\program files\filehippo.com\UpdateChecker.exe" /background
uRun: [GoTrusted] c:\program files\gotrusted.com\gotrusted secure tunnel v2.3.1.5\GoTrusted Secure Tunnel.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [KiesHelper] c:\program files\samsung\kies\KiesHelper.exe /s
uRun: [KiesPDLR] c:\program files\samsung\kies\external\firmwareupdate\KiesPDLR.exe
uRun: [Google Update] "c:\users\chris\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [KiesTrayAgent] c:\program files\samsung\kies\KiesTrayAgent.exe
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
StartupFolder: c:\users\chris\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net ... plugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{24808C3F-DF8E-4DBB-B40F-D7DB39A51B71} : DhcpNameServer = 192.168.0.203
TCP: Interfaces\{C010AF49-0C76-4353-BB35-19AE24C74C4F} : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{C010AF49-0C76-4353-BB35-19AE24C74C4F} : DhcpNameServer = 192.168.0.1
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\chris\appdata\roaming\mozilla\firefox\profiles\pbeikcgo.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\microsoft silverlight\5.0.61118.0\npctrlui.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\chris\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2012-4-17 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [2012-4-17 196440]
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [2012-4-17 112984]
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2012-4-17 24408]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-4-17 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-4-17 337880]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-4-17 20696]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-4-17 57688]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-4-17 44768]
R2 avast! Firewall;avast! Firewall;c:\program files\avast software\avast\afwServ.exe [2012-4-17 134920]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-26 654408]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2012-2-16 95200]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-10-14 994360]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-10-14 399416]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2012-4-12 66112]
R3 gttap1;GoTrusted TAP Adapter;c:\windows\system32\drivers\gttap1.sys [2008-3-18 20480]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-26 22344]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S2 0184651330180573mcinstcleanup;McAfee Application Installer Cleanup (0184651330180573);c:\windows\temp\018465~1.exe -cleanup -nolog --> c:\windows\temp\018465~1.EXE -cleanup -nolog [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-30 257696]
S3 MOSUMAC;USB-Ethernet Driver;c:\windows\system32\drivers\MOSUMAC.SYS [2010-11-19 43520]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-25 129976]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2012-05-04 21:50:16 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-04 21:50:16 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-02 05:03:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-05-02 05:03:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-05-02 05:03:02 772552 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-05-02 05:03:02 687560 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 14:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-09 09:29:56 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-03-08 17:50:28 49016 ----a-w- c:\windows\system32\sirenacm.dll
2012-03-06 23:15:19 41184 ----a-w- c:\windows\avastSS.scr
2012-03-06 23:04:25 112984 ----a-w- c:\windows\system32\drivers\aswFW.sys
2012-03-06 23:03:51 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-06 23:03:23 196440 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2012-03-06 23:02:43 24408 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2012-03-06 23:01:48 57688 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-03-06 06:39:00 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-06 06:39:00 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-02-29 15:11:45 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-29 15:11:42 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 15:09:53 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 13:32:37 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-23 14:54:51 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2012-02-14 15:45:30 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-02-14 15:45:30 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-13 14:12:08 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-13 13:47:57 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-02-13 13:44:40 1068544 ----a-w- c:\windows\system32\DWrite.dll
.
============= FINISH: 5:47:37.66 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 04/02/2011 10:32:19
System Uptime: 05/05/2012 05:25:37 (0 hours ago)
.
Motherboard: Dell Inc. | | 0K216C
Processor: Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz | Socket 775 | 2664/333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 288 GiB total, 234.851 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 3.888 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: GT-I9100
Device ID: USB\VID_04E8&PID_6860&MS_COMP_MTP&SAMSUNG_ANDROID\6&71AC855&3&0000
Manufacturer: SAMSUNG Electronics Co. Ltd.
Name: GT-I9100
PNP Device ID: USB\VID_04E8&PID_6860&MS_COMP_MTP&SAMSUNG_ANDROID\6&71AC855&3&0000
Service: WUDFRd
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Leawo Video Converter version 5.1.0.0
Adobe AIR
Adobe Community Help
Adobe Download Assistant
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Photoshop CS5.1
Adobe Reader X (10.1.3)
Adobe Shockwave Player 11.6
Apple Application Support
Apple Software Update
avast! Internet Security
AviSynth 2.5
CCleaner
ConvertXtoDVD 4.0.9.322
D3DX10
EasyBCD 1.7
ESET Online Scanner v3
ffdshow [rev 2180] [2008-10-04]
FileHippo.com Update Checker
Google Chrome
GoTrusted Secure Tunnel v2.3.1.5
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft .NET Framework 4 Client Profile (KB2461678)
Intel(R) Graphics Media Accelerator Driver
Java Auto Updater
Java(TM) 6 Update 31
Java(TM) 7 Update 4
K-Lite Codec Pack 7.9.0 (Basic)
Malwarebytes Anti-Malware version 1.61.0.1400
McAfee SiteAdvisor
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFCLOC_x86
Mozilla Firefox 12.0 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB973685)
Nero 7 Lite 7.10.1.2
OpenOffice.org 3.3
PDF Settings CS5
PowerDVD
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
Revo Uninstaller 1.93
Samsung Kies
SAMSUNG USB Driver for Mobile Phones
Secunia PSI (2.0.0.4003)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Segoe UI
StreamTorrent 1.0
SUPERAntiSpyware
swMSM
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
VLC media player 2.0.1
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Messenger
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Media Player Firefox Plugin
WinRAR archiver
YouTube Downloader App 3.00
.
==== Event Viewer Messages From Past Week ========
.
29/04/2012 16:33:44, Error: Service Control Manager [7043] - The Group Policy Client service did not shut down properly after receiving a preshutdown control.
28/04/2012 15:39:16, Error: EventLog [6008] - The previous system shutdown at 01:10:53 on 28/04/2012 was unexpected.
01/05/2012 06:28:51, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
.
==== End Of File ===========================
Marmalade
Active Member
Posts: 9
Joined: May 5th, 2012, 12:41 am

Re: Help with Trojan would be cool please

Post by deltalima » May 5th, 2012, 3:37 pm

Checking your log - back soon.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Help with Trojan would be cool please

Post by deltalima » May 5th, 2012, 3:41 pm

Hi Marmalade,

Welcome to the forum.

Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Please note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please do not run any scans or make any changes to the system unless I ask you to.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Please Note:
The programs I ask you to run need to be run in Administrator Mode by... Right clicking the program file and selecting: Run as Administrator.
Additionally, the built-in User Account Control (UAC) utility, if enabled, may prompt you for permission to run the program.
When prompted, please select: Allow. Reference: User Account Control (UAC) and Running as Administrator

Remove P2P Programs

  • I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    StreamTorrent 1.0


  • Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
  • Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

  • Click on start
  • Then Run
  • In the open text entry box please copy/paste appwiz.cpl Then click enter.
  • Press the "Remove" or "Change/Remove"...button to uninstall the programs listed above (in red) and any other P2P you have installed NOW.
  • Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

CKScanner

  • Please download CKScanner from here to your Desktop.
  • Make sure that CKScanner.exe is on your Desktop before running the application!
  • Right click on CKScanner.exe and select: Run as Administrator then click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file was saved.
  • Double-click on the CKFiles.txt icon on your Desktop and copy/paste the contents in your next reply.

Next

  • Please download this tool from Microsoft.
  • Right click on MGADiag.exe and select: Run as Administrator.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in the window.
  • Save this file and copy/paste it in your next reply.

Please let me know if the computer is used for home or for business use.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Help with Trojan would be cool please

Post by Marmalade » May 5th, 2012, 4:22 pm

Thanks, it's a home computer.
-----------------------------

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11.WRNAUV
----- EOF -----

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Online Validation Code: N/A, hr = 0xc004f012
Windows Product Key: *****-*****-V36KB-BW8PX-K6Y77
Windows Product Key Hash: XSqsoFMD0i1daBDTcniPDwwbYUQ=
Windows Product ID: 89578-OEM-7354286-31327
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 6.0.6002.2.00010300.2.0.003
ID: {E65EA5B3-6C5D-4EC7-8D9D-F2261B4B4E40}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows Vista (TM) Home Premium
Architecture: 0x00000000
Build lab: 6002.vistasp2_gdr.120305-0430
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: 6.0.6002.16398

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Users\Chris\AppData\Local\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{E65EA5B3-6C5D-4EC7-8D9D-F2261B4B4E40}</UGUID><Version>1.9.0027.0</Version><OS>6.0.6002.2.00010300.2.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-K6Y77</PKey><PID>89578-OEM-7354286-31327</PID><PIDType>3</PIDType><SID>S-1-5-21-3299710142-3868310564-1978959094</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Inspiron 530</Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>1.0.15</Version><SMBIOSVersion major="2" minor="5"/><Date>20080620000000.000000+000</Date></BIOS><HWID>04313507018400FA</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>FX09 </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.0.6002.18005
Name: Windows(TM) Vista, HomePremium edition
Description: Windows Operating System - Vista, OEM_COA_NSLP channel
Activation ID: f3acdd3c-119a-4932-a3d7-0b6f33a1dca9
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 89578-00146-542-831327-02-2057-6001.0000-0352011
Installation ID: 009735477993813240357353173165725586922680830092409893
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=43473
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=43474
Use License URL: http://go.microsoft.com/fwlink/?LinkID=43476
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=43475
Partial Product Key: K6Y77
License Status: Licensed

Windows Activation Technologies-->
N/A

HWID Data-->
HWID Hash Current: NgAAAAEABAABAAEAAQABAAAAAwABAAEAeqj+v9K/8nu2WWT+iP26k+xQ8vREJZCgrFYisCqF

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20000
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC DELL FX09
FACP DELL FX09
HPET DELL FX09
MCFG DELL FX09
SLIC DELL FX09
DMY2 DELL FX09
SSDT PmRef CpuPm
Marmalade
Active Member
Posts: 9
Joined: May 5th, 2012, 12:41 am

Re: Help with Trojan would be cool please

Post by deltalima » May 5th, 2012, 4:28 pm

Hi Marmalade,

Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
  • Right click on OTL.exe and select: Run as Administrator.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.
  • Right click the .exe file and select: Run as Administrator. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE
Important! Please do not select the "Show all" checkbox during the scan.

Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Help with Trojan would be cool please

Post by Marmalade » May 6th, 2012, 3:11 am

OTL logfile created on: 06/05/2012 07:47:01 - Run 1
OTL by OldTimer - Version 3.2.42.2 Folder = C:\Users\Chris\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.99 Gb Total Physical Memory | 2.10 Gb Available Physical Memory | 70.11% Memory free
6.21 Gb Paging File | 4.47 Gb Available in Paging File | 72.05% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288.32 Gb Total Space | 234.74 Gb Free Space | 81.41% Space Free | Partition Type: NTFS
Drive D: | 9.77 Gb Total Space | 3.89 Gb Free Space | 39.82% Space Free | Partition Type: NTFS
Drive E: | 702.31 Mb Total Space | 594.80 Mb Free Space | 84.69% Space Free | Partition Type: UDF

Computer Name: DELL-530 | User Name: Chris | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Chris\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Real\RealPlayer\Update\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe ()
PRC - C:\Program Files\Samsung\Kies\KiesTrayAgent.exe (Samsung Electronics Co., Ltd.)
PRC - C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
PRC - C:\Program Files\AVAST Software\Avast\afwServ.exe (AVAST Software)
PRC - c:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Secunia\PSI\psia.exe (Secunia)
PRC - C:\Program Files\Secunia\PSI\sua.exe (Secunia)
PRC - C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
PRC - C:\Program Files\SUPERAntiSpyware\SASCore.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========

MOD - C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll ()
MOD - C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10007.dll ()
MOD - C:\Windows\System32\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
MOD - C:\Users\Chris\AppData\Local\temp\bd7c47bb-f5c0-417c-a180-ec348d87718a\CliSecureRT.dll ()
MOD - C:\Program Files\Mozilla Firefox\mozjs.dll ()
MOD - C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL ()
MOD - C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationFramewo#\aceee343625b7f4576e6d48fb91977e3\PresentationFramework.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\5eb81f84116fecd08f3acf0603204457\PresentationCore.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\33d45f88d59de3b84f2ed79095e29f41\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\8729094857a3f3185deec237ef30b087\WindowsBase.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\5654b44c3d45f7863f6d3d218a87967a\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\888be382c48887c830026806a9587e31\System.Management.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runtime.Remo#\1378a1c9290882206f4d5a6561bfc5d7\System.Runtime.Remoting.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\a07e3882af9ea368a54742fc19c86662\System.Xaml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationFramewo#\eaeaf5f980c23f6075820513748695d9\PresentationFramework.Aero.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\22d54437cf1de9478f5c2c23f07eb9d6\System.Core.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\1084708d3872b8e64f7ec88145298b2d\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ff7c4aa829c327b186ef85cff3289bdf\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\90842cf922c71c82718ba71d5801c30c\mscorlib.ni.dll ()
MOD - C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe ()
MOD - C:\Program Files\OpenOffice.org 3\program\libxml2.dll ()
MOD - C:\Program Files\WinRAR\RarExt.dll ()


========== Win32 Services (SafeList) ==========

SRV - (0184651330180573mcinstcleanup) McAfee Application Installer Cleanup (0184651330180573) -- C:\Windows\TEMP\018465~1.EXE File not found
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (avast! Antivirus) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
SRV - (avast! Firewall) -- C:\Program Files\AVAST Software\Avast\afwServ.exe (AVAST Software)
SRV - (McAfee SiteAdvisor Service) -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
SRV - (AdobeARMservice) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (Secunia PSI Agent) -- C:\Program Files\Secunia\PSI\psia.exe (Secunia)
SRV - (Secunia Update Agent) -- C:\Program Files\Secunia\PSI\sua.exe (Secunia)
SRV - (!SASCORE) -- C:\Program Files\SUPERAntiSpyware\SASCore.exe (SUPERAntiSpyware.com)
SRV - (SwitchBoard) -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found
DRV - (mbr) -- C:\Users\Chris\AppData\Local\Temp\mbr.sys File not found
DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found
DRV - (catchme) -- C:\ComboFix\catchme.sys File not found
DRV - (MBAMProtector) -- C:\Windows\System32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (aswFW) -- C:\Windows\System32\drivers\aswFW.sys (AVAST Software)
DRV - (aswSnx) -- C:\Windows\System32\drivers\aswSnx.sys (AVAST Software)
DRV - (aswSP) -- C:\Windows\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswNdis2) -- C:\Windows\System32\drivers\aswNdis2.sys (AVAST Software)
DRV - (aswKbd) -- C:\Windows\System32\drivers\aswKbd.sys (AVAST Software)
DRV - (AswRdr) -- C:\Windows\System32\drivers\aswRdr.sys (AVAST Software)
DRV - (aswTdi) -- C:\Windows\System32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswMonFlt) -- C:\Windows\System32\drivers\aswMonFlt.sys (AVAST Software)
DRV - (aswFsBlk) -- C:\Windows\System32\drivers\aswFsBlk.sys (AVAST Software)
DRV - (aswNdis) -- C:\Windows\System32\drivers\aswNdis.sys (ALWIL Software)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (dg_ssudbus) SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.) -- C:\Windows\System32\drivers\ssudbus.sys (DEVGURU Co., LTD.(www.devguru.co.kr))
DRV - (AVGIDSEH) -- C:\Windows\System32\drivers\AVGIDSEH.sys (AVG Technologies CZ, s.r.o. )
DRV - (PSI) -- C:\Windows\System32\drivers\psi_mf.sys (Secunia)
DRV - (MOSUMAC) -- C:\Windows\System32\drivers\MOSUMAC.SYS (--)
DRV - (gttap1) -- C:\Windows\System32\drivers\gttap1.sys (GoTrusted)
DRV - (e1express) Intel(R) -- C:\Windows\System32\drivers\e1e6032.sys (Intel Corporation)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.visagecomputers.co.uk/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://search.avg.com/route/?d=4d4c00cf ... =chrome&q={searchTerms}&lng={language}&iy=&ychte=us
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.4.0: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.4.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.0.61118.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.3.37: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.3.37: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.3.37: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.3.37: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=15.0.3.37: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Program Files\VideoLAN\VLC\npvlc.dll File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Chris\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Chris\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/05/02 06:04:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files\McAfee\SiteAdvisor [2012/02/25 16:51:28 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012/04/17 13:03:46 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/04/30 15:28:22 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012/04/17 10:35:24 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chris\AppData\Roaming\Mozilla\Extensions
[2012/05/03 17:10:13 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\pbeikcgo.default\extensions
[2012/04/22 22:04:53 | 000,000,000 | ---D | M] (British English Dictionary) -- C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\pbeikcgo.default\extensions\en-GB@dictionaries.addons.mozilla.org
[2012/04/30 15:28:22 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/04/17 13:03:46 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
() (No name found) -- C:\USERS\CHRIS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\PBEIKCGO.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2012/04/21 02:19:34 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/04/21 02:18:25 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/04/21 02:18:25 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Chris\AppData\Local\Google\Chrome\Application\19.0.1084.41\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Chris\AppData\Local\Google\Chrome\Application\19.0.1084.41\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Chris\AppData\Local\Google\Chrome\Application\19.0.1084.41\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32_11_2_202_228.dll
CHR - plugin: McAfee SiteAdvisor (Enabled) = C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.41.123.2_0\McChPlg.dll
CHR - plugin: McAfee SiteAdvisor (Enabled) = C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Microsoft\u00AE Windows Media Player Firefox Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
CHR - plugin: Java Deployment Toolkit 6.0.310.5 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U31 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
CHR - plugin: RealPlayer(tm) HTML5VideoShim Plug-In (32-bit) (Enabled) = C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
CHR - plugin: RealJukebox NS Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll
CHR - plugin: RealNetworks(tm) Chrome Background Extension Plug-In (32-bit) (Enabled) = C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
CHR - plugin: Google Update (Enabled) = C:\Users\Chris\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\5.0.61118.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: YouTube = C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: SiteAdvisor = C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.41.123.2_0\
CHR - Extension: avast! WebRep = C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\
CHR - Extension: RealPlayer HTML5Video Downloader Extension = C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.5_0\
CHR - Extension: ScriptNo = C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\oiigbmnaadbkfbmpbfijlflahbdbdgdf\1.0.6.2_0\
CHR - Extension: Gmail = C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/04/11 02:40:18 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin File not found
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [KiesTrayAgent] C:\Program Files\Samsung\Kies\KiesTrayAgent.exe (Samsung Electronics Co., Ltd.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [FileHippo.com] C:\Program Files\FileHippo.com\UpdateChecker.exe (FileHippo.com)
O4 - HKCU..\Run: [GoTrusted] C:\Program Files\GoTrusted.com\GoTrusted Secure Tunnel v2.3.1.5\GoTrusted Secure Tunnel.exe (GoTrusted.com)
O4 - HKCU..\Run: [KiesHelper] C:\Program Files\Samsung\Kies\KiesHelper.exe (Samsung)
O4 - HKCU..\Run: [KiesPDLR] C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe ()
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - HKCU..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - Startup: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net ... plugin.cab (QuickTime Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 10.4.0)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/fl ... rashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 10.4.0)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{24808C3F-DF8E-4DBB-B40F-D7DB39A51B71}: DhcpNameServer = 192.168.0.203
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C010AF49-0C76-4353-BB35-19AE24C74C4F}: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C010AF49-0C76-4353-BB35-19AE24C74C4F}: NameServer = 8.26.56.26,156.154.70.22
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/05/06 07:45:56 | 000,595,456 | ---- | C] (OldTimer Tools) -- C:\Users\Chris\Desktop\OTL.exe
[2012/05/05 21:21:07 | 000,000,000 | ---D | C] -- C:\MGADiagToolOutput
[2012/05/05 21:20:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Office Genuine Advantage
[2012/05/05 21:18:55 | 002,031,992 | ---- | C] (Microsoft Corporation) -- C:\Users\Chris\Desktop\MGADiag.exe
[2012/05/05 05:42:53 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Chris\Desktop\dds(1).scr
[2012/05/02 06:04:57 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
[2012/05/02 06:03:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/05/02 06:03:35 | 000,227,784 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\javaws.exe
[2012/04/25 01:48:06 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
[2012/04/25 01:48:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla
[2012/04/17 12:54:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Internet Security
[2012/04/17 12:54:07 | 000,020,696 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2012/04/17 12:54:05 | 000,337,880 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2012/04/17 12:53:59 | 000,112,984 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFW.sys
[2012/04/17 12:53:36 | 000,196,440 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswNdis2.sys
[2012/04/17 12:53:35 | 000,035,672 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2012/04/17 12:53:34 | 000,053,848 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2012/04/17 12:53:34 | 000,024,408 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswKbd.sys
[2012/04/17 12:53:33 | 000,612,184 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2012/04/17 12:53:33 | 000,057,688 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2012/04/17 12:53:04 | 000,041,184 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2012/04/17 12:53:04 | 000,012,112 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswNdis.sys
[2012/04/17 12:53:03 | 000,201,352 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2012/04/17 12:19:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
[2012/04/17 12:19:00 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2012/04/17 12:19:00 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2012/04/17 11:55:15 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\Download Manager
[2012/04/17 11:48:36 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\lptmp22190
[2012/04/17 10:35:18 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\Mozilla
[2012/04/17 10:35:02 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/04/17 10:24:04 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\Apple Computer
[2012/04/16 21:09:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2012/04/16 21:09:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer
[2012/04/16 21:09:00 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2012/04/16 21:08:29 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\Apple
[2012/04/16 21:08:23 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2012/04/16 21:08:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple
[2012/04/12 00:10:10 | 000,066,112 | ---- | C] (DEVGURU Co., LTD.(www.devguru.co.kr)) -- C:\Windows\System32\drivers\ssudbus.sys
[2012/04/11 21:51:32 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
[2012/04/11 12:25:12 | 000,174,024 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\javaw.exe
[2012/04/11 12:25:12 | 000,174,024 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\java.exe
[2012/04/11 12:24:44 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2012/04/11 11:24:22 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2012/04/11 11:24:20 | 001,799,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2012/04/11 11:24:19 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2012/04/11 11:24:19 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2012/04/11 11:24:19 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2012/04/11 11:24:18 | 001,427,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2012/04/11 11:23:59 | 003,550,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2012/04/11 11:23:58 | 003,602,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2012/04/11 02:41:03 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/04/11 02:38:49 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/04/11 01:47:49 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\{A64F6B20-0248-4FFC-AA50-D2E5E5C156B9}
[2012/04/11 01:47:09 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\{9663F7A2-DDF6-431D-B294-D83624D322D9}
[2012/04/10 22:42:55 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\SUPERAntiSpyware.com
[2012/04/10 20:13:09 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\StreamTorrent
[2012/04/09 12:32:48 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\{2A442981-DE4C-4081-9437-5BD379B62520}
[2012/04/09 12:32:37 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\{68E27041-A7D3-4F46-8112-F8E549EB25F1}
[2012/04/08 23:18:59 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\{930BD804-669F-4067-AC8E-5A68B2782FA7}
[2011/12/28 15:52:30 | 000,047,360 | ---- | C] (VSO Software) -- C:\Users\Chris\AppData\Roaming\pcouffin.sys
[1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/05/06 07:46:44 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3299710142-3868310564-1978959094-1001UA.job
[2012/05/06 07:46:04 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Users\Chris\Desktop\OTL.exe
[2012/05/06 07:45:35 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/05/06 07:45:24 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/05/05 21:55:00 | 000,000,856 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3299710142-3868310564-1978959094-1001Core.job
[2012/05/05 21:20:25 | 000,005,184 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/05/05 21:20:25 | 000,005,184 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/05/05 21:19:03 | 002,031,992 | ---- | M] (Microsoft Corporation) -- C:\Users\Chris\Desktop\MGADiag.exe
[2012/05/05 21:18:25 | 000,458,240 | ---- | M] () -- C:\Users\Chris\Desktop\CKScanner.exe
[2012/05/05 09:28:35 | 000,001,041 | ---- | M] () -- C:\Users\Chris\AppData\Roaming\vso_ts_preview.xml
[2012/05/05 05:42:58 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Chris\Desktop\dds(1).scr
[2012/05/05 05:25:51 | 3209,875,456 | -HS- | M] () -- C:\hiberfil.sys
[2012/05/04 22:50:16 | 000,419,488 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2012/05/04 22:50:16 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012/05/03 17:11:25 | 000,002,042 | ---- | M] () -- C:\Users\Chris\Desktop\Google Chrome.lnk
[2012/05/03 17:11:25 | 000,002,004 | ---- | M] () -- C:\Users\Chris\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/05/02 06:05:30 | 000,001,069 | ---- | M] () -- C:\Users\Public\Desktop\RealPlayer.lnk
[2012/05/02 06:04:36 | 000,198,832 | ---- | M] (RealNetworks, Inc.) -- C:\Windows\System32\rmoc3260.dll
[2012/05/02 06:04:07 | 000,006,656 | ---- | M] (RealNetworks, Inc.) -- C:\Windows\System32\pndx5016.dll
[2012/05/02 06:04:07 | 000,005,632 | ---- | M] (RealNetworks, Inc.) -- C:\Windows\System32\pndx5032.dll
[2012/05/02 06:04:04 | 000,272,896 | ---- | M] (Progressive Networks) -- C:\Windows\System32\pncrt.dll
[2012/05/02 06:03:02 | 000,772,552 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\npdeployJava1.dll
[2012/05/02 06:03:02 | 000,687,560 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\deployJava1.dll
[2012/05/02 06:03:02 | 000,227,784 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\javaws.exe
[2012/05/02 06:03:02 | 000,174,024 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\javaw.exe
[2012/05/02 06:03:02 | 000,174,024 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\java.exe
[2012/05/02 06:02:40 | 000,000,804 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/04/30 15:28:30 | 000,000,870 | ---- | M] () -- C:\Users\Chris\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/04/30 15:28:30 | 000,000,846 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/04/24 13:43:36 | 007,354,634 | ---- | M] () -- C:\Users\Chris\Documents\tuessssss.pdf
[2012/04/21 09:54:07 | 021,563,144 | ---- | M] () -- C:\Users\Chris\Documents\sa.pdf
[2012/04/18 13:01:59 | 008,127,107 | ---- | M] () -- C:\Users\Chris\Documents\vvvvvvvvvvvvvv.pdf
[2012/04/17 13:03:47 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2012/04/17 12:54:09 | 000,001,829 | ---- | M] () -- C:\Users\Public\Desktop\avast! Internet Security.lnk
[2012/04/17 12:19:09 | 000,001,800 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/04/16 21:09:38 | 000,001,726 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2012/04/16 08:21:06 | 000,035,840 | ---- | M] () -- C:\Users\Chris\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/04/14 12:03:02 | 048,120,397 | ---- | M] () -- C:\Users\Chris\Documents\pdf_reports.pdf
[2012/04/11 11:22:13 | 000,595,798 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/04/11 11:22:12 | 000,103,872 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/04/11 11:10:35 | 000,000,258 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2012/04/11 03:03:07 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2012/04/11 03:03:07 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2012/04/11 02:40:18 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/04/10 19:10:38 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/04/10 11:01:47 | 006,087,543 | ---- | M] () -- C:\Users\Chris\Documents\dd.pdf
[2012/04/06 21:37:19 | 000,062,737 | ---- | M] () -- C:\Users\Chris\Desktop\Dufrais Whos Paying.mp3
[1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/05/05 21:18:25 | 000,458,240 | ---- | C] () -- C:\Users\Chris\Desktop\CKScanner.exe
[2012/05/02 06:05:30 | 000,001,069 | ---- | C] () -- C:\Users\Public\Desktop\RealPlayer.lnk
[2012/04/24 13:43:36 | 007,354,634 | ---- | C] () -- C:\Users\Chris\Documents\tuessssss.pdf
[2012/04/21 09:54:06 | 021,563,144 | ---- | C] () -- C:\Users\Chris\Documents\sa.pdf
[2012/04/18 13:01:59 | 008,127,107 | ---- | C] () -- C:\Users\Chris\Documents\vvvvvvvvvvvvvv.pdf
[2012/04/17 12:54:09 | 000,001,829 | ---- | C] () -- C:\Users\Public\Desktop\avast! Internet Security.lnk
[2012/04/17 12:19:09 | 000,001,800 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/04/17 10:35:07 | 000,000,870 | ---- | C] () -- C:\Users\Chris\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/04/17 10:35:07 | 000,000,858 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012/04/17 10:35:07 | 000,000,846 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/04/16 21:09:38 | 000,001,726 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2012/04/16 21:08:24 | 000,001,830 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
[2012/04/16 16:17:49 | 000,001,041 | ---- | C] () -- C:\Users\Chris\AppData\Roaming\vso_ts_preview.xml
[2012/04/14 12:03:00 | 048,120,397 | ---- | C] () -- C:\Users\Chris\Documents\pdf_reports.pdf
[2012/04/11 21:51:34 | 000,002,042 | ---- | C] () -- C:\Users\Chris\Desktop\Google Chrome.lnk
[2012/04/11 21:51:34 | 000,002,004 | ---- | C] () -- C:\Users\Chris\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/04/11 21:50:34 | 000,000,908 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3299710142-3868310564-1978959094-1001UA.job
[2012/04/11 21:50:33 | 000,000,856 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3299710142-3868310564-1978959094-1001Core.job
[2012/04/11 11:10:35 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2012/04/11 03:03:07 | 000,000,000 | RHS- | C] () -- C:\MSDOS.SYS
[2012/04/11 03:03:07 | 000,000,000 | RHS- | C] () -- C:\IO.SYS
[2012/04/10 11:01:46 | 006,087,543 | ---- | C] () -- C:\Users\Chris\Documents\dd.pdf
[2012/04/06 21:37:08 | 000,062,737 | ---- | C] () -- C:\Users\Chris\Desktop\Dufrais Whos Paying.mp3
[2012/03/18 21:07:14 | 000,175,616 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2012/01/13 09:10:03 | 000,614,499 | ---- | C] () -- C:\Users\Chris\AppData\Local\census.cache
[2012/01/13 09:09:35 | 000,163,945 | ---- | C] () -- C:\Users\Chris\AppData\Local\ars.cache
[2012/01/13 08:12:43 | 000,000,036 | ---- | C] () -- C:\Users\Chris\AppData\Local\housecall.guid.cache
[2011/12/28 15:52:30 | 000,007,887 | ---- | C] () -- C:\Users\Chris\AppData\Roaming\pcouffin.cat
[2011/12/28 15:52:30 | 000,001,144 | ---- | C] () -- C:\Users\Chris\AppData\Roaming\pcouffin.inf
[2011/12/28 08:42:22 | 000,035,840 | ---- | C] () -- C:\Users\Chris\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/12/23 21:58:28 | 000,030,568 | ---- | C] () -- C:\Windows\MusiccityDownload.exe
[2011/12/23 21:58:24 | 000,974,848 | ---- | C] () -- C:\Windows\System32\cis-2.4.dll
[2011/12/23 21:58:24 | 000,081,920 | ---- | C] () -- C:\Windows\System32\issacapi_bs-2.3.dll
[2011/12/23 21:58:24 | 000,065,536 | ---- | C] () -- C:\Windows\System32\issacapi_pe-2.3.dll
[2011/12/23 21:58:24 | 000,057,344 | ---- | C] () -- C:\Windows\System32\issacapi_se-2.3.dll
[2011/02/04 14:50:35 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2011/02/04 14:50:19 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2011/02/04 14:19:09 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1472.dll
[2011/02/04 13:24:09 | 000,000,680 | ---- | C] () -- C:\Users\Chris\AppData\Local\d3d9caps.dat

< End of report >

OTL Extras logfile created on: 06/05/2012 07:47:02 - Run 1
OTL by OldTimer - Version 3.2.42.2 Folder = C:\Users\Chris\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.99 Gb Total Physical Memory | 2.10 Gb Available Physical Memory | 70.11% Memory free
6.21 Gb Paging File | 4.47 Gb Available in Paging File | 72.05% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288.32 Gb Total Space | 234.74 Gb Free Space | 81.41% Space Free | Partition Type: NTFS
Drive D: | 9.77 Gb Total Space | 3.89 Gb Free Space | 39.82% Space Free | Partition Type: NTFS
Drive E: | 702.31 Mb Total Space | 594.80 Mb Free Space | 84.69% Space Free | Partition Type: UDF

Computer Name: DELL-530 | User Name: Chris | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [Bridge] -- C:\Program Files\Adobe\Adobe Bridge CS5.1\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{66DA123C-20BA-4BF5-807B-56DD045F3DC1}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{7581500E-176F-4EB2-BAF0-C2B422A28AAE}" = lport=2869 | protocol=6 | dir=in | app=system |
"{DF4322E7-A8F4-4CDA-97E0-1F16E3619F58}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{F90F0B39-2DFB-46FB-AD77-58B3F1CC027D}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2A98C711-D518-40A0-8682-2CBDD0F41A4C}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{39DDA8C9-459F-4031-B48E-6C18F49A046D}" = dir=in | app=c:\program files\windows live\contacts\wlcomm.exe |
"{40D3180F-159E-490F-B7AE-C78FB21B4835}" = protocol=17 | dir=in | app=c:\windows\system32\muzapp.exe |
"{6F2BB904-B011-49BA-9FCC-D9B076A725D6}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgmfapx.exe |
"{7F2385FC-8BDB-4F8D-977F-5E7E212778D2}" = protocol=6 | dir=in | app=c:\windows\system32\muzapp.exe |
"{8888D5A1-B51B-46D2-90DB-74EB76149035}" = dir=in | app=c:\program files\windows live\messenger\livecall.exe |
"{971FDF86-35D2-44E9-8021-145985745FBC}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{E00B87B6-1B74-441A-B6C4-529AD3385CBF}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgmfapx.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86
"{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
"{26A24AE4-039D-4CA4-87B4-2F83217004FF}" = Java(TM) 7 Update 4
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{2A3FC24C-6EC0-4519-A52B-FDA4EA9B2D24}" = Windows Live Messenger
"{331ED3CF-3A1B-467C-9A62-899E2D3B20C4}_is1" = Leawo Video Converter version 5.1.0.0
"{3521BDBD-D453-5D9F-AA55-44B75D214629}" = Adobe Community Help
"{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}" = McAfee SiteAdvisor
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
"{47FA2C44-D148-4DBC-AF60-B91934AA4842}" = Adobe AIR
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{5DD4FCBD-A3C1-4155-9E17-4161C70AAABA}" = Segoe UI
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{758C8301-2696-4855-AF45-534B1200980A}" = Samsung Kies
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{9158FF30-78D7-40EF-B83E-451AC5334640}" = Adobe Photoshop CS5.1
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{969E11AA-8F3A-F162-1A5A-0965E216B6CE}" = Adobe Download Assistant
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A78FE97A-C0C8-49CE-89D0-EDD524A17392}" = PDF Settings CS5
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
"{B6D38690-755E-4F40-A35A-23F8BC2B86AC}" = Microsoft_VC90_MFCLOC_x86
"{C6150D8A-86ED-41D3-87BB-F3BB51B0B77F}" = Windows Live ID Sign-in Assistant
"{CCCDF430-FFC5-41E8-82EB-FB7959EBC450}" = GoTrusted Secure Tunnel v2.3.1.5
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{DB6AB705-C9BD-40E3-8929-2EA57F36A4FF}_is1" = ConvertXtoDVD 4.0.9.322
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"avast" = avast! Internet Security
"AviSynth" = AviSynth 2.5
"CCleaner" = CCleaner
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
"com.adobe.downloadassistant.AdobeDownloadAssistant" = Adobe Download Assistant
"EasyBCD" = EasyBCD 1.7
"ESET Online Scanner" = ESET Online Scanner v3
"ffdshow_is1" = ffdshow [rev 2180] [2008-10-04]
"FileHippo.com" = FileHippo.com Update Checker
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"InstallShield_{758C8301-2696-4855-AF45-534B1200980A}" = Samsung Kies
"KLiteCodecPack_is1" = K-Lite Codec Pack 7.9.0 (Basic)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox 12.0 (x86 en-US)" = Mozilla Firefox 12.0 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Nero7Lite_is1" = Nero 7 Lite 7.10.1.2
"RealPlayer 15.0" = RealPlayer
"Revo Uninstaller" = Revo Uninstaller 1.93
"Secunia PSI" = Secunia PSI (2.0.0.4003)
"VLC media player" = VLC media player 2.0.1
"WinLiveSuite" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"YouTube Downloader App" = YouTube Downloader App 3.00

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 28/04/2012 10:44:21 | Computer Name = DELL-530 | Source = Windows Search Service | ID = 3013
Description =

Error - 28/04/2012 10:44:21 | Computer Name = DELL-530 | Source = Windows Search Service | ID = 3013
Description =

Error - 28/04/2012 10:44:21 | Computer Name = DELL-530 | Source = Windows Search Service | ID = 3013
Description =

Error - 28/04/2012 10:44:21 | Computer Name = DELL-530 | Source = Windows Search Service | ID = 3013
Description =

Error - 29/04/2012 10:42:56 | Computer Name = DELL-530 | Source = WinMgmt | ID = 10
Description =

Error - 29/04/2012 11:42:07 | Computer Name = DELL-530 | Source = WinMgmt | ID = 10
Description =

Error - 29/04/2012 17:31:26 | Computer Name = DELL-530 | Source = WinMgmt | ID = 10
Description =

Error - 29/04/2012 21:07:39 | Computer Name = DELL-530 | Source = WinMgmt | ID = 10
Description =

Error - 30/04/2012 09:52:04 | Computer Name = DELL-530 | Source = WinMgmt | ID = 10
Description =

Error - 30/04/2012 10:41:02 | Computer Name = DELL-530 | Source = WinMgmt | ID = 10
Description =

[ System Events ]
Error - 22/02/2012 08:09:37 | Computer Name = DELL-530 | Source = Service Control Manager | ID = 7011
Description =

Error - 22/02/2012 15:49:51 | Computer Name = DELL-530 | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.2 for the Network Card with network
address 001EC982BAAF has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).

Error - 28/02/2012 00:32:42 | Computer Name = DELL-530 | Source = Service Control Manager | ID = 7011
Description =

Error - 03/03/2012 23:54:56 | Computer Name = DELL-530 | Source = Service Control Manager | ID = 7011
Description =

Error - 07/03/2012 05:28:57 | Computer Name = DELL-530 | Source = Service Control Manager | ID = 7011
Description =

Error - 07/03/2012 05:52:40 | Computer Name = DELL-530 | Source = Service Control Manager | ID = 7011
Description =

Error - 09/03/2012 05:31:39 | Computer Name = DELL-530 | Source = DCOM | ID = 10010
Description =

Error - 09/03/2012 05:39:10 | Computer Name = DELL-530 | Source = PlugPlayManager | ID = 11
Description = The device Root\LEGACY_SYMEVENT\0000 disappeared from the system without
first being prepared for removal.

Error - 09/03/2012 18:56:49 | Computer Name = DELL-530 | Source = Service Control Manager | ID = 7009
Description =

Error - 09/03/2012 18:56:49 | Computer Name = DELL-530 | Source = Service Control Manager | ID = 7000
Description =


< End of report >
Marmalade

Re: Help with Tojan would be cool please

Unread postby Marmalade » May 6th, 2012, 3:14 am

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-05-06 08:15:22
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-1 ST3320613AS rev.DE11
Running: ujzo2niy.exe; Driver: C:\Users\Chris\AppData\Local\Temp\kfriapod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8EC72DF8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8F160A5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8EC7385E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8EC782E4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8EC78330]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8EC78422]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8EC78252]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8EC78374]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8EC7829A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8EC783DC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8EC72E44]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8F160B34]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8EC72AD6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8EC72E90]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8EC75D1C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8EC73B02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8EC7830E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8EC78352]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8EC78446]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8EC78278]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8EC783AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8EC782C2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8EC78400]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8F160CA0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8EC739CE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8EC72EDC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8EC72F28]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8EC72B46]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8EC72CEA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8EC72C92]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8EC72D5A]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0x8F0DA640]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8EC72F74]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x8F160BE0]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8F176D92]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 10D 820E6890 4 Bytes [F8, 2D, C7, 8E]
.text ntkrnlpa.exe!KeSetEvent + 131 820E68B4 4 Bytes [5A, 0A, 16, 8F]
.text ntkrnlpa.exe!KeSetEvent + 191 820E6914 4 Bytes [5E, 38, C7, 8E]
.text ntkrnlpa.exe!KeSetEvent + 1D1 820E6954 8 Bytes [E4, 82, C7, 8E, 30, 83, C7, ...]
.text ntkrnlpa.exe!KeSetEvent + 1DD 820E6960 4 Bytes [22, 84, C7, 8E]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82211633 5 Bytes JMP 8F173C8C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 8226A573 5 Bytes JMP 8F17574C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 82273E98 4 Bytes CALL 8EC741B5 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 82277B0C 4 Bytes CALL 8EC741CB \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 822CBE70 7 Bytes JMP 8F176D96 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
? C:\Users\Chris\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Secunia\PSI\psi_tray.exe[320] ntdll.dll!LdrLoadDll 77609378 5 Bytes JMP 000501F8
.text C:\Program Files\Secunia\PSI\psi_tray.exe[320] ntdll.dll!LdrUnloadDll 7761B680 5 Bytes JMP 000503FC
.text C:\Program Files\Secunia\PSI\psi_tray.exe[320] kernel32.dll!GetBinaryTypeW + 70 764D2467 1 Byte [62]
.text C:\Program Files\Secunia\PSI\psi_tray.exe[320] USER32.dll!SetWindowsHookExA 76566322 5 Bytes JMP 00070600
.text C:\Program Files\Secunia\PSI\psi_tray.exe[320] USER32.dll!SetWindowsHookExW 765687AD 5 Bytes JMP 00070804
.text C:\Program Files\Secunia\PSI\psi_tray.exe[320] USER32.dll!UnhookWindowsHookEx 765698DB 5 Bytes JMP 00070A08
.text C:\Program Files\Secunia\PSI\psi_tray.exe[320] USER32.dll!SetWinEventHook 76569F3A 5 Bytes JMP 000701F8
.text C:\Program Files\Secunia\PSI\psi_tray.exe[320] USER32.dll!UnhookWinEvent 7656C06F 5 Bytes JMP 000703FC
.text C:\Program Files\Secunia\PSI\psi_tray.exe[320] ADVAPI32.dll!CreateServiceW 76329EB4 5 Bytes JMP 000803FC
.text C:\Program Files\Secunia\PSI\psi_tray.exe[320] ADVAPI32.dll!DeleteService 7632A07E 5 Bytes JMP 00080600
.text C:\Program Files\Secunia\PSI\psi_tray.exe[320] ADVAPI32.dll!SetServiceObjectSecurity 76366CD9 5 Bytes JMP 00081014
.text C:\Program Files\Secunia\PSI\psi_tray.exe[320] ADVAPI32.dll!ChangeServiceConfigA 76366DD9 5 Bytes JMP 00080804
.text C:\Program Files\Secunia\PSI\psi_tray.exe[320] ADVAPI32.dll!ChangeServiceConfigW 76366F81 5 Bytes JMP 00080A08
.text C:\Program Files\Secunia\PSI\psi_tray.exe[320] ADVAPI32.dll!ChangeServiceConfig2A 76367099 5 Bytes JMP 00080C0C
.text C:\Program Files\Secunia\PSI\psi_tray.exe[320] ADVAPI32.dll!ChangeServiceConfig2W 763671E1 5 Bytes JMP 00080E10
.text C:\Program Files\Secunia\PSI\psi_tray.exe[320] ADVAPI32.dll!CreateServiceA 763672A1 5 Bytes JMP 000801F8
.text C:\Windows\System32\igfxtray.exe[436] ntdll.dll!LdrLoadDll 77609378 5 Bytes JMP 001501F8
.text C:\Windows\System32\igfxtray.exe[436] ntdll.dll!LdrUnloadDll 7761B680 5 Bytes JMP 001503FC
.text C:\Windows\System32\igfxtray.exe[436] kernel32.dll!GetBinaryTypeW + 70 764D2467 1 Byte [62]
.text C:\Windows\System32\igfxtray.exe[436] USER32.dll!SetWindowsHookExA 76566322 5 Bytes JMP 00180600
.text C:\Windows\System32\igfxtray.exe[436] USER32.dll!SetWindowsHookExW 765687AD 5 Bytes JMP 00180804
.text C:\Windows\System32\igfxtray.exe[436] USER32.dll!UnhookWindowsHookEx 765698DB 5 Bytes JMP 00180A08
.text C:\Windows\System32\igfxtray.exe[436] USER32.dll!SetWinEventHook 76569F3A 5 Bytes JMP 001801F8
.text C:\Windows\System32\igfxtray.exe[436] USER32.dll!UnhookWinEvent 7656C06F 5 Bytes JMP 001803FC
Marmalade
Active Member
 
Posts: 9
Joined: May 5th, 2012, 12:41 am

Re: Help with Tojan would be cool please

Unread postby Marmalade » May 6th, 2012, 3:19 am

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1572] ADVAPI32.dll!DeleteService 7632A07E 5 Bytes JMP 00080600
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1572] ADVAPI32.dll!SetServiceObjectSecurity 76366CD9 5 Bytes JMP 00081014
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1572] ADVAPI32.dll!ChangeServiceConfigA 76366DD9 5 Bytes JMP 00080804
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1572] ADVAPI32.dll!ChangeServiceConfigW 76366F81 5 Bytes JMP 00080A08
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1572] ADVAPI32.dll!ChangeServiceConfig2A 76367099 5 Bytes JMP 00080C0C
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1572] ADVAPI32.dll!ChangeServiceConfig2W 763671E1 5 Bytes JMP 00080E10
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1572] ADVAPI32.dll!CreateServiceA 763672A1 5 Bytes JMP 000801F8
.text C:\Windows\system32\Dwm.exe[1612] ntdll.dll!LdrLoadDll 77609378 5 Bytes JMP 000501F8
.text C:\Windows\system32\Dwm.exe[1612] ntdll.dll!LdrUnloadDll 7761B680 5 Bytes JMP 000503FC
.text C:\Windows\system32\Dwm.exe[1612] kernel32.dll!GetBinaryTypeW + 70 764D2467 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[1612] ADVAPI32.dll!CreateServiceW 76329EB4 5 Bytes JMP 000703FC
.text C:\Windows\system32\Dwm.exe[1612] ADVAPI32.dll!DeleteService 7632A07E 5 Bytes JMP 00070600
.text C:\Windows\system32\Dwm.exe[1612] ADVAPI32.dll!SetServiceObjectSecurity 76366CD9 5 Bytes JMP 00071014
.text C:\Windows\system32\Dwm.exe[1612] ADVAPI32.dll!ChangeServiceConfigA 76366DD9 5 Bytes JMP 00070804
.text C:\Windows\system32\Dwm.exe[1612] ADVAPI32.dll!ChangeServiceConfigW 76366F81 5 Bytes JMP 00070A08
.text C:\Windows\system32\Dwm.exe[1612] ADVAPI32.dll!ChangeServiceConfig2A 76367099 5 Bytes JMP 00070C0C
.text C:\Windows\system32\Dwm.exe[1612] ADVAPI32.dll!ChangeServiceConfig2W 763671E1 5 Bytes JMP 00070E10
.text C:\Windows\system32\Dwm.exe[1612] ADVAPI32.dll!CreateServiceA 763672A1 5 Bytes JMP 000701F8
.text C:\Windows\system32\Dwm.exe[1612] USER32.dll!SetWindowsHookExA 76566322 5 Bytes JMP 00080600
.text C:\Windows\system32\Dwm.exe[1612] USER32.dll!SetWindowsHookExW 765687AD 5 Bytes JMP 00080804
.text C:\Windows\system32\Dwm.exe[1612] USER32.dll!UnhookWindowsHookEx 765698DB 5 Bytes JMP 00080A08
.text C:\Windows\system32\Dwm.exe[1612] USER32.dll!SetWinEventHook 76569F3A 5 Bytes JMP 000801F8
.text C:\Windows\system32\Dwm.exe[1612] USER32.dll!UnhookWinEvent 7656C06F 5 Bytes JMP 000803FC
.text C:\Windows\Explorer.EXE[1644] ntdll.dll!LdrLoadDll 77609378 5 Bytes JMP 000501F8
.text C:\Windows\Explorer.EXE[1644] ntdll.dll!LdrUnloadDll 7761B680 5 Bytes JMP 000503FC
.text C:\Windows\Explorer.EXE[1644] kernel32.dll!GetBinaryTypeW + 70 764D2467 1 Byte [62]
.text C:\Windows\Explorer.EXE[1644] ADVAPI32.dll!CreateServiceW 76329EB4 5 Bytes JMP 000703FC
.text C:\Windows\Explorer.EXE[1644] ADVAPI32.dll!DeleteService 7632A07E 5 Bytes JMP 00070600
.text C:\Windows\Explorer.EXE[1644] ADVAPI32.dll!SetServiceObjectSecurity 76366CD9 5 Bytes JMP 00071014
.text C:\Windows\Explorer.EXE[1644] ADVAPI32.dll!ChangeServiceConfigA 76366DD9 5 Bytes JMP 00070804
.text C:\Windows\Explorer.EXE[1644] ADVAPI32.dll!ChangeServiceConfigW 76366F81 5 Bytes JMP 00070A08
.text C:\Windows\Explorer.EXE[1644] ADVAPI32.dll!ChangeServiceConfig2A 76367099 5 Bytes JMP 00070C0C
.text C:\Windows\Explorer.EXE[1644] ADVAPI32.dll!ChangeServiceConfig2W 763671E1 5 Bytes JMP 00070E10
.text C:\Windows\Explorer.EXE[1644] ADVAPI32.dll!CreateServiceA 763672A1 5 Bytes JMP 000701F8
.text C:\Windows\Explorer.EXE[1644] USER32.dll!SetWindowsHookExA 76566322 5 Bytes JMP 00080600
.text C:\Windows\Explorer.EXE[1644] USER32.dll!SetWindowsHookExW 765687AD 5 Bytes JMP 00080804
.text C:\Windows\Explorer.EXE[1644] USER32.dll!UnhookWindowsHookEx 765698DB 5 Bytes JMP 00080A08
.text C:\Windows\Explorer.EXE[1644] USER32.dll!SetWinEventHook 76569F3A 5 Bytes JMP 000801F8
.text C:\Windows\Explorer.EXE[1644] USER32.dll!UnhookWinEvent 7656C06F 5 Bytes JMP 000803FC
.text C:\Program Files\AVAST Software\Avast\afwServ.exe[1668] kernel32.dll!GetBinaryTypeW + 70 764D2467 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1756] ntdll.dll!LdrLoadDll 77609378 5 Bytes JMP 000501F8
.text C:\Windows\System32\spoolsv.exe[1756] ntdll.dll!LdrUnloadDll 7761B680 5 Bytes JMP 000503FC
.text C:\Windows\System32\spoolsv.exe[1756] kernel32.dll!GetBinaryTypeW + 70 764D2467 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1756] ADVAPI32.dll!CreateServiceW 76329EB4 5 Bytes JMP 000703FC
.text C:\Windows\System32\spoolsv.exe[1756] ADVAPI32.dll!DeleteService 7632A07E 5 Bytes JMP 00070600
.text C:\Windows\System32\spoolsv.exe[1756] ADVAPI32.dll!SetServiceObjectSecurity 76366CD9 5 Bytes JMP 00071014
.text C:\Windows\System32\spoolsv.exe[1756] ADVAPI32.dll!ChangeServiceConfigA 76366DD9 5 Bytes JMP 00070804
.text C:\Windows\System32\spoolsv.exe[1756] ADVAPI32.dll!ChangeServiceConfigW 76366F81 5 Bytes JMP 00070A08
.text C:\Windows\System32\spoolsv.exe[1756] ADVAPI32.dll!ChangeServiceConfig2A 76367099 5 Bytes JMP 00070C0C
.text C:\Windows\System32\spoolsv.exe[1756] ADVAPI32.dll!ChangeServiceConfig2W 763671E1 5 Bytes JMP 00070E10
.text C:\Windows\System32\spoolsv.exe[1756] ADVAPI32.dll!CreateServiceA 763672A1 5 Bytes JMP 000701F8
.text C:\Windows\System32\spoolsv.exe[1756] USER32.dll!SetWindowsHookExA 76566322 5 Bytes JMP 00230600
.text C:\Windows\System32\spoolsv.exe[1756] USER32.dll!SetWindowsHookExW 765687AD 5 Bytes JMP 00230804
.text C:\Windows\System32\spoolsv.exe[1756] USER32.dll!UnhookWindowsHookEx 765698DB 5 Bytes JMP 00230A08
.text C:\Windows\System32\spoolsv.exe[1756] USER32.dll!SetWinEventHook 76569F3A 5 Bytes JMP 002301F8
.text C:\Windows\System32\spoolsv.exe[1756] USER32.dll!UnhookWinEvent 7656C06F 5 Bytes JMP 002303FC
.text C:\Windows\system32\taskeng.exe[1772] ntdll.dll!LdrLoadDll 77609378 5 Bytes JMP 000501F8
.text C:\Windows\system32\taskeng.exe[1772] ntdll.dll!LdrUnloadDll 7761B680 5 Bytes JMP 000503FC
.text C:\Windows\system32\taskeng.exe[1772] kernel32.dll!GetBinaryTypeW + 70 764D2467 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[1772] ADVAPI32.dll!CreateServiceW 76329EB4 5 Bytes JMP 000703FC
.text C:\Windows\system32\taskeng.exe[1772] ADVAPI32.dll!DeleteService 7632A07E 5 Bytes JMP 00070600
.text C:\Windows\system32\taskeng.exe[1772] ADVAPI32.dll!SetServiceObjectSecurity 76366CD9 5 Bytes JMP 00071014
.text C:\Windows\system32\taskeng.exe[1772] ADVAPI32.dll!ChangeServiceConfigA 76366DD9 5 Bytes JMP 00070804
.text C:\Windows\system32\taskeng.exe[1772] ADVAPI32.dll!ChangeServiceConfigW 76366F81 5 Bytes JMP 00070A08
.text C:\Windows\system32\taskeng.exe[1772] ADVAPI32.dll!ChangeServiceConfig2A 76367099 5 Bytes JMP 00070C0C
.text C:\Windows\system32\taskeng.exe[1772] ADVAPI32.dll!ChangeServiceConfig2W 763671E1 5 Bytes JMP 00070E10
.text C:\Windows\system32\taskeng.exe[1772] ADVAPI32.dll!CreateServiceA 763672A1 5 Bytes JMP 000701F8
.text C:\Windows\system32\taskeng.exe[1772] USER32.dll!SetWindowsHookExA 76566322 5 Bytes JMP 00080600
.text C:\Windows\system32\taskeng.exe[1772] USER32.dll!SetWindowsHookExW 765687AD 5 Bytes JMP 00080804
.text C:\Windows\system32\taskeng.exe[1772] USER32.dll!UnhookWindowsHookEx 765698DB 5 Bytes JMP 00080A08
.text C:\Windows\system32\taskeng.exe[1772] USER32.dll!SetWinEventHook 76569F3A 5 Bytes JMP 000801F8
.text C:\Windows\system32\taskeng.exe[1772] USER32.dll!UnhookWinEvent 7656C06F 5 Bytes JMP 000803FC
.text C:\Windows\system32\svchost.exe[1788] ntdll.dll!LdrLoadDll 77609378 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[1788] ntdll.dll!LdrUnloadDll 7761B680 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[1788] kernel32.dll!GetBinaryTypeW + 70 764D2467 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1788] ADVAPI32.dll!CreateServiceW 76329EB4 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[1788] ADVAPI32.dll!DeleteService 7632A07E 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[1788] ADVAPI32.dll!SetServiceObjectSecurity 76366CD9 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[1788] ADVAPI32.dll!ChangeServiceConfigA 76366DD9 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[1788] ADVAPI32.dll!ChangeServiceConfigW 76366F81 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[1788] ADVAPI32.dll!ChangeServiceConfig2A 76367099 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[1788] ADVAPI32.dll!ChangeServiceConfig2W 763671E1 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[1788] ADVAPI32.dll!CreateServiceA 763672A1 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[1788] USER32.dll!SetWindowsHookExA 76566322 5 Bytes JMP 000B0600
.text C:\Windows\system32\svchost.exe[1788] USER32.dll!SetWindowsHookExW 765687AD 5 Bytes JMP 000B0804
.text C:\Windows\system32\svchost.exe[1788] USER32.dll!UnhookWindowsHookEx 765698DB 5 Bytes JMP 000B0A08
.text C:\Windows\system32\svchost.exe[1788] USER32.dll!SetWinEventHook 76569F3A 5 Bytes JMP 000B01F8
.text C:\Windows\system32\svchost.exe[1788] USER32.dll!UnhookWinEvent 7656C06F 5 Bytes JMP 000B03FC
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1836] ntdll.dll!LdrLoadDll 77609378 5 Bytes JMP 000601F8
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1836] ntdll.dll!LdrUnloadDll 7761B680 5 Bytes JMP 000603FC
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1836] kernel32.dll!GetBinaryTypeW + 70 764D2467 1 Byte [62]
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1836] USER32.dll!SetWindowsHookExA 76566322 5 Bytes JMP 00070600
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1836] USER32.dll!SetWindowsHookExW 765687AD 5 Bytes JMP 00070804
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1836] USER32.dll!UnhookWindowsHookEx 765698DB 5 Bytes JMP 00070A08
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1836] USER32.dll!SetWinEventHook 76569F3A 5 Bytes JMP 000701F8
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1836] USER32.dll!UnhookWinEvent 7656C06F 5 Bytes JMP 000703FC
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1836] ADVAPI32.dll!CreateServiceW 76329EB4 5 Bytes JMP 000803FC
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1836] ADVAPI32.dll!DeleteService 7632A07E 5 Bytes JMP 00080600
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1836] ADVAPI32.dll!SetServiceObjectSecurity 76366CD9 5 Bytes JMP 00081014
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1836] ADVAPI32.dll!ChangeServiceConfigA 76366DD9 5 Bytes JMP 00080804
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1836] ADVAPI32.dll!ChangeServiceConfigW 76366F81 5 Bytes JMP 00080A08
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1836] ADVAPI32.dll!ChangeServiceConfig2A 76367099 5 Bytes JMP 00080C0C
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1836] ADVAPI32.dll!ChangeServiceConfig2W 763671E1 5 Bytes JMP 00080E10
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1836] ADVAPI32.dll!CreateServiceA 763672A1 5 Bytes JMP 000801F8
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[1968] ntdll.dll!LdrLoadDll 77609378 5 Bytes JMP 001501F8
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[1968] ntdll.dll!LdrUnloadDll 7761B680 5 Bytes JMP 001503FC
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[1968] kernel32.dll!GetBinaryTypeW + 70 764D2467 1 Byte [62]
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[1968] USER32.dll!SetWindowsHookExA 76566322 5 Bytes JMP 00170600
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[1968] USER32.dll!SetWindowsHookExW 765687AD 5 Bytes JMP 00170804
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[1968] USER32.dll!UnhookWindowsHookEx 765698DB 5 Bytes JMP 00170A08
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[1968] USER32.dll!SetWinEventHook 76569F3A 5 Bytes JMP 001701F8
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[1968] USER32.dll!UnhookWinEvent 7656C06F 5 Bytes JMP 001703FC
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[1968] ADVAPI32.dll!CreateServiceW 76329EB4 5 Bytes JMP 001803FC
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[1968] ADVAPI32.dll!DeleteService 7632A07E 5 Bytes JMP 00180600
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[1968] ADVAPI32.dll!SetServiceObjectSecurity 76366CD9 5 Bytes JMP 00181014
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[1968] ADVAPI32.dll!ChangeServiceConfigA 76366DD9 5 Bytes JMP 00180804
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[1968] ADVAPI32.dll!ChangeServiceConfigW 76366F81 5 Bytes JMP 00180A08
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[1968] ADVAPI32.dll!ChangeServiceConfig2A 76367099 5 Bytes JMP 00180C0C
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[1968] ADVAPI32.dll!ChangeServiceConfig2W 763671E1 5 Bytes JMP 00180E10
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[1968] ADVAPI32.dll!CreateServiceA 763672A1 5 Bytes JMP 001801F8
.text c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe[1996] ntdll.dll!LdrLoadDll 77609378 5 Bytes JMP 000501F8
.text c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe[1996] ntdll.dll!LdrUnloadDll 7761B680 5 Bytes JMP 000503FC
.text c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe[1996] kernel32.dll!GetBinaryTypeW + 70 764D2467 1 Byte [62]
.text c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe[1996] USER32.dll!SetWindowsHookExA 76566322 5 Bytes JMP 00070600
.text c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe[1996] USER32.dll!SetWindowsHookExW 765687AD 5 Bytes JMP 00070804
.text c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe[1996] USER32.dll!UnhookWindowsHookEx 765698DB 5 Bytes JMP 00070A08
.text c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe[1996] USER32.dll!SetWinEventHook 76569F3A 5 Bytes JMP 000701F8
.text c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe[1996] USER32.dll!UnhookWinEvent 7656C06F 5 Bytes JMP 000703FC
.text c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe[1996] ADVAPI32.dll!CreateServiceW 76329EB4 5 Bytes JMP 000803FC
.text c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe[1996] ADVAPI32.dll!DeleteService 7632A07E 5 Bytes JMP 00080600
.text c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe[1996] ADVAPI32.dll!SetServiceObjectSecurity 76366CD9 5 Bytes JMP 00081014
.text c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe[1996] ADVAPI32.dll!ChangeServiceConfigA 76366DD9 5 Bytes JMP 00080804
.text c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe[1996] ADVAPI32.dll!ChangeServiceConfigW 76366F81 5 Bytes JMP 00080A08
.text c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe[1996] ADVAPI32.dll!ChangeServiceConfig2A 76367099 5 Bytes JMP 00080C0C
.text c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe[1996] ADVAPI32.dll!ChangeServiceConfig2W 763671E1 5 Bytes JMP 00080E10
.text c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe[1996] ADVAPI32.dll!CreateServiceA 763672A1 5 Bytes JMP 000801F8
.text C:\Windows\system32\rundll32.exe[2084] ntdll.dll!LdrLoadDll 77609378 5 Bytes JMP 000601F8
.text C:\Windows\system32\rundll32.exe[2084] ntdll.dll!LdrUnloadDll 7761B680 5 Bytes JMP 000603FC
.text C:\Windows\system32\rundll32.exe[2084] kernel32.dll!GetBinaryTypeW + 70 764D2467 1 Byte [62]
.text C:\Windows\system32\rundll32.exe[2084] USER32.dll!SetWindowsHookExA 76566322 5 Bytes JMP 00070600
.text C:\Windows\system32\rundll32.exe[2084] USER32.dll!SetWindowsHookExW 765687AD 5 Bytes JMP 00070804
.text C:\Windows\system32\rundll32.exe[2084] USER32.dll!UnhookWindowsHookEx 765698DB 5 Bytes JMP 00070A08
.text C:\Windows\system32\rundll32.exe[2084] USER32.dll!SetWinEventHook 76569F3A 5 Bytes JMP 000701F8
.text C:\Windows\system32\rundll32.exe[2084] USER32.dll!UnhookWinEvent 7656C06F 5 Bytes JMP 000703FC
.text C:\Windows\system32\rundll32.exe[2084] ADVAPI32.dll!CreateServiceW 76329EB4 5 Bytes JMP 000803FC
.text C:\Windows\system32\rundll32.exe[2084] ADVAPI32.dll!DeleteService 7632A07E 5 Bytes JMP 00080600
.text C:\Windows\system32\rundll32.exe[2084] ADVAPI32.dll!SetServiceObjectSecurity 76366CD9 5 Bytes JMP 00081014
.text C:\Windows\system32\rundll32.exe[2084] ADVAPI32.dll!ChangeServiceConfigA 76366DD9 5 Bytes JMP 00080804
.text C:\Windows\system32\rundll32.exe[2084] ADVAPI32.dll!ChangeServiceConfigW 76366F81 5 Bytes JMP 00080A08
.text C:\Windows\system32\rundll32.exe[2084] ADVAPI32.dll!ChangeServiceConfig2A 76367099 5 Bytes JMP 00080C0C
.text C:\Windows\system32\rundll32.exe[2084] ADVAPI32.dll!ChangeServiceConfig2W 763671E1 5 Bytes JMP 00080E10
.text C:\Windows\system32\rundll32.exe[2084] ADVAPI32.dll!CreateServiceA 763672A1 5 Bytes JMP 000801F8
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2408] kernel32.dll!GetBinaryTypeW + 70 764D2467 1 Byte [62]
.text C:\Program Files\Secunia\PSI\sua.exe[2524] ntdll.dll!LdrLoadDll 77609378 5 Bytes JMP 000601F8
.text C:\Program Files\Secunia\PSI\sua.exe[2524] ntdll.dll!LdrUnloadDll 7761B680 5 Bytes JMP 000603FC
.text C:\Program Files\Secunia\PSI\sua.exe[2524] kernel32.dll!GetBinaryTypeW + 70 764D2467 1 Byte [62]
.text C:\Program Files\Secunia\PSI\sua.exe[2524] ADVAPI32.dll!CreateServiceW 76329EB4 5 Bytes JMP 000703FC
.text C:\Program Files\Secunia\PSI\sua.exe[2524] ADVAPI32.dll!DeleteService 7632A07E 5 Bytes JMP 00070600
.text C:\Program Files\Secunia\PSI\sua.exe[2524] ADVAPI32.dll!SetServiceObjectSecurity 76366CD9 5 Bytes JMP 00071014
.text C:\Program Files\Secunia\PSI\sua.exe[2524] ADVAPI32.dll!ChangeServiceConfigA 76366DD9 5 Bytes JMP 00070804
.text C:\Program Files\Secunia\PSI\sua.exe[2524] ADVAPI32.dll!ChangeServiceConfigW 76366F81 5 Bytes JMP 00070A08
.text C:\Program Files\Secunia\PSI\sua.exe[2524] ADVAPI32.dll!ChangeServiceConfig2A 76367099 5 Bytes JMP 00070C0C
.text C:\Program Files\Secunia\PSI\sua.exe[2524] ADVAPI32.dll!ChangeServiceConfig2W 763671E1 5 Bytes JMP 00070E10
.text C:\Program Files\Secunia\PSI\sua.exe[2524] ADVAPI32.dll!CreateServiceA 763672A1 5 Bytes JMP 000701F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2532] ntdll.dll!LdrLoadDll 77609378 5 Bytes JMP 001601F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2532] ntdll.dll!LdrUnloadDll 7761B680 5 Bytes JMP 001603FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2532] kernel32.dll!GetBinaryTypeW + 70 764D2467 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2532] ADVAPI32.dll!CreateServiceW 76329EB4 5 Bytes JMP 001703FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2532] ADVAPI32.dll!DeleteService 7632A07E 5 Bytes JMP 00170600
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2532] ADVAPI32.dll!SetServiceObjectSecurity 76366CD9 5 Bytes JMP 00171014
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2532] ADVAPI32.dll!ChangeServiceConfigA 76366DD9 5 Bytes JMP 00170804
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2532] ADVAPI32.dll!ChangeServiceConfigW 76366F81 5 Bytes JMP 00170A08
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2532] ADVAPI32.dll!ChangeServiceConfig2A 76367099 5 Bytes JMP 00170C0C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2532] ADVAPI32.dll!ChangeServiceConfig2W 763671E1 5 Bytes JMP 00170E10
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2532] ADVAPI32.dll!CreateServiceA 763672A1 5 Bytes JMP 001701F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2532] USER32.dll!SetWindowsHookExA 76566322 5 Bytes JMP 00180600
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2532] USER32.dll!SetWindowsHookExW 765687AD 5 Bytes JMP 00180804
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2532] USER32.dll!UnhookWindowsHookEx 765698DB 5 Bytes JMP 00180A08
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2532] USER32.dll!SetWinEventHook 76569F3A 5 Bytes JMP 001801F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2532] USER32.dll!UnhookWinEvent 7656C06F 5 Bytes JMP 001803FC
.text C:\Program Files\Windows Sidebar\sidebar.exe[2664] ntdll.dll!LdrLoadDll 77609378 5 Bytes JMP 000501F8
.text C:\Program Files\Windows Sidebar\sidebar.exe[2664] ntdll.dll!LdrUnloadDll 7761B680 5 Bytes JMP 000503FC
.text C:\Program Files\Windows Sidebar\sidebar.exe[2664] kernel32.dll!GetBinaryTypeW + 70 764D2467 1 Byte [62]
.text C:\Program Files\Windows Sidebar\sidebar.exe[2664] ADVAPI32.dll!CreateServiceW 76329EB4 5 Bytes JMP 000803FC
.text C:\Program Files\Windows Sidebar\sidebar.exe[2664] ADVAPI32.dll!DeleteService 7632A07E 5 Bytes JMP 00080600
.text C:\Program Files\Windows Sidebar\sidebar.exe[2664] ADVAPI32.dll!SetServiceObjectSecurity 76366CD9 5 Bytes JMP 00081014
.text C:\Program Files\Windows Sidebar\sidebar.exe[2664] ADVAPI32.dll!ChangeServiceConfigA 76366DD9 5 Bytes JMP 00080804
.text C:\Program Files\Windows Sidebar\sidebar.exe[2664] ADVAPI32.dll!ChangeServiceConfigW 76366F81 5 Bytes JMP 00080A08
.text C:\Program Files\Windows Sidebar\sidebar.exe[2664] ADVAPI32.dll!ChangeServiceConfig2A 76367099 5 Bytes JMP 00080C0C
.text C:\Program Files\Windows Sidebar\sidebar.exe[2664] ADVAPI32.dll!ChangeServiceConfig2W 763671E1 5 Bytes JMP 00080E10
.text C:\Program Files\Windows Sidebar\sidebar.exe[2664] ADVAPI32.dll!CreateServiceA 763672A1 5 Bytes JMP 000801F8
.text C:\Program Files\Windows Sidebar\sidebar.exe[2664] USER32.dll!SetWindowsHookExA 76566322 5 Bytes JMP 00090600
.text C:\Program Files\Windows Sidebar\sidebar.exe[2664] USER32.dll!SetWindowsHookExW 765687AD 5 Bytes JMP 00090804
.text C:\Program Files\Windows Sidebar\sidebar.exe[2664] USER32.dll!UnhookWindowsHookEx 765698DB 5 Bytes JMP 00090A08
.text C:\Program Files\Windows Sidebar\sidebar.exe[2664] USER32.dll!SetWinEventHook 76569F3A 5 Bytes JMP 000901F8
.text C:\Program Files\Windows Sidebar\sidebar.exe[2664] USER32.dll!UnhookWinEvent 7656C06F 5 Bytes JMP 000903FC
.text C:\Windows\system32\svchost.exe[2764] ntdll.dll!LdrLoadDll 77609378 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[2764] ntdll.dll!LdrUnloadDll 7761B680 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[2764] kernel32.dll!GetBinaryTypeW + 70 764D2467 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2764] ADVAPI32.dll!CreateServiceW 76329EB4 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[2764] ADVAPI32.dll!DeleteService 7632A07E 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[2764] ADVAPI32.dll!SetServiceObjectSecurity 76366CD9 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[2764] ADVAPI32.dll!ChangeServiceConfigA 76366DD9 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[2764] ADVAPI32.dll!ChangeServiceConfigW 76366F81 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[2764] ADVAPI32.dll!ChangeServiceConfig2A 76367099 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[2764] ADVAPI32.dll!ChangeServiceConfig2W 763671E1 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[2764] ADVAPI32.dll!CreateServiceA 763672A1 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[2764] USER32.dll!SetWindowsHookExA 76566322 5 Bytes JMP 00280600
.text C:\Windows\system32\svchost.exe[2764] USER32.dll!SetWindowsHookExW 765687AD 5 Bytes JMP 00280804
.text C:\Windows\system32\svchost.exe[2764] USER32.dll!UnhookWindowsHookEx 765698DB 5 Bytes JMP 00280A08
.text C:\Windows\system32\svchost.exe[2764] USER32.dll!SetWinEventHook 76569F3A 5 Bytes JMP 002801F8
.text C:\Windows\system32\svchost.exe[2764] USER32.dll!UnhookWinEvent 7656C06F 5 Bytes JMP 002803FC
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[2776] ntdll.dll!LdrLoadDll 77609378 5 Bytes JMP 001401F8
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[2776] ntdll.dll!LdrUnloadDll 7761B680 5 Bytes JMP 001403FC
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[2776] kernel32.dll!GetBinaryTypeW + 70 764D2467 1 Byte [62]
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[2776] USER32.dll!SetWindowsHookExA 76566322 5 Bytes JMP 00160600
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[2776] USER32.dll!SetWindowsHookExW 765687AD 5 Bytes JMP 00160804
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[2776] USER32.dll!UnhookWindowsHookEx 765698DB 5 Bytes JMP 00160A08
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[2776] USER32.dll!SetWinEventHook 76569F3A 5 Bytes JMP 001601F8
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[2776] USER32.dll!UnhookWinEvent 7656C06F 5 Bytes JMP 001603FC
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[2776] ADVAPI32.dll!CreateServiceW 76329EB4 5 Bytes JMP 001703FC
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[2776] ADVAPI32.dll!DeleteService 7632A07E 5 Bytes JMP 00170600
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[2776] ADVAPI32.dll!SetServiceObjectSecurity 76366CD9 5 Bytes JMP 00171014
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[2776] ADVAPI32.dll!ChangeServiceConfigA 76366DD9 5 Bytes JMP 00170804
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[2776] ADVAPI32.dll!ChangeServiceConfigW 76366F81 5 Bytes JMP 00170A08
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[2776] ADVAPI32.dll!ChangeServiceConfig2A 76367099 5 Bytes JMP 00170C0C
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[2776] ADVAPI32.dll!ChangeServiceConfig2W 763671E1 5 Bytes JMP 00170E10
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[2776] ADVAPI32.dll!CreateServiceA 763672A1 5 Bytes JMP 001701F8
.text C:\Program Files\Secunia\PSI\PSIA.exe[2820] ntdll.dll!LdrLoadDll 77609378 5 Bytes JMP 000501F8
.text C:\Program Files\Secunia\PSI\PSIA.exe[2820] ntdll.dll!LdrUnloadDll 7761B680 5 Bytes JMP 000503FC
.text C:\Program Files\Secunia\PSI\PSIA.exe[2820] kernel32.dll!GetBinaryTypeW + 70 764D2467 1 Byte [62]
.text C:\Program Files\Secunia\PSI\PSIA.exe[2820] ADVAPI32.dll!CreateServiceW 76329EB4 5 Bytes JMP 000703FC
.text C:\Program Files\Secunia\PSI\PSIA.exe[2820] ADVAPI32.dll!DeleteService 7632A07E 5 Bytes JMP 00070600
.text C:\Program Files\Secunia\PSI\PSIA.exe[2820] ADVAPI32.dll!SetServiceObjectSecurity 76366CD9 5 Bytes JMP 00071014
.text C:\Program Files\Secunia\PSI\PSIA.exe[2820] ADVAPI32.dll!ChangeServiceConfigA 76366DD9 5 Bytes JMP 00070804
.text C:\Program Files\Secunia\PSI\PSIA.exe[2820] ADVAPI32.dll!ChangeServiceConfigW 76366F81 5 Bytes JMP 00070A08
.text C:\Program Files\Secunia\PSI\PSIA.exe[2820] ADVAPI32.dll!ChangeServiceConfig2A 76367099 5 Bytes JMP 00070C0C
.text C:\Program Files\Secunia\PSI\PSIA.exe[2820] ADVAPI32.dll!ChangeServiceConfig2W 763671E1 5 Bytes JMP 00070E10
.text C:\Program Files\Secunia\PSI\PSIA.exe[2820] ADVAPI32.dll!CreateServiceA 763672A1 5 Bytes JMP 000701F8
.text C:\Program Files\Secunia\PSI\PSIA.exe[2820] USER32.dll!SetWindowsHookExA 76566322 5 Bytes JMP 00080600
.text C:\Program Files\Secunia\PSI\PSIA.exe[2820] USER32.dll!SetWindowsHookExW 765687AD 5 Bytes JMP 00080804
.text C:\Program Files\Secunia\PSI\PSIA.exe[2820] USER32.dll!UnhookWindowsHookEx 765698DB 5 Bytes JMP 00080A08
.text C:\Program Files\Secunia\PSI\PSIA.exe[2820] USER32.dll!SetWinEventHook 76569F3A 5 Bytes JMP 000801F8
.text C:\Program Files\Secunia\PSI\PSIA.exe[2820] USER32.dll!UnhookWinEvent 7656C06F 5 Bytes JMP 000803FC
.text C:\Program Files\Windows Sidebar\sidebar.exe[2888] ntdll.dll!LdrLoadDll 77609378 5 Bytes JMP 000501F8
.text C:\Program Files\Windows Sidebar\sidebar.exe[2888] ntdll.dll!LdrUnloadDll 7761B680 5 Bytes JMP 000503FC
.text C:\Program Files\Windows Sidebar\sidebar.exe[2888] kernel32.dll!GetBinaryTypeW + 70 764D2467 1 Byte [62]
.text C:\Program Files\Windows Sidebar\sidebar.exe[2888] ADVAPI32.dll!CreateServiceW 76329EB4 5 Bytes JMP 000803FC
.text C:\Program Files\Windows Sidebar\sidebar.exe[2888] ADVAPI32.dll!DeleteService 7632A07E 5 Bytes JMP 00080600
.text C:\Program Files\Windows Sidebar\sidebar.exe[2888] ADVAPI32.dll!SetServiceObjectSecurity 76366CD9 5 Bytes JMP 00081014
Marmalade
Active Member
 
Posts: 9
Joined: May 5th, 2012, 12:41 am

Re: Help with Tojan would be cool please

Unread postby Marmalade » May 6th, 2012, 3:21 am


---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\services.exe[600] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 000B0002
IAT C:\Windows\system32\services.exe[600] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 000B0000
IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1536] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [73ACF6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74507817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7455A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7450BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [744FF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [745075E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [744FE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74538395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7450DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [744FFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [744FFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [744F71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7458CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7452C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [744FD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [744F6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [744F687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74502AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Program Files\AVAST Software\Avast\afwServ.exe[1668] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [73ACF6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[2408] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [73ACF6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \Driver\tdx \Device\Tcp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
AttachedDevice \Driver\tdx \Device\Udp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)

---- Files - GMER 1.0.15 ----

File C:\avast! sandbox 0 bytes
File C:\avast! sandbox\S-1-5-21-3299710142-3868310564-1978959094-1001 0 bytes
File C:\avast! sandbox\S-1-5-21-3299710142-3868310564-1978959094-1001\r29 0 bytes
File C:\avast! sandbox\S-1-5-21-3299710142-3868310564-1978959094-1001\r29\dds(1).scrcr_{5f464e40-966a-11e1-9bbf-001ec982baaf} 0 bytes
File C:\avast! sandbox\snx_rhive 262144 bytes
File C:\avast! sandbox\snx_rhive.LOG1 13312 bytes
File C:\avast! sandbox\snx_rhive.LOG2 0 bytes
File C:\avast! sandbox\snx_rhive{5f464e42-966a-11e1-9bbf-001ec982baaf}.TM.blf 65536 bytes
File C:\avast! sandbox\snx_rhive{5f464e42-966a-11e1-9bbf-001ec982baaf}.TMContainer00000000000000000001.regtrans-ms 524288 bytes
File C:\avast! sandbox\snx_rhive{5f464e42-966a-11e1-9bbf-001ec982baaf}.TMContainer00000000000000000002.regtrans-ms 524288 bytes
File C:\avast! sandbox\snx_rhive{5f464e4d-966a-11e1-9bbf-001ec982baaf}.TM.blf 65536 bytes
File C:\avast! sandbox\snx_rhive{5f464e4d-966a-11e1-9bbf-001ec982baaf}.TMContainer00000000000000000001.regtrans-ms 524288 bytes
File C:\avast! sandbox\snx_rhive{5f464e4d-966a-11e1-9bbf-001ec982baaf}.TMContainer00000000000000000002.regtrans-ms 524288 bytes

---- EOF - GMER 1.0.15 ----
Marmalade
Active Member
 
Posts: 9
Joined: May 5th, 2012, 12:41 am
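
The user-mode hook section of the GMER log above is easier to reason about when parsed than when read by eye. The Python below is an added example, not code from the original post or from GMER. It reads a constructed excerpt (a few `.text` and `IAT` lines copied from the log above), splits each hook into process, hooked export, patched address and JMP target, and then applies one heuristic chosen for this example: when the same export is hooked in several processes and the JMP targets share the same in-page offset (low 16 bits), the hooks were most likely written by a single hooking engine that maps one trampoline page per process, which is what a security product's self-protection typically looks like. IAT entries that GMER could not map to a module on disk are listed separately, because the log alone does not say what they belong to. None of this proves a hook benign; it only sorts the list into what is consistent and what needs a closer look.

```python
import re
from collections import defaultdict

# Constructed sample: eight lines copied from the GMER 1.0.15 log posted in
# this thread (user-mode inline hooks, one 1-byte patch, two IAT entries).
SAMPLE_GMER = r"""
.text C:\Users\Chris\Desktop\OTL.exe[7844] ADVAPI32.dll!ChangeServiceConfigA 76366DD9 5 Bytes JMP 00DC0804
.text C:\Users\Chris\Desktop\OTL.exe[7844] ADVAPI32.dll!CreateServiceA 763672A1 5 Bytes JMP 00DC01F8
.text C:\Windows\notepad.exe[7916] ntdll.dll!LdrLoadDll 77609378 5 Bytes JMP 000501F8
.text C:\Windows\notepad.exe[7916] kernel32.dll!GetBinaryTypeW + 70 764D2467 1 Byte [62]
.text C:\Windows\notepad.exe[7916] ADVAPI32.dll!ChangeServiceConfigA 76366DD9 5 Bytes JMP 00070804
.text C:\Windows\notepad.exe[7916] ADVAPI32.dll!CreateServiceA 763672A1 5 Bytes JMP 000701F8
IAT C:\Windows\system32\services.exe[600] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 000B0000
IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[2408] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [73ACF6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
"""

# Line layouts as printed by GMER 1.0.15 in the log above (assumption: the
# tool keeps this layout for every .text / IAT line).
INLINE_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] "
    r"(?P<func>\S+(?: \+ [0-9A-Fa-f]+)?) (?P<addr>[0-9A-Fa-f]{8}) "
    r"(?P<size>\d+) Bytes? (?P<patch>.+)$"
)
IAT_RE = re.compile(
    r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ (?P<module>.+?) "
    r"\[(?P<func>[^\]]+)\] (?P<rest>.+)$"
)
IAT_RESOLVED_RE = re.compile(
    r"^\[(?P<target>[0-9A-Fa-f]+)\] (?P<path>.+?) \((?P<desc>[^)]*)\)$"
)


def parse_gmer(text):
    """Turn GMER user-mode hook lines into dicts; lines of other kinds are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = INLINE_RE.match(line)
        if m:
            rec = {"kind": "inline", "proc": m["proc"], "pid": int(m["pid"]),
                   "func": m["func"], "addr": int(m["addr"], 16),
                   "size": int(m["size"]), "target": None, "bytes": None}
            jmp = re.match(r"^JMP (?P<t>[0-9A-Fa-f]{8})$", m["patch"])
            if jmp:
                rec["target"] = int(jmp["t"], 16)          # 5-byte JMP detour
            else:
                raw = re.match(r"^\[(?P<b>[0-9A-Fa-f ]+)\]$", m["patch"])
                rec["bytes"] = raw["b"].split() if raw else [m["patch"]]  # raw patch bytes
            records.append(rec)
            continue
        m = IAT_RE.match(line)
        if m:
            rec = {"kind": "iat", "proc": m["proc"], "pid": int(m["pid"]),
                   "module": m["module"], "func": m["func"],
                   "target": None, "path": None, "desc": None}
            r = IAT_RESOLVED_RE.match(m["rest"])
            if r:                                         # GMER mapped the target to a file
                rec["target"] = int(r["target"], 16)
                rec["path"] = r["path"]
                rec["desc"] = r["desc"]
            elif re.fullmatch(r"[0-9A-Fa-f]+", m["rest"]):  # bare address, no module
                rec["target"] = int(m["rest"], 16)
            records.append(rec)
    return records


def stub_offsets(records):
    """Per hooked export: the set of low-16-bit JMP target offsets and the processes seen."""
    by_func = defaultdict(lambda: {"offsets": set(), "procs": set()})
    for r in records:
        if r["kind"] == "inline" and r["target"] is not None:
            by_func[r["func"]]["offsets"].add(r["target"] & 0xFFFF)
            by_func[r["func"]]["procs"].add(r["proc"])
    return dict(by_func)


def cross_process_consistent(records):
    """Exports hooked in two or more processes whose stub slot offset is identical.

    Heuristic for this example: one hooking engine reusing the same slot in a
    per-process trampoline page. Inconsistent offsets for the same export would
    mean at least two different things wrote hooks."""
    return sorted(f for f, v in stub_offsets(records).items()
                  if len(v["procs"]) >= 2 and len(v["offsets"]) == 1)


def unattributed_iat(records):
    """IAT entries GMER printed as a bare address with no module behind them."""
    return [r for r in records if r["kind"] == "iat" and r["path"] is None]


if __name__ == "__main__":
    recs = parse_gmer(SAMPLE_GMER)
    print("consistent across processes:", cross_process_consistent(recs))
    for r in unattributed_iat(recs):
        print("unattributed IAT: %s -> %08X in %s" % (r["func"], r["target"], r["proc"]))
```

In the excerpt, `CreateServiceA` is redirected to `00DC01F8` in OTL.exe and to `000701F8` in notepad.exe: a different page per process, the same slot `0x01F8`, and across the full log the slots step by `0x204` per export (`01F8`, `03FC`, `0600`, `0804`, ...), which is the regularity the check keys on. The two `services.exe` IAT entries come out as unattributed because GMER printed only `000B0000`/`000B0002` for them.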

Re: Help with Tojan would be cool please

Unread postby Marmalade » May 6th, 2012, 3:21 am

Had to split GMER into 3 separate posts.
Marmalade
Active Member
 
Posts: 9
Joined: May 5th, 2012, 12:41 am

Re: Help with Tojan would be cool please

Unread postby deltalima » May 6th, 2012, 3:17 pm

Hi Marmalade,

The logs look clean so far so it looks like Avast! found and removed all traces.

As a final check

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed anti-virus; how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Help with Tojan would be cool please

Unread postby Marmalade » May 7th, 2012, 2:14 am

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-01 01:34:31
# local_time=2012-01-01 01:34:31 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=3588 16777214 85 70 435800 19728172 0 0
# compatibility_mode=5892 16776574 100 100 28598173 162955294 0 0
# compatibility_mode=8192 67108863 100 0 3872 3872 0 0
# scanned=97609
# found=0
# cleaned=0
# scan_time=2305
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-01-09 05:05:38
# local_time=2012-01-09 05:05:38 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=3588 16777214 85 70 1139972 20432344 0 0
# compatibility_mode=5892 16776574 100 100 29302345 163659466 0 0
# compatibility_mode=8192 67108863 100 0 708044 708044 0 0
# scanned=91468
# found=0
# cleaned=0
# scan_time=1999
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-13 12:56:48
# local_time=2012-01-13 12:56:48 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=3588 16777214 85 70 1427559 20719931 0 0
# compatibility_mode=5892 16776574 100 100 29589932 163947053 0 0
# compatibility_mode=8192 67108863 100 0 995631 995631 0 0
# scanned=91622
# found=0
# cleaned=0
# scan_time=1882
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-13 02:33:34
# local_time=2012-01-13 02:33:34 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=3588 16777214 85 70 1433297 20725669 0 0
# compatibility_mode=5892 16776574 100 100 29595670 163952791 0 0
# compatibility_mode=8192 67108863 100 0 1001369 1001369 0 0
# scanned=91481
# found=0
# cleaned=0
# scan_time=1951
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-17 03:13:25
# local_time=2012-01-17 03:13:25 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=3588 16777214 85 70 1824261 21116633 0 0
# compatibility_mode=5892 16776574 100 100 29986634 164343755 0 0
# compatibility_mode=8192 67108863 100 0 1392333 1392333 0 0
# scanned=92503
# found=1
# cleaned=0
# scan_time=2178
C:\Users\Chris\AppData\Local\Mozilla\Firefox\Profiles\xqs4swdo.default\Cache\E\AE\42687d01 HTML/ScrInject.B.Gen virus (unable to clean) 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-17 05:06:37
# local_time=2012-01-17 05:06:37 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=3588 16777214 85 70 1832705 21125077 0 0
# compatibility_mode=5892 16776574 100 100 29995078 164352199 0 0
# compatibility_mode=8192 67108863 100 0 1400777 1400777 0 0
# scanned=11632
# found=0
# cleaned=0
# scan_time=526
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-17 06:00:34
# local_time=2012-01-17 06:00:34 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=3588 16777214 85 70 1834472 21126844 0 0
# compatibility_mode=5892 16776574 100 100 29996845 164353966 0 0
# compatibility_mode=8192 67108863 100 0 1402544 1402544 0 0
# scanned=90948
# found=0
# cleaned=0
# scan_time=1996
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-18 07:02:14
# local_time=2012-01-18 07:02:14 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=3588 16777214 85 70 1881356 21173728 0 0
# compatibility_mode=5892 16776574 100 100 30043729 164400850 0 0
# compatibility_mode=8192 67108863 100 0 1449428 1449428 0 0
# scanned=90950
# found=0
# cleaned=0
# scan_time=2012
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-18 08:20:32
# local_time=2012-01-18 08:20:32 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=3588 16777214 85 70 1929624 21221996 0 0
# compatibility_mode=5892 16776574 100 100 30091997 164449118 0 0
# compatibility_mode=8192 67108863 100 0 1497696 1497696 0 0
# scanned=91528
# found=0
# cleaned=0
# scan_time=1642
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-21 02:12:26
# local_time=2012-01-21 02:12:26 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=3588 16777214 85 70 2166288 21458660 0 0
# compatibility_mode=5892 16776574 100 100 30328661 164685782 0 0
# compatibility_mode=8192 67108863 100 0 1734360 1734360 0 0
# scanned=91043
# found=0
# cleaned=0
# scan_time=2092
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-02-07 10:37:43
# local_time=2012-02-07 10:37:43 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=3588 16777214 85 70 101187 15174548 0 0
# compatibility_mode=5892 16776574 100 100 31827443 166184564 0 0
# compatibility_mode=8192 67108863 100 0 3233142 3233142 0 0
# scanned=100715
# found=0
# cleaned=0
# scan_time=2427
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-02-10 05:56:18
# local_time=2012-02-10 05:56:18 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=3588 16777214 85 70 343430 15416791 0 0
# compatibility_mode=5892 16776574 100 100 32069686 166426807 0 0
# compatibility_mode=8192 67108863 100 0 3475385 3475385 0 0
# scanned=96767
# found=0
# cleaned=0
# scan_time=2498
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-02-16 12:13:55
# local_time=2012-02-16 12:13:55 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=3588 16777214 85 70 797577 15870938 0 0
# compatibility_mode=5892 16776574 100 100 32523833 166880954 0 0
# compatibility_mode=8192 67108863 100 0 3929532 3929532 0 0
# scanned=98122
# found=0
# cleaned=0
# scan_time=3009
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-02-22 04:08:05
# local_time=2012-02-22 04:08:05 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=3588 16777214 85 70 1330398 16403759 0 0
# compatibility_mode=5892 16776574 100 100 33056654 167413775 0 0
# compatibility_mode=8192 67108863 100 0 4462353 4462353 0 0
# scanned=119171
# found=0
# cleaned=0
# scan_time=2638
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-02-24 09:57:32
# local_time=2012-02-24 09:57:32 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=3588 16777214 85 70 1567529 16640890 0 0
# compatibility_mode=5892 16776574 100 100 33293785 167650906 0 0
# compatibility_mode=8192 67108863 100 0 4699484 4699484 0 0
# scanned=98383
# found=0
# cleaned=0
# scan_time=2474
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-02-28 10:27:00
# local_time=2012-02-28 10:27:00 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=3588 16777214 85 70 1914890 16988251 0 0
# compatibility_mode=5892 16776574 100 100 33641146 167998267 0 0
# compatibility_mode=8192 67108863 100 0 5046845 5046845 0 0
# scanned=97302
# found=0
# cleaned=0
# scan_time=2480
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-03-03 07:11:53
# local_time=2012-03-03 07:11:53 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=3588 16777214 85 70 2248700 17322061 0 0
# compatibility_mode=5892 16776574 100 100 33974956 168332077 0 0
# compatibility_mode=8192 67108863 100 0 5380655 5380655 0 0
# scanned=97482
# found=0
# cleaned=0
# scan_time=2563
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-03-07 09:25:54
# local_time=2012-03-07 09:25:54 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=3588 16777214 85 70 2602396 17675757 0 0
# compatibility_mode=5892 16776574 100 100 34328652 168685773 0 0
# compatibility_mode=8192 67108863 100 0 5734351 5734351 0 0
# scanned=97318
# found=0
# cleaned=0
# scan_time=2508
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-03-09 09:11:20
# local_time=2012-03-09 09:11:20 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=3073 16777213 80 71 43398 8832672 0 0
# compatibility_mode=5892 16776574 100 100 34500865 168857986 0 0
# compatibility_mode=8192 67108863 100 0 5906564 5906564 0 0
# scanned=95408
# found=0
# cleaned=0
# scan_time=2221
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-03-13 05:38:02
# local_time=2012-03-13 05:38:02 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776574 100 100 34833863 169190984 0 0
# compatibility_mode=8192 67108863 100 0 6239562 6239562 0 0
# scanned=95554
# found=0
# cleaned=0
# scan_time=2026
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-03-25 08:06:44
# local_time=2012-03-25 09:06:44 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776574 100 100 35881611 170238732 0 0
# compatibility_mode=8192 67108863 100 0 7287310 7287310 0 0
# scanned=13
# found=0
# cleaned=0
# scan_time=0
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-03-25 08:55:51
# local_time=2012-03-25 09:55:51 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776574 100 100 35881683 170238804 0 0
# compatibility_mode=8192 67108863 100 0 7287382 7287382 0 0
# scanned=102935
# found=0
# cleaned=0
# scan_time=2875
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-03-28 04:33:39
# local_time=2012-03-28 05:33:39 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776574 100 100 36080960 170438081 0 0
# compatibility_mode=8192 67108863 100 0 7486659 7486659 0 0
# scanned=101417
# found=0
# cleaned=0
# scan_time=3865
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-04-10 09:39:44
# local_time=2012-04-10 10:39:44 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776574 100 100 37267128 171624249 0 0
# compatibility_mode=8192 67108863 100 0 8672827 8672827 0 0
# scanned=70159
# found=1
# cleaned=0
# scan_time=2462
C:\Users\Chris\Downloads\videora-android-600-setup.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-04-10 10:54:23
# local_time=2012-04-10 11:54:23 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776574 100 100 37269656 171626777 0 0
# compatibility_mode=8192 67108863 100 0 8675355 8675355 0 0
# scanned=119850
# found=1
# cleaned=1
# scan_time=4413
C:\Users\Chris\Downloads\videora-android-600-setup.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-04-13 03:20:06
# local_time=2012-04-13 04:20:06 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776574 100 100 37502498 171859619 0 0
# compatibility_mode=8192 67108863 100 0 8908197 8908197 0 0
# scanned=116951
# found=0
# cleaned=0
# scan_time=3515
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=248a4aeb50dc944eb1ebd7a4e77799b7
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-05-07 05:42:48
# local_time=2012-05-07 06:42:48 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776574 100 100 39542719 173899840 0 0
# compatibility_mode=8192 67108863 100 0 10948418 10948418 0 0
# scanned=117361
# found=0
# cleaned=0
# scan_time=2256
Marmalade
Active Member
 
Posts: 9
Joined: May 5th, 2012, 12:41 am
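
The post above concatenates every ESET Online Scanner session this machine has run since January, so the lines that matter (two detections, two stopped scans, a handful of `esets_scanner_update` errors) are buried among repeated headers. The Python below is an added example, not part of the original post or of ESET's tooling. It parses a trimmed excerpt constructed from the sessions above (the `compatibility_mode`, version and locale fields are dropped because the parser does not use them), splits the text into sessions, and reports which detections were never cleaned by a later scan and which sessions should not be read as a clean result (stopped early, scanner-update error, detect-only run). The "later clean scans" count is this example's own notion of evidence, not an ESET field.

```python
import re
from datetime import datetime

HEADER = "ESETSmartInstaller@High as downloader log:"

# Constructed excerpt of the ESET log posted in this thread: five of the
# sessions, keeping only the fields this parser reads.
SAMPLE_ESET = r"""ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=finished
# remove_checked=false
# utc_time=2012-01-17 03:13:25
# scanned=92503
# found=1
# cleaned=0
# scan_time=2178
C:\Users\Chris\AppData\Local\Mozilla\Firefox\Profiles\xqs4swdo.default\Cache\E\AE\42687d01 HTML/ScrInject.B.Gen virus (unable to clean) 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=stopped
# remove_checked=true
# utc_time=2012-01-17 05:06:37
# scanned=11632
# found=0
# cleaned=0
# scan_time=526
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=stopped
# remove_checked=false
# utc_time=2012-04-10 09:39:44
# scanned=70159
# found=1
# cleaned=0
# scan_time=2462
C:\Users\Chris\Downloads\videora-android-600-setup.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# end=finished
# remove_checked=true
# utc_time=2012-04-10 10:54:23
# scanned=119850
# found=1
# cleaned=1
# scan_time=4413
C:\Users\Chris\Downloads\videora-android-600-setup.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=finished
# remove_checked=false
# utc_time=2012-05-07 05:42:48
# scanned=117361
# found=0
# cleaned=0
# scan_time=2256
"""

# "<path> <threat name> <type> (<status>) <32 hex> <flag>", as in the log above.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<threat>\S+ \S+) \((?P<status>[^)]+)\) "
    r"(?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S)$"
)


def parse_eset_log(text):
    """Split concatenated ESET Online Scanner output into sessions, oldest first."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == HEADER:                       # every session starts with this line
            cur = {"meta": {}, "detections": [], "notes": []}
            sessions.append(cur)
            continue
        if cur is None:
            continue                             # stray text before the first header
        if line.startswith("# "):                # "# key=value"; keys may repeat
            key, _, value = line[2:].partition("=")
            cur["meta"].setdefault(key, []).append(value)
            continue
        m = DETECTION_RE.match(line)
        if m:
            cur["detections"].append(m.groupdict())
        else:
            cur["notes"].append(line)            # "all ok", scanner-update errors, ...
    for s in sessions:
        meta = s["meta"]
        stamp = meta.get("utc_time", [None])[0]
        s["utc"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S") if stamp else datetime.min
        s["finished"] = meta.get("end", [""])[0] == "finished"
        s["remove"] = meta.get("remove_checked", ["false"])[0] == "true"
        s["found"] = int(meta.get("found", ["0"])[0])
        s["cleaned"] = int(meta.get("cleaned", ["0"])[0])
        s["update_failed"] = any(n.startswith("esets_scanner_update returned")
                                 for n in s["notes"])
    return sorted(sessions, key=lambda s: s["utc"])


def is_cleaned(status):
    """Status strings seen in the log: 'unable to clean', 'deleted - quarantined'."""
    s = status.lower()
    return any(w in s for w in ("deleted", "cleaned", "quarantined"))


def finding_history(sessions):
    """Per detected path, every (utc, threat, status) record in time order."""
    hist = {}
    for s in sessions:
        for d in s["detections"]:
            hist.setdefault(d["path"], []).append((s["utc"], d["threat"], d["status"]))
    return hist


def open_findings(sessions):
    """Paths whose most recent detection record was not a clean or quarantine.

    Also counts completed found=0 scans run after that record: a later clean
    full scan is evidence, not proof, that the file is gone (a browser cache
    entry can simply have been evicted)."""
    result = {}
    for path, events in finding_history(sessions).items():
        last_utc, threat, status = events[-1]
        if is_cleaned(status):
            continue
        later_clean = sum(1 for s in sessions
                          if s["utc"] > last_utc and s["finished"] and s["found"] == 0)
        result[path] = {"threat": threat, "status": status,
                        "last_seen": last_utc, "later_clean_scans": later_clean}
    return result


def session_warnings(sessions):
    """Sessions whose summary line should not be read as a clean bill of health."""
    warnings = []
    for s in sessions:
        if not s["finished"]:
            warnings.append((s["utc"], "scan stopped before completion"))
        if s["update_failed"]:
            warnings.append((s["utc"], "esets_scanner_update reported an error"))
        if s["found"] and not s["remove"]:
            warnings.append((s["utc"], "detect-only run: findings reported, not removed"))
    return warnings


if __name__ == "__main__":
    sessions = parse_eset_log(SAMPLE_ESET)
    for path, info in open_findings(sessions).items():
        print("OPEN:", path, info)
    for when, why in session_warnings(sessions):
        print("WARN:", when, why)
```

On the excerpt this reports the Firefox cache entry from 2012-01-17 as the only finding never explicitly cleaned, with one completed found=0 scan after it (the 2012-05-07 run that was posted in answer to deltalima's request), and treats the OpenCandy installer as resolved because its last record is `deleted - quarantined`.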

Re: Help with Tojan would be cool please

Unread postby deltalima » May 7th, 2012, 7:42 am

Hi Marmalade,

The logs look clean so it looks like Avast! found and removed all traces.

Now that you are clean, please follow these steps in order to keep your computer clean and secure.

Remove GMER

Delete the GMER icon from your desktop.

Clean up with OTL

  • Double-click OTL.exe to start the program. This will remove all the tools we used to clean your pc.
  • Close all other programs apart from OTL, as this step will require a reboot.
  • On the OTL main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.


Update your AntiVirus Software and keep your other programs up-to-date
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Security Updates for Windows, Internet Explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.

Happy surfing and stay clean!
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Help with Tojan would be cool please

Unread postby Marmalade » May 8th, 2012, 2:35 am

thanks for your help
would you change passwords?
Marmalade
Active Member
 
Posts: 9
Joined: May 5th, 2012, 12:41 am

Re: Help with Tojan would be cool please

Unread postby deltalima » May 8th, 2012, 2:54 am

thanks for your help


You're welcome!

would you change passwords?


It would be a good idea; there is nothing to be lost, so I would say yes.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK