Forum Home |  MWR University |  New to the Board? |  IRC Chatroom |  Who Runs This Site? |  ASAP Members |  Microsoft MVP Members |  Downloads |  Good & Bad P2P Programs |  Our Rules

MalWare Removal Forum

Malware Removal University - Teaching people how to support those with infected computers - Teaching them to never give up untill your computer is clean and secure.

Tutorials (etc.) : Boot to Safe Mode - Safely - What to do if your Computer's running slowly
It is currently Sat 18 May, 2013 5:09 pm

View unanswered posts | View active topics


Board index » Malware Removal » Malware Removal

All times are UTC [ DST ]

Forum rules


Please read > >THIS ANNOUNCEMENT< < before posting your NEW topic about your problem.

Please do NOT reply to your topic until a staff member has responded as they are looking for topics that have ZERO replies.

Paste your logs into your post. DO NOT USE ATTACHMENTS! Logs posted as attachments will be ignored and the topic will be closed.

If no expert has replied after 3 days, and you still require assistance, please post in our 72 hour bump room > > CLICK HERE < < Please do NOT reply to your own topic in an attempt to "bump" it. Bumped topics will be closed, requiring you to start again from the beginning.

If you are being helped and you haven't replied to your helper within 3 days of their last post, your topic will be closed as inactive. If that happens, you will need to start a new topic when you have the time available to promptly complete all instructions.

If your topic has been closed due to inactivity, do NOT request that your topic be reopened - we do NOT reopen topics unless they have been closed in error - you will need to start a NEW topic with NEW DDS logs. Do NOT attempt to start a new topic with a post that is essentially a reply to your closed topic.



Post new topic This topic is locked, you cannot edit posts or make further replies.  Page 1 of 2
  [ 18 posts ]  Go to page 1, 2  Next
  Previous topic | First unread post | Next topic 
Author Message
leroy69
 Post subject: Assistance required Please!Paypal Account hacked(Malware?)
New postPosted: Fri 20 Apr, 2012 11:54 am 
Offline
Active Member

Joined: Thu 19 Apr, 2012 6:25 pm
Posts: 10
Hi there
I had my paypal account hacked into last week.I never open any unwanted emails and I always make sure my antivirus/malware programs are up to date.I have done scans and they all come back clean but paypal are saying it must have been via spyware that somone got my paypal password/details!I don't think it was!
I would really appreciate if someone here could take the time to have a look and see if there is anything lurking on my computer because I am very wary now and it has left me feeling terrible that someone has been able to use my account fraudulently even though I am always taking steps to make sure my computer is as secure as it can be!Thank you in advance.Here are my logs

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19222
Run by liz at 11:42:26 on 2012-04-20
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://format.packardbell.com/cgi-bin/r ... ey=IESTART
mStart Page = hxxp://format.packardbell.com/cgi-bin/r ... ey=IESTART
mDefault_Page_URL = hxxp://format.packardbell.com/cgi-bin/r ... ey=IESTART
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
mRun: [BOC-427] c:\progra~1\comodo\cboclean\BOC427.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan ... stubie.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{FB24DB9F-B30A-4F32-99E3-816EBEFC6360} : DhcpNameServer = 194.168.4.100 194.168.8.100
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\liz.paul-pc\appdata\roaming\mozilla\firefox\profiles\dqdms9bk.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo.co.uk
FF - prefs.js: browser.startup.homepage - http://www.google.co.uk
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&o ... &gfns=1&q=
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll
.
============= SERVICES / DRIVERS ===============
.
R? AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? DCamUSBSTK014;STK014 Camera
R? WDC_SAM;WD SCSI Pass Thru driver
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? aswFsBlk;aswFsBlk
S? aswMonFlt;aswMonFlt
S? aswSnx;aswSnx
S? aswSP;aswSP
S? avast! Antivirus;avast! Antivirus
S? BOCore;BOCore
S? FontCache;Windows Font Cache Service
S? pavboot;pavboot
S? SASDIFSV;SASDIFSV
S? SASKUTIL;SASKUTIL
.
=============== File Associations ===============
.
txtfile=c:\windows\NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2012-04-20 10:38:01 -------- d-----w- c:\programdata\InstallMate
2012-04-20 10:38:01 -------- d-----w- c:\program files\BillP Studios
2012-04-19 17:06:34 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-19 17:06:33 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-11 19:13:42 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2012-04-11 19:13:31 -------- d-----w- c:\program files\Panda Security
2012-04-11 16:20:35 6582328 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{b09998aa-3d29-4d17-80dc-46a9b71969ff}\mpengine.dll
2012-04-11 16:19:15 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-11 16:19:15 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-04-11 16:19:14 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-11 16:19:14 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-11 16:17:12 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 16:17:11 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-11 16:03:41 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-04-05 17:29:57 -------- d-----w- c:\users\liz.paul-pc\appdata\roaming\WinPatrol
2012-04-05 17:23:18 -------- d-----w- c:\program files\CCleaner
.
==================== Find3M ====================
.
2012-04-04 14:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-28 11:30:48 916992 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 11:25:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-02-28 11:25:17 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 11:25:03 71680 ----a-w- c:\windows\system32\iesetup.dll
2012-02-28 11:25:03 109056 ----a-w- c:\windows\system32\iesysprep.dll
2012-02-28 10:07:57 385024 ----a-w- c:\windows\system32\html.iec
2012-02-28 08:12:52 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2012-02-28 08:08:30 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-23 08:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-14 15:45:30 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-02-14 15:45:30 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-13 14:12:08 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-13 13:47:57 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-02-13 13:44:40 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-02-02 15:16:25 2044416 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 11:45:26.07 ===============


.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Adobe Flash Player 11 Plugin
Adobe Shockwave Player
Ashampoo Burning Studio 6 FREE v.6.80
µTorrent
Auslogics Disk Defrag
avast! Free Antivirus
BOClean
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
CCleaner
DVD Flick 1.3.0.7
DVD Shrink 3.2
ESET Online Scanner v3
Foxit Reader 5.1
Google Desktop
Google Update Helper
HDReg
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Mozilla Firefox 11.0 (x86 en-GB)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nokia Connectivity Cable Driver
Nokia PC Suite
NVIDIA Drivers
Packard Bell - Skype 2.5
Panda ActiveScan 2.0
PC Connectivity Solution
Realtek High Definition Audio Driver
Revo Uninstaller 1.93
Roxio Creator 9 LE
RTC Client API v1.2
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
SpywareBlaster 4.6
SUPERAntiSpyware
System Requirements Lab
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Winamp
WinASO Registry Optimizer 4.7.5
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1)
Windows Media Player Firefox Plugin
WinPatrol
WinRAR archiver
Xvid 1.1.3 final uninstall
.
==== End Of File ===========================

Top
 Profile E-mail  
 
deltalima
 Post subject: Re: Assistance required Please!Paypal Account hacked(Malware
New postPosted: Fri 20 Apr, 2012 8:22 pm 
Offline
Admin/Teacher
Admin/Teacher
User avatar

Joined: Sat 28 Feb, 2009 9:38 pm
Posts: 7362
Location: UK
Checking your logs - back soon.
_________________

Top
 Profile E-mail  
 
deltalima
 Post subject: Re: Assistance required Please!Paypal Account hacked(Malware
New postPosted: Fri 20 Apr, 2012 8:31 pm 
Offline
Admin/Teacher
Admin/Teacher
User avatar

Joined: Sat 28 Feb, 2009 9:38 pm
Posts: 7362
Location: UK
Hi leroy69,

Welcome to the forum.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Please note the following:
  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please do not run any scans or make any changes to the system unless I ask you too.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Remove P2P Programs

  • I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    Quote:
    µTorrent


  • Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
  • Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

  • Click on start
  • Then Run
  • In the open text entry box please copy/paste appwiz.cpl Then click enter.
  • Press the "Remove" or "Change/Remove"...button to uninstall the programs listed above (in red) and any other P2P you have installed NOW.
  • Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.


Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.
Top
 Profile E-mail  
 
leroy69
 Post subject: Re: Assistance required Please!Paypal Account hacked(Malware
New postPosted: Sun 22 Apr, 2012 1:18 pm 
Offline
Active Member

Joined: Thu 19 Apr, 2012 6:25 pm
Posts: 10
Hi there.Thank you for your assistance!I have uninstalled Utorrent as per your instructions and the OTL logs are as follows:

OTL logfile created on: 22/04/2012 13:05:27 - Run 1
OTL by OldTimer - Version 3.2.40.0 Folder = C:\Users\liz.paul-PC\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19222)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

765.82 Mb Total Physical Memory | 278.99 Mb Available Physical Memory | 36.43% Memory free
2.21 Gb Paging File | 1.53 Gb Available in Paging File | 69.11% Paging File free
Paging file location(s): c:\pagefile.sys 1536 2048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 141.04 Gb Total Space | 64.58 Gb Free Space | 45.79% Space Free | Partition Type: NTFS

Computer Name: LIZ-PC | User Name: liz | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\liz.paul-PC\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe (BillP Studios)
PRC - C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Comodo\CBOClean\BOC427.EXE (COMODO)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\BillP Studios\WinPatrol\sqlite3.dll ()
MOD - C:\Program Files\WinRAR\RarExt.dll ()


========== Win32 Services (SafeList) ==========

SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (avast! Antivirus) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
SRV - (BOCore) -- C:\Program Files\Comodo\CBOClean\BOCore.exe (COMODO)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (ServiceLayer) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia.)
SRV - (GoogleDesktopManager) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe (Google)


========== Driver Services (SafeList) ==========

DRV - (tmcomm) -- C:\Windows\system32\drivers\tmcomm.sys File not found
DRV - (StarOpen) -- File not found
DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found
DRV - (blbdrive) -- C:\Windows\system32\drivers\blbdrive.sys File not found
DRV - (aswSnx) -- C:\Windows\System32\drivers\aswSnx.sys (AVAST Software)
DRV - (aswSP) -- C:\Windows\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswRdr) -- C:\Windows\System32\drivers\aswRdr.sys (AVAST Software)
DRV - (aswTdi) -- C:\Windows\System32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswMonFlt) -- C:\Windows\System32\drivers\aswMonFlt.sys (AVAST Software)
DRV - (aswFsBlk) -- C:\Windows\System32\drivers\aswFsBlk.sys (AVAST Software)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (pavboot) -- C:\Windows\System32\drivers\pavboot.sys (Panda Security, S.L.)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (WDC_SAM) -- C:\Windows\System32\drivers\wdcsam.sys (Western Digital Technologies)
DRV - (nvstor32) -- C:\Windows\System32\drivers\nvstor32.sys (NVIDIA Corporation)
DRV - (irsir) -- C:\Windows\System32\drivers\irsir.sys (Microsoft Corporation)
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvmfdx32.sys (NVIDIA Corporation)
DRV - (BOCDRIVE) -- C:\Program Files\Comodo\CBOClean\BOCDRIVE.SYS ()
DRV - (nmwcd) -- C:\Windows\System32\drivers\nmwcd.sys (Nokia)
DRV - (nmwcdcm) -- C:\Windows\System32\drivers\nmwcdcm.sys (Nokia)
DRV - (nmwcdcj) -- C:\Windows\System32\drivers\nmwcdcj.sys (Nokia)
DRV - (nmwcdc) -- C:\Windows\System32\drivers\nmwcdc.sys (Nokia)
DRV - (wanatw) WAN Miniport (ATW) -- C:\Windows\System32\drivers\wanatw4.sys (America Online, Inc.)
DRV - (sscdmdm) -- C:\Windows\System32\drivers\sscdmdm.sys (MCCI)
DRV - (sscdmdfl) -- C:\Windows\System32\drivers\sscdmdfl.sys (MCCI)
DRV - (sscdbus) SAMSUNG USB Composite Device driver (WDM) -- C:\Windows\System32\drivers\sscdbus.sys (MCCI)
DRV - (DCamUSBSTK014) -- C:\Windows\System32\drivers\STK014W2.sys (Syntek Ltd.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://format.packardbell.com/cgi-bin/r ... ey=IESTART
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://format.packardbell.com/cgi-bin/r ... ey=IESTART
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://format.packardbell.com/cgi-bin/r ... ey=IESTART
IE - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Yahoo.co.uk"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "www.google.co.uk"
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20100908
FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q="
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_2_202_233.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandasecurity.com/activescan: C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll (Panda Security, S.L.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/12/13 19:56:22 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/03/18 20:12:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012/02/02 19:47:45 | 000,000,000 | ---D | M] (No name found) -- C:\Users\liz.paul-PC\AppData\Roaming\mozilla\Extensions
[2012/03/31 08:29:27 | 000,000,000 | ---D | M] (No name found) -- C:\Users\liz.paul-PC\AppData\Roaming\mozilla\Firefox\Profiles\dqdms9bk.default\extensions
[2012/03/02 19:11:58 | 000,000,000 | ---D | M] (WOT) -- C:\Users\liz.paul-PC\AppData\Roaming\mozilla\Firefox\Profiles\dqdms9bk.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2012/03/31 08:29:18 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\liz.paul-PC\AppData\Roaming\mozilla\Firefox\Profiles\dqdms9bk.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2012/02/02 19:47:37 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/03/18 20:12:53 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/02/11 19:58:07 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2012/02/11 19:58:07 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/02/11 19:58:07 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2012/02/11 19:58:07 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2012/02/11 19:58:07 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2012/03/30 15:22:58 | 000,601,715 | ---- | M]) - C:\Windows\System32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost #[IPv6]
O1 - Hosts: 127.0.0.1 fr.a2dfp.net
O1 - Hosts: 127.0.0.1 m.fr.a2dfp.net
O1 - Hosts: 127.0.0.1 ad.a8.net
O1 - Hosts: 127.0.0.1 asy.a8ww.net
O1 - Hosts: 127.0.0.1 abcstats.com
O1 - Hosts: 127.0.0.1 a.abv.bg
O1 - Hosts: 127.0.0.1 adserver.abv.bg
O1 - Hosts: 127.0.0.1 adv.abv.bg
O1 - Hosts: 127.0.0.1 bimg.abv.bg
O1 - Hosts: 127.0.0.1 ca.abv.bg
O1 - Hosts: 127.0.0.1 www2.a-counter.kiev.ua
O1 - Hosts: 127.0.0.1 track.acclaimnetwork.com
O1 - Hosts: 127.0.0.1 accuserveadsystem.com
O1 - Hosts: 127.0.0.1 www.accuserveadsystem.com
O1 - Hosts: 127.0.0.1 achmedia.com
O1 - Hosts: 127.0.0.1 aconti.net
O1 - Hosts: 127.0.0.1 secure.aconti.net
O1 - Hosts: 127.0.0.1 www.aconti.net #[Dialer.Aconti]
O1 - Hosts: 127.0.0.1 am1.activemeter.com
O1 - Hosts: 127.0.0.1 www.activemeter.com #[Tracking.Cookie]
O1 - Hosts: 127.0.0.1 ads.activepower.net
O1 - Hosts: 127.0.0.1 stat.active24stats.nl #[Tracking.Cookie]
O1 - Hosts: 127.0.0.1 cms.ad2click.nl
O1 - Hosts: 16118 more lines...
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [BOC-427] C:\Program Files\Comodo\CBOClean\BOC427.EXE (COMODO)
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
O4 - HKU\.DEFAULT..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe (Time Information Services Ltd.)
O4 - HKU\S-1-5-18..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe (Time Information Services Ltd.)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoComputersNearMe = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\##aswSnx private storage\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\##aswSnx private storage\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetHood = 0
O7 - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoComputersNearMe = 0
O7 - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O13 - gopher Prefix: missing
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/activescan ... stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FB24DB9F-B30A-4F32-99E3-816EBEFC6360}: DhcpNameServer = 194.168.4.100 194.168.8.100
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\liz.paul-PC\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\liz.paul-PC\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{3d551d8b-3382-11e0-9486-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{3d551d8b-3382-11e0-9486-00038a000015}\Shell\AutoRun\command - "" = "J:\WD SmartWare.exe" autoplay=true
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/04/22 12:58:42 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\liz.paul-PC\Desktop\OTL.exe
[2012/04/20 11:40:40 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\liz.paul-PC\Desktop\dds.scr
[2012/04/20 11:38:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPatrol
[2012/04/20 11:38:01 | 000,000,000 | ---D | C] -- C:\ProgramData\InstallMate
[2012/04/20 11:38:01 | 000,000,000 | ---D | C] -- C:\Program Files\BillP Studios
[2012/04/20 07:02:04 | 000,000,000 | ---D | C] -- C:\Users\liz.paul-PC\AppData\Roaming\Adobe
[2012/04/19 18:17:21 | 000,000,000 | ---D | C] -- C:\Users\liz.paul-PC\AppData\Roaming\Macromedia
[2012/04/19 18:06:34 | 000,418,464 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2012/04/19 18:06:33 | 000,070,304 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012/04/19 18:06:32 | 000,000,000 | ---D | C] -- C:\Windows\System32\Macromed
[2012/04/19 18:05:19 | 004,139,680 | ---- | C] (Adobe Systems Incorporated) -- C:\Users\liz.paul-PC\Desktop\install_flash_player_32bit.exe
[2012/04/11 20:13:42 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\drivers\pavboot.sys
[2012/04/11 20:13:31 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2012/04/11 17:17:12 | 003,550,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2012/04/11 17:17:11 | 003,602,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2012/04/11 17:04:50 | 000,105,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2012/04/11 17:04:49 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2012/04/11 17:04:42 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2012/04/11 17:04:42 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2012/04/11 17:04:42 | 000,602,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2012/04/11 17:04:41 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2012/04/11 17:04:41 | 000,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2012/04/11 17:04:41 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2012/04/11 17:04:40 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2012/04/11 17:04:40 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2012/04/11 17:04:40 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2012/04/11 17:04:39 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2012/04/11 17:04:39 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2012/04/11 17:04:39 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2012/04/11 17:04:39 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2012/04/11 17:04:33 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2012/04/11 17:04:33 | 000,174,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2012/04/11 17:04:33 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2012/04/05 18:29:57 | 000,000,000 | ---D | C] -- C:\Users\liz.paul-PC\AppData\Roaming\WinPatrol
[2012/04/05 18:23:18 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/04/05 17:51:20 | 000,000,000 | ---D | C] -- C:\Users\liz.paul-PC\Documents\hosts
[2012/03/26 19:03:56 | 000,000,000 | ---D | C] -- C:\Users\liz.paul-PC\Desktop\New Folder

========== Files - Modified Within 30 Days ==========

[2012/04/22 12:58:50 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\liz.paul-PC\Desktop\OTL.exe
[2012/04/22 12:56:42 | 000,007,132 | ---- | M] () -- C:\Users\liz.paul-PC\Documents\cc_20120422_125636.reg
[2012/04/22 12:51:34 | 000,003,296 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/04/22 12:51:34 | 000,003,296 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/04/22 12:51:22 | 000,025,169 | ---- | M] () -- C:\Windows\BOC427.INI
[2012/04/22 12:46:11 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/22 12:45:31 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/04/22 12:45:15 | 803,688,448 | -HS- | M] () -- C:\hiberfil.sys
[2012/04/20 18:33:06 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/04/20 18:16:00 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/20 17:48:00 | 000,617,088 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/04/20 17:48:00 | 000,111,958 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/04/20 11:40:50 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\liz.paul-PC\Desktop\dds.scr
[2012/04/20 11:37:30 | 000,000,176 | ---- | M] () -- C:\Users\liz.paul-PC\Documents\cc_20120420_113727.reg
[2012/04/19 18:06:34 | 000,418,464 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2012/04/19 18:06:33 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012/04/19 18:05:26 | 004,139,680 | ---- | M] (Adobe Systems Incorporated) -- C:\Users\liz.paul-PC\Desktop\install_flash_player_32bit.exe
[2012/04/19 17:56:07 | 000,001,312 | ---- | M] () -- C:\Users\liz.paul-PC\Documents\cc_20120419_175603.reg
[2012/04/08 18:49:32 | 000,001,234 | ---- | M] () -- C:\Users\liz.paul-PC\Documents\cc_20120408_184928.reg
[2012/04/05 18:25:21 | 000,002,386 | ---- | M] () -- C:\Users\liz.paul-PC\Documents\cc_20120405_182517.reg
[2012/04/05 18:23:21 | 000,000,807 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/03/30 15:22:58 | 000,601,715 | ---- | M] () -- C:\Windows\System32\drivers\etc\HOSTS.MVP
[2012/03/30 15:22:58 | 000,601,715 | ---- | M] () -- C:\Windows\System32\drivers\etc\HOSTS
[2012/03/29 18:17:18 | 000,089,600 | ---- | M] () -- C:\Users\liz.paul-PC\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== Files Created - No Company Name ==========

[2012/04/22 12:56:38 | 000,007,132 | ---- | C] () -- C:\Users\liz.paul-PC\Documents\cc_20120422_125636.reg
[2012/04/20 11:37:29 | 000,000,176 | ---- | C] () -- C:\Users\liz.paul-PC\Documents\cc_20120420_113727.reg
[2012/04/19 18:06:36 | 000,000,830 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/04/19 17:56:04 | 000,001,312 | ---- | C] () -- C:\Users\liz.paul-PC\Documents\cc_20120419_175603.reg
[2012/04/08 18:49:30 | 000,001,234 | ---- | C] () -- C:\Users\liz.paul-PC\Documents\cc_20120408_184928.reg
[2012/04/05 18:25:19 | 000,002,386 | ---- | C] () -- C:\Users\liz.paul-PC\Documents\cc_20120405_182517.reg
[2012/04/05 18:23:21 | 000,000,807 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2010/09/26 12:11:13 | 000,016,968 | ---- | C] () -- C:\Windows\System32\drivers\hitmanpro35.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Users\liz.paul-PC\Documents\shortcuts:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\liz.paul-PC\Documents\s_15kgbut.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\liz.paul-PC\Documents\My Google Gadgets:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\liz.paul-PC\Documents\Liz's photos:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\liz.paul-PC\Documents\hosts:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\liz.paul-PC\Documents\Downloads:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\liz.paul-PC\Documents\Bookmarks(back up file):Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\liz.paul-PC\Desktop\New Folder:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\liz.paul-PC\Desktop\IMG_0708.JPG:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\liz.paul-PC\Desktop\Desk top Shortcuts:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\liz.paul-PC\Desktop\Cat show 2012:Roxio EMC Stream
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:5C321E34

< End of report >

OTL Extras logfile created on: 22/04/2012 13:05:27 - Run 1
OTL by OldTimer - Version 3.2.40.0 Folder = C:\Users\liz.paul-PC\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19222)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

765.82 Mb Total Physical Memory | 278.99 Mb Available Physical Memory | 36.43% Memory free
2.21 Gb Paging File | 1.53 Gb Available in Paging File | 69.11% Paging File free
Paging file location(s): c:\pagefile.sys 1536 2048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 141.04 Gb Total Space | 64.58 Gb Free Space | 45.79% Space Free | Partition Type: NTFS

Computer Name: LIZ-PC | User Name: liz | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-760914142-2743886509-1717870916-1002\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
http [open] -- Reg Error: Value error.
https [open] -- Reg Error: Value error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-760914142-2743886509-1717870916-1002]
"EnableNotificationsRef" = 3
"EnableNotifications" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-760914142-2743886509-1717870916-1004]
"EnableNotificationsRef" = 3
"EnableNotifications" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{6A178F75-C820-4017-8D87-8D4A928C73C2}" = lport=139 | protocol=6 | dir=in | app=system |
"{7671FAF2-1523-4EB4-A243-058987AE6FD9}" = lport=138 | protocol=17 | dir=in | app=system |
"{8EB3911F-2906-4962-A7B0-F6895473A0A5}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{92369EDD-CB1C-4BF6-9F56-361FFB71B68E}" = rport=445 | protocol=6 | dir=out | app=system |
"{973ABBCA-0CF9-437E-9006-0611A6762279}" = lport=45682 | protocol=6 | dir=in | name=utorrent |
"{98C7106C-7075-492E-8EC5-EC8AD668BA82}" = lport=137 | protocol=17 | dir=in | app=system |
"{A7BF112C-B054-4114-82DA-E22D9B497F8B}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{BEB64BF7-766B-4839-80EE-28702C56928F}" = lport=445 | protocol=6 | dir=in | app=system |
"{D862E637-B735-4010-BD9C-141AC85BC3D6}" = rport=138 | protocol=17 | dir=out | app=system |
"{DF047193-8A24-4F24-9A74-0B0CA2B4F92A}" = rport=139 | protocol=6 | dir=out | app=system |
"{EA301AEB-F890-4C24-8D28-4DA6F89B5905}" = rport=137 | protocol=17 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{58785683-5078-4BC4-AC9C-358890C8E648}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{80DD9243-68AF-49F6-B8B3-272306B198DE}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{ED4CE6BA-7C70-49CF-BDB3-D8496B4B3495}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{FD0486A2-D8AA-4564-8FCE-B501B7DDC924}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{066D65EA-ED53-44E4-A96A-F81B6E409D2E}" = PC Connectivity Solution
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{302A1E2E-DD58-4673-BC99-9CC10EC2637A}" = WinPatrol
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{44CDBD1B-89FB-4E02-8319-2A4C550F664A}" = RTC Client API v1.2
"{57A48477-92F0-4C1F-ADF9-4806C4EC3CF2}" = Nokia PC Suite
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{92127AF5-FDD8-4ADF-BC40-C356C9EE0B7D}" = 32 Bit HP CIO Components Installer
"{972B1D9B-0EAD-49E8-B7D6-3B83FD5665B1}" = Nokia Connectivity Cable Driver
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A7DB362E-16DC-4E29-8A34-E74381E00B5B}" = Adobe Shockwave Player
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB7032FF-AFED-4C58-AA5C-8473B273793A}" = HDReg
"{B7FB0C86-41A4-4402-9A33-912C462042A0}" = Roxio Creator 9 LE
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"0852D05415AB9A4F1EF451E342267F76C776ED2F" = Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1)
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Ashampoo Burning Studio 6 FREE_is1" = Ashampoo Burning Studio 6 FREE v.6.80
"avast" = avast! Free Antivirus
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"CBOClean" = BOClean
"CCleaner" = CCleaner
"DVD Flick_is1" = DVD Flick 1.3.0.7
"DVD Shrink_is1" = DVD Shrink 3.2
"ESET Online Scanner" = ESET Online Scanner v3
"Foxit Reader_is1" = Foxit Reader 5.1
"Google Desktop" = Google Desktop
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox 11.0 (x86 en-GB)" = Mozilla Firefox 11.0 (x86 en-GB)
"Nokia PC Suite" = Nokia PC Suite
"NVIDIA Drivers" = NVIDIA Drivers
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"Revo Uninstaller" = Revo Uninstaller 1.93
"Skype_is1" = Packard Bell - Skype 2.5
"SpywareBlaster_is1" = SpywareBlaster 4.6
"SystemRequirementsLab" = System Requirements Lab
"Winamp" = Winamp
"WinASO Registry Optimizer_is1" = WinASO Registry Optimizer 4.7.5
"WinRAR archiver" = WinRAR archiver
"Xvid_is1" = Xvid 1.1.3 final uninstall
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >
_________________

Top
 Profile E-mail  
 
deltalima
 Post subject: Re: Assistance required Please!Paypal Account hacked(Malware
New postPosted: Sun 22 Apr, 2012 5:58 pm 
Offline
Admin/Teacher
Admin/Teacher
User avatar

Joined: Sat 28 Feb, 2009 9:38 pm
Posts: 7362
Location: UK
Hi leroy69,

Registry Cleaners

Re. WinASO Registry Optimizer 4.7.5

I don't personally recommend the use of ANY registry cleaners. Here is an excerpt from a discussion on regcleaners
Quote:
Most reg cleaners aren't bad as such, but they aren't perfect and even the best have been known to cause problems. The point we are trying to make is that the risk of using one far outweighs any benefit. If it does work perfectly you will not see any difference. If it doesn't work properly you may end up with an expensive doorstop.


This post by Bill Castner is veryinformative: WhatTheTech Forum

Please uninstall WinASO Registry Optimizer 4.7.5

You have too many security programs running, they will slow the computer down and provide less protection as they will interfere with each other.

Please uninstall BOClean

Download SystemLook and save it to your Desktop.

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :service
    Winmgmt
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
    Code:
    :processes
    killallprocesses
    :otl
    FF - prefs.js..browser.search.defaultengine: "Ask.com"
    FF - prefs.js..browser.search.defaultenginename: "Ask.com"
    FF - prefs.js..browser.search.order.1: "Ask.com"
    O3 - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
    @Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:5C321E34
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
    "DisableMonitoring" = 0
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring" = 0
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
    "DisableMonitoring" = 0
    :commands
    [EMPTYTEMP]
    [EMPTYFLASH]
    [EMPTYJAVA]
    [RESETHOSTS]
    [REBOOT]
  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

Please download GMER Rootkit Scanner from here.
  • Right click the .exe file and select: Run as Administrator. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE
Important! Please do not select the "Show all" checkbox during the scan..

Please post the GMER log in your next reply.

Top
 Profile E-mail  
 
leroy69
 Post subject: Re: Assistance required Please!Paypal Account hacked(Malware
New postPosted: Sun 22 Apr, 2012 10:42 pm 
Offline
Active Member

Joined: Thu 19 Apr, 2012 6:25 pm
Posts: 10
Hi there
I have uninstalled Winaso.The only "Real time" scanners I have are Avast antivirus and Comodo Boclean.I only use the rest as "on demand" scanners now and again!I know Boclean is not updated anymore so if you still want me to uninstall it I will.
I copy and pasted the fixes into OTL script and it said "processing complete" it then said to reboot to remove files but it did not reboot when I clicked OK.I rebooted manually though,will that be ok?
My computer crashed when running the GMER scan and went to a blue screen with an error code!Will I try again?Below is the SystemLook scan results.Thank you.
SystemLook 30.07.11 by jpshortstuff
Log created at 21:41 on 22/04/2012 by liz
Administrator - Elevation successful

========== service ==========

Winmgmt
Windows Management Instrumentation
"Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start."
Current Status: Started
Startup Type: Automatic
Error Control: Severe
Binary: C:\Windows\system32\svchost.exe -k netsvcs
Group: (none)
SafeBoot: Minimal Network
Dependencies:
->RPCSS
Dependant Services:
->Security Center (wscsvc) (Started)
->Internet Connection Sharing (ICS) (SharedAccess) (Stopped)
->IP Helper (iphlpsvc) (Started)

-= EOF =-

Top
 Profile E-mail  
 
deltalima
 Post subject: Re: Assistance required Please!Paypal Account hacked(Malware
New postPosted: Sun 22 Apr, 2012 10:56 pm 
Offline
Admin/Teacher
Admin/Teacher
User avatar

Joined: Sat 28 Feb, 2009 9:38 pm
Posts: 7362
Location: UK
Hi leroy69,

Quote:
The only "Real time" scanners I have are Avast antivirus and Comodo Boclean.I only use the rest as "on demand" scanners now and again!I know Boclean is not updated anymore so if you still want me to uninstall it I will.


Windows Defender also looks to be running real time, please remove Boclean as without updates it is of very little use.

Quote:
My computer crashed when running the GMER scan and went to a blue screen with an error code!


If GMER continues to blue screen then please run this alternative scan.

Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of the report and paste it in a reply here.
Top
 Profile E-mail  
 
leroy69
 Post subject: Re: Assistance required Please!Paypal Account hacked(Malware
New postPosted: Mon 23 Apr, 2012 7:25 pm 
Offline
Active Member

Joined: Thu 19 Apr, 2012 6:25 pm
Posts: 10
Hi I've uninstalled Comodo.
The results of the RK unhooker are as follows:During the scan a message popped up saying select discs for scan and C:\HDD was ticked so I clicked ok.It then said something about dummy message and then Avast said it blocked malware and that something was trying to modify RK unhooker?

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6002 (Service Pack 2)
Number of processors #1
==============================================
>Drivers
==============================================
0x8A204000 C:\Windows\system32\DRIVERS\nvlddmkm.sys 7467008 bytes (NVIDIA Corporation, NVIDIA Compatible Windows Vista Kernel Mode Driver, Version 175.19 )
0x82633000 C:\Windows\system32\ntkrnlpa.exe 3907584 bytes (Microsoft Corporation, NT Kernel & System)
0x82633000 PnpManager 3907584 bytes
0x82633000 RAW 3907584 bytes
0x82633000 WMIxWDM 3907584 bytes
0x948A0000 Win32k 2113536 bytes
0x948A0000 C:\Windows\System32\win32k.sys 2113536 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x8B803000 C:\Windows\system32\drivers\RTKVHDA.sys 1642496 bytes (Realtek Semiconductor Corp., Realtek(r) High Definition Audio Function Driver)
0x86A0D000 C:\Windows\System32\Drivers\Ntfs.sys 1114112 bytes (Microsoft Corporation, NT File System Driver)
0x8327B000 C:\Windows\system32\drivers\ndis.sys 1093632 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)
0x89EA6000 C:\Windows\system32\DRIVERS\nvmfdx32.sys 1036288 bytes (NVIDIA Corporation, NVIDIA MCP Networking Function Driver.)
0x86802000 C:\Windows\System32\drivers\tcpip.sys 958464 bytes (Microsoft Corporation, TCP/IP Driver)
0x80661000 C:\Windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)
0x9C894000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x9884C000 C:\Windows\system32\drivers\spsys.sys 720896 bytes (Microsoft Corporation, security processor)
0x8A923000 C:\Windows\System32\drivers\dxgkrnl.sys 655360 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x89E01000 C:\Windows\system32\DRIVERS\HDAudBus.sys 577536 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x80741000 C:\Windows\system32\drivers\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)
0x83209000 C:\Windows\System32\Drivers\ksecdd.sys 466944 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x8AC94000 C:\Windows\System32\Drivers\aswSnx.SYS 446464 bytes (AVAST Software, avast! Virtualization Driver)
0x9893D000 C:\Windows\system32\drivers\HTTP.sys 446464 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xA0C03000 C:\Windows\System32\DRIVERS\srv.sys 323584 bytes (Microsoft Corporation, Server driver)
0x8BCF8000 C:\Windows\System32\Drivers\aswSP.SYS 307200 bytes (AVAST Software, avast! self protection module)
0x830A7000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x8ADA5000 C:\Windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x8300B000 C:\Windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)
0x80620000 C:\Windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)
0x8314F000 C:\Windows\system32\drivers\storport.sys 266240 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
0x86945000 C:\Windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x8BC9B000 C:\Windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x833B1000 C:\Windows\system32\drivers\NETIO.SYS 241664 bytes (Microsoft Corporation, Network I/O Subsystem)
0x9C82B000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x86B1D000 C:\Windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x98809000 C:\Windows\system32\drivers\aswMonFlt.sys 229376 bytes (AVAST Software, avast! File System Minifilter for Windows 2003/Vista)
0x8AC4E000 C:\Windows\system32\DRIVERS\usbhub.sys 217088 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x82600000 ACPI_HAL 208896 bytes
0x82600000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x807CA000 C:\Windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x8BC0A000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x89FA3000 C:\Windows\system32\DRIVERS\msiscsi.sys 192512 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
0x8B994000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x83386000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x8AC0D000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
0x9C9CC000 C:\Windows\System32\DRIVERS\srv2.sys 163840 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x86B6D000 C:\Windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)
0x83062000 C:\Windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x831C8000 C:\Windows\system32\DRIVERS\SCSIPORT.SYS 155648 bytes (Microsoft Corporation, SCSI Port Driver)
0x8B9C1000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0x8BD5A000 C:\Windows\System32\Drivers\dump_nvstor32.sys 147456 bytes
0x83190000 C:\Windows\system32\DRIVERS\nvstor32.sys 147456 bytes (NVIDIA Corporation, NVIDIA® nForce(TM) Sata Performance Driver)
0x86992000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x8BC73000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x86BB6000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)
0x989D8000 C:\Windows\system32\drivers\mrxdav.sys 135168 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0x8AD1D000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x9C80C000 C:\Windows\system32\DRIVERS\mrxsmb.sys 126976 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x83124000 C:\Windows\system32\drivers\ataport.SYS 122880 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x988FC000 C:\Windows\system32\DRIVERS\irda.sys 122880 bytes (Microsoft Corporation, IRDA Protocol Driver)
0x9C97C000 C:\Windows\System32\DRIVERS\srvnet.sys 118784 bytes (Microsoft Corporation, Server Network driver)
0x868EC000 C:\Windows\System32\drivers\fwpkclnt.sys 110592 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x86907000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x989AA000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x89E8E000 C:\Windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x9C864000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 98304 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x8BCE1000 C:\Windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x89FD2000 C:\Windows\system32\DRIVERS\rasl2tp.sys 94208 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x8BD7E000 C:\Windows\system32\DRIVERS\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xA0C57000 C:\Windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)
0x8BC3C000 C:\Windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x8AD70000 C:\Windows\system32\DRIVERS\tdx.sys 90112 bytes (Microsoft Corporation, TDI Translation Driver)
0x989C3000 C:\Windows\System32\drivers\mpsdrv.sys 86016 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x869D8000 C:\Windows\system32\DRIVERS\rassstp.sys 86016 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x8BDB8000 C:\Windows\system32\DRIVERS\USBSTOR.SYS 86016 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0x9C9A5000 C:\Windows\system32\DRIVERS\WUDFRd.sys 86016 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Reflector)
0x831B4000 C:\Windows\system32\DRIVERS\djsvs.sys 81920 bytes (Adaptec, Inc., Adaptec Ultra SCSI miniport)
0x869C4000 C:\Windows\system32\DRIVERS\raspptp.sys 81920 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x8AD91000 C:\Windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)
0x8A9CF000 C:\Windows\system32\DRIVERS\i8042prt.sys 77824 bytes (Microsoft Corporation, i8042 Port Driver)
0x9892A000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x8BC60000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x9C9BA000 C:\Windows\system32\DRIVERS\WUDFPf.sys 73728 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0x86BA5000 C:\Windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x86B94000 C:\Windows\system32\DRIVERS\gagp30kx.sys 69632 bytes (Microsoft Corporation, MS Generic AGPv3.0 Filter for K8/9 Processor Platforms)
0x8AC83000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x80607000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x8692B000 C:\Windows\system32\DRIVERS\amdk8.sys 65536 bytes (Microsoft Corporation, Processor Device Driver)
0x831EE000 C:\Windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x8BDA0000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 65536 bytes (Microsoft Corporation, Hid Class Library)
0x9891A000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x83106000 C:\Windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
0x869ED000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Terminal Server Driver)
0x8BDD7000 C:\Windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)
0x86B5E000 C:\Windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x83089000 C:\Windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)
0x869B5000 C:\Windows\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x86983000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x83098000 C:\Windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)
0x94AE0000 C:\Windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)
0x8BC52000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x8AD59000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x830F8000 C:\Windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x8BD43000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x83142000 C:\Windows\system32\drivers\nvstor.sys 53248 bytes (NVIDIA Corporation, NVIDIA® nForce(TM) Sata Performance Driver)
0x8AC41000 C:\Windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x807BD000 C:\Windows\system32\drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0x9C999000 C:\Windows\System32\drivers\tcpipreg.sys 49152 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x8AD11000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x8A9C3000 C:\Windows\System32\drivers\watchdog.sys 49152 bytes (Microsoft Corporation, Watchdog Driver)
0x8AD86000 C:\Windows\System32\Drivers\aswTdi.SYS 45056 bytes (AVAST Software, avast! TDI Filter Driver)
0x8A9E2000 C:\Windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)
0x89FF4000 C:\Windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class Driver)
0x8AD4E000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x89FE9000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x8A9ED000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x86A00000 C:\Windows\system32\DRIVERS\tunnel.sys 45056 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x8BD50000 C:\Windows\System32\Drivers\dump_diskdump.sys 40960 bytes
0x8BDCD000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x8AC37000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x8BCD7000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x9C972000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x8693B000 C:\Windows\system32\DRIVERS\usbohci.sys 40960 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xA0C6D000 C:\Windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0x86BD7000 C:\Windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
0x8B9E6000 C:\Windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x8BD97000 C:\Windows\system32\DRIVERS\hidusb.sys 36864 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0x83000000 C:\Windows\System32\Drivers\PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0x8AD67000 C:\Windows\System32\DRIVERS\rasacd.sys 36864 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0x94AC0000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x86BF7000 C:\Windows\system32\DRIVERS\tunmp.sys 36864 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x83051000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x8311C000 C:\Windows\system32\drivers\atapi.sys 32768 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x80618000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x8BDB0000 C:\Windows\system32\DRIVERS\mouhid.sys 32768 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0x8305A000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x8AD3E000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8AD46000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x86B56000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x8ADED000 C:\Windows\System32\Drivers\aswRdr.SYS 28672 bytes (AVAST Software, avast! TDI RDR Driver)
0x8B9F6000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x8AD0A000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x80600000 C:\Windows\system32\kdcom.dll 28672 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0x8B9EF000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x830F1000 C:\Windows\system32\drivers\pciide.sys 28672 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x83116000 C:\Windows\system32\drivers\pavboot.sys 24576 bytes (Panda Security, S.L., Panda Boot Driver)
0x8BC95000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0x8A9F8000 C:\Windows\system32\DRIVERS\wanatw4.sys 24576 bytes (America Online, Inc., Wan Miniport (ATW))
0xA0C52000 C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys 20480 bytes
0x98841000 C:\Windows\System32\Drivers\aswFsBlk.SYS 12288 bytes (AVAST Software, avast! File System Access Blocking Driver)
0x8A9FE000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x8BD95000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x000A87AA, Type: Inline - RelativeJump 0x826DB7AA-->826DB7B1 [ntkrnlpa.exe]
ntkrnlpa.exe+0x000AC9A8, Type: Inline - RelativeJump 0x826DF9A8-->826DF943 [ntkrnlpa.exe]
ntkrnlpa.exe+0x000ACA4C, Type: Inline - RelativeCall 0x826DFA4C-->F1F8C4C0 [unknown_code_page]
ntkrnlpa.exe+0x000ACB40, Type: Inline - RelativeJump 0x826DFB40-->826DFB15 [ntkrnlpa.exe]
ntkrnlpa.exe+0x000ACDE0, Type: Inline - RelativeJump 0x826DFDE0-->826DFE56 [ntkrnlpa.exe]
ntkrnlpa.exe-->NtCreateProcessEx, Type: Inline - RelativeJump 0x828C4E70-->8BD167A6 [aswSP.SYS]
ntkrnlpa.exe-->ObInsertObject, Type: Inline - RelativeJump 0x82863573-->8BD1515C [aswSP.SYS]
ntkrnlpa.exe-->ObMakeTemporaryObject, Type: Inline - RelativeJump 0x8280A633-->8BD1369C [aswSP.SYS]
[1056]svchost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00070C0C [unknown_code_page]
[1056]svchost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00070E10 [unknown_code_page]
[1056]svchost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00070804 [unknown_code_page]
[1056]svchost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00070A08 [unknown_code_page]
[1056]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000701F8 [unknown_code_page]
[1056]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000703FC [unknown_code_page]
[1056]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00070600 [unknown_code_page]
[1056]svchost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00071014 [unknown_code_page]
[1056]svchost.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[1056]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000501F8 [unknown_code_page]
[1056]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000503FC [unknown_code_page]
[1056]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->001E0600 [unknown_code_page]
[1056]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->001E0804 [unknown_code_page]
[1056]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->001E01F8 [unknown_code_page]
[1056]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->001E0A08 [unknown_code_page]
[1056]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->001E03FC [unknown_code_page]
[1124]svchost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00070C0C [unknown_code_page]
[1124]svchost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00070E10 [unknown_code_page]
[1124]svchost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00070804 [unknown_code_page]
[1124]svchost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00070A08 [unknown_code_page]
[1124]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000701F8 [unknown_code_page]
[1124]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000703FC [unknown_code_page]
[1124]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00070600 [unknown_code_page]
[1124]svchost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00071014 [unknown_code_page]
[1124]svchost.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[1124]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000501F8 [unknown_code_page]
[1124]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000503FC [unknown_code_page]
[1124]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->00860600 [unknown_code_page]
[1124]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->00860804 [unknown_code_page]
[1124]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->008601F8 [unknown_code_page]
[1124]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->00860A08 [unknown_code_page]
[1124]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->008603FC [unknown_code_page]
[1136]svchost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->000B0C0C [unknown_code_page]
[1136]svchost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->000B0E10 [unknown_code_page]
[1136]svchost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->000B0804 [unknown_code_page]
[1136]svchost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->000B0A08 [unknown_code_page]
[1136]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000B01F8 [unknown_code_page]
[1136]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000B03FC [unknown_code_page]
[1136]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->000B0600 [unknown_code_page]
[1136]svchost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->000B1014 [unknown_code_page]
[1136]svchost.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[1136]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000901F8 [unknown_code_page]
[1136]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000903FC [unknown_code_page]
[1136]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->009F0600 [unknown_code_page]
[1136]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->009F0804 [unknown_code_page]
[1136]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->009F01F8 [unknown_code_page]
[1136]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->009F0A08 [unknown_code_page]
[1136]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->009F03FC [unknown_code_page]
[1236]svchost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00070C0C [unknown_code_page]
[1236]svchost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00070E10 [unknown_code_page]
[1236]svchost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00070804 [unknown_code_page]
[1236]svchost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00070A08 [unknown_code_page]
[1236]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000701F8 [unknown_code_page]
[1236]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000703FC [unknown_code_page]
[1236]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00070600 [unknown_code_page]
[1236]svchost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00071014 [unknown_code_page]
[1236]svchost.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[1236]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000501F8 [unknown_code_page]
[1236]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000503FC [unknown_code_page]
[1280]svchost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->000B0C0C [unknown_code_page]
[1280]svchost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->000B0E10 [unknown_code_page]
[1280]svchost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->000B0804 [unknown_code_page]
[1280]svchost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->000B0A08 [unknown_code_page]
[1280]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000B01F8 [unknown_code_page]
[1280]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000B03FC [unknown_code_page]
[1280]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->000B0600 [unknown_code_page]
[1280]svchost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->000B1014 [unknown_code_page]
[1280]svchost.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[1280]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000501F8 [unknown_code_page]
[1280]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000503FC [unknown_code_page]
[1280]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->009F0600 [unknown_code_page]
[1280]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->009F0804 [unknown_code_page]
[1280]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->009F01F8 [unknown_code_page]
[1280]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->009F0A08 [unknown_code_page]
[1280]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->009F03FC [unknown_code_page]
[1300]dwm.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00070C0C [unknown_code_page]
[1300]dwm.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00070E10 [unknown_code_page]
[1300]dwm.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00070804 [unknown_code_page]
[1300]dwm.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00070A08 [unknown_code_page]
[1300]dwm.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000701F8 [unknown_code_page]
[1300]dwm.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000703FC [unknown_code_page]
[1300]dwm.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00070600 [unknown_code_page]
[1300]dwm.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00071014 [unknown_code_page]
[1300]dwm.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[1300]dwm.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000501F8 [unknown_code_page]
[1300]dwm.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000503FC [unknown_code_page]
[1300]dwm.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->00080600 [unknown_code_page]
[1300]dwm.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->00080804 [unknown_code_page]
[1300]dwm.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->000801F8 [unknown_code_page]
[1300]dwm.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->00080A08 [unknown_code_page]
[1300]dwm.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->000803FC [unknown_code_page]
[1348]rundll32.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->002C0C0C [unknown_code_page]
[1348]rundll32.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->002C0E10 [unknown_code_page]
[1348]rundll32.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->002C0804 [unknown_code_page]
[1348]rundll32.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->002C0A08 [unknown_code_page]
[1348]rundll32.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->002C01F8 [unknown_code_page]
[1348]rundll32.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->002C03FC [unknown_code_page]
[1348]rundll32.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->002C0600 [unknown_code_page]
[1348]rundll32.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77C814BC-->73E84618 [shimeng.dll]
[1348]rundll32.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->002C1014 [unknown_code_page]
[1348]rundll32.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77B61170-->73E84618 [shimeng.dll]
[1348]rundll32.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[1348]rundll32.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000601F8 [unknown_code_page]
[1348]rundll32.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000603FC [unknown_code_page]
[1348]rundll32.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x768E1414-->73E84618 [shimeng.dll]
[1348]rundll32.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D51300-->73E84618 [shimeng.dll]
[1348]rundll32.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->00170600 [unknown_code_page]
[1348]rundll32.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->00170804 [unknown_code_page]
[1348]rundll32.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->001701F8 [unknown_code_page]
[1348]rundll32.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->00170A08 [unknown_code_page]
[1348]rundll32.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->001703FC [unknown_code_page]
[1348]rundll32.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x4B0D11E8-->73E84618 [shimeng.dll]
[1428]svchost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00070C0C [unknown_code_page]
[1428]svchost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00070E10 [unknown_code_page]
[1428]svchost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00070804 [unknown_code_page]
[1428]svchost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00070A08 [unknown_code_page]
[1428]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000701F8 [unknown_code_page]
[1428]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000703FC [unknown_code_page]
[1428]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00070600 [unknown_code_page]
[1428]svchost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00071014 [unknown_code_page]
[1428]svchost.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[1428]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000501F8 [unknown_code_page]
[1428]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000503FC [unknown_code_page]
[1428]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->001B0600 [unknown_code_page]
[1428]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->001B0804 [unknown_code_page]
[1428]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->001B01F8 [unknown_code_page]
[1428]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->001B0A08 [unknown_code_page]
[1428]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->001B03FC [unknown_code_page]
[1560]AvastSvc.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[1560]AvastSvc.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - PushRet 0x75E0A8C5-->EC900004 [unknown_code_page]
[1560]AvastSvc.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Code Mismatch 0x75E0A8C5 + 3 [90]
[1900]spoolsv.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->000B0C0C [unknown_code_page]
[1900]spoolsv.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->000B0E10 [unknown_code_page]
[1900]spoolsv.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->000B0804 [unknown_code_page]
[1900]spoolsv.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->000B0A08 [unknown_code_page]
[1900]spoolsv.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000B01F8 [unknown_code_page]
[1900]spoolsv.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000B03FC [unknown_code_page]
[1900]spoolsv.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->000B0600 [unknown_code_page]
[1900]spoolsv.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->000B1014 [unknown_code_page]
[1900]spoolsv.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[1900]spoolsv.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000901F8 [unknown_code_page]
[1900]spoolsv.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000903FC [unknown_code_page]
[1900]spoolsv.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->00160600 [unknown_code_page]
[1900]spoolsv.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->00160804 [unknown_code_page]
[1900]spoolsv.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->001601F8 [unknown_code_page]
[1900]spoolsv.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->00160A08 [unknown_code_page]
[1900]spoolsv.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->001603FC [unknown_code_page]
[1924]svchost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00070C0C [unknown_code_page]
[1924]svchost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00070E10 [unknown_code_page]
[1924]svchost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00070804 [unknown_code_page]
[1924]svchost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00070A08 [unknown_code_page]
[1924]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000701F8 [unknown_code_page]
[1924]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000703FC [unknown_code_page]
[1924]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00070600 [unknown_code_page]
[1924]svchost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00071014 [unknown_code_page]
[1924]svchost.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[1924]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000501F8 [unknown_code_page]
[1924]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000503FC [unknown_code_page]
[1924]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->001B0600 [unknown_code_page]
[1924]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->001B0804 [unknown_code_page]
[1924]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->001B01F8 [unknown_code_page]
[1924]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->001B0A08 [unknown_code_page]
[1924]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->001B03FC [unknown_code_page]
[2136]svchost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00070C0C [unknown_code_page]
[2136]svchost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00070E10 [unknown_code_page]
[2136]svchost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00070804 [unknown_code_page]
[2136]svchost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00070A08 [unknown_code_page]
[2136]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000701F8 [unknown_code_page]
[2136]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000703FC [unknown_code_page]
[2136]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00070600 [unknown_code_page]
[2136]svchost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00071014 [unknown_code_page]
[2136]svchost.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[2136]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000501F8 [unknown_code_page]
[2136]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000503FC [unknown_code_page]
[2148]svchost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00070C0C [unknown_code_page]
[2148]svchost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00070E10 [unknown_code_page]
[2148]svchost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00070804 [unknown_code_page]
[2148]svchost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00070A08 [unknown_code_page]
[2148]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000701F8 [unknown_code_page]
[2148]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000703FC [unknown_code_page]
[2148]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00070600 [unknown_code_page]
[2148]svchost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00071014 [unknown_code_page]
[2148]svchost.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[2148]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000501F8 [unknown_code_page]
[2148]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000503FC [unknown_code_page]
[2148]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->00140600 [unknown_code_page]
[2148]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->00140804 [unknown_code_page]
[2148]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->001401F8 [unknown_code_page]
[2148]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->00140A08 [unknown_code_page]
[2148]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->001403FC [unknown_code_page]
[2216]RoxWatch9.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00170C0C [unknown_code_page]
[2216]RoxWatch9.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00170E10 [unknown_code_page]
[2216]RoxWatch9.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00170804 [unknown_code_page]
[2216]RoxWatch9.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00170A08 [unknown_code_page]
[2216]RoxWatch9.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->001701F8 [unknown_code_page]
[2216]RoxWatch9.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->001703FC [unknown_code_page]
[2216]RoxWatch9.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00170600 [unknown_code_page]
[2216]RoxWatch9.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00171014 [unknown_code_page]
[2216]RoxWatch9.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[2216]RoxWatch9.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->001401F8 [unknown_code_page]
[2216]RoxWatch9.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->001403FC [unknown_code_page]
[2216]RoxWatch9.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->00180600 [unknown_code_page]
[2216]RoxWatch9.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->00180804 [unknown_code_page]
[2216]RoxWatch9.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->001801F8 [unknown_code_page]
[2216]RoxWatch9.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->00180A08 [unknown_code_page]
[2216]RoxWatch9.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->001803FC [unknown_code_page]
[2380]svchost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00070C0C [unknown_code_page]
[2380]svchost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00070E10 [unknown_code_page]
[2380]svchost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00070804 [unknown_code_page]
[2380]svchost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00070A08 [unknown_code_page]
[2380]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000701F8 [unknown_code_page]
[2380]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000703FC [unknown_code_page]
[2380]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00070600 [unknown_code_page]
[2380]svchost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00071014 [unknown_code_page]
[2380]svchost.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[2380]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000501F8 [unknown_code_page]
[2380]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000503FC [unknown_code_page]
[2420]wmpnetwk.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00060C0C [unknown_code_page]
[2420]wmpnetwk.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00060E10 [unknown_code_page]
[2420]wmpnetwk.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00060804 [unknown_code_page]
[2420]wmpnetwk.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00060A08 [unknown_code_page]
[2420]wmpnetwk.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000601F8 [unknown_code_page]
[2420]wmpnetwk.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000603FC [unknown_code_page]
[2420]wmpnetwk.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00060600 [unknown_code_page]
[2420]wmpnetwk.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00061014 [unknown_code_page]
[2420]wmpnetwk.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[2420]wmpnetwk.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000401F8 [unknown_code_page]
[2420]wmpnetwk.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000403FC [unknown_code_page]
[2420]wmpnetwk.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->00070600 [unknown_code_page]
[2420]wmpnetwk.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->00070804 [unknown_code_page]
[2420]wmpnetwk.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->000701F8 [unknown_code_page]
[2420]wmpnetwk.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->00070A08 [unknown_code_page]
[2420]wmpnetwk.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->000703FC [unknown_code_page]
[2520]AvastUI.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[2564]WinPatrol.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00070C0C [unknown_code_page]
[2564]WinPatrol.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00070E10 [unknown_code_page]
[2564]WinPatrol.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00070804 [unknown_code_page]
[2564]WinPatrol.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00070A08 [unknown_code_page]
[2564]WinPatrol.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000701F8 [unknown_code_page]
[2564]WinPatrol.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000703FC [unknown_code_page]
[2564]WinPatrol.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00070600 [unknown_code_page]
[2564]WinPatrol.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00071014 [unknown_code_page]
[2564]WinPatrol.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[2564]WinPatrol.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000501F8 [unknown_code_page]
[2564]WinPatrol.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000503FC [unknown_code_page]
[2564]WinPatrol.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->00080600 [unknown_code_page]
[2564]WinPatrol.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->00080804 [unknown_code_page]
[2564]WinPatrol.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->000801F8 [unknown_code_page]
[2564]WinPatrol.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->00080A08 [unknown_code_page]
[2564]WinPatrol.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->000803FC [unknown_code_page]
[2652]taskeng.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00070C0C [unknown_code_page]
[2652]taskeng.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00070E10 [unknown_code_page]
[2652]taskeng.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00070804 [unknown_code_page]
[2652]taskeng.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00070A08 [unknown_code_page]
[2652]taskeng.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000701F8 [unknown_code_page]
[2652]taskeng.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000703FC [unknown_code_page]
[2652]taskeng.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00070600 [unknown_code_page]
[2652]taskeng.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00071014 [unknown_code_page]
[2652]taskeng.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[2652]taskeng.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000501F8 [unknown_code_page]
[2652]taskeng.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000503FC [unknown_code_page]
[2652]taskeng.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->00080600 [unknown_code_page]
[2652]taskeng.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->00080804 [unknown_code_page]
[2652]taskeng.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->000801F8 [unknown_code_page]
[2652]taskeng.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->00080A08 [unknown_code_page]
[2652]taskeng.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->000803FC [unknown_code_page]
[2708]svchost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->000B0C0C [unknown_code_page]
[2708]svchost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->000B0E10 [unknown_code_page]
[2708]svchost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->000B0804 [unknown_code_page]
[2708]svchost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->000B0A08 [unknown_code_page]
[2708]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000B01F8 [unknown_code_page]
[2708]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000B03FC [unknown_code_page]
[2708]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->000B0600 [unknown_code_page]
[2708]svchost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->000B1014 [unknown_code_page]
[2708]svchost.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[2708]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000901F8 [unknown_code_page]
[2708]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000903FC [unknown_code_page]
[2756]SearchIndexer.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00070C0C [unknown_code_page]
[2756]SearchIndexer.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00070E10 [unknown_code_page]
[2756]SearchIndexer.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00070804 [unknown_code_page]
[2756]SearchIndexer.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00070A08 [unknown_code_page]
[2756]SearchIndexer.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000701F8 [unknown_code_page]
[2756]SearchIndexer.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000703FC [unknown_code_page]
[2756]SearchIndexer.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00070600 [unknown_code_page]
[2756]SearchIndexer.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00071014 [unknown_code_page]
[2756]SearchIndexer.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[2756]SearchIndexer.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000501F8 [unknown_code_page]
[2756]SearchIndexer.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000503FC [unknown_code_page]
[2756]SearchIndexer.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->00080600 [unknown_code_page]
[2756]SearchIndexer.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->00080804 [unknown_code_page]
[2756]SearchIndexer.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->000801F8 [unknown_code_page]
[2756]SearchIndexer.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->00080A08 [unknown_code_page]
[2756]SearchIndexer.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->000803FC [unknown_code_page]
[2828]WUDFHost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00070C0C [unknown_code_page]
[2828]WUDFHost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00070E10 [unknown_code_page]
[2828]WUDFHost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00070804 [unknown_code_page]
[2828]WUDFHost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00070A08 [unknown_code_page]
[2828]WUDFHost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000701F8 [unknown_code_page]
[2828]WUDFHost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000703FC [unknown_code_page]
[2828]WUDFHost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00070600 [unknown_code_page]
[2828]WUDFHost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00071014 [unknown_code_page]
[2828]WUDFHost.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[2828]WUDFHost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000501F8 [unknown_code_page]
[2828]WUDFHost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000503FC [unknown_code_page]
[2828]WUDFHost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->00080600 [unknown_code_page]
[2828]WUDFHost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->00080804 [unknown_code_page]
[2828]WUDFHost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->000801F8 [unknown_code_page]
[2828]WUDFHost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->00080A08 [unknown_code_page]
[2828]WUDFHost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->000803FC [unknown_code_page]
[3112]RoxMediaDB9.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00170C0C [unknown_code_page]
[3112]RoxMediaDB9.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00170E10 [unknown_code_page]
[3112]RoxMediaDB9.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00170804 [unknown_code_page]
[3112]RoxMediaDB9.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00170A08 [unknown_code_page]
[3112]RoxMediaDB9.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->001701F8 [unknown_code_page]
[3112]RoxMediaDB9.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->001703FC [unknown_code_page]
[3112]RoxMediaDB9.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00170600 [unknown_code_page]
[3112]RoxMediaDB9.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00171014 [unknown_code_page]
[3112]RoxMediaDB9.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[3112]RoxMediaDB9.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->001401F8 [unknown_code_page]
[3112]RoxMediaDB9.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->001403FC [unknown_code_page]
[3112]RoxMediaDB9.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->00160600 [unknown_code_page]
[3112]RoxMediaDB9.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->00160804 [unknown_code_page]
[3112]RoxMediaDB9.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->001601F8 [unknown_code_page]
[3112]RoxMediaDB9.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->00160A08 [unknown_code_page]
[3112]RoxMediaDB9.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->001603FC [unknown_code_page]
[3520]svchost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00070C0C [unknown_code_page]
[3520]svchost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00070E10 [unknown_code_page]
[3520]svchost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00070804 [unknown_code_page]
[3520]svchost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00070A08 [unknown_code_page]
[3520]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000701F8 [unknown_code_page]
[3520]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000703FC [unknown_code_page]
[3520]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00070600 [unknown_code_page]
[3520]svchost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00071014 [unknown_code_page]
[3520]svchost.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[3520]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000501F8 [unknown_code_page]
[3520]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000503FC [unknown_code_page]
[4044]firefox.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00080C0C [unknown_code_page]
[4044]firefox.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00080E10 [unknown_code_page]
[4044]firefox.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00080804 [unknown_code_page]
[4044]firefox.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00080A08 [unknown_code_page]
[4044]firefox.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000801F8 [unknown_code_page]
[4044]firefox.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000803FC [unknown_code_page]
[4044]firefox.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00080600 [unknown_code_page]
[4044]firefox.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00081014 [unknown_code_page]
[4044]firefox.exe-->gdi32.dll-->CreateDIBSection, Type: Inline - RelativeJump 0x75D97461-->67E6E17E [xul.dll]
[4044]firefox.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[4044]firefox.exe-->kernel32.dll-->MapViewOfFile, Type: Inline - RelativeJump 0x75E26B10-->67E6E1F4 [xul.dll]
[4044]firefox.exe-->kernel32.dll-->VirtualAlloc, Type: Inline - RelativeJump 0x75E2AF75-->67E6E21B [xul.dll]
[4044]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->67C39720 [xul.dll]
[4044]firefox.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000503FC [unknown_code_page]
[4044]firefox.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->00070600 [unknown_code_page]
[4044]firefox.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->00070804 [unknown_code_page]
[4044]firefox.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->000701F8 [unknown_code_page]
[4044]firefox.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->00070A08 [unknown_code_page]
[4044]firefox.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->000703FC [unknown_code_page]
[484]svchost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00070C0C [unknown_code_page]
[484]svchost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00070E10 [unknown_code_page]
[484]svchost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00070804 [unknown_code_page]
[484]svchost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00070A08 [unknown_code_page]
[484]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000701F8 [unknown_code_page]
[484]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000703FC [unknown_code_page]
[484]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00070600 [unknown_code_page]
[484]svchost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00071014 [unknown_code_page]
[484]svchost.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[484]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000501F8 [unknown_code_page]
[484]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000503FC [unknown_code_page]
[484]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->00180600 [unknown_code_page]
[484]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->00180804 [unknown_code_page]
[484]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->001801F8 [unknown_code_page]
[484]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->00180A08 [unknown_code_page]
[484]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->001803FC [unknown_code_page]
[528]csrss.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[576]wininit.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00050C0C [unknown_code_page]
[576]wininit.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00050E10 [unknown_code_page]
[576]wininit.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00050804 [unknown_code_page]
[576]wininit.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00050A08 [unknown_code_page]
[576]wininit.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000501F8 [unknown_code_page]
[576]wininit.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000503FC [unknown_code_page]
[576]wininit.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00050600 [unknown_code_page]
[576]wininit.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00051014 [unknown_code_page]
[576]wininit.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[576]wininit.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000301F8 [unknown_code_page]
[576]wininit.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000303FC [unknown_code_page]
[576]wininit.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->00060600 [unknown_code_page]
[576]wininit.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->00060804 [unknown_code_page]
[576]wininit.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->000601F8 [unknown_code_page]
[576]wininit.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->00060A08 [unknown_code_page]
[576]wininit.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->000603FC [unknown_code_page]
[584]csrss.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[588]taskeng.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->001B0C0C [unknown_code_page]
[588]taskeng.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->001B0E10 [unknown_code_page]
[588]taskeng.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->001B0804 [unknown_code_page]
[588]taskeng.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->001B0A08 [unknown_code_page]
[588]taskeng.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->001B01F8 [unknown_code_page]
[588]taskeng.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->001B03FC [unknown_code_page]
[588]taskeng.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->001B0600 [unknown_code_page]
[588]taskeng.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->001B1014 [unknown_code_page]
[588]taskeng.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[588]taskeng.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000501F8 [unknown_code_page]
[588]taskeng.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000503FC [unknown_code_page]
[588]taskeng.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->001D0600 [unknown_code_page]
[588]taskeng.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->001D0804 [unknown_code_page]
[588]taskeng.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->001D01F8 [unknown_code_page]
[588]taskeng.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->001D0A08 [unknown_code_page]
[588]taskeng.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->001D03FC [unknown_code_page]
[624]services.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->000B0C0C [unknown_code_page]
[624]services.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->000B0E10 [unknown_code_page]
[624]services.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->000B0804 [unknown_code_page]
[624]services.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->000B0A08 [unknown_code_page]
[624]services.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000B01F8 [unknown_code_page]
[624]services.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000B03FC [unknown_code_page]
[624]services.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->000B0600 [unknown_code_page]
[624]services.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->000B1014 [unknown_code_page]
[624]services.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[624]services.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000901F8 [unknown_code_page]
[624]services.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000903FC [unknown_code_page]
[624]services.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->000C0600 [unknown_code_page]
[624]services.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->000C0804 [unknown_code_page]
[624]services.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->000C01F8 [unknown_code_page]
[624]services.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->000C0A08 [unknown_code_page]
[624]services.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->000C03FC [unknown_code_page]
[652]lsass.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->000B0C0C [unknown_code_page]
[652]lsass.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->000B0E10 [unknown_code_page]
[652]lsass.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->000B0804 [unknown_code_page]
[652]lsass.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->000B0A08 [unknown_code_page]
[652]lsass.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000B01F8 [unknown_code_page]
[652]lsass.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000B03FC [unknown_code_page]
[652]lsass.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->000B0600 [unknown_code_page]
[652]lsass.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->000B1014 [unknown_code_page]
[652]lsass.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[652]lsass.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000901F8 [unknown_code_page]
[652]lsass.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000903FC [unknown_code_page]
[652]lsass.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->000C0600 [unknown_code_page]
[652]lsass.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->000C0804 [unknown_code_page]
[652]lsass.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->000C01F8 [unknown_code_page]
[652]lsass.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->000C0A08 [unknown_code_page]
[652]lsass.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->000C03FC [unknown_code_page]
[660]winlogon.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00090C0C [unknown_code_page]
[660]winlogon.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00090E10 [unknown_code_page]
[660]winlogon.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00090804 [unknown_code_page]
[660]winlogon.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00090A08 [unknown_code_page]
[660]winlogon.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000901F8 [unknown_code_page]
[660]winlogon.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000903FC [unknown_code_page]
[660]winlogon.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00090600 [unknown_code_page]
[660]winlogon.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00091014 [unknown_code_page]
[660]winlogon.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[660]winlogon.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000701F8 [unknown_code_page]
[660]winlogon.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000703FC [unknown_code_page]
[660]winlogon.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->000A0600 [unknown_code_page]
[660]winlogon.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->000A0804 [unknown_code_page]
[660]winlogon.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->000A01F8 [unknown_code_page]
[660]winlogon.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->000A0A08 [unknown_code_page]
[660]winlogon.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->000A03FC [unknown_code_page]
[668]lsm.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00070C0C [unknown_code_page]
[668]lsm.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00070E10 [unknown_code_page]
[668]lsm.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00070804 [unknown_code_page]
[668]lsm.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00070A08 [unknown_code_page]
[668]lsm.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000701F8 [unknown_code_page]
[668]lsm.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000703FC [unknown_code_page]
[668]lsm.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00070600 [unknown_code_page]
[668]lsm.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00071014 [unknown_code_page]
[668]lsm.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[668]lsm.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000501F8 [unknown_code_page]
[668]lsm.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000503FC [unknown_code_page]
[840]taskeng.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00070C0C [unknown_code_page]
[840]taskeng.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00070E10 [unknown_code_page]
[840]taskeng.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00070804 [unknown_code_page]
[840]taskeng.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00070A08 [unknown_code_page]
[840]taskeng.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000701F8 [unknown_code_page]
[840]taskeng.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000703FC [unknown_code_page]
[840]taskeng.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00070600 [unknown_code_page]
[840]taskeng.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00071014 [unknown_code_page]
[840]taskeng.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[840]taskeng.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000501F8 [unknown_code_page]
[840]taskeng.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000503FC [unknown_code_page]
[840]taskeng.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->00080600 [unknown_code_page]
[840]taskeng.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->00080804 [unknown_code_page]
[840]taskeng.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->000801F8 [unknown_code_page]
[840]taskeng.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->00080A08 [unknown_code_page]
[840]taskeng.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->000803FC [unknown_code_page]
[848]svchost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00070C0C [unknown_code_page]
[848]svchost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00070E10 [unknown_code_page]
[848]svchost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00070804 [unknown_code_page]
[848]svchost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00070A08 [unknown_code_page]
[848]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000701F8 [unknown_code_page]
[848]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000703FC [unknown_code_page]
[848]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00070600 [unknown_code_page]
[848]svchost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00071014 [unknown_code_page]
[848]svchost.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[848]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000501F8 [unknown_code_page]
[848]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000503FC [unknown_code_page]
[904]nvvsvc.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00180C0C [unknown_code_page]
[904]nvvsvc.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00180E10 [unknown_code_page]
[904]nvvsvc.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00180804 [unknown_code_page]
[904]nvvsvc.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00180A08 [unknown_code_page]
[904]nvvsvc.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->001801F8 [unknown_code_page]
[904]nvvsvc.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->001803FC [unknown_code_page]
[904]nvvsvc.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00180600 [unknown_code_page]
[904]nvvsvc.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00181014 [unknown_code_page]
[904]nvvsvc.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[904]nvvsvc.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->001401F8 [unknown_code_page]
[904]nvvsvc.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->001403FC [unknown_code_page]
[904]nvvsvc.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->00170600 [unknown_code_page]
[904]nvvsvc.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->00170804 [unknown_code_page]
[904]nvvsvc.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->001701F8 [unknown_code_page]
[904]nvvsvc.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->00170A08 [unknown_code_page]
[904]nvvsvc.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->001703FC [unknown_code_page]
[928]svchost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00070C0C [unknown_code_page]
[928]svchost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00070E10 [unknown_code_page]
[928]svchost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00070804 [unknown_code_page]
[928]svchost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00070A08 [unknown_code_page]
[928]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000701F8 [unknown_code_page]
[928]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000703FC [unknown_code_page]
[928]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00070600 [unknown_code_page]
[928]svchost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00071014 [unknown_code_page]
[928]svchost.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[928]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000501F8 [unknown_code_page]
[928]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000503FC [unknown_code_page]
[928]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->001D0600 [unknown_code_page]
[928]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->001D0804 [unknown_code_page]
[928]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->001D01F8 [unknown_code_page]
[928]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->001D0A08 [unknown_code_page]
[928]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->001D03FC [unknown_code_page]
[936]explorer.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00070C0C [unknown_code_page]
[936]explorer.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00070E10 [unknown_code_page]
[936]explorer.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00070804 [unknown_code_page]
[936]explorer.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00070A08 [unknown_code_page]
[936]explorer.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000701F8 [unknown_code_page]
[936]explorer.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000703FC [unknown_code_page]
[936]explorer.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00070600 [unknown_code_page]
[936]explorer.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00071014 [unknown_code_page]
[936]explorer.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[936]explorer.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000501F8 [unknown_code_page]
[936]explorer.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000503FC [unknown_code_page]
[936]explorer.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->00080600 [unknown_code_page]
[936]explorer.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->00080804 [unknown_code_page]
[936]explorer.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->000801F8 [unknown_code_page]
[936]explorer.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->00080A08 [unknown_code_page]
[936]explorer.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->000803FC [unknown_code_page]
[964]svchost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x763E7099-->00070C0C [unknown_code_page]
[964]svchost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x763E71E1-->00070E10 [unknown_code_page]
[964]svchost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x763E6DD9-->00070804 [unknown_code_page]
[964]svchost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x763E6F81-->00070A08 [unknown_code_page]
[964]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x763E72A1-->000701F8 [unknown_code_page]
[964]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x763A9EB4-->000703FC [unknown_code_page]
[964]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x763AA07E-->00070600 [unknown_code_page]
[964]svchost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x763E6CD9-->00071014 [unknown_code_page]
[964]svchost.exe-->kernel32.dll+0x00052467, Type: Code Mismatch 0x75E32467 + 336999 [62]
[964]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77309378-->000501F8 [unknown_code_page]
[964]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7731B680-->000503FC [unknown_code_page]
[964]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x77456322-->001E0600 [unknown_code_page]
[964]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x774587AD-->001E0804 [unknown_code_page]
[964]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x77459F3A-->001E01F8 [unknown_code_page]
[964]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x774598DB-->001E0A08 [unknown_code_page]
[964]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7745C06F-->001E03FC [unknown_code_page]

Top
 Profile E-mail  
 
leroy69
 Post subject: Re: Assistance required Please!Paypal Account hacked(Malware
New postPosted: Mon 23 Apr, 2012 7:31 pm 
Offline
Active Member

Joined: Thu 19 Apr, 2012 6:25 pm
Posts: 10
The "Malware" that avast detected is 1EE3260A.EXE.Scotty also detected this new service trying to install in C:\WINDOWS\SYSTEM32?

Top
 Profile E-mail  
 
deltalima
 Post subject: Re: Assistance required Please!Paypal Account hacked(Malware
New postPosted: Mon 23 Apr, 2012 9:11 pm 
Offline
Admin/Teacher
Admin/Teacher
User avatar

Joined: Sat 28 Feb, 2009 9:38 pm
Posts: 7362
Location: UK
Hi leroy69,

Quote:
Avast said it blocked malware and that something was trying to modify RK unhooker


That's OK, RKUnHooker digs deep into the operating system and can often cause a false positive with the resident antivirus.

Please run a new scan with OTL and post only the OTL.txt log.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.
    Quote:
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Top
 Profile E-mail  
 
leroy69
 Post subject: Re: Assistance required Please!Paypal Account hacked(Malware
New postPosted: Tue 24 Apr, 2012 6:53 pm 
Offline
Active Member

Joined: Thu 19 Apr, 2012 6:25 pm
Posts: 10
Hi there.Below are the scans you asked for.Eset didn't find anything!Can you tell me if the first fixes you made with OTL were sucessfull as it didn't reboot when asked to?Thank you.

OTL logfile created on: 24/04/2012 17:09:09 - Run 1
OTL by OldTimer - Version 3.2.40.0 Folder = C:\Users\liz.paul-PC\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19222)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

765.82 Mb Total Physical Memory | 182.14 Mb Available Physical Memory | 23.78% Memory free
2.21 Gb Paging File | 1.53 Gb Available in Paging File | 69.21% Paging File free
Paging file location(s): c:\pagefile.sys 1536 2048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 141.04 Gb Total Space | 65.83 Gb Free Space | 46.67% Space Free | Partition Type: NTFS

Computer Name: LIZ-PC | User Name: liz | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\liz.paul-PC\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe (BillP Studios)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Mozilla Firefox\mozjs.dll ()
MOD - C:\Program Files\BillP Studios\WinPatrol\sqlite3.dll ()


========== Win32 Services (SafeList) ==========

SRV - (1EE3260A) -- C:\Windows\system32\1EE3260A.exe File not found
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (avast! Antivirus) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (ServiceLayer) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia.)
SRV - (GoogleDesktopManager) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe (Google)


========== Driver Services (SafeList) ==========

DRV - (tmcomm) -- C:\Windows\system32\drivers\tmcomm.sys File not found
DRV - (StarOpen) -- File not found
DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found
DRV - (BOCDRIVE) -- C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys File not found
DRV - (blbdrive) -- C:\Windows\system32\drivers\blbdrive.sys File not found
DRV - (aswSnx) -- C:\Windows\System32\drivers\aswSnx.sys (AVAST Software)
DRV - (aswSP) -- C:\Windows\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswRdr) -- C:\Windows\System32\drivers\aswRdr.sys (AVAST Software)
DRV - (aswTdi) -- C:\Windows\System32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswMonFlt) -- C:\Windows\System32\drivers\aswMonFlt.sys (AVAST Software)
DRV - (aswFsBlk) -- C:\Windows\System32\drivers\aswFsBlk.sys (AVAST Software)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (pavboot) -- C:\Windows\System32\drivers\pavboot.sys (Panda Security, S.L.)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (WDC_SAM) -- C:\Windows\System32\drivers\wdcsam.sys (Western Digital Technologies)
DRV - (nvstor32) -- C:\Windows\System32\drivers\nvstor32.sys (NVIDIA Corporation)
DRV - (irsir) -- C:\Windows\System32\drivers\irsir.sys (Microsoft Corporation)
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvmfdx32.sys (NVIDIA Corporation)
DRV - (nmwcd) -- C:\Windows\System32\drivers\nmwcd.sys (Nokia)
DRV - (nmwcdcm) -- C:\Windows\System32\drivers\nmwcdcm.sys (Nokia)
DRV - (nmwcdcj) -- C:\Windows\System32\drivers\nmwcdcj.sys (Nokia)
DRV - (nmwcdc) -- C:\Windows\System32\drivers\nmwcdc.sys (Nokia)
DRV - (wanatw) WAN Miniport (ATW) -- C:\Windows\System32\drivers\wanatw4.sys (America Online, Inc.)
DRV - (sscdmdm) -- C:\Windows\System32\drivers\sscdmdm.sys (MCCI)
DRV - (sscdmdfl) -- C:\Windows\System32\drivers\sscdmdfl.sys (MCCI)
DRV - (sscdbus) SAMSUNG USB Composite Device driver (WDM) -- C:\Windows\System32\drivers\sscdbus.sys (MCCI)
DRV - (DCamUSBSTK014) -- C:\Windows\System32\drivers\STK014W2.sys (Syntek Ltd.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://format.packardbell.com/cgi-bin/r ... ey=IESTART
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://format.packardbell.com/cgi-bin/r ... ey=IESTART
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://format.packardbell.com/cgi-bin/r ... ey=IESTART
IE - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Yahoo.co.uk"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "www.google.co.uk"
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20100908
FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q="
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_2_202_233.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandasecurity.com/activescan: C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll (Panda Security, S.L.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/12/13 19:56:22 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/03/18 20:12:54 | 000,000,000 | ---D | M]

[2012/02/02 19:47:45 | 000,000,000 | ---D | M] (No name found) -- C:\Users\liz.paul-PC\AppData\Roaming\mozilla\Extensions
[2012/03/31 08:29:27 | 000,000,000 | ---D | M] (No name found) -- C:\Users\liz.paul-PC\AppData\Roaming\mozilla\Firefox\Profiles\dqdms9bk.default\extensions
[2012/03/02 19:11:58 | 000,000,000 | ---D | M] (WOT) -- C:\Users\liz.paul-PC\AppData\Roaming\mozilla\Firefox\Profiles\dqdms9bk.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2012/03/31 08:29:18 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\liz.paul-PC\AppData\Roaming\mozilla\Firefox\Profiles\dqdms9bk.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2012/02/02 19:47:37 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/03/18 20:12:53 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/02/11 19:58:07 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2012/02/11 19:58:07 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/02/11 19:58:07 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2012/02/11 19:58:07 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2012/02/11 19:58:07 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2012/03/30 15:22:58 | 000,601,715 | ---- | M]) - C:\Windows\System32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost #[IPv6]
O1 - Hosts: 127.0.0.1 fr.a2dfp.net
O1 - Hosts: 127.0.0.1 m.fr.a2dfp.net
O1 - Hosts: 127.0.0.1 ad.a8.net
O1 - Hosts: 127.0.0.1 asy.a8ww.net
O1 - Hosts: 127.0.0.1 abcstats.com
O1 - Hosts: 127.0.0.1 a.abv.bg
O1 - Hosts: 127.0.0.1 adserver.abv.bg
O1 - Hosts: 127.0.0.1 adv.abv.bg
O1 - Hosts: 127.0.0.1 bimg.abv.bg
O1 - Hosts: 127.0.0.1 ca.abv.bg
O1 - Hosts: 127.0.0.1 www2.a-counter.kiev.ua
O1 - Hosts: 127.0.0.1 track.acclaimnetwork.com
O1 - Hosts: 127.0.0.1 accuserveadsystem.com
O1 - Hosts: 127.0.0.1 www.accuserveadsystem.com
O1 - Hosts: 127.0.0.1 achmedia.com
O1 - Hosts: 127.0.0.1 aconti.net
O1 - Hosts: 127.0.0.1 secure.aconti.net
O1 - Hosts: 127.0.0.1 www.aconti.net #[Dialer.Aconti]
O1 - Hosts: 127.0.0.1 am1.activemeter.com
O1 - Hosts: 127.0.0.1 www.activemeter.com #[Tracking.Cookie]
O1 - Hosts: 127.0.0.1 ads.activepower.net
O1 - Hosts: 127.0.0.1 stat.active24stats.nl #[Tracking.Cookie]
O1 - Hosts: 127.0.0.1 cms.ad2click.nl
O1 - Hosts: 16118 more lines...
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
O4 - HKU\.DEFAULT..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe (Time Information Services Ltd.)
O4 - HKU\S-1-5-18..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe (Time Information Services Ltd.)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoComputersNearMe = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetHood = 0
O7 - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoComputersNearMe = 0
O7 - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKU\S-1-5-21-760914142-2743886509-1717870916-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O13 - gopher Prefix: missing
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/activescan ... stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FB24DB9F-B30A-4F32-99E3-816EBEFC6360}: DhcpNameServer = 194.168.4.100 194.168.8.100
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\liz.paul-PC\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\liz.paul-PC\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{3d551d8b-3382-11e0-9486-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{3d551d8b-3382-11e0-9486-00038a000015}\Shell\AutoRun\command - "" = "J:\WD SmartWare.exe" autoplay=true
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/04/23 19:03:52 | 000,000,000 | ---D | C] -- C:\Users\liz.paul-PC\Desktop\Desktop
[2012/04/22 12:58:42 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\liz.paul-PC\Desktop\OTL.exe
[2012/04/20 11:40:40 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\liz.paul-PC\Desktop\dds.scr
[2012/04/20 11:38:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPatrol
[2012/04/20 11:38:01 | 000,000,000 | ---D | C] -- C:\ProgramData\InstallMate
[2012/04/20 11:38:01 | 000,000,000 | ---D | C] -- C:\Program Files\BillP Studios
[2012/04/20 07:02:04 | 000,000,000 | ---D | C] -- C:\Users\liz.paul-PC\AppData\Roaming\Adobe
[2012/04/19 18:17:21 | 000,000,000 | ---D | C] -- C:\Users\liz.paul-PC\AppData\Roaming\Macromedia
[2012/04/19 18:06:34 | 000,418,464 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2012/04/19 18:06:33 | 000,070,304 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012/04/19 18:06:32 | 000,000,000 | ---D | C] -- C:\Windows\System32\Macromed
[2012/04/11 20:13:42 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\drivers\pavboot.sys
[2012/04/11 20:13:31 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2012/04/11 17:17:12 | 003,550,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2012/04/11 17:17:11 | 003,602,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2012/04/11 17:04:50 | 000,105,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2012/04/11 17:04:49 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2012/04/11 17:04:42 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2012/04/11 17:04:42 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2012/04/11 17:04:42 | 000,602,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2012/04/11 17:04:41 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2012/04/11 17:04:41 | 000,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2012/04/11 17:04:41 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2012/04/11 17:04:40 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2012/04/11 17:04:40 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2012/04/11 17:04:40 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2012/04/11 17:04:39 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2012/04/11 17:04:39 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2012/04/11 17:04:39 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2012/04/11 17:04:39 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2012/04/11 17:04:33 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2012/04/11 17:04:33 | 000,174,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2012/04/11 17:04:33 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2012/04/05 18:29:57 | 000,000,000 | ---D | C] -- C:\Users\liz.paul-PC\AppData\Roaming\WinPatrol
[2012/04/05 18:23:18 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/04/05 17:51:20 | 000,000,000 | ---D | C] -- C:\Users\liz.paul-PC\Documents\hosts
[2012/03/26 19:03:56 | 000,000,000 | ---D | C] -- C:\Users\liz.paul-PC\Desktop\New Folder

========== Files - Modified Within 30 Days ==========

[2012/04/24 16:33:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/04/24 16:18:37 | 000,003,296 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/04/24 16:18:37 | 000,003,296 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/04/24 16:16:56 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/24 16:16:25 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/04/24 16:16:21 | 803,737,600 | -HS- | M] () -- C:\hiberfil.sys
[2012/04/23 19:25:12 | 000,167,150 | ---- | M] () -- C:\Users\liz.paul-PC\Desktop\RKUnhooker Report
[2012/04/23 19:16:00 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/23 19:03:51 | 000,139,264 | ---- | M] () -- C:\Users\liz.paul-PC\Desktop\RKUnhookerLE.EXE
[2012/04/22 21:36:30 | 000,139,264 | ---- | M] () -- C:\Users\liz.paul-PC\Desktop\SystemLook.exe
[2012/04/22 12:58:50 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\liz.paul-PC\Desktop\OTL.exe
[2012/04/22 12:56:42 | 000,007,132 | ---- | M] () -- C:\Users\liz.paul-PC\Documents\cc_20120422_125636.reg
[2012/04/20 17:48:00 | 000,617,088 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/04/20 17:48:00 | 000,111,958 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/04/20 11:40:50 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\liz.paul-PC\Desktop\dds.scr
[2012/04/20 11:37:30 | 000,000,176 | ---- | M] () -- C:\Users\liz.paul-PC\Documents\cc_20120420_113727.reg
[2012/04/19 18:06:34 | 000,418,464 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2012/04/19 18:06:33 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012/04/19 17:56:07 | 000,001,312 | ---- | M] () -- C:\Users\liz.paul-PC\Documents\cc_20120419_175603.reg
[2012/04/08 18:49:32 | 000,001,234 | ---- | M] () -- C:\Users\liz.paul-PC\Documents\cc_20120408_184928.reg
[2012/04/05 18:25:21 | 000,002,386 | ---- | M] () -- C:\Users\liz.paul-PC\Documents\cc_20120405_182517.reg
[2012/04/05 18:23:21 | 000,000,807 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/03/30 15:22:58 | 000,601,715 | ---- | M] () -- C:\Windows\System32\drivers\etc\HOSTS.MVP
[2012/03/30 15:22:58 | 000,601,715 | ---- | M] () -- C:\Windows\System32\drivers\etc\HOSTS
[2012/03/29 18:17:18 | 000,089,600 | ---- | M] () -- C:\Users\liz.paul-PC\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== Files Created - No Company Name ==========

[2012/04/23 19:25:12 | 000,167,150 | ---- | C] () -- C:\Users\liz.paul-PC\Desktop\RKUnhooker Report
[2012/04/23 19:03:52 | 000,139,264 | ---- | C] () -- C:\Users\liz.paul-PC\Desktop\RKUnhookerLE.EXE
[2012/04/22 23:42:09 | 803,737,600 | -HS- | C] () -- C:\hiberfil.sys
[2012/04/22 21:36:27 | 000,139,264 | ---- | C] () -- C:\Users\liz.paul-PC\Desktop\SystemLook.exe
[2012/04/22 12:56:38 | 000,007,132 | ---- | C] () -- C:\Users\liz.paul-PC\Documents\cc_20120422_125636.reg
[2012/04/20 11:37:29 | 000,000,176 | ---- | C] () -- C:\Users\liz.paul-PC\Documents\cc_20120420_113727.reg
[2012/04/19 18:06:36 | 000,000,830 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/04/19 17:56:04 | 000,001,312 | ---- | C] () -- C:\Users\liz.paul-PC\Documents\cc_20120419_175603.reg
[2012/04/08 18:49:30 | 000,001,234 | ---- | C] () -- C:\Users\liz.paul-PC\Documents\cc_20120408_184928.reg
[2012/04/05 18:25:19 | 000,002,386 | ---- | C] () -- C:\Users\liz.paul-PC\Documents\cc_20120405_182517.reg
[2012/04/05 18:23:21 | 000,000,807 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2010/09/26 12:11:13 | 000,016,968 | ---- | C] () -- C:\Windows\System32\drivers\hitmanpro35.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Users\liz.paul-PC\Documents\shortcuts:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\liz.paul-PC\Documents\s_15kgbut.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\liz.paul-PC\Documents\My Google Gadgets:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\liz.paul-PC\Documents\Liz's photos:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\liz.paul-PC\Documents\hosts:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\liz.paul-PC\Documents\Downloads:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\liz.paul-PC\Documents\Bookmarks(back up file):Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\liz.paul-PC\Desktop\New Folder:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\liz.paul-PC\Desktop\IMG_0708.JPG:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\liz.paul-PC\Desktop\Desktop:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\liz.paul-PC\Desktop\Desk top Shortcuts:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\liz.paul-PC\Desktop\Cat show 2012:Roxio EMC Stream
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:5C321E34

< End of report >



ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=b80b6992cf01b845b77094c4e53d80ee
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-04-24 05:26:43
# local_time=2012-04-24 06:26:43 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=4352 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776573 100 100 341600 172817826 0 0
# compatibility_mode=8192 67108863 100 0 67388886 67388886 0 0
# scanned=97654
# found=0
# cleaned=0
# scan_time=3302

Top
 Profile E-mail  
 
deltalima
 Post subject: Re: Assistance required Please!Paypal Account hacked(Malware
New postPosted: Tue 24 Apr, 2012 7:55 pm 
Offline
Admin/Teacher
Admin/Teacher
User avatar

Joined: Sat 28 Feb, 2009 9:38 pm
Posts: 7362
Location: UK
Hi leroy69,

Quote:
Can you tell me if the first fixes you made with OTL were sucessfull as it didn't reboot


No, the fixes were not successful.

Please reboot the computer then run the OTL fix again using the previous instructions and post the log if successful.

If no log is produced then please check in the folder C:\_OTL\MovedFiles

The log file should be named mmddyyyy_hhmmss.log (named after the date and time of the run)

Top
 Profile E-mail  
 
leroy69
 Post subject: Re: Assistance required Please!Paypal Account hacked(Malware
New postPosted: Wed 25 Apr, 2012 6:49 pm 
Offline
Active Member

Joined: Thu 19 Apr, 2012 6:25 pm
Posts: 10
Hi there
Here is the OTL log.It seems to have been successful this time as it rebooted when asked this time and produced the log.

All processes killed
========== PROCESSES ==========
========== OTL ==========
Prefs.js: "Ask.com" removed from browser.search.defaultengine
Prefs.js: "Ask.com" removed from browser.search.defaultenginename
Prefs.js: "Ask.com" removed from browser.search.order.1
Registry value HKEY_USERS\S-1-5-21-760914142-2743886509-1717870916-1002\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
ADS C:\ProgramData\TEMP:5C321E34 deleted successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\\"DisableMonitoring" | 0 /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\\"DisableMonitoring" | 0 /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\\"DisableMonitoring" | 0 /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: liz
->Temp folder emptied: 115301 bytes
->Temporary Internet Files folder emptied: 64189 bytes

User: liz.paul-PC
->Temp folder emptied: 36200 bytes
->Temporary Internet Files folder emptied: 1630324 bytes
->FireFox cache emptied: 49517662 bytes
->Flash cache emptied: 470 bytes

User: Paul
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->FireFox cache emptied: 11477013 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 524288 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 9654837 bytes

Total Files Cleaned = 70.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default

User: Default User

User: liz

User: liz.paul-PC
->Flash cache emptied: 0 bytes

User: Paul

User: Public

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: Administrator

User: All Users

User: Default

User: Default User

User: liz

User: liz.paul-PC

User: Paul

User: Public

Total Java Files Cleaned = 0.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.40.0 log created on 04252012_184027

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
C:\Windows\temp\JET7290.tmp moved successfully.

Registry entries deleted on Reboot...

Top
 Profile E-mail  
 
deltalima
 Post subject: Re: Assistance required Please!Paypal Account hacked(Malware
New postPosted: Wed 25 Apr, 2012 8:15 pm 
Offline
Admin/Teacher
Admin/Teacher
User avatar

Joined: Sat 28 Feb, 2009 9:38 pm
Posts: 7362
Location: UK
Hi leroy69,

Quote:
I have done scans and they all come back clean but paypal are saying it must have been via spyware that somone got my paypal password/details!I don't think it was!
I would really appreciate if someone here could take the time to have a look and see if there is anything lurking on my computer


So far I see no real signs of infection on the computer, the OTL fix removed some minor adware but nothing that could have stolen your password for paypal.

Let's do one more scan to confirm -

TDSSKiller - Rootkit Removal Tool
Please download the TDSSKiller.exe by Kaspersky... save it to your Desktop. <-Important!!!
  1. Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista - W7 users: Right-click and select "Run As Administrator".
    If TDSSKiller does not run... rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. ektfhtw.com). If you don't see file extensions, please see: How to change the file extension.
  2. Click the Start Scan button. Do not use the computer during the scan!
  3. If the scan completes with nothing found, click Close to exit.
  4. If malicious objects are found, they will show in the "Scan results - Select action for found objects" and offer 3 options.
    • Ensure SKIP is selected... DO NOT attempt to FIX anything yet!
    • Now click on Report to open the log file created by TDSSKiller in your root directory C:\
  5. A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the root directory. (usually Local Disk C:).
  6. Copy and paste the contents of that file in your next reply.
Top
 Profile E-mail  
 
leroy69
 Post subject: Re: Assistance required Please!Paypal Account hacked(Malware
New postPosted: Wed 25 Apr, 2012 10:13 pm 
Offline
Active Member

Joined: Thu 19 Apr, 2012 6:25 pm
Posts: 10
Hi there.Thank you for your help with this!
TDS killer didn't find anything!If it helps I got GMER to run sucessfully(results below)Have you any idea how someone could have got our paypal account details if not through spyware/malware?

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-25 22:06:53
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\00000054 ST316021 rev.3.AA
Running: 48spklmg.exe; Driver: C:\Users\LIZ~1.PAU\AppData\Local\Temp\uwtdapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8B2BCFC4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8B2BF456]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8B2BF4AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8B2BF5C4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8B2BF3AC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8B2BF4FE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8B2BF400]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8B2BF572]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8B2BCFE8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8B2BCDB2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8B2BD00C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8B2BF9BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8B2BDAA4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8B2BF486]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8B2BF4D6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8B2BF5EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8B2BF3D8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8B2BF53E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8B2BF42E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8B2BF59C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8B2BD96A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8B2BD030]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8B2BD054]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8B2BCE0C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8B2BCF48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8B2BCF24]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8B2BCF6C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8B2BD078]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8C75D7A2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 10D 826BF890 4 Bytes [C4, CF, 2B, 8B]
.text ntkrnlpa.exe!KeSetEvent + 1D1 826BF954 8 Bytes [56, F4, 2B, 8B, AE, F4, 2B, ...] {PUSH ESI; HLT ; SUB ECX, [EBX-0x74d40b52]}
.text ntkrnlpa.exe!KeSetEvent + 1DD 826BF960 4 Bytes [C4, F5, 2B, 8B]
.text ntkrnlpa.exe!KeSetEvent + 1F5 826BF978 4 Bytes [AC, F3, 2B, 8B]
.text ntkrnlpa.exe!KeSetEvent + 215 826BF998 8 Bytes [FE, F4, 2B, 8B, 00, F4, 2B, ...]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 827EA633 5 Bytes JMP 8C75A69C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 82843573 5 Bytes JMP 8C75C15C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 8284CE98 4 Bytes CALL 8B2BE025 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 82850B0C 4 Bytes CALL 8B2BE03B \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 828A4E70 7 Bytes JMP 8C75D7A6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8A605340, 0x3DA817, 0xE8000020]
.text win32k.sys!EngCreateRectRgn + 4537 9485FC70 5 Bytes JMP 8B2C00D6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngTransparentBlt + 8C03 94882427 5 Bytes JMP 8B2BF9F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XFORMOBJ_iGetXform + 30F6 9488EAB7 5 Bytes JMP 8B2BFF90 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XFORMOBJ_iGetXform + 4569 9488FF2A 5 Bytes JMP 8B2BFB9A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMapFontFileFD + 119EE 948A9A85 5 Bytes JMP 8B2BFDE6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMapFontFileFD + 11A42 948A9AD9 5 Bytes JMP 8B2BFFBC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 60DE 948D341D 5 Bytes JMP 8B2BFABE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMulDiv + 4D3F 948D9D6E 5 Bytes JMP 8B2BFC0A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStrokePath + 5FF 948E70F4 5 Bytes JMP 8B2BFAD6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!STROBJ_vEnumStart + 4728 94916DE9 5 Bytes JMP 8B2BFB56 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSemaphore + E80 94935384 5 Bytes JMP 8B2BFD14 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!CLIPOBJ_bEnum + 248 9493AC02 5 Bytes JMP 8B2BFC6E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngLineTo + A0F 9495CC47 5 Bytes JMP 8B2BFCA4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngLineTo + D229 94969461 2 Bytes JMP 8B2BFD4E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngLineTo + D22C 94969464 2 Bytes [95, F6]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\Dwm.exe[200] ntdll.dll!LdrLoadDll 77B59378 5 Bytes JMP 000501F8
.text C:\Windows\system32\Dwm.exe[200] ntdll.dll!LdrUnloadDll 77B6B680 5 Bytes JMP 000503FC
.text C:\Windows\system32\Dwm.exe[200] kernel32.dll!GetBinaryTypeW + 70 76C42467 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[200] ADVAPI32.dll!CreateServiceW 769E9EB4 5 Bytes JMP 000703FC
.text C:\Windows\system32\Dwm.exe[200] ADVAPI32.dll!DeleteService 769EA07E 5 Bytes JMP 00070600
.text C:\Windows\system32\Dwm.exe[200] ADVAPI32.dll!SetServiceObjectSecurity 76A26CD9 5 Bytes JMP 00071014
.text C:\Windows\system32\Dwm.exe[200] ADVAPI32.dll!ChangeServiceConfigA 76A26DD9 5 Bytes JMP 00070804
.text C:\Windows\system32\Dwm.exe[200] ADVAPI32.dll!ChangeServiceConfigW 76A26F81 5 Bytes JMP 00070A08
.text C:\Windows\system32\Dwm.exe[200] ADVAPI32.dll!ChangeServiceConfig2A 76A27099 5 Bytes JMP 00070C0C
.text C:\Windows\system32\Dwm.exe[200] ADVAPI32.dll!ChangeServiceConfig2W 76A271E1 5 Bytes JMP 00070E10
.text C:\Windows\system32\Dwm.exe[200] ADVAPI32.dll!CreateServiceA 76A272A1 5 Bytes JMP 000701F8
.text C:\Windows\system32\Dwm.exe[200] USER32.dll!SetWindowsHookExA 764D6322 5 Bytes JMP 00080600
.text C:\Windows\system32\Dwm.exe[200] USER32.dll!SetWindowsHookExW 764D87AD 5 Bytes JMP 00080804
.text C:\Windows\system32\Dwm.exe[200] USER32.dll!UnhookWindowsHookEx 764D98DB 5 Bytes JMP 00080A08
.text C:\Windows\system32\Dwm.exe[200] USER32.dll!SetWinEventHook 764D9F3A 5 Bytes JMP 000801F8
.text C:\Windows\system32\Dwm.exe[200] USER32.dll!UnhookWinEvent 764DC06F 5 Bytes JMP 000803FC
.text C:\Windows\Explorer.EXE[300] ntdll.dll!LdrLoadDll 77B59378 5 Bytes JMP 000501F8
.text C:\Windows\Explorer.EXE[300] ntdll.dll!LdrUnloadDll 77B6B680 5 Bytes JMP 000503FC
.text C:\Windows\Explorer.EXE[300] kernel32.dll!GetBinaryTypeW + 70 76C42467 1 Byte [62]
.text C:\Windows\Explorer.EXE[300] ADVAPI32.dll!CreateServiceW 769E9EB4 5 Bytes JMP 000703FC
.text C:\Windows\Explorer.EXE[300] ADVAPI32.dll!DeleteService 769EA07E 5 Bytes JMP 00070600
.text C:\Windows\Explorer.EXE[300] ADVAPI32.dll!SetServiceObjectSecurity 76A26CD9 5 Bytes JMP 00071014
.text C:\Windows\Explorer.EXE[300] ADVAPI32.dll!ChangeServiceConfigA 76A26DD9 5 Bytes JMP 00070804
.text C:\Windows\Explorer.EXE[300] ADVAPI32.dll!ChangeServiceConfigW 76A26F81 5 Bytes JMP 00070A08
.text C:\Windows\Explorer.EXE[300] ADVAPI32.dll!ChangeServiceConfig2A 76A27099 5 Bytes JMP 00070C0C
.text C:\Windows\Explorer.EXE[300] ADVAPI32.dll!ChangeServiceConfig2W 76A271E1 5 Bytes JMP 00070E10
.text C:\Windows\Explorer.EXE[300] ADVAPI32.dll!CreateServiceA 76A272A1 5 Bytes JMP 000701F8
.text C:\Windows\Explorer.EXE[300] USER32.dll!SetWindowsHookExA 764D6322 5 Bytes JMP 00080600
.text C:\Windows\Explorer.EXE[300] USER32.dll!SetWindowsHookExW 764D87AD 5 Bytes JMP 00080804
.text C:\Windows\Explorer.EXE[300] USER32.dll!UnhookWindowsHookEx 764D98DB 5 Bytes JMP 00080A08
.text C:\Windows\Explorer.EXE[300] USER32.dll!SetWinEventHook 764D9F3A 5 Bytes JMP 000801F8
.text C:\Windows\Explorer.EXE[300] USER32.dll!UnhookWinEvent 764DC06F 5 Bytes JMP 000803FC
.text C:\Windows\system32\csrss.exe[528] KERNEL32.dll!GetBinaryTypeW + 70 76C42467 1 Byte [62]
.text C:\Windows\system32\wininit.exe[576] ntdll.dll!LdrLoadDll 77B59378 5 Bytes JMP 000701F8
.text C:\Windows\system32\wininit.exe[576] ntdll.dll!LdrUnloadDll 77B6B680 5 Bytes JMP 000703FC
.text C:\Windows\system32\wininit.exe[576] kernel32.dll!GetBinaryTypeW + 70 76C42467 1 Byte [62]
.text C:\Windows\system32\wininit.exe[576] ADVAPI32.dll!CreateServiceW 769E9EB4 5 Bytes JMP 000903FC
.text C:\Windows\system32\wininit.exe[576] ADVAPI32.dll!DeleteService 769EA07E 5 Bytes JMP 00090600
.text C:\Windows\system32\wininit.exe[576] ADVAPI32.dll!SetServiceObjectSecurity 76A26CD9 5 Bytes JMP 00091014
.text C:\Windows\system32\wininit.exe[576] ADVAPI32.dll!ChangeServiceConfigA 76A26DD9 5 Bytes JMP 00090804
.text C:\Windows\system32\wininit.exe[576] ADVAPI32.dll!ChangeServiceConfigW 76A26F81 5 Bytes JMP 00090A08
.text C:\Windows\system32\wininit.exe[576] ADVAPI32.dll!ChangeServiceConfig2A 76A27099 5 Bytes JMP 00090C0C
.text C:\Windows\system32\wininit.exe[576] ADVAPI32.dll!ChangeServiceConfig2W 76A271E1 5 Bytes JMP 00090E10
.text C:\Windows\system32\wininit.exe[576] ADVAPI32.dll!CreateServiceA 76A272A1 5 Bytes JMP 000901F8
.text C:\Windows\system32\wininit.exe[576] USER32.dll!SetWindowsHookExA 764D6322 5 Bytes JMP 000A0600
.text C:\Windows\system32\wininit.exe[576] USER32.dll!SetWindowsHookExW 764D87AD 5 Bytes JMP 000A0804
.text C:\Windows\system32\wininit.exe[576] USER32.dll!UnhookWindowsHookEx 764D98DB 5 Bytes JMP 000A0A08
.text C:\Windows\system32\wininit.exe[576] USER32.dll!SetWinEventHook 764D9F3A 5 Bytes JMP 000A01F8
.text C:\Windows\system32\wininit.exe[576] USER32.dll!UnhookWinEvent 764DC06F 5 Bytes JMP 000A03FC
.text C:\Windows\system32\csrss.exe[584] KERNEL32.dll!GetBinaryTypeW + 70 76C42467 1 Byte [62]
.text C:\Windows\system32\services.exe[624] ntdll.dll!LdrLoadDll 77B59378 5 Bytes JMP 000501F8
.text C:\Windows\system32\services.exe[624] ntdll.dll!LdrUnloadDll 77B6B680 5 Bytes JMP 000503FC
.text C:\Windows\system32\services.exe[624] kernel32.dll!GetBinaryTypeW + 70 76C42467 1 Byte [62]
.text C:\Windows\system32\services.exe[624] ADVAPI32.dll!CreateServiceW 769E9EB4 5 Bytes JMP 000803FC
.text C:\Windows\system32\services.exe[624] ADVAPI32.dll!DeleteService 769EA07E 5 Bytes JMP 00080600
.text C:\Windows\system32\services.exe[624] ADVAPI32.dll!SetServiceObjectSecurity 76A26CD9 5 Bytes JMP 00081014
.text C:\Windows\system32\services.exe[624] ADVAPI32.dll!ChangeServiceConfigA 76A26DD9 5 Bytes JMP 00080804
.text C:\Windows\system32\services.exe[624] ADVAPI32.dll!ChangeServiceConfigW 76A26F81 5 Bytes JMP 00080A08
.text C:\Windows\system32\services.exe[624] ADVAPI32.dll!ChangeServiceConfig2A 76A27099 5 Bytes JMP 00080C0C
.text C:\Windows\system32\services.exe[624] ADVAPI32.dll!ChangeServiceConfig2W 76A271E1 5 Bytes JMP 00080E10
.text C:\Windows\system32\services.exe[624] ADVAPI32.dll!CreateServiceA 76A272A1 5 Bytes JMP 000801F8
.text C:\Windows\system32\services.exe[624] USER32.dll!SetWindowsHookExA 764D6322 5 Bytes JMP 00090600
.text C:\Windows\system32\services.exe[624] USER32.dll!SetWindowsHookExW 764D87AD 5 Bytes JMP 00090804
.text C:\Windows\system32\services.exe[624] USER32.dll!UnhookWindowsHookEx 764D98DB 5 Bytes JMP 00090A08
.text C:\Windows\system32\services.exe[624] USER32.dll!SetWinEventHook 764D9F3A 5 Bytes JMP 000901F8
.text C:\Windows\system32\services.exe[624] USER32.dll!UnhookWinEvent 764DC06F 5 Bytes JMP 000903FC
.text C:\Windows\system32\lsass.exe[652] ntdll.dll!LdrLoadDll 77B59378 5 Bytes JMP 000501F8
.text C:\Windows\system32\lsass.exe[652] ntdll.dll!LdrUnloadDll 77B6B680 5 Bytes JMP 000503FC
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!GetBinaryTypeW + 70 76C42467 1 Byte [62]
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!CreateServiceW 769E9EB4 5 Bytes JMP 000703FC
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!DeleteService 769EA07E 5 Bytes JMP 00070600
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!SetServiceObjectSecurity 76A26CD9 5 Bytes JMP 00071014
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!ChangeServiceConfigA 76A26DD9 5 Bytes JMP 00070804
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!ChangeServiceConfigW 76A26F81 5 Bytes JMP 00070A08
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!ChangeServiceConfig2A 76A27099 5 Bytes JMP 00070C0C
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!ChangeServiceConfig2W 76A271E1 5 Bytes JMP 00070E10
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!CreateServiceA 76A272A1 5 Bytes JMP 000701F8
.text C:\Windows\system32\lsass.exe[652] USER32.dll!SetWindowsHookExA 764D6322 5 Bytes JMP 00080600
.text C:\Windows\system32\lsass.exe[652] USER32.dll!SetWindowsHookExW 764D87AD 5 Bytes JMP 00080804
.text C:\Windows\system32\lsass.exe[652] USER32.dll!UnhookWindowsHookEx 764D98DB 5 Bytes JMP 00080A08
.text C:\Windows\system32\lsass.exe[652] USER32.dll!SetWinEventHook 764D9F3A 5 Bytes JMP 000801F8
.text C:\Windows\system32\lsass.exe[652] USER32.dll!UnhookWinEvent 764DC06F 5 Bytes JMP 000803FC
.text C:\Windows\system32\winlogon.exe[660] ntdll.dll!LdrLoadDll 77B59378 5 Bytes JMP 000301F8
.text C:\Windows\system32\winlogon.exe[660] ntdll.dll!LdrUnloadDll 77B6B680 5 Bytes JMP 000303FC
.text C:\Windows\system32\winlogon.exe[660] kernel32.dll!GetBinaryTypeW + 70 76C42467 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[660] ADVAPI32.dll!CreateServiceW 769E9EB4 5 Bytes JMP 000503FC
.text C:\Windows\system32\winlogon.exe[660] ADVAPI32.dll!DeleteService 769EA07E 5 Bytes JMP 00050600
.text C:\Windows\system32\winlogon.exe[660] ADVAPI32.dll!SetServiceObjectSecurity 76A26CD9 5 Bytes JMP 00051014
.text C:\Windows\system32\winlogon.exe[660] ADVAPI32.dll!ChangeServiceConfigA 76A26DD9 5 Bytes JMP 00050804
.text C:\Windows\system32\winlogon.exe[660] ADVAPI32.dll!ChangeServiceConfigW 76A26F81 5 Bytes JMP 00050A08
.text C:\Windows\system32\winlogon.exe[660] ADVAPI32.dll!ChangeServiceConfig2A 76A27099 5 Bytes JMP 00050C0C
.text C:\Windows\system32\winlogon.exe[660] ADVAPI32.dll!ChangeServiceConfig2W 76A271E1 5 Bytes JMP 00050E10
.text C:\Windows\system32\winlogon.exe[660] ADVAPI32.dll!CreateServiceA 76A272A1 5 Bytes JMP 000501F8
.text C:\Windows\system32\winlogon.exe[660] USER32.dll!SetWindowsHookExA 764D6322 5 Bytes JMP 00060600
.text C:\Windows\system32\winlogon.exe[660] USER32.dll!SetWindowsHookExW 764D87AD 5 Bytes JMP 00060804
.text C:\Windows\system32\winlogon.exe[660] USER32.dll!UnhookWindowsHookEx 764D98DB 5 Bytes JMP 00060A08
.text C:\Windows\system32\winlogon.exe[660] USER32.dll!SetWinEventHook 764D9F3A 5 Bytes JMP 000601F8
.text C:\Windows\system32\winlogon.exe[660] USER32.dll!UnhookWinEvent 764DC06F 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsm.exe[668] ntdll.dll!LdrLoadDll 77B59378 5 Bytes JMP 000501F8
.text C:\Windows\system32\lsm.exe[668] ntdll.dll!LdrUnloadDll 77B6B680 5 Bytes JMP 000503FC
.text C:\Windows\system32\lsm.exe[668] kernel32.dll!GetBinaryTypeW + 70 76C42467 1 Byte [62]
.text C:\Windows\system32\lsm.exe[668] ADVAPI32.dll!CreateServiceW 769E9EB4 5 Bytes JMP 000703FC
.text C:\Windows\system32\lsm.exe[668] ADVAPI32.dll!DeleteService 769EA07E 5 Bytes JMP 00070600
.text C:\Windows\system32\lsm.exe[668] ADVAPI32.dll!SetServiceObjectSecurity 76A26CD9 5 Bytes JMP 00071014
.text C:\Windows\system32\lsm.exe[668] ADVAPI32.dll!ChangeServiceConfigA 76A26DD9 5 Bytes JMP 00070804
.text C:\Windows\system32\lsm.exe[668] ADVAPI32.dll!ChangeServiceConfigW 76A26F81 5 Bytes JMP 00070A08
.text C:\Windows\system32\lsm.exe[668] ADVAPI32.dll!ChangeServiceConfig2A 76A27099 5 Bytes JMP 00070C0C
.text C:\Windows\system32\lsm.exe[668] ADVAPI32.dll!ChangeServiceConfig2W 76A271E1 5 Bytes JMP 00070E10
.text C:\Windows\system32\lsm.exe[668] ADVAPI32.dll!CreateServiceA 76A272A1 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[844] ntdll.dll!LdrLoadDll 77B59378 5 Bytes JMP 000901F8
.text C:\Windows\system32\svchost.exe[844] ntdll.dll!LdrUnloadDll 77B6B680 5 Bytes JMP 000903FC
.text C:\Windows\system32\svchost.exe[844] kernel32.dll!GetBinaryTypeW + 70 76C42467 1 Byte [62]
.text C:\Windows\system32\svchost.exe[844] ADVAPI32.dll!CreateServiceW 769E9EB4 5 Bytes JMP 000B03FC
.text C:\Windows\system32\svchost.exe[844] ADVAPI32.dll!DeleteService 769EA07E 5 Bytes JMP 000B0600
.text C:\Windows\system32\svchost.exe[844] ADVAPI32.dll!SetServiceObjectSecurity 76A26CD9 5 Bytes JMP 000B1014
.text C:\Windows\system32\svchost.exe[844] ADVAPI32.dll!ChangeServiceConfigA 76A26DD9 5 Bytes JMP 000B0804
.text C:\Windows\system32\svchost.exe[844] ADVAPI32.dll!ChangeServiceConfigW 76A26F81 5 Bytes JMP 000B0A08
.text C:\Windows\system32\svchost.exe[844] ADVAPI32.dll!ChangeServiceConfig2A 76A27099 5 Bytes JMP 000B0C0C
.text C:\Windows\system32\svchost.exe[844] ADVAPI32.dll!ChangeServiceConfig2W 76A271E1 5 Bytes JMP 000B0E10
.text C:\Windows\system32\svchost.exe[844] ADVAPI32.dll!CreateServiceA 76A272A1 5 Bytes JMP 000B01F8
.text C:\Windows\system32\nvvsvc.exe[900] ntdll.dll!LdrLoadDll 77B59378 5 Bytes JMP 001401F8
.text C:\Windows\system32\nvvsvc.exe[900] ntdll.dll!LdrUnloadDll 77B6B680 5 Bytes JMP 001403FC
.text C:\Windows\system32\nvvsvc.exe[900] kernel32.dll!GetBinaryTypeW + 70 76C42467 1 Byte [62]
.text C:\Windows\system32\nvvsvc.exe[900] USER32.dll!SetWindowsHookExA 764D6322 5 Bytes JMP 00160600
.text C:\Windows\system32\nvvsvc.exe[900] USER32.dll!SetWindowsHookExW 764D87AD 5 Bytes JMP 00160804
.text C:\Windows\system32\nvvsvc.exe[900] USER32.dll!UnhookWindowsHookEx 764D98DB 5 Bytes JMP 00160A08
.text C:\Windows\system32\nvvsvc.exe[900] USER32.dll!SetWinEventHook 764D9F3A 5 Bytes JMP 001601F8
.text C:\Windows\system32\nvvsvc.exe[900] USER32.dll!UnhookWinEvent 764DC06F 5 Bytes JMP 001603FC
.text C:\Windows\system32\nvvsvc.exe[900] ADVAPI32.dll!CreateServiceW 769E9EB4 5 Bytes JMP 001703FC
.text C:\Windows\system32\nvvsvc.exe[900] ADVAPI32.dll!DeleteService 769EA07E 5 Bytes JMP 00170600
.text C:\Windows\system32\nvvsvc.exe[900] ADVAPI32.dll!SetServiceObjectSecurity 76A26CD9 5 Bytes JMP 00171014
.text C:\Windows\system32\nvvsvc.exe[900] ADVAPI32.dll!ChangeServiceConfigA 76A26DD9 5 Bytes JMP 00170804
.text C:\Windows\system32\nvvsvc.exe[900] ADVAPI32.dll!ChangeServiceConfigW 76A26F81 5 Bytes JMP 00170A08
.text C:\Windows\system32\nvvsvc.exe[900] ADVAPI32.dll!ChangeServiceConfig2A 76A27099 5 Bytes JMP 00170C0C
.text C:\Windows\system32\nvvsvc.exe[900] ADVAPI32.dll!ChangeServiceConfig2W 76A271E1 5 Bytes JMP 00170E10
.text C:\Windows\system32\nvvsvc.exe[900] ADVAPI32.dll!CreateServiceA 76A272A1 5 Bytes JMP 001701F8
.text C:\Windows\system32\svchost.exe[924] ntdll.dll!LdrLoadDll 77B59378 5 Bytes JMP 000901F8
.text C:\Windows\system32\svchost.exe[924] ntdll.dll!LdrUnloadDll 77B6B680 5 Bytes JMP 000903FC
.text C:\Windows\system32\svchost.exe[924] kernel32.dll!GetBinaryTypeW + 70 76C42467 1 Byte [62]
.text C:\Windows\system32\svchost.exe[924] ADVAPI32.dll!CreateServiceW 769E9EB4 5 Bytes JMP 000B03FC
.text C:\Windows\system32\svchost.exe[924] ADVAPI32.dll!DeleteService 769EA07E 5 Bytes JMP 000B0600
.text C:\Windows\system32\svchost.exe[924] ADVAPI32.dll!SetServiceObjectSecurity 76A26CD9 5 Bytes JMP 000B1014
.text C:\Windows\system32\svchost.exe[924] ADVAPI32.dll!ChangeServiceConfigA 76A26DD9 5 Bytes JMP 000B0804
.text C:\Windows\system32\svchost.exe[924] ADVAPI32.dll!ChangeServiceConfigW 76A26F81 5 Bytes JMP 000B0A08
.text C:\Windows\system32\svchost.exe[924] ADVAPI32.dll!ChangeServiceConfig2A 76A27099 5 Bytes JMP 000B0C0C
.text C:\Windows\system32\svchost.exe[924] ADVAPI32.dll!ChangeServiceConfig2W 76A271E1 5 Bytes JMP 000B0E10
.text C:\Windows\system32\svchost.exe[924] ADVAPI32.dll!CreateServiceA 76A272A1 5 Bytes JMP 000B01F8
.text C:\Windows\system32\svchost.exe[924] USER32.dll!SetWindowsHookExA 764D6322 5 Bytes JMP 00940600
.text C:\Windows\system32\svchost.exe[924] USER32.dll!SetWindowsHookExW 764D87AD 5 Bytes JMP 00940804
.text C:\Windows\system32\svchost.exe[924] USER32.dll!UnhookWindowsHookEx 764D98DB 5 Bytes JMP 00940A08
.text C:\Windows\system32\svchost.exe[924] USER32.dll!SetWinEventHook 764D9F3A 5 Bytes JMP 009401F8
.text C:\Windows\system32\svchost.exe[924] USER32.dll!UnhookWinEvent 764DC06F 5 Bytes JMP 009403FC
.text C:\Windows\System32\svchost.exe[960] ntdll.dll!LdrLoadDll 77B59378 5 Bytes JMP 000501F8
.text C:\Windows\System32\svchost.exe[960] ntdll.dll!LdrUnloadDll 77B6B680 5 Bytes JMP 000503FC
.text C:\Windows\System32\svchost.exe[960] kernel32.dll!GetBinaryTypeW + 70 76C42467 1 Byte [62]
.text C:\Windows\System32\svchost.exe[960] ADVAPI32.dll!CreateServiceW 769E9EB4 5 Bytes JMP 000803FC
.text C:\Windows\System32\svchost.exe[960] ADVAPI32.dll!DeleteService 769EA07E 5 Bytes JMP 00080600
.text C:\Windows\System32\svchost.exe[960] ADVAPI32.dll!SetServiceObjectSecurity 76A26CD9 5 Bytes JMP 00081014
.text C:\Windows\System32\svchost.exe[960] ADVAPI32.dll!ChangeServiceConfigA 76A26DD9 5 Bytes JMP 00080804
.text C:\Windows\System32\svchost.exe[960] ADVAPI32.dll!ChangeServiceConfigW 76A26F81 5 Bytes JMP 00080A08
.text C:\Windows\System32\svchost.exe[960] ADVAPI32.dll!ChangeServiceConfig2A 76A27099 5 Bytes JMP 00080C0C
.text C:\Windows\System32\svchost.exe[960] ADVAPI32.dll!ChangeServiceConfig2W 76A271E1 5 Bytes JMP 00080E10
.text C:\Windows\System32\svchost.exe[960] ADVAPI32.dll!CreateServiceA 76A272A1 5 Bytes JMP 000801F8
.text C:\Windows\System32\svchost.exe[960] USER32.dll!SetWindowsHookExA 764D6322 5 Bytes JMP 002A0600
.text C:\Windows\System32\svchost.exe[960] USER32.dll!SetWindowsHookExW 764D87AD 5 Bytes JMP 002A0804
.text C:\Windows\System32\svchost.exe[960] USER32.dll!UnhookWindowsHookEx 764D98DB 5 Bytes JMP 002A0A08
.text C:\Windows\System32\svchost.exe[960] USER32.dll!SetWinEventHook 764D9F3A 5 Bytes JMP 002A01F8
.text C:\Windows\System32\svchost.exe[960] USER32.dll!UnhookWinEvent 764DC06F 5 Bytes JMP 002A03FC
.text C:\Windows\System32\svchost.exe[992] ntdll.dll!LdrLoadDll 77B59378 5 Bytes JMP 000901F8
.text C:\Windows\System32\svchost.exe[992] ntdll.dll!LdrUnloadDll 77B6B680 5 Bytes JMP 000903FC
.text C:\Windows\System32\svchost.exe[992] kernel32.dll!GetBinaryTypeW + 70 76C42467 1 Byte [62]
.text C:\Windows\System32\svchost.exe[992] ADVAPI32.dll!CreateServiceW 769E9EB4 5 Bytes JMP 000B03FC
.text C:\Windows\System32\svchost.exe[992] ADVAPI32.dll!DeleteService 769EA07E 5 Bytes JMP 000B0600
.text C:\Windows\System32\svchost.exe[992] ADVAPI32.dll!SetServiceObjectSecurity 76A26CD9 5 Bytes JMP 000B1014
.text C:\Windows\System32\svchost.exe[992] ADVAPI32.dll!ChangeServiceConfigA 76A26DD9 5 Bytes JMP 000B0804
.text C:\Windows\System32\svchost.exe[992] ADVAPI32.dll!ChangeServiceConfigW 76A26F81 5 Bytes JMP 000B0A08
.text C:\Windows\System32\svchost.exe[992] ADVAPI32.dll!ChangeServiceConfig2A 76A27099 5 Bytes JMP 000B0C0C
.text C:\Windows\System32\svchost.exe[992] ADVAPI32.dll!ChangeServiceConfig2W 76A271E1 5 Bytes JMP 000B0E10
.text C:\Windows\System32\svchost.exe[992] ADVAPI32.dll!CreateServiceA 76A272A1 5 Bytes JMP 000B01F8
.text C:\Windows\System32\svchost.exe[992] USER32.dll!SetWindowsHookExA 764D6322 5 Bytes JMP 001E0600
.text C:\Windows\System32\svchost.exe[992] USER32.dll!SetWindowsHookExW 764D87AD 5 Bytes JMP 001E0804
.text C:\Windows\System32\svchost.exe[992] USER32.dll!UnhookWindowsHookEx 764D98DB 5 Bytes JMP 001E0A08
.text C:\Windows\System32\svchost.exe[992] USER32.dll!SetWinEventHook 764D9F3A 5 Bytes JMP 001E01F8
.text C:\Windows\System32\svchost.exe[992] USER32.dll!UnhookWinEvent 764DC06F 5 Bytes JMP 001E03FC
.text C:\Windows\System32\svchost.exe[1048] ntdll.dll!LdrLoadDll 77B59378 5 Bytes JMP 000501F8
.text C:\Windows\System32\svchost.exe[1048] ntdll.dll!LdrUnloadDll 77B6B680 5 Bytes JMP 000503FC
.text C:\Windows\System32\svchost.exe[1048] kernel32.dll!GetBinaryTypeW + 70 76C42467 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1048] ADVAPI32.dll!CreateServiceW 769E9EB4 5 Bytes JMP 000703FC
.text C:\Windows\System32\svchost.exe[1048] ADVAPI32.dll!DeleteService 769EA07E 5 Bytes JMP 00070600
.text C:\Windows\System32\svchost.exe[1048] ADVAPI32.dll!SetServiceObjectSecurity 76A26CD9 5 Bytes JMP 00071014
.text C:\Windows\System32\svchost.exe[1048] ADVAPI32.dll!ChangeServiceConfigA 76A26DD9 5 Bytes JMP 00070804
.text C:\Windows\System32\svchost.exe[1048] ADVAPI32.dll!ChangeServiceConfigW 76A26F81 5 Bytes JMP 00070A08
.text C:\Windows\System32\svchost.exe[1048] ADVAPI32.dll!ChangeServiceConfig2A 76A27099 5 Bytes JMP 00070C0C
.text C:\Windows\System32\svchost.exe[1048] ADVAPI32.dll!ChangeServiceConfig2W 76A271E1 5 Bytes JMP 00070E10
.text C:\Windows\System32\svchost.exe[1048] ADVAPI32.dll!CreateServiceA 76A272A1 5 Bytes JMP 000701F8
.text C:\Windows\System32\svchost.exe[1048] USER32.dll!SetWindowsHookExA 764D6322 5 Bytes JMP 001B0600
.text C:\Windows\System32\svchost.exe[1048] USER32.dll!SetWindowsHookExW 764D87AD 5 Bytes JMP 001B0804
.text C:\Windows\System32\svchost.exe[1048] USER32.dll!UnhookWindowsHookEx 764D98DB 5 Bytes JMP 001B0A08
.text C:\Windows\System32\svchost.exe[1048] USER32.dll!SetWinEventHook 764D9F3A 5 Bytes JMP 001B01F8
.text C:\Windows\System32\svchost.exe[1048] USER32.dll!UnhookWinEvent 764DC06F 5 Bytes JMP 001B03FC
.text C:\Windows\System32\svchost.exe[1108] ntdll.dll!LdrLoadDll 77B59378 5 Bytes JMP 000501F8
.text C:\Windows\System32\svchost.exe[1108] ntdll.dll!LdrUnloadDll 77B6B680 5 Bytes JMP 000503FC
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!GetBinaryTypeW + 70 76C42467 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!CreateServiceW 769E9EB4 5 Bytes JMP 000703FC
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!DeleteService 769EA07E 5 Bytes JMP 00070600
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!SetServiceObjectSecurity 76A26CD9 5 Bytes JMP 00071014
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!ChangeServiceConfigA 76A26DD9 5 Bytes JMP 00070804
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!ChangeServiceConfigW 76A26F81 5 Bytes JMP 00070A08
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!ChangeServiceConfig2A 76A27099 5 Bytes JMP 00070C0C
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!ChangeServiceConfig2W 76A271E1 5 Bytes JMP 00070E10
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!CreateServiceA 76A272A1 5 Bytes JMP 000701F8
.text C:\Windows\System32\svchost.exe[1108] USER32.dll!SetWindowsHookExA 764D6322 5 Bytes JMP 00380600
.text C:\Windows\System32\svchost.exe[1108] USER32.dll!SetWindowsHookExW 764D87AD 5 Bytes JMP 00380804
.text C:\Windows\System32\svchost.exe[1108] USER32.dll!UnhookWindowsHookEx 764D98DB 5 Bytes JMP 00380A08
.text C:\Windows\System32\svchost.exe[1108] USER32.dll!SetWinEventHook 764D9F3A 5 Bytes JMP 003801F8
.text C:\Windows\System32\svchost.exe[1108] USER32.dll!UnhookWinEvent 764DC06F 5 Bytes JMP 003803FC
.text C:\Windows\system32\svchost.exe[1128] ntdll.dll!LdrLoadDll 77B59378 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[1128] ntdll.dll!LdrUnloadDll 77B6B680 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!GetBinaryTypeW + 70 76C42467 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!CreateServiceW 769E9EB4 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!DeleteService 769EA07E 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!SetServiceObjectSecurity 76A26CD9 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!ChangeServiceConfigA 76A26DD9 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!ChangeServiceConfigW 76A26F81 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!ChangeServiceConfig2A 76A27099 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!ChangeServiceConfig2W 76A271E1 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!CreateServiceA 76A272A1 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[1128] USER32.dll!SetWindowsHookExA 764D6322 5 Bytes JMP 00210600
.text C:\Windows\system32\svchost.exe[1128] USER32.dll!SetWindowsHookExW 764D87AD 5 Bytes JMP 00210804
.text C:\Windows\system32\svchost.exe[1128] USER32.dll!UnhookWindowsHookEx 764D98DB 5 Bytes JMP 00210A08
.text C:\Windows\system32\svchost.exe[1128] USER32.dll!SetWinEventHook 764D9F3A 5 Bytes JMP 002101F8
.text C:\Windows\system32\svchost.exe[1128] USER32.dll!UnhookWinEvent 764DC06F 5 Bytes JMP 002103FC
.text C:\Windows\system32\AUDIODG.EXE[1200] kernel32.dll!GetBinaryTypeW + 70 76C42467 1 Byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1224] ntdll.dll!LdrLoadDll 77B59378 5 Bytes JMP 000801F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1224] ntdll.dll!LdrUnloadDll 77B6B680 5 Bytes JMP 000803FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1224] kernel32.dll!GetBinaryTypeW + 70 76C42467 1 Byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1224] ADVAPI32.dll!CreateServiceW 769E9EB4 5 Bytes JMP 000A03FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1224] ADVAPI32.dll!DeleteService 769EA07E 5 Bytes JMP 000A0600
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1224] ADVAPI32.dll!SetServiceObjectSecurity 76A26CD9 5 Bytes JMP 000A1014
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1224] ADVAPI32.dll!ChangeServiceConfigA 76A26DD9 5 Bytes JMP 000A0804
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1224] ADVAPI32.dll!ChangeServiceConfigW 76A26F81 5 Bytes JMP 000A0A08
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1224] ADVAPI32.dll!ChangeServiceConfig2A 76A27099 5 Bytes JMP 000A0C0C
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1224] ADVAPI32.dll!ChangeServiceConfig2W 76A271E1 5 Bytes JMP 000A0E10
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1224] ADVAPI32.dll!CreateServiceA 76A272A1 5 Bytes JMP 000A01F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1224] USER32.dll!SetWindowsHookExA 764D6322 5 Bytes JMP 000B0600
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1224] USER32.dll!SetWindowsHookExW 764D87AD 5 Bytes JMP 000B0804
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1224] USER32.dll!UnhookWindowsHookEx 764D98DB 5 Bytes JMP 000B0A08
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1224] USER32.dll!SetWinEventHook 764D9F3A 5 Bytes JMP 000B01F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1224] USER32.dll!UnhookWinEvent 764DC06F 5 Bytes JMP 000B03FC
.text C:\Windows\system32\svchost.exe[1236] ntdll.dll!LdrLoadDll 77B59378 5 Bytes JMP 000901F8
.text C:\Windows\system32\svchost.exe[1236] ntdll.dll!LdrUnloadDll 77B6B680 5 Bytes JMP 000903FC
.text C:\Windows\system32\svchost.exe[1236] kernel32.dll!GetBinaryTypeW + 70 76C42467 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!CreateServiceW 769E9EB4 5 Bytes JMP 000B03FC
.text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!DeleteService 769EA07E 5 Bytes JMP 000B0600
.text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!SetServiceObjectSecurity 76A26CD9 5 Bytes JMP 000B1014
.text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!ChangeServiceConfigA 76A26DD9 5 Bytes JMP 000B0804
.text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!ChangeServiceConfigW 76A26F81 5 Bytes JMP 000B0A08
.text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!ChangeServiceConfig2A 76A27099 5 Bytes JMP 000B0C0C
.text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!ChangeServiceConfig2W 76A271E1 5 Bytes JMP 000B0E10
.text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!CreateServiceA 76A272A1 5 Bytes JMP 000B01F8
.text C:\Windows\system32\svchost.exe[1292] ntdll.dll!LdrLoadDll 77B59378 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[1292] ntdll.dll!LdrUnloadDll 77B6B680 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[1292] kernel32.dll!GetBinaryTypeW + 70 76C42467 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1292] ADVAPI32.dll!CreateServiceW 769E9EB4 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[1292] ADVAPI32.dll!DeleteService 769EA07E 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[1292] ADVAPI32.dll!SetServiceObjectSecurity 76A26CD9 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[1292] ADVAPI32.dll!ChangeServiceConfigA 76A26DD9 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[1292] ADVAPI32.dll!ChangeServiceConfigW 76A26F81 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[1292] ADVAPI32.dll!ChangeServiceConfig2A 76A27099 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[1292] ADVAPI32.dll!ChangeServiceConfig2W 76A271E1 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[1292] ADVAPI32.dll!CreateServiceA 76A272A1 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[1292] USER32.dll!SetWindowsHookExA 764D6322 5 Bytes JMP 00CA0600
.text C:\Windows\system32\svchost.exe[1292] USER32.dll!SetWindowsHookExW 764D87AD 5 Bytes JMP 00CA0804
.text C:\Windows\system32\svchost.exe[1292] USER32.dll!UnhookWindowsHookEx 764D98DB 5 Bytes JMP 00CA0A08
.text C:\Windows\system32\svchost.exe[1292] USER32.dll!SetWinEventHook

Top
 Profile E-mail  
 
Display posts from previous:  Sort by  
Post new topic This topic is locked, you cannot edit posts or make further replies.  Page 1 of 2
  [ 18 posts ]  Go to page 1, 2  Next

Board index » Malware Removal » Malware Removal

All times are UTC [ DST ]

Who is online

Users browsing this forum: No registered users and 10 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk.

Member site: Alliance of Security Analysis Professionals | UNITE Against Malware

Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group