# Win32:RLoader-B



## blackseat (Mar 11, 2012)

Avast recognizes this infection but is unable to send it to the chest, repair it or delete it. It says that it is unavailable because it is being used by another process. How do I get rid of it? If it makes a difference, I am using a Dell D-4100 with XP Pro.


----------



## Cheeseball81 (Mar 3, 2004)

Hi and welcome

Are you able to run the scan in Safe Mode?


----------



## blackseat (Mar 11, 2012)

I am using Avast, and yes, I restarted the system, did a scan on the folder containing the infected file, and the results showed the same virus threat. I wasn't able to move the file to the chest or repair it, though. The same error message appears as before. Actually, 1 new infected file appeared on a scan yesterday with the same results. Unable to repair it or move it to the chest. Now I have two infected files. Do you know how to get rid of this thing? I'd like to remove it before it gets out of hand.


----------



## Cheeseball81 (Mar 3, 2004)

Can you please give us the filenames and the locations where it's being detected?


----------



## blackseat (Mar 11, 2012)

C:\windows\system32\C_72651070.nls (threat = win32:Rloader-B)
C:\system volume information\catalog.wci\00000002.nls (threat = win32:crypt-LUQ [trj])


----------



## Cheeseball81 (Mar 3, 2004)

The one in System Volume Information means it's in System Restore. That can be flushed out if you turn off System Restore, then turn it back on.

The other one is a Code Page National Language Support file. This contains a table for translating text into other alphabets or languages.
Another program must be using the file which is probably why it won't delete. I'm kinda surprised it wouldn't delete in Safe Mode.

Please download *DDS* by sUBs to your desktop from one of the following locations:

http://download.bleepingcomputer.com/sUBs/dds.scr
http://www.forospyware.com/sUBs/dds

Disable any script blocker you may have, as they may interfere, and then double-click DDS.scr to run the tool.

When DDS has finished scanning, it will open two logs named as follows:

*DDS.txt*
*Attach.txt*

Save them both to your desktop and then proceed on to the next step.

Please download *GMER* from: http://gmer.net/index.php

Click on the "Download EXE" button and save the randomly named .exe file to your desktop.

*Note: You must uninstall any CD Emulation programs that you have before running GMER as they can cause conflicts and give false results.*

Double click the GMER .exe file on your desktop to run the tool and it will automatically do a quick scan.

If the tool warns of rootkit activity and asks if you want to run a full scan, click on No and make sure the following are *unchecked* on the right-hand side:

IAT/EAT
Any drive letter other than the primary system drive (which is generally C).

Click the *Scan* button and when the scan is finished, click *Save* and save the log in Notepad with the name ark.txt to your desktop.

*Note: It's important that all other windows be closed and that you don't touch the mouse or do anything with the PC during the scan as it may cause it to freeze.*

Please post the requested logs/reports, as follows:

*Copy and paste* the contents of the DDS.txt file.
*Upload as an attachment* the Attach.txt file.
*Copy and paste* the contents of the ark.txt file.
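
Once the DDS and GMER logs are back, the first pass over them is mechanical and worth scripting. The Python below is an added example written for this thread; it is not part of DDS, GMER, avast or any post in the thread. Its sample input is a handful of lines copied from the logs posted later in this thread (the rest of each log is left out). It applies four heuristics that follow from the questions above: autostart entries whose target is "No File", startup items whose name is one letter off a core Windows binary, c_<n>.nls names in system32 whose number cannot be a Windows code page (every code page identifier Windows ships is below 65536, the highest in common use being 65001 for UTF-8), and a per-driver count of GMER's SSDT hooks, so that a hooking driver other than the installed antivirus stands out. The list of system binary names and the distance threshold are the author's assumptions, not signatures. A hit is a lead to verify (hash the file, check its signature, find the process holding it open), not a verdict.

```python
"""Triage helpers for DDS- and GMER-style logs (added example, not thread code)."""
import re
from collections import Counter

# Constructed sample: a subset of the DDS log posted later in this thread,
# kept in the exact line formats DDS emits.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
============== Pseudo HJT Report ===============
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\winlogin.exe
"""

# Constructed sample: a subset of the GMER SSDT section from the same thread.
SAMPLE_GMER = r"""
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xF092605D]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xF09E79E6]
SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys (Process Monitor driver/Igor Nys) ZwCreateProcess [0xF4742C1C]
SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys (Process Monitor driver/Igor Nys) ZwTerminateProcess [0xF4742C50]
"""

# Core Windows binaries whose names are commonly imitated (author's list, an assumption).
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                "smss.exe", "services.exe", "explorer.exe", "spoolsv.exe"}


def levenshtein(a, b):
    """Plain edit distance; small enough to inline rather than add a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def orphaned_entries(dds_text):
    """Autostart entries (BHO/TB/...) whose target DDS could not find on disk."""
    return [ln.strip() for ln in dds_text.splitlines() if ln.rstrip().endswith("- No File")]


def lookalike_startups(dds_text):
    """Run/StartupFolder items named one edit away from a core system binary."""
    hits = []
    for ln in dds_text.splitlines():
        if not ln.startswith(("uRun:", "mRun:", "StartupFolder:")):
            continue
        exes = re.findall(r'[^\\/"\s\[\]]+\.exe', ln, re.I)   # last match is the target path
        if not exes:
            continue
        name = exes[-1].lower()
        for real in SYSTEM_NAMES:
            if name != real and levenshtein(name, real) == 1:
                hits.append((name, real))
    return hits


def bogus_nls_names(paths):
    """c_<n>.nls files whose <n> is too large to be a Windows code page identifier."""
    out = []
    for p in paths:
        m = re.fullmatch(r"c_(\d+)\.nls", p.rsplit("\\", 1)[-1], re.I)
        if m and int(m.group(1)) > 65535:
            out.append(p)
    return out


def ssdt_hooks_by_driver(gmer_text):
    """Count GMER SSDT hooks per hooking driver so an unexpected driver stands out."""
    counts = Counter()
    for ln in gmer_text.splitlines():
        m = re.match(r"SSDT\s+(\S+)\s+\((.*?)\)\s+(Zw\w+)", ln)
        if m:
            counts[m.group(1).rsplit("\\", 1)[-1].lower()] += 1
    return counts


if __name__ == "__main__":
    print("orphaned:", orphaned_entries(SAMPLE_DDS))
    print("lookalikes:", lookalike_startups(SAMPLE_DDS))
    print("bogus NLS:", bogus_nls_names([r"C:\windows\system32\C_72651070.nls",
                                         r"C:\windows\system32\c_1252.nls"]))
    print("SSDT hooks by driver:", ssdt_hooks_by_driver(SAMPLE_GMER))
```

Feed it the full DDS.txt and ark.txt and read the output as a worklist: each orphaned entry is a leftover to clean, each lookalike is a file to hash and check for a valid signature before deciding anything, and the SSDT table should only name drivers you can account for (here the avast drivers and a user-installed process monitor). The NLS check is deliberately narrow: a real code page file such as c_1252.nls passes, and only a number no code page can have is reported.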


----------



## blackseat (Mar 11, 2012)

I sent this once already but had some difficulty in the sending process so you might get it twice. Hope this is the way you want it. Thanks

.
DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by User at 9:48:55 on 2012-03-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.160 [GMT -7:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\SAgent4.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\NewSoft\Presto! PageManager 8 for EP\PMSpeed.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearch Page = 
uWindow Title = Microsoft Internet Explorer
uSearch Bar = hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id&%language
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: {96EED997-5B90-403F-BF1E-6DB8466D300F} - No File
BHO: {c2f23d72-62b0-4d79-80dd-dacf22397231} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - 
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {FD79470F-54F8-4EC0-876C-66BC923AB81A} - No File
TB: {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {9516EB1C-AC77-492D-8FD6-A05AFAC9EA6E} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
uRun: [PMSpeed] c:\program files\newsoft\presto! pagemanager 8 for ep\PMSpeed.EXE
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [nwiz] nwiz.exe /install
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [IndexTray] "c:\program files\sharp\sharpdesk\IndexTray.exe"
mRun: [SharpTray] "c:\program files\sharp\sharpdesk\SharpTray.exe"
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [FUFAXSTM] "c:\program files\epson software\fax utility\FUFAXSTM.exe"
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [<NO NAME>] 
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photof~1.lnk - c:\program files\panasonic\photofunstudio -viewer-\PhAutoRun.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\startn~1.lnk - c:\program files\sharp\sharpdesk\sdFTP.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\winlogin.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
Trusted Zone: microsoft.com\office
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
DPF: {02E09B2E-2A03-4572-9291-69900C068564} - hxxp://www.learnitcorp.com/cabs/lcsim.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF}
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - hxxp://inst.c-wss.com/78/html/gtdownlr.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.safety.live.com/resource/download/scanner/wlscbase969.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102275540709
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123538585406
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} - hxxp://www.swiftview.com/product/current/licensed/svinstall_a_green.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {944713E8-1F29-42D9-ABD5-557728B9AC97} - hxxps://ilnet.wellsfargo.com/ilonline/clickloan/ptclickloanwf.cab
DPF: {A2EBA59E-C601-4AE3-900B-6B61F29500BE} - hxxps://widow1.factualdata.com/ocx/print3.ocx
DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://naasystem.webex.com/client/T26L/webex/ieatgpc.cab
DPF: {E08B60AF-05F9-41A5-BF6E-80143269FB81} - hxxp://www.clickloan.com/CAB/ByteClickLoan/1,0,0,1/ByteClickLoan.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5CC8BCC7-1DB1-4BAA-9D0E-C4617DF3074B} : NameServer = 68.4.16.30,68.6.16.30
TCP: Interfaces\{82F94850-E70B-4E35-98D9-A11CA39FB9C5} : DhcpNameServer = 192.168.1.1
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
Handler: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} - c:\program files\sharp\sharpdesk\ExplorerExtensions.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = :\windows\system32\srrstr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\k977uck8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\mozilla firefox\extensions\[email protected]\components\qfaservices.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-2 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-6-2 314456]
R1 cmosa;cmosa;c:\windows\system32\drivers\cmosa.sys [2004-12-4 29344]
R1 prcmondrv;prcmondrv;c:\windows\system32\drivers\prcmondrv1041.sys [2009-9-20 18432]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-6-2 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-6-2 44768]
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2006-9-8 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2006-9-8 3904]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2009-11-15 632792]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2003-6-23 163408]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2003-6-23 499680]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 PRISM_USB;Dell TrueMobile 1180 Wireless USB Adapter;c:\windows\system32\drivers\DELUSB_51.sys [2009-2-5 606208]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys --> c:\windows\system32\drivers\wg111v2.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 vtdg46xx;vtdg46xx;c:\progra~1\turtle~1\santac~1\contro~1\vtdg46xx.sys [2003-6-13 19232]
S3 XIRLINK;Dsc Pro Digital 640 Camera;c:\windows\system32\drivers\C-itNT.sys [2005-11-30 447245]
.
=============== Created Last 30 ================
.
2012-03-11 21:58:32 388096 ----a-r- c:\documents and settings\user\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-03-11 21:58:28 -------- d-----w- c:\program files\Trend Micro
2012-02-15 04:12:56 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-15 04:12:56 3072 ------w- c:\windows\system32\iacenc.dll
.
==================== Find3M ====================
.
2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46:36 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46:36 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46:36 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22:58 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 9:50:47.14 ===============
*********************************************************

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-13 12:40:52
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_5T040H4 rev.TAH71DP0
Running: rhkj3rru.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\ugtdipow.sys

---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xF0902FC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xF09DF510]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xF09266A9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xF0905456]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xF09054AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xF09055C4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xF092605D]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateMutant [0xF09053AC]
SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys (Process Monitor driver/Igor Nys) ZwCreateProcess [0xF4742C1C]
SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys (Process Monitor driver/Igor Nys) ZwCreateProcessEx [0xF4742C36]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xF09054FE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xF0905400]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xF0905572]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xF0902FE8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xF0926D6F]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xF0927025]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xF0905848]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xF0926BDA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xF0926A45]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xF09DF5C0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xF0902DB2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xF090300C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xF09059BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xF0903AA4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xF0905486]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xF09054D6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xF09055EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xF09263B9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xF09053D8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xF0905680]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xF090553E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xF090542E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xF0905764]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xF090559C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xF09DF658]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xF09268C0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xF090396A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xF0926712]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xF09E79E6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xF09256D0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xF0903030]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xF0903054]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xF0902E0C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xF0902F48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xF0926E76]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xF0902F24]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xF0902F6C]
SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys (Process Monitor driver/Igor Nys) ZwTerminateProcess [0xF4742C50]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xF0903078]
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!_abnormal_termination + 140 804E27AC 4 Bytes CALL 943EB7E0 
.text ntoskrnl.exe!_abnormal_termination + 271 804E28DD 3 Bytes [F6, 9D, F0]
PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC 8056BB08 4 Bytes CALL F090400F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text atapi.sys F847F852 1 Byte [CC] {INT 3 }
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF7CE2360, 0x24BB1D, 0xE8000020]
.text win32k.sys!EngSetLastError + 79A8 BF8240CD 5 Bytes JMP F0905B9A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!FONTOBJ_pxoGetXform + 84ED BF851755 5 Bytes JMP F0905AD6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 3581 BF85E2E4 5 Bytes JMP F0905DE6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 360C BF85E36F 5 Bytes JMP F0905FBC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreatePalette + 88 BF85F5E2 5 Bytes JMP F0905ABE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 4128 BF873D00 5 Bytes JMP F0905F76 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCopyBits + 4DEC BF89D970 5 Bytes JMP F0905C0A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngEraseSurface + A9E0 BF8C1EF0 5 Bytes JMP F0905CA4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 1517 BF8CA352 5 Bytes JMP F0905D14 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 1797 BF8CA5D2 5 Bytes JMP F0905D4E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSemaphore + 3B3E BF8EC027 5 Bytes JMP F09059F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 19DF BF91353B 5 Bytes JMP F0905B56 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 25B3 BF91410F 5 Bytes JMP F0905C6E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 4F2C BF916A88 5 Bytes JMP F09060D6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
? C:\DOCUME~1\User\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[264] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8 
.text C:\WINDOWS\System32\svchost.exe[264] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[264] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC 
.text C:\WINDOWS\System32\svchost.exe[264] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[264] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014 
.text C:\WINDOWS\System32\svchost.exe[264] ADVAPI32.dll!ChangeServiceConfigA  77E36E69 5 Bytes JMP 002B0804 
.text C:\WINDOWS\System32\svchost.exe[264] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08 
.text C:\WINDOWS\System32\svchost.exe[264] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C 
.text C:\WINDOWS\System32\svchost.exe[264] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10 
.text C:\WINDOWS\System32\svchost.exe[264] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8 
.text C:\WINDOWS\System32\svchost.exe[264] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC 
.text C:\WINDOWS\System32\svchost.exe[264] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600 
.text C:\WINDOWS\System32\svchost.exe[264] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804 
.text C:\WINDOWS\System32\svchost.exe[264] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08 
.text C:\WINDOWS\System32\svchost.exe[264] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600 
.text C:\WINDOWS\System32\svchost.exe[264] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8 
.text C:\WINDOWS\System32\svchost.exe[264] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC 
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[432] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8 
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[432] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[432] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC 
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[432] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[432] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014 
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[432] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804 
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[432] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08 
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[432] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C 
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[432] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10 
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[432] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8 
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[432] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC 
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[432] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600 
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[432] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A0804 
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[432] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0A08 
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[432] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A0600 
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[432] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A01F8 
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08 
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] ADVAPI32.dll!ChangeServiceConfig2A  77E37101 5 Bytes JMP 00390C0C 
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10 
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8 
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC 
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600 
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A0804 
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0A08 
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A0600 
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A01F8 
.text C:\Program Files\Java\jre6\bin\jqs.exe[1924] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A03FC 
.text C:\WINDOWS\system32\nvsvc32.exe[1956] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8 
.text C:\WINDOWS\system32\nvsvc32.exe[1956] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\nvsvc32.exe[1956] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC 
.text C:\WINDOWS\system32\nvsvc32.exe[1956] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\nvsvc32.exe[1956] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804 
.text C:\WINDOWS\system32\nvsvc32.exe[1956] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08 
.text C:\WINDOWS\system32\nvsvc32.exe[1956] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600 
.text C:\WINDOWS\system32\nvsvc32.exe[1956] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8 
.text C:\WINDOWS\system32\nvsvc32.exe[1956] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC 
.text C:\WINDOWS\system32\nvsvc32.exe[1956] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014 
.text C:\WINDOWS\system32\nvsvc32.exe[1956] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804 
.text C:\WINDOWS\system32\nvsvc32.exe[1956] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08 
.text C:\WINDOWS\system32\nvsvc32.exe[1956] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C 
.text C:\WINDOWS\system32\nvsvc32.exe[1956] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10 
.text C:\WINDOWS\system32\nvsvc32.exe[1956] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8 
.text C:\WINDOWS\system32\nvsvc32.exe[1956] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC 
.text C:\WINDOWS\system32\nvsvc32.exe[1956] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600 
.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1984] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8 
.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1984] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1984] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC 
.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1984] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1984] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00390804 
.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1984] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390A08 
.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1984] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00390600 
.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1984] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003901F8 
.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1984] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003903FC 
.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1984] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003A1014 
.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1984] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003A0804 
.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1984] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003A0A08 
.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1984] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003A0C0C 
.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1984] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003A0E10 
.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1984] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003A01F8 
.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1984] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003A03FC 
.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1984] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003A0600 
.text C:\WINDOWS\System32\tcpsvcs.exe[2024] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8 
.text C:\WINDOWS\System32\tcpsvcs.exe[2024] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\tcpsvcs.exe[2024] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC 
.text C:\WINDOWS\System32\tcpsvcs.exe[2024] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\tcpsvcs.exe[2024] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014 
.text C:\WINDOWS\System32\tcpsvcs.exe[2024] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804 
.text C:\WINDOWS\System32\tcpsvcs.exe[2024] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08 
.text C:\WINDOWS\System32\tcpsvcs.exe[2024] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C 
.text C:\WINDOWS\System32\tcpsvcs.exe[2024] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10 
.text C:\WINDOWS\System32\tcpsvcs.exe[2024] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8 
.text C:\WINDOWS\System32\tcpsvcs.exe[2024] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC 
.text C:\WINDOWS\System32\tcpsvcs.exe[2024] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600 
.text C:\WINDOWS\System32\tcpsvcs.exe[2024] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804 
.text C:\WINDOWS\System32\tcpsvcs.exe[2024] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08 
.text C:\WINDOWS\System32\tcpsvcs.exe[2024] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600 
.text C:\WINDOWS\System32\tcpsvcs.exe[2024] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8 
.text C:\WINDOWS\System32\tcpsvcs.exe[2024] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC 
.text C:\WINDOWS\system32\SAgent4.exe[2044] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8 
.text C:\WINDOWS\system32\SAgent4.exe[2044] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\SAgent4.exe[2044] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC 
.text C:\WINDOWS\system32\SAgent4.exe[2044] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\SAgent4.exe[2044] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00381014 
.text C:\WINDOWS\system32\SAgent4.exe[2044] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00380804 
.text C:\WINDOWS\system32\SAgent4.exe[2044] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00380A08 
.text C:\WINDOWS\system32\SAgent4.exe[2044] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00380C0C 
.text C:\WINDOWS\system32\SAgent4.exe[2044] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00380E10 
.text C:\WINDOWS\system32\SAgent4.exe[2044] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003801F8 
.text C:\WINDOWS\system32\SAgent4.exe[2044] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003803FC 
.text C:\WINDOWS\system32\SAgent4.exe[2044] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00380600 
.text C:\WINDOWS\system32\SAgent4.exe[2044] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00390804 
.text C:\WINDOWS\system32\SAgent4.exe[2044] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390A08 
.text C:\WINDOWS\system32\SAgent4.exe[2044] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00390600 
.text C:\WINDOWS\system32\SAgent4.exe[2044] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003901F8 
.text C:\WINDOWS\system32\SAgent4.exe[2044] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003903FC 
.text C:\WINDOWS\system32\cidaemon.exe[2084] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8 
.text C:\WINDOWS\system32\cidaemon.exe[2084] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\cidaemon.exe[2084] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC 
.text C:\WINDOWS\system32\cidaemon.exe[2084] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\cidaemon.exe[2084] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002B0804 
.text C:\WINDOWS\system32\cidaemon.exe[2084] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002B0A08 
.text C:\WINDOWS\system32\cidaemon.exe[2084] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002B0600 
.text C:\WINDOWS\system32\cidaemon.exe[2084] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002B01F8 
.text C:\WINDOWS\system32\cidaemon.exe[2084] USER32.dll!UnhookWinEvent  7E4318AC 5 Bytes JMP 002B03FC 
.text C:\WINDOWS\system32\cidaemon.exe[2084] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014 
.text C:\WINDOWS\system32\cidaemon.exe[2084] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804 
.text C:\WINDOWS\system32\cidaemon.exe[2084] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08 
.text C:\WINDOWS\system32\cidaemon.exe[2084] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C 
.text C:\WINDOWS\system32\cidaemon.exe[2084] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10 
.text C:\WINDOWS\system32\cidaemon.exe[2084] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8 
.text C:\WINDOWS\system32\cidaemon.exe[2084] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC 
.text C:\WINDOWS\system32\cidaemon.exe[2084] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003E1014 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003E0804 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003E0A08 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003E0C0C 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003E0E10 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] ADVAPI32.dll!CreateServiceA  77E37211 5 Bytes JMP 003E01F8 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003E03FC 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003E0600 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003F0804 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB14 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003F0A08 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003F0600 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003F01F8 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003F03FC 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E534C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E5214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2092] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E5276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003E1014 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003E0804 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003E0A08 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003E0C0C 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003E0E10 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003E01F8 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003E03FC 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003E0600 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AA5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD119 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB14 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254686 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003F0600 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003F01F8 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003F03FC 
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E534C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E5214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E5276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB70 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2140] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E5717 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[2876] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8 
.text C:\WINDOWS\Explorer.EXE[2876] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[2876] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC 
.text C:\WINDOWS\Explorer.EXE[2876] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[2876] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014 
.text C:\WINDOWS\Explorer.EXE[2876] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804 
.text C:\WINDOWS\Explorer.EXE[2876] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08 
.text C:\WINDOWS\Explorer.EXE[2876] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C 
.text C:\WINDOWS\Explorer.EXE[2876] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10 
.text C:\WINDOWS\Explorer.EXE[2876] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8 
.text C:\WINDOWS\Explorer.EXE[2876] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC 
.text C:\WINDOWS\Explorer.EXE[2876] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600 
.text C:\WINDOWS\Explorer.EXE[2876] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804 
.text C:\WINDOWS\Explorer.EXE[2876] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08 
.text C:\WINDOWS\Explorer.EXE[2876] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600 
.text C:\WINDOWS\Explorer.EXE[2876] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8 
.text C:\WINDOWS\Explorer.EXE[2876] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC 
.text C:\WINDOWS\System32\alg.exe[2892] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8 
.text C:\WINDOWS\System32\alg.exe[2892] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[2892] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC 
.text C:\WINDOWS\System32\alg.exe[2892] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[2892] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002B0804 
.text C:\WINDOWS\System32\alg.exe[2892] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002B0A08 
.text C:\WINDOWS\System32\alg.exe[2892] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002B0600 
.text C:\WINDOWS\System32\alg.exe[2892] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002B01F8 
.text C:\WINDOWS\System32\alg.exe[2892] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002B03FC 
.text C:\WINDOWS\System32\alg.exe[2892] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014 
.text C:\WINDOWS\System32\alg.exe[2892] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804 
.text C:\WINDOWS\System32\alg.exe[2892] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08 
.text C:\WINDOWS\System32\alg.exe[2892] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C 
.text C:\WINDOWS\System32\alg.exe[2892] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10 
.text C:\WINDOWS\System32\alg.exe[2892] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8 
.text C:\WINDOWS\System32\alg.exe[2892] ADVAPI32.dll!CreateServiceW  77E373A9 5 Bytes JMP 002C03FC 
.text C:\WINDOWS\System32\alg.exe[2892] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600 
.text C:\Documents and Settings\User\Desktop\rhkj3rru.exe[3120] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8 
.text C:\Documents and Settings\User\Desktop\rhkj3rru.exe[3120] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Documents and Settings\User\Desktop\rhkj3rru.exe[3120] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC 
.text C:\Documents and Settings\User\Desktop\rhkj3rru.exe[3120] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Documents and Settings\User\Desktop\rhkj3rru.exe[3120] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003E1014 
.text C:\Documents and Settings\User\Desktop\rhkj3rru.exe[3120] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003E0804 
.text C:\Documents and Settings\User\Desktop\rhkj3rru.exe[3120] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003E0A08 
.text C:\Documents and Settings\User\Desktop\rhkj3rru.exe[3120] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003E0C0C 
.text C:\Documents and Settings\User\Desktop\rhkj3rru.exe[3120] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003E0E10 
.text C:\Documents and Settings\User\Desktop\rhkj3rru.exe[3120] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003E01F8 
.text C:\Documents and Settings\User\Desktop\rhkj3rru.exe[3120] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003E03FC 
.text C:\Documents and Settings\User\Desktop\rhkj3rru.exe[3120] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003E0600 
.text C:\Documents and Settings\User\Desktop\rhkj3rru.exe[3120] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003F0804 
.text C:\Documents and Settings\User\Desktop\rhkj3rru.exe[3120] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003F0A08 
.text C:\Documents and Settings\User\Desktop\rhkj3rru.exe[3120] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003F0600 
.text C:\Documents and Settings\User\Desktop\rhkj3rru.exe[3120] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003F01F8 
.text C:\Documents and Settings\User\Desktop\rhkj3rru.exe[3120] USER32.dll!UnhookWinEvent  7E4318AC 5 Bytes JMP 003F03FC 
.text C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE[3248] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8 
.text C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE[3248] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE[3248] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC 
.text C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE[3248] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE[3248] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014 
.text C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE[3248] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804 
.text C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE[3248] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08 
.text C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE[3248] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C 
.text C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE[3248] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10 
.text C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE[3248] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8 
.text C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE[3248] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC 
.text C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE[3248] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600 
.text C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE[3248] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804 
.text C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE[3248] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08 
.text C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE[3248] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600 
.text C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE[3248] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8 
.text C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE[3248] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC 
.text C:\WINDOWS\system32\cidaemon.exe[3320] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8 
.text C:\WINDOWS\system32\cidaemon.exe[3320] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\cidaemon.exe[3320] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC 
.text C:\WINDOWS\system32\cidaemon.exe[3320] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\cidaemon.exe[3320] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002B0804 
.text C:\WINDOWS\system32\cidaemon.exe[3320] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002B0A08 
.text C:\WINDOWS\system32\cidaemon.exe[3320] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002B0600 
.text C:\WINDOWS\system32\cidaemon.exe[3320] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002B01F8 
.text C:\WINDOWS\system32\cidaemon.exe[3320] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002B03FC 
.text C:\WINDOWS\system32\cidaemon.exe[3320] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014 
.text C:\WINDOWS\system32\cidaemon.exe[3320] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804 
.text C:\WINDOWS\system32\cidaemon.exe[3320] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08 
.text C:\WINDOWS\system32\cidaemon.exe[3320] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C 
.text C:\WINDOWS\system32\cidaemon.exe[3320] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10 
.text C:\WINDOWS\system32\cidaemon.exe[3320] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8 
.text C:\WINDOWS\system32\cidaemon.exe[3320] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC 
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
---- Threads - GMER 1.0.15 ----
Thread System [4:120] 82EFF39F
Thread System [4:440] 82E720F4
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Classes\CLSID\{C1D66034-199B-5834-FAD091A744E2DF52}\{A9398372-0762-3A7E-A7C8ABB3F38F2F6E}\{F18374B6-D35D-16D4-9DBDDA1016548C70} 
Reg HKLM\SOFTWARE\Classes\CLSID\{C1D66034-199B-5834-FAD091A744E2DF52}\{A9398372-0762-3A7E-A7C8ABB3F38F2F6E}\{F18374B6-D35D-16D4-9DBDDA1016548C70}@Q3FBLH6RIF6MYMN6VD31LVQSMD1 0x01 0x00 0x00 0x00 ...
---- EOF - GMER 1.0.15 ----


----------



## Cheeseball81 (Mar 3, 2004)

Could you try that test with System Restore (turning off then back on) to see if it removes that one infection?

Then proceed to the next step...

Download *ComboFix* from one of these locations:

*Link 1*
*Link 2*

*IMPORTANT! Save ComboFix.exe to your Desktop*


Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

*Please note:* If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the *C:\ComboFix.txt* in your next reply.


----------



## blackseat (Mar 11, 2012)

ComboFix 12-03-13.01 - User 03/13/2012 15:02:41.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.212 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\User\LOCALS~1\Temp\PST2GB.exe
c:\documents and settings\All Users\Start Menu\Programs\Startup\winlogin.exe
c:\documents and settings\User\g2mdlhlpx.exe
c:\documents and settings\User\Local Settings\Temp\PST2GB.exe
C:\install.exe
c:\windows\dasetup.log
c:\windows\EventSystem.log
c:\windows\jestertb.dll
c:\windows\ST6UNST.000
c:\windows\system\DSP8.tmp
c:\windows\system\DSP99.tmp
c:\windows\system32\cnm104.tmp
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\regobj.dll
c:\windows\system32\SET170.tmp
c:\windows\system32\SET199.tmp
c:\windows\system32\SET1A.tmp
c:\windows\system32\SET1A5.tmp
c:\windows\system32\SET1EC.tmp
c:\windows\system32\SET21.tmp
c:\windows\system32\tbc2A.tmp
c:\windows\system32\tbc5.tmp
c:\windows\system32\tbcB5.tmp
c:\windows\system32\wupd.dat
c:\windows\wc98pp.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-02-13 to 2012-03-13 )))))))))))))))))))))))))))))))
.
.
2012-03-11 21:58 . 2012-03-11 21:58 388096 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-11 21:58 . 2012-03-11 21:58 -------- d-----w- c:\program files\Trend Micro
2012-02-15 04:12 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-15 04:12 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 16:53 . 2003-07-16 16:45 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2003-07-16 16:45 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2003-07-16 16:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2003-07-16 16:24 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2006-12-13 03:12 . 2006-12-21 15:56 66648 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-12-13 03:12 . 2006-12-21 15:56 54352 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-12-13 03:12 . 2006-12-21 15:56 34928 -c--a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-12-13 03:12 . 2006-12-21 15:57 46696 -c--a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-12-13 03:12 . 2006-12-21 15:57 172120 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PMSpeed"="c:\program files\NewSoft\Presto! PageManager 8 for EP\PMSpeed.EXE" [2008-12-09 55120]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"IndexTray"="c:\program files\Sharp\Sharpdesk\IndexTray.exe" [2003-01-22 106496]
"SharpTray"="c:\program files\Sharp\Sharpdesk\SharpTray.exe" [2003-01-22 28672]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-06-05 843776]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2008-05-24 26448]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-5-16 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
PHOTOfunSTUDIO -viewer-.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe [2008-12-25 40960]
Start Network Scanner Tool.lnk - c:\program files\Sharp\Sharpdesk\sdFTP.exe [2003-1-8 347648]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Start Network Scanner Tool.lnk]
backup=c:\windows\pss\Start Network Scanner Tool.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexTray]
2003-01-22 19:43 106496 ----a-w- c:\program files\Sharp\Sharpdesk\IndexTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SharpTray]
2003-01-22 19:52 28672 ----a-w- c:\program files\Sharp\Sharpdesk\SharpTray.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Sharp\\Sharpdesk\\sdFTP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool09\\ENEasyApp.exe"=
"c:\\Program Files\\NewSoft\\Presto! PageManager 8 for EP\\LicenseCheck.exe"=
"c:\\Program Files\\FreeFileViewer\\FFVCheckForUpdates.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*isabledxpsp2res.dll,-22009
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [6/2/2011 6:46 PM 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/2/2011 6:46 PM 314456]
R1 cmosa;cmosa;c:\windows\system32\drivers\cmosa.sys [12/4/2004 5:45 PM 29344]
R1 prcmondrv;prcmondrv;c:\windows\system32\drivers\prcmondrv1041.sys [9/20/2009 2:36 PM 18432]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/2/2011 6:46 PM 20568]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [9/8/2006 1:51 PM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [9/8/2006 1:51 PM 3904]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [11/15/2009 12:41 PM 632792]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [6/23/2003 1:15 PM 163408]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [6/23/2003 1:15 PM 499680]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 PRISM_USB;Dell TrueMobile 1180 Wireless USB Adapter;c:\windows\system32\drivers\DELUSB_51.sys [2/5/2009 6:58 PM 606208]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [6/13/2003 5:45 PM 19232]
S3 XIRLINK;Dsc Pro Digital 640 Camera;c:\windows\system32\drivers\C-itNT.sys [11/30/2005 7:51 PM 447245]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-13 c:\windows\Tasks\FreeFileViewerUpdateChecker.job
- c:\program files\FreeFileViewer\FFVCheckForUpdates.exe [2011-10-13 22:24]
.
2012-03-09 c:\windows\Tasks\User_Feed_Synchronization-{F9D2F0A3-27FC-4EFF-89F1-2C86863BCAC5}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
Trusted Zone: microsoft.com\office
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5CC8BCC7-1DB1-4BAA-9D0E-C4617DF3074B}: NameServer = 68.4.16.30,68.6.16.30
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {02E09B2E-2A03-4572-9291-69900C068564} - hxxp://www.learnitcorp.com/cabs/lcsim.cab
DPF: {944713E8-1F29-42D9-ABD5-557728B9AC97} - hxxps://ilnet.wellsfargo.com/ilonline/clickloan/ptclickloanwf.cab
DPF: {A2EBA59E-C601-4AE3-900B-6B61F29500BE} - hxxps://widow1.factualdata.com/ocx/print3.ocx
DPF: {E08B60AF-05F9-41A5-BF6E-80143269FB81} - hxxp://www.clickloan.com/CAB/ByteClickLoan/1,0,0,1/ByteClickLoan.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\k977uck8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
BHO-{96EED997-5B90-403F-BF1E-6DB8466D300F} - (no file)
BHO-{c2f23d72-62b0-4d79-80dd-dacf22397231} - (no file)
WebBrowser-{9516EB1C-AC77-492D-8FD6-A05AFAC9EA6E} - (no file)
ShellIconOverlayIdentifiers-{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6} - c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
ShellIconOverlayIdentifiers-{9AE343CB-BA45-4618-AF6A-0230EE6FC793} - c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-Easy-WebPrint - c:\program files\Canon\Easy-WebPrint\Uninst.isu
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-13 15:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1214440339-1563985344-854245398-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C1D66034-199B-5834-FAD091A744E2DF52}\{A9398372-0762-3A7E-A7C8ABB3F38F2F6E}\{F18374B6-D35D-16D4-9DBDDA1016548C70}*]
"Q3FBLH6RIF6MYMN6VD31LVQSMD1"=hex:01,00,00,00,00,00,00,00,5c,63,e8,cf,f7,e6,fd,
3a
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2712)
c:\windows\system32\WININET.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\windows\system32\crypserv.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\windows\System32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\system32\SAgent4.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\Logitech\MouseWare\system\em_exec.exe
.
**************************************************************************
.
Completion time: 2012-03-13 15:55:24 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-13 22:55
.
Pre-Run: 9,850,556,416 bytes free
Post-Run: 9,870,970,880 bytes free
.
- - End Of File - - B796A59640F9D8DF3DCA3877EDA1FD52


----------



## Cheeseball81 (Mar 3, 2004)

That removed quite a bit! Can you rerun Avast now and let me know if any infections come up and if that one nls file will finally remove?


----------



## blackseat (Mar 11, 2012)

I only ran the system 32 folder to see if what we have done had any direct effect on the infected file. I was still unable to move it to the chest. The error message reads "Error: The process can not access the file because it is being used by another process (32)". Is there any way to isolate which process is tying up this file and if it is a process that we can shut down or if it is a required system process? Is it possible that I would be able to access the file in Safe Mode now?


----------



## Cheeseball81 (Mar 3, 2004)

Give it a scan in Safe Mode once more. If no luck, we will figure out another way to take care of this. 
I was thinking we could try using Combofix for it. I just wanna be sure it's 100% safe to delete .nls files.


----------



## blackseat (Mar 11, 2012)

Here we go again, huh?
Last night I tried running the scan in safe mode again. No luck.
What about trying to isolate the other process that is using this process to see if there is a way to separate the dependency?
The more we look at this, the angrier I get. There's got to be a law that says you can't do this kind of thing, isn't there?
What did you find out about being able to delete an .nls file? Can this be done, and can we just extract and replace it with a new file?


----------



## Cheeseball81 (Mar 3, 2004)

The weird thing is, it's not showing the logs so it must have been created more than 30 days ago.

Download *OTS.exe* to your Desktop.

Close any open browsers.
If your Real protection or Antivirus interferes with OTS, allow it to run.
Double-click on *OTS.exe* to start the program.
In the *Additional Scans* section, put a check in Disabled MS Config Items and EventViewer logs.
Now click the *Run Scan* button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file.
Use the *Reply* button, scroll down to the attachments section and attach the notepad file here.


----------



## blackseat (Mar 11, 2012)

see OTS attached


----------



## Cheeseball81 (Mar 3, 2004)

Sorry, I should have added that before you run it: up top, do you see "File Age"? Can you change that to 60 days? Then run it. Thanks.


----------



## blackseat (Mar 11, 2012)

OTS2.txt


----------



## blackseat (Mar 11, 2012)

I just checked the "properties" switch on the infected file. All of the other .nls files were created on either Jul 16, 03 or Dec 4, 04. This file is the only one created on Mar 2, 2012. Modification dates are all the same as the creation dates. Does this indicate that this is a phoney file? Would it follow that the file could be deleted with no consequences?


----------



## Cheeseball81 (Mar 3, 2004)

Yes, this seems like a scenario where it's not valid at all and the infection just dropped in a similar looking file.

Please proceed with deleting it. If it won't budge, let me know.
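The dating check the two posters settle on above (every genuine .nls file carrying a 2003 or 2004 date, the flagged one a 2012 date), written up as an added example that is not part of the thread. File names, contents and timestamps in it are constructed sample data, and it runs against a temporary directory rather than system32.

```python
"""Timestamp triage for code-page (.nls) files.

Added example, not from the thread. It automates the check the poster made
by hand: genuine .nls files in system32 all carried 2003/2004 dates, while
the detected one was created on 2012-03-02, years after everything else.
"""
import os
import tempfile
from collections import Counter
from datetime import date, datetime, timedelta, timezone
from pathlib import Path


def nls_dates(directory):
    """Map each .nls file (case-insensitive, as on Windows) to its date.

    Modification time is used: the poster observed that creation and
    modification dates matched for every file, and st_ctime is not the
    creation time on POSIX systems.
    """
    result = {}
    for p in Path(directory).iterdir():
        if p.is_file() and p.suffix.lower() == ".nls":
            mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
            result[p] = mtime.date()
    return result


def find_outliers(dates, min_cluster=2, window_days=365):
    """Return paths whose date is far from every 'batch' date.

    OS components ship in batches (install media, service packs), so real
    files share a few dates. A date held by at least min_cluster files is
    treated as a batch; a file more than window_days from every batch is
    flagged. With no batch at all the function refuses to guess.
    """
    counts = Counter(dates.values())
    batches = [d for d, n in counts.items() if n >= min_cluster]
    if not batches:
        return []
    window = timedelta(days=window_days)
    return sorted(p for p, d in dates.items()
                  if all(abs(d - b) > window for b in batches))


def triage(directory):
    """Convenience wrapper: sorted names of outlier .nls files in a directory."""
    return [p.name for p in find_outliers(nls_dates(directory))]


def build_sample_dir():
    """Create a temp directory of constructed files whose dates mirror the
    thread: 2003-07-16 and 2004-12-04 for genuine files, 2012-03-02 for the
    detected one. Names and contents are constructed sample data."""
    root = Path(tempfile.mkdtemp(prefix="nls_triage_"))
    sample = {
        "C_1252.NLS": date(2003, 7, 16),
        "C_437.NLS": date(2003, 7, 16),
        "C_850.NLS": date(2004, 12, 4),
        "l_intl.nls": date(2004, 12, 4),
        "C_7265170.nls": date(2012, 3, 2),  # the file Avast flagged
        "readme.txt": date(2012, 3, 2),     # wrong extension, must be ignored
    }
    for name, day in sample.items():
        p = root / name
        p.write_bytes(b"\x00" * 16)
        ts = datetime(day.year, day.month, day.day, tzinfo=timezone.utc).timestamp()
        os.utime(p, (ts, ts))
    return root


if __name__ == "__main__":
    demo = build_sample_dir()
    for name in triage(demo):
        print("suspicious date outlier:", name)
```

On Windows, the process behind a sharing violation like the one reported later in the thread can be identified with Sysinternals handle.exe or Process Explorer's Find Handle, which is the question the thread leaves open.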


----------



## blackseat (Mar 11, 2012)

It won't budge. I tried to delete it in normal and safe modes. No dice. I think that there is a good chance that they have included some code to prevent that. I can open the file in word but it's written in code that I don't understand. Do we need to figure out how to read it or is there another way to delete the file without going that route?


----------



## Cheeseball81 (Mar 3, 2004)

Let's see if this works.

Open Notepad and copy and paste the text in the quote box below into it:



> File::
> C:\windows\system32\C_72651070.nls


Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.



This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------



## blackseat (Mar 11, 2012)

I think I might have made a mistake. I copied this:

File::
C:\windows\system32\C_72651070.nls

Pasted it into notepad, saved it to my desktop as CFScript.txt and then dragged it to the Combo Fix icon as you stated. The icon does not have the X symbol on it so I was somewhat confused. It brought up the run screen. I clicked on run and it went through a bunch of files, and then everything stopped. A little bit later a blue screen (combo fix) came up and said it was going to start combo fix again. I wasn't sure that this was what was supposed to happen so I X'd out of it. I checked your instructions. Everything seemed to make sense so I dragged the notepad file to the combo fix file again. The run screen appeared again and I clicked on run. It did as before and ran through a bunch of file names and stopped. This time nothing else happened. The blue screen never reappeared. I am hesitant to do any more. What now?


----------



## Cheeseball81 (Mar 3, 2004)

It didn't produce a log, did it?

Let's try RKill. It's a program that was developed at BleepingComputer.com that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections. When RKill runs it will kill malware processes and then import a Registry file that removes incorrect file associations and fixes policies that stop us from using certain tools.

Please download *Rkill* and save to your Desktop.

Double-click on the Rkill desktop icon to run the tool.
_If using Vista or Windows 7 right-click on it and Run As Administrator_.
A *black DOS box* will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use *Link 1* from the following list and so on in sequential order until one runs successfully.
*Link 1*

*Link 2*

*Link 3*

*Link 4*

*Link 5*

*Link 6*

A log pops up at the end of the run. This log file is also located at C:\rkill.log. Please post this log in your reply.
If you get an alert from your *own* Security Program, accept it and allow Rkill to run, it is very safe and will not harm your system.
If the alert is from the Infection Malware program (you'll know by the name) leave the alert open and run the same Rkill version again. You may have to run it several times, it may take up to 9 to work.
If the tool does not run from any of the links provided, please let me know.


----------



## blackseat (Mar 11, 2012)

This log file is located at C:\rkill.log. 
Please post this only if requested to by the person helping you. 
Otherwise you can close this log when you wish. 
Rkill was run on 03/14/2012 at 19:56:19. 
Operating System: Microsoft Windows XP 

Processes terminated by Rkill or while it was running: 

Rkill completed on 03/14/2012 at 19:56:41.


----------



## Cheeseball81 (Mar 3, 2004)

Ok run Rkill again then try running Avast afterwards and see if it will remove the infection.


----------



## blackseat (Mar 11, 2012)

I tried that in regular and safe mode. I took the file in safe mode and copied the file (for backup) then cut the code and tried to save it and then delete it. It didn't work. I was able to delete the copy. Only the original file says that it is being used by another program and denies me the ability to change or delete it. Do you have any other ideas? Is there any way to determine what program or process has a hold on this file? I started to ask myself if the actual infection might be dead and was it possible that there is something in the system files themselves that might cause this but then I looked at the file with Avast again and it still recognizes it as the virus. It's still there.


----------



## Cheeseball81 (Mar 3, 2004)

There may be a driver protecting it.

Download aswMBR.exe to your desktop: http://public.avast.com/~gmerek/aswMBR.exe
Double click the aswMBR.exe to run it.

Click the "Scan" button to start scan.
Upon completion of the scan, click Save log, and save it to your desktop. (Note: Do not select any Fix at this time)
Please post the contents of that log in your next reply.

There will also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.


----------



## blackseat (Mar 11, 2012)

Glad to see you back. I thought I had lost you. Here is the log file you requested and the compressed dat file. Let me know what you see.


----------



## Cheeseball81 (Mar 3, 2004)

Sorry for the delay. I am in the process of moving into a new home. 

I will review your results now.


----------



## Cheeseball81 (Mar 3, 2004)

Let's give this a try and keep our fingers crossed.

1. Please *download* *The Avenger2* by Swandog46 to your *Desktop*.
Right-click on the Avenger.zip folder and select "Extract All..."
 Follow the prompts and extract the *Avenger* folder to your desktop
2. Copy all the text contained in the code box below to your clipboard by highlighting it and pressing (*Ctrl+C*):


```
Files to delete:
C:\windows\system32\C_72651070.nls
```
_*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, open the Avenger folder and *start The Avenger program* by clicking on its icon.

 Right-click on the window under *Input script here:*, and select Paste.
 You can also paste the text copied to the clipboard into this window by pressing (*Ctrl+V*).
 Click on *Execute* 
 Answer "*Yes*" twice when prompted.
4. *The Avenger will automatically do the following*:
It will *restart your computer*. (In cases where the code to execute contains "*Drivers to Delete*", The Avenger will actually *restart your system twice.*)
After the restart, it *creates a log file* that should open with the results of The Avenger's actions. This log file will be located at *C:\avenger.txt*
 The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.
5. Please *copy/paste* the content of *C:\avenger.txt* into your reply.


----------



## Cheeseball81 (Mar 3, 2004)

Since there has been no reply in 9 days, I will have to unsubscribe from this thread and will not be notified about any new replies. If you need any other assistance or have questions, please PM me.


----------



## Cheeseball81 (Mar 3, 2004)

Re-subscribing


----------



## blackseat (Mar 11, 2012)

Looks like I've got company with this problem. There are a few new posts with the same issue. Here is the Avenger.txt you wanted. I took the liberty to run it in regular and safe mode. No luck. (by the way) when I read the script you sent for Avenger I noticed that the file name you gave me ended in 1070. I ran it that way with no recognition of the file name. I took a second look at the file in system32 and it ends in 170? I also ran it that way with no results. I looked back at some of our conversation and found that this mistake has been going on for some time. I don't think it matters though because we are still getting no results. Anyway, any other ideas? This one has me stumped.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!

Error: could not open file "C:\windows\system32\C_7265170.nls"
Deletion of file "C:\windows\system32\C_7265170.nls" failed!
Status: 0xc0000043 (STATUS_SHARING_VIOLATION)

Completed script processing.
*******************


----------



## Cheeseball81 (Mar 3, 2004)

I was starting to notice that others have been reporting the same issue. I should see if anyone else has had luck. 

Be back shortly.


----------



## Cheeseball81 (Mar 3, 2004)

Oddly... the first thread I checked... they uninstalled Avast. I found that interesting.

I'm wondering if we could try that.


----------



## blackseat (Mar 11, 2012)

Hi-
You know? I've been waiting for a reply from you for days now. Then today, I decided to check and see if there is an entry in this forum. There was / is. I never received an alert through Outlook though like I did before. Has something changed because you unsubscribed and then came back or do you think that I have a new issue with Outlook?
I am uninstalling Avast. I'll let you know if anything is different when I am done.


----------



## blackseat (Mar 11, 2012)

I uninstalled Avast using the Add & Remove features in the control panel. Then I went to the Windows directory and the desktop and removed any remnants of the program and the shortcut. Then I tried to uninstall the infected program in regular mode and safe mode. Both were ineffective and I received the same error message that the program could not be uninstalled because another program was using the file. Please turn off the other programs and try again. (sort of like that). So, we are right back where we were before. What now?


----------



## Cheeseball81 (Mar 3, 2004)

Hmmm, you never unsubscribed though so I don't think me unsubscribing at the time would have anything to do with it.

Unless my replies are going to a spam folder?

Are you receiving the error when trying to remove Avast remnants? Because we could try the Avast Uninstaller: http://www.avast.com/uninstall-utility


----------



## blackseat (Mar 11, 2012)

Nope. The message said it was a successful uninstall. I'll go way back to a prior question. Is there any way to determine what program might be using the infected file? Is there any way a hacker could set this up to lock the permissions in the registry? Is there anything stupid that I am not asking?


----------



## Cheeseball81 (Mar 3, 2004)

Open Notepad and copy and paste the text in the quote box below into it:



> KillAll::
> 
> File::
> C:\windows\system32\C_72651070.nls
> C:\windows\system32\C_7265170.nls


Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.



This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------



## blackseat (Mar 11, 2012)

First of all there is no C_72651070.nls file. That was the mistake I referred to earlier. Only the C_7265170.nls file. 
I did what you asked anyway though. The ComboFix program said that it had become obsolete? I pushed the yes button anyway to run the program in its limited capacity and the program, icon and everything disappeared. I had to completely download the program again. When I did, I double clicked the file without including the quote you sent. The program started. I was afraid that it might show something stopping and doing it right might omit. So, you have two instances of the ComboFix log. I renamed them combofix1 and combofix2. They are both enclosed here along with the new HijackThis file. Let me know.

*COMBOFIX1*
ComboFix 12-04-03.02 - User 04/03/2012 21:49:40.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.215 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\D1B5B4F1.TMP
c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP
c:\documents and settings\User\Application Data\SystemProc
c:\documents and settings\User\WINDOWS
c:\program files\Common Files\System\Uninstall
c:\program files\Power Search Tool
c:\program files\Power Search Tool\alert_plugin.dll
c:\program files\Power Search Tool\basis.xml
c:\program files\Power Search Tool\ebay.bmp
c:\program files\Power Search Tool\icons.bmp
c:\program files\Power Search Tool\logo-4.bmp
c:\program files\Power Search Tool\mbback.bmp
c:\program files\Power Search Tool\mbbigopen.bmp
c:\program files\Power Search Tool\mbclose.bmp
c:\program files\Power Search Tool\mbfwd.bmp
c:\program files\Power Search Tool\mbsep.bmp
c:\program files\Power Search Tool\nav1c.bmp
c:\program files\Power Search Tool\options.html
c:\program files\Power Search Tool\PowerSearchTool4_0.crc
c:\program files\Power Search Tool\version.txt
C:\Win.Msi
c:\win.msi\3proxy.cfg
c:\win.msi\alg.exe
c:\win.msi\cssrs.exe
c:\win.msi\DiskDoctor.lnk
c:\win.msi\System.exe
c:\windows\system32\Cache
.
.
((((((((((((((((((((((((( Files Created from 2012-03-04 to 2012-04-04 )))))))))))))))))))))))))))))))
.
.
2012-03-11 21:58 . 2012-03-11 21:58 388096 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-11 21:58 . 2012-03-11 21:58 -------- d-----w- c:\program files\Trend Micro
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-03 09:22 . 2003-07-16 16:45 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 04:12 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2005-01-21 04:26 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2006-12-13 03:12 . 2006-12-21 15:56 66648 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-12-13 03:12 . 2006-12-21 15:56 54352 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-12-13 03:12 . 2006-12-21 15:56 34928 -c--a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-12-13 03:12 . 2006-12-21 15:57 46696 -c--a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-12-13 03:12 . 2006-12-21 15:57 172120 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
.
((((((((((((((((((((((((((((( [email protected]_22.40.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-03 22:04 . 2012-04-03 22:04 16384 c:\windows\Temp\Perflib_Perfdata_64c.dat
- 2004-12-04 23:12 . 2012-02-06 22:37 65536 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-12-04 23:12 . 2012-03-25 16:37 65536 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-12-04 23:12 . 2012-02-06 22:37 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-12-04 23:12 . 2012-03-25 16:37 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-03-25 16:37 . 2012-03-25 16:37 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-12-04 23:12 . 2012-02-06 22:37 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-10-03 21:16 . 2012-04-03 22:04 221083 c:\windows\system32\inetsrv\MetaBase.bin
- 2004-12-04 14:47 . 2012-02-17 21:26 278944 c:\windows\system32\FNTCACHE.DAT
+ 2004-12-04 14:47 . 2012-03-14 22:59 278944 c:\windows\system32\FNTCACHE.DAT
+ 2011-08-09 19:48 . 2012-01-09 16:20 139784 c:\windows\system32\dllcache\rdpwd.sys
+ 2008-10-14 21:56 . 2012-02-03 09:22 1860096 c:\windows\system32\dllcache\win32k.sys
+ 2005-06-20 17:18 . 2012-03-04 23:23 54215544 c:\windows\system32\MRT.exe
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\3d329fc.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\3a38ab4.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\373bf6a.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\3732e53.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\3713a6d.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\37026f3.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\3701454.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\36f4103.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\3590ea9.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\34e80c4.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\3440896.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\336273c.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\334cde.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\32287af.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\31f7ca2.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\318235f.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\3119d6f.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\22e822b.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\20236f9.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\1e7580f.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\19e4009.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\136ad76.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PMSpeed"="c:\program files\NewSoft\Presto! PageManager 8 for EP\PMSpeed.EXE" [2008-12-09 55120]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"IndexTray"="c:\program files\Sharp\Sharpdesk\IndexTray.exe" [2003-01-22 106496]
"SharpTray"="c:\program files\Sharp\Sharpdesk\SharpTray.exe" [2003-01-22 28672]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-06-05 843776]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2008-05-24 26448]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
DiskDoctor.lnk - c:\win.msi\alg.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-5-16 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
PHOTOfunSTUDIO -viewer-.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe [2008-12-25 40960]
Start Network Scanner Tool.lnk - c:\program files\Sharp\Sharpdesk\sdFTP.exe [2003-1-8 347648]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:145ca263dd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Start Network Scanner Tool.lnk]
backup=c:\windows\pss\Start Network Scanner Tool.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexTray]
2003-01-22 19:43 106496 ----a-w- c:\program files\Sharp\Sharpdesk\IndexTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SharpTray]
2003-01-22 19:52 28672 ----a-w- c:\program files\Sharp\Sharpdesk\SharpTray.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Sharp\\Sharpdesk\\sdFTP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool09\\ENEasyApp.exe"=
"c:\\Program Files\\NewSoft\\Presto! PageManager 8 for EP\\LicenseCheck.exe"=
"c:\\Program Files\\FreeFileViewer\\FFVCheckForUpdates.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*isabledxpsp2res.dll,-22009
.
R1 cmosa;cmosa;c:\windows\system32\drivers\cmosa.sys [12/4/2004 5:45 PM 29344]
R1 prcmondrv;prcmondrv;c:\windows\system32\drivers\prcmondrv1041.sys [9/20/2009 2:36 PM 18432]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [9/8/2006 1:51 PM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [9/8/2006 1:51 PM 3904]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [6/23/2003 1:15 PM 163408]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [6/23/2003 1:15 PM 499680]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 PRISM_USB;Dell TrueMobile 1180 Wireless USB Adapter;c:\windows\system32\drivers\DELUSB_51.sys [2/5/2009 6:58 PM 606208]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [6/13/2003 5:45 PM 19232]
S3 XIRLINK;Dsc Pro Digital 640 Camera;c:\windows\system32\drivers\C-itNT.sys [11/30/2005 7:51 PM 447245]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-03 c:\windows\Tasks\FreeFileViewerUpdateChecker.job
- c:\program files\FreeFileViewer\FFVCheckForUpdates.exe [2011-10-13 22:24]
.
2012-03-30 c:\windows\Tasks\User_Feed_Synchronization-{F9D2F0A3-27FC-4EFF-89F1-2C86863BCAC5}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
Trusted Zone: microsoft.com\office
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5CC8BCC7-1DB1-4BAA-9D0E-C4617DF3074B}: NameServer = 68.4.16.30,68.6.16.30
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {02E09B2E-2A03-4572-9291-69900C068564} - hxxp://www.learnitcorp.com/cabs/lcsim.cab
DPF: {944713E8-1F29-42D9-ABD5-557728B9AC97} - hxxps://ilnet.wellsfargo.com/ilonline/clickloan/ptclickloanwf.cab
DPF: {A2EBA59E-C601-4AE3-900B-6B61F29500BE} - hxxps://widow1.factualdata.com/ocx/print3.ocx
DPF: {E08B60AF-05F9-41A5-BF6E-80143269FB81} - hxxp://www.clickloan.com/CAB/ByteClickLoan/1,0,0,1/ByteClickLoan.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\k977uck8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-03 22:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1214440339-1563985344-854245398-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C1D66034-199B-5834-FAD091A744E2DF52}\{A9398372-0762-3A7E-A7C8ABB3F38F2F6E}\{F18374B6-D35D-16D4-9DBDDA1016548C70}*]
"Q3FBLH6RIF6MYMN6VD31LVQSMD1"=hex:01,00,00,00,00,00,00,00,5c,63,e8,cf,f7,e6,fd,
3a
.
Completion time: 2012-04-03 22:21:25
ComboFix-quarantined-files.txt 2012-04-04 05:21
ComboFix2.txt 2012-03-13 22:55
.
Pre-Run: 7,703,244,800 bytes free
Post-Run: 7,705,792,512 bytes free
.
- - End Of File - - 287A63E5FEAB386C115344D2077EF7AB

*COMBOFIX2*
ComboFix 12-04-03.02 - User 04/03/2012 22:34:03.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.123 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
.
FILE ::
"c:\windows\system32\C_72651070.nls"
"c:\windows\system32\C_7265170.nls"
.
.
((((((((((((((((((((((((( Files Created from 2012-03-04 to 2012-04-04 )))))))))))))))))))))))))))))))
.
.
2012-03-25 16:40 . 2012-03-25 16:51 -------- d-----w- c:\program files\Google
2012-03-18 01:20 . 2012-03-23 05:05 -------- d-----w- C:\Sites
2012-03-11 21:58 . 2012-03-11 21:58 388096 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-11 21:58 . 2012-03-11 21:58 -------- d-----w- c:\program files\Trend Micro
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-03 09:22 . 2003-07-16 16:45 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 04:12 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2005-01-21 04:26 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2006-12-13 03:12 . 2006-12-21 15:56 66648 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-12-13 03:12 . 2006-12-21 15:56 54352 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-12-13 03:12 . 2006-12-21 15:56 34928 -c--a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-12-13 03:12 . 2006-12-21 15:57 46696 -c--a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-12-13 03:12 . 2006-12-21 15:57 172120 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
.
((((((((((((((((((((((((((((( [email protected]_22.40.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-04 05:57 . 2012-04-04 05:57 16384 c:\windows\temp\Perflib_Perfdata_660.dat
- 2011-10-03 21:16 . 2012-03-13 22:38 221079 c:\windows\system32\inetsrv\MetaBase.bin
+ 2011-10-03 21:16 . 2012-04-04 05:59 221079 c:\windows\system32\inetsrv\MetaBase.bin
+ 2011-08-09 19:48 . 2012-01-09 16:20 139784 c:\windows\system32\dllcache\rdpwd.sys
+ 2008-10-14 21:56 . 2012-02-03 09:22 1860096 c:\windows\system32\dllcache\win32k.sys
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\3d329fc.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\3a38ab4.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\373bf6a.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\3732e53.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\3713a6d.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\37026f3.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\3701454.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\36f4103.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\3590ea9.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\34e80c4.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\3440896.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\336273c.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\334cde.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\32287af.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\31f7ca2.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\318235f.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\3119d6f.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\22e822b.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\20236f9.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\1e7580f.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\19e4009.msp
+ 2011-12-26 16:02 . 2011-12-26 16:02 19677184 c:\windows\Installer\136ad76.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PMSpeed"="c:\program files\NewSoft\Presto! PageManager 8 for EP\PMSpeed.EXE" [2008-12-09 55120]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"IndexTray"="c:\program files\Sharp\Sharpdesk\IndexTray.exe" [2003-01-22 106496]
"SharpTray"="c:\program files\Sharp\Sharpdesk\SharpTray.exe" [2003-01-22 28672]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-06-05 843776]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2008-05-24 26448]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
DiskDoctor.lnk - c:\win.msi\alg.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-5-16 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
PHOTOfunSTUDIO -viewer-.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe [2008-12-25 40960]
Start Network Scanner Tool.lnk - c:\program files\Sharp\Sharpdesk\sdFTP.exe [2003-1-8 347648]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:145ca263dd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Start Network Scanner Tool.lnk]
backup=c:\windows\pss\Start Network Scanner Tool.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexTray]
2003-01-22 19:43 106496 ----a-w- c:\program files\Sharp\Sharpdesk\IndexTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SharpTray]
2003-01-22 19:52 28672 ----a-w- c:\program files\Sharp\Sharpdesk\SharpTray.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Sharp\\Sharpdesk\\sdFTP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool09\\ENEasyApp.exe"=
"c:\\Program Files\\NewSoft\\Presto! PageManager 8 for EP\\LicenseCheck.exe"=
"c:\\Program Files\\FreeFileViewer\\FFVCheckForUpdates.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*isabledxpsp2res.dll,-22009
.
R1 cmosa;cmosa;c:\windows\system32\drivers\cmosa.sys [12/4/2004 5:45 PM 29344]
R1 prcmondrv;prcmondrv;c:\windows\system32\drivers\prcmondrv1041.sys [9/20/2009 2:36 PM 18432]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [9/8/2006 1:51 PM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [9/8/2006 1:51 PM 3904]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [11/15/2009 12:41 PM 632792]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [6/23/2003 1:15 PM 163408]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [6/23/2003 1:15 PM 499680]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 PRISM_USB;Dell TrueMobile 1180 Wireless USB Adapter;c:\windows\system32\drivers\DELUSB_51.sys [2/5/2009 6:58 PM 606208]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [6/13/2003 5:45 PM 19232]
S3 XIRLINK;Dsc Pro Digital 640 Camera;c:\windows\system32\drivers\C-itNT.sys [11/30/2005 7:51 PM 447245]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-04 c:\windows\Tasks\FreeFileViewerUpdateChecker.job
- c:\program files\FreeFileViewer\FFVCheckForUpdates.exe [2011-10-13 22:24]
.
2012-03-30 c:\windows\Tasks\User_Feed_Synchronization-{F9D2F0A3-27FC-4EFF-89F1-2C86863BCAC5}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
Trusted Zone: microsoft.com\office
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5CC8BCC7-1DB1-4BAA-9D0E-C4617DF3074B}: NameServer = 68.4.16.30,68.6.16.30
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {02E09B2E-2A03-4572-9291-69900C068564} - hxxp://www.learnitcorp.com/cabs/lcsim.cab
DPF: {944713E8-1F29-42D9-ABD5-557728B9AC97} - hxxps://ilnet.wellsfargo.com/ilonline/clickloan/ptclickloanwf.cab
DPF: {A2EBA59E-C601-4AE3-900B-6B61F29500BE} - hxxps://widow1.factualdata.com/ocx/print3.ocx
DPF: {E08B60AF-05F9-41A5-BF6E-80143269FB81} - hxxp://www.clickloan.com/CAB/ByteClickLoan/1,0,0,1/ByteClickLoan.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\k977uck8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-03 22:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1214440339-1563985344-854245398-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C1D66034-199B-5834-FAD091A744E2DF52}\{A9398372-0762-3A7E-A7C8ABB3F38F2F6E}\{F18374B6-D35D-16D4-9DBDDA1016548C70}*]
"Q3FBLH6RIF6MYMN6VD31LVQSMD1"=hex:01,00,00,00,00,00,00,00,5c,63,e8,cf,f7,e6,fd,
3a
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3456)
c:\windows\system32\WININET.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\windows\system32\crypserv.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\windows\System32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\system32\SAgent4.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Sharp\SHARPD~1\Indexer.exe
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
.
**************************************************************************
.
Completion time: 2012-04-03 23:09:49 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-04 06:09
ComboFix2.txt 2012-03-13 22:55
.
Pre-Run: 7,719,124,992 bytes free
Post-Run: 7,707,856,896 bytes free
.
- - End Of File - - F983E708B069244A132C861C15746AE8

*HIJACK THIS*
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:42:12 PM, on 4/3/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\system32\crypserv.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\SAgent4.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sharp\Sharpdesk\IndexTray.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\NewSoft\Presto! PageManager 8 for EP\PMSpeed.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe
C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\rundll32.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe"
O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
O4 - HKLM\..\Run: [FUFAXSTM] "C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [PMSpeed] C:\Program Files\NewSoft\Presto! PageManager 8 for EP\PMSpeed.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: DiskDoctor.lnk = C:\Win.Msi\alg.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PHOTOfunSTUDIO -viewer-.lnk = C:\Program Files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe
O4 - Global Startup: Start Network Scanner Tool.lnk = C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {02E09B2E-2A03-4572-9291-69900C068564} (LCSim Control) - http://www.learnitcorp.com/cabs/lcsim.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - 
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - http://inst.c-wss.com/78/html/gtdownlr.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase969.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102275540709
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123538585406
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} - http://www.swiftview.com/product/current/licensed/svinstall_a_green.cab
O16 - DPF: {944713E8-1F29-42D9-ABD5-557728B9AC97} (PtClickLoanWF Control) - https://ilnet.wellsfargo.com/ilonline/clickloan/ptclickloanwf.cab
O16 - DPF: {A2EBA59E-C601-4AE3-900B-6B61F29500BE} (ActiveFormX Control) - https://widow1.factualdata.com/ocx/print3.ocx
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://naasystem.webex.com/client/T26L/webex/ieatgpc.cab
O16 - DPF: {E08B60AF-05F9-41A5-BF6E-80143269FB81} (ByteClickLoan Control) - http://www.clickloan.com/CAB/ByteClickLoan/1,0,0,1/ByteClickLoan.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CC8BCC7-1DB1-4BAA-9D0E-C4617DF3074B}: NameServer = 68.4.16.30,68.6.16.30
O18 - Protocol: remgopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON V5 Service4(01) (EPSON_EB_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 11238 bytes


----------



## Cheeseball81 (Mar 3, 2004)

I put both files in because of the confusion with the filename. In your fifth post, it was written as 1070.

Is it still being detected? I have something else to try if it is. I have been getting suggestions from other security gurus.


----------



## blackseat (Mar 11, 2012)

Yes it is still being detected and I am still getting multiple redirects. See if the other guys have any experience with this one.


----------



## Cheeseball81 (Mar 3, 2004)

Okay next thing we are gonna try is the program called Unlocker. It can be downloaded here: http://www.filehippo.com/download_unlocker/

If this doesn't work, I was advised we can try changing permissions on the file so that it can be deleted.


----------



## blackseat (Mar 11, 2012)

It worked! That did it for the file we were after. Should have done that one first. Problem though, I hope this one is simple. After I deleted the "170" file, I ran the normal scan and then a boot time scan to make sure the computer was cleared. I had suspicions because I still was being redirected on the web. Normal scan was clear but the boot time scan showed 2 infections. An RP file which I just moved to the chest and another one that I am hoping won't be too big of an issue. This one is a driver file, acpi.sys. The full path is C:\windows\sys32\drivers\acpi.sys. I used the unlocker to unlock it (only) but it came back to me as "there is no lock handle but can help [delete, move, etc]". I am a little afraid to try to delete this file because I don't know how critical it is to Windows. Do you have any knowledge on this? If the file is critical, can another driver be extracted anywhere to replace this one? Is there another possible solution?


----------



## Cheeseball81 (Mar 3, 2004)

I'm glad that worked finally!

I still wanna look into the redirections though. That file is pretty imperative for an OS.

Download aswMBR.exe to your desktop. Double click the aswMBR.exe to run it.

Click the "Scan" button to start the scan.
Upon completion of the scan, click *Save log*, and save it to your desktop. (*Note - do not select any Fix at this time*)
Please post the contents of that log in your next reply.
There will also be a file on your desktop named MBR.dat. Right click that file and select Send To > Compressed (zipped) folder. Please attach that zipped file in your next reply.


----------



## blackseat (Mar 11, 2012)

I also sent you a copy of the aswBoot.txt

*aswMBR.txt*

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-06 11:00:18
-----------------------------
11:00:18.771 OS Version: Windows 5.1.2600 Service Pack 3
11:00:18.771 Number of processors: 1 586 0x806
11:00:18.771 ComputerName: TED UserName: 
11:00:25.431 Initialize success
11:00:27.935 AVAST engine defs: 12040600
11:01:25.327 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:01:25.327 Disk 0 Vendor: Maxtor_5T040H4 TAH71DP0 Size: 38146MB BusType: 3
11:01:25.347 Disk 0 MBR read successfully
11:01:25.347 Disk 0 MBR scan
11:01:27.020 Disk 0 Windows XP default MBR code
11:01:27.040 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38146 MB offset 63
11:01:28.592 Disk 0 scanning sectors +78124095
11:01:29.433 Disk 0 scanning C:\WINDOWS\system32\drivers
11:02:10.362 Service scanning
11:02:45.082 Modules scanning
11:03:04.700 Disk 0 trace - called modules:
11:03:04.710 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys 
11:03:04.710 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82f75ab8]
11:03:04.710 3 CLASSPNP.SYS[f8536fd7] -> nt!IofCallDriver -> \Device\00000066[0x82fdc168]
11:03:04.940 5 ACPI.sys[f84ad620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82f91d98]
11:03:07.154 AVAST engine scan C:\WINDOWS
11:04:03.755 AVAST engine scan C:\WINDOWS\system32
11:10:24.853 AVAST engine scan C:\WINDOWS\system32\drivers
11:10:55.136 AVAST engine scan C:\Documents and Settings\User
11:30:02.647 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\MBR.dat"
11:30:02.667 The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBR.txt"

*aswBoot.txt*

04/05/2012 19:42
Scan of all local drives
File C:\System Volume Information\_restore{A77514BB-9028-4DC8-84E8-131E05E36012}\RP3445\A0429537.exe is infected by Win32:VBCrypt-AFH [Trj], Moved to chest
File C:\WINDOWS\system32\drivers\acpi.sys is infected by Win32:RLoader-B, Move to chest: Error 0xC0000121 {An attempt has been made to remove a file or directory that cannot be deleted.}
Number of searched folders: 12319
Number of tested files: 531438
Number of infected files: 2
----------------------------------------


----------



## Cheeseball81 (Mar 3, 2004)

Did you attempt to fix the file(s)?
It wasn't advised in the original post, so let's give it a shot.


Double click aswMBR.exe to run it as before.
Click the Scan button.
After a short while the scan will report "Scan finished successfully".
You should see the Fix button become active.
Click to fix the infection and wait till the scanner reports "Infection fixed successfully".
Click Save log and save the log to your desktop.
*Click EXIT & REBOOT your computer immediately.*
After reboot, copy & paste the contents of aswMBR.txt into your next reply.


----------



## blackseat (Mar 11, 2012)

I ran the scan twice. The "FIX" button didn't become active on either run. The scans appear to be identical with the initial scan. I think that the "quick scan" setting is not sensitive enough and might not be recognizing the infected file.


----------



## Cheeseball81 (Mar 3, 2004)

Please run the following:


Download *TDSSKiller* and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and double-click on *TDSSKiller.exe* to run the application, then on *Start Scan.*
If an infected file is detected, the default action will be *Cure*, click on *Continue.*
If a suspicious file is detected, the default action will be *Skip*, click on *Continue.*
It may ask you to reboot the computer to complete the process. Click on *Reboot Now*.
If no reboot is required, click on *Report*. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "*TDSSKiller.[Version]_[Date]_[Time]_log.txt*". Please copy and paste the contents of that file here.


----------



## Cheeseball81 (Mar 3, 2004)

I also wanted to add you could try running aswMBR in Safe Mode and see if it can fix it.


----------



## blackseat (Mar 11, 2012)

Good suggestion to run aswMBR in safe mode. I brain faded. When I did this I got a favorable result. The scan seemed to pick up the infection and the fix button appeared and the results report indicated a successful fix. Is there anything else that I should do now to ensure a clean fix or should I just move on to getting rid of all the fix it software?
I have posted below the before scan and after fix reports if you need to refer to them.

*SCAN*
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-07 08:18:06
-----------------------------
08:18:06.970 OS Version: Windows 5.1.2600 Service Pack 3
08:18:06.970 Number of processors: 1 586 0x806
08:18:06.970 ComputerName: TED UserName: 
08:18:08.172 Initialize success
08:18:11.296 AVAST engine defs: 12040700
08:18:16.624 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
08:18:16.644 Disk 0 Vendor: Maxtor_5T040H4 TAH71DP0 Size: 38146MB BusType: 3
08:18:16.664 Device \Driver\atapi -> DriverStartIo 82eb62c6
08:18:16.684 Disk 0 MBR read successfully
08:18:16.704 Disk 0 MBR scan
08:18:18.817 Disk 0 MBR:Alureon-M [Rtk]
08:18:18.837 Disk 0 TDL4@MBR code has been found
08:18:18.857 Disk 0 Windows XP default MBR code found via API
08:18:18.877 Disk 0 MBR hidden
08:18:18.917 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38146 MB offset 63
08:18:20.249 Disk 0 MBR [TDL4] **ROOTKIT**
08:18:20.269 Disk 0 trace - called modules:
08:18:20.299 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82eb649f]<<
08:18:20.329 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82f6aab8]
08:18:21.561 3 CLASSPNP.SYS[f8536fd7] -> nt!IofCallDriver -> \Device\00000066[0x82f923b8]
08:18:21.691 5 ACPI.sys[f84ad620] -> nt!IofCallDriver -> [0x82f91d98]
08:18:21.811 \Driver\atapi[0x82ed59f8] -> IRP_MJ_CREATE -> 0x82eb649f
08:18:22.753 AVAST engine scan C:\WINDOWS
08:19:14.527 AVAST engine scan C:\WINDOWS\system32
08:26:05.538 AVAST engine scan C:\WINDOWS\system32\drivers
08:26:38.215 AVAST engine scan C:\Documents and Settings\User
08:51:15.009 AVAST engine scan C:\Documents and Settings\All Users
08:53:09.663 Scan finished successfully
08:53:40.838 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\MBR.dat"
08:53:40.908 The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBRsafe mode.txt"

*FIX*
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-07 08:18:06
-----------------------------
08:18:06.970 OS Version: Windows 5.1.2600 Service Pack 3
08:18:06.970 Number of processors: 1 586 0x806
08:18:06.970 ComputerName: TED UserName: 
08:18:08.172 Initialize success
08:18:11.296 AVAST engine defs: 12040700
08:18:16.624 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
08:18:16.644 Disk 0 Vendor: Maxtor_5T040H4 TAH71DP0 Size: 38146MB BusType: 3
08:18:16.664 Device \Driver\atapi -> DriverStartIo 82eb62c6
08:18:16.684 Disk 0 MBR read successfully
08:18:16.704 Disk 0 MBR scan
08:18:18.817 Disk 0 MBR:Alureon-M [Rtk]
08:18:18.837 Disk 0 TDL4@MBR code has been found
08:18:18.857 Disk 0 Windows XP default MBR code found via API
08:18:18.877 Disk 0 MBR hidden
08:18:18.917 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38146 MB offset 63
08:18:20.249 Disk 0 MBR [TDL4] **ROOTKIT**
08:18:20.269 Disk 0 trace - called modules:
08:18:20.299 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82eb649f]<<
08:18:20.329 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82f6aab8]
08:18:21.561 3 CLASSPNP.SYS[f8536fd7] -> nt!IofCallDriver -> \Device\00000066[0x82f923b8]
08:18:21.691 5 ACPI.sys[f84ad620] -> nt!IofCallDriver -> [0x82f91d98]
08:18:21.811 \Driver\atapi[0x82ed59f8] -> IRP_MJ_CREATE -> 0x82eb649f
08:18:22.753 AVAST engine scan C:\WINDOWS
08:19:14.527 AVAST engine scan C:\WINDOWS\system32
08:26:05.538 AVAST engine scan C:\WINDOWS\system32\drivers
08:26:38.215 AVAST engine scan C:\Documents and Settings\User
08:51:15.009 AVAST engine scan C:\Documents and Settings\All Users
08:53:09.663 Scan finished successfully
08:53:40.838 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\MBR.dat"
08:53:40.908 The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBRsafe mode.txt"
08:53:47.298 Disk 0 MBR read successfully
08:53:48.189 Disk 0 MBR:Alureon-M [Rtk]
08:53:48.319 Disk 0 TDL4@MBR code has been found
08:53:48.469 Disk 0 fixing MBR ...
08:53:48.609 Disk 0 MBR restored successfully
08:53:48.740 Verifying disinfection
08:53:58.994 Infection fixed successfully - please reboot ASAP
08:54:23.550 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\MBR.dat"
08:54:23.580 The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBRsafemodefix.txt"

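The two aswMBR logs above carry the indicators a responder keys on: an MBR signature match, "MBR hidden" (the API read disagrees with the raw sector read), a call trace ending in unlisted code, and an atapi IRP handler redirected to that same address; the Fix run then adds "MBR restored successfully". As an added example, not part of the thread or of aswMBR, here is a small triage script that parses constructed sample lines in that log format, cross-checks the hook address against the unknown trace entry, and reports whether a Fix completed.

```python
import re

# Constructed sample in the aswMBR log format seen in this thread, reduced to
# the lines a triager keys on (not the poster's full log).
SCAN_LOG = """\
08:18:18.817 Disk 0 MBR:Alureon-M [Rtk]
08:18:18.877 Disk 0 MBR hidden
08:18:20.249 Disk 0 MBR [TDL4] **ROOTKIT**
08:18:20.299 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82eb649f]<<
08:18:21.811 \\Driver\\atapi[0x82ed59f8] -> IRP_MJ_CREATE -> 0x82eb649f
08:53:09.663 Scan finished successfully
"""
FIX_LOG = SCAN_LOG + """\
08:53:48.609 Disk 0 MBR restored successfully
08:53:58.994 Infection fixed successfully - please reboot ASAP
"""

# (regex, reason) pairs; regex groups become the finding's details.
INDICATORS = [
    (r"Disk (\d+) MBR:(\S+) \[Rtk\]", "MBR matches a rootkit signature"),
    (r"Disk (\d+) MBR hidden", "MBR read via API differs from raw sector read"),
    (r"Disk (\d+) MBR \[(\w+)\] \*\*ROOTKIT\*\*", "rootkit verdict on MBR"),
    (r">>UNKNOWN \[(0x[0-9a-f]+)\]<<", "disk call trace ends in unlisted code"),
    (r"\\Driver\\(\w+)\[0x[0-9a-f]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-f]+)",
     "driver IRP dispatch redirected"),
]

def triage(log: str) -> dict:
    """Summarise one aswMBR log: findings, whether the redirected IRP handler
    is the same address as the unknown trace entry, and whether a Fix ran."""
    findings, unknown_addr, hook_addr = [], None, None
    for line in log.splitlines():
        for pattern, reason in INDICATORS:
            m = re.search(pattern, line)
            if not m:
                continue
            findings.append((reason, m.groups()))
            if reason.startswith("disk call trace"):
                unknown_addr = m.group(1)
            elif reason.startswith("driver IRP"):
                hook_addr = m.group(3)
    return {
        "findings": findings,
        "infected": any(r == "rootkit verdict on MBR" for r, _ in findings),
        # Same address on both lines: the hooked handler is the unknown code.
        "hook_is_unknown_code": unknown_addr is not None and unknown_addr == hook_addr,
        "fixed": "MBR restored successfully" in log
                 and "Infection fixed successfully" in log,
    }
```

Run against a real aswMBR.txt, a result with `infected` true and `fixed` false is the state of the first two logs in this thread; `fixed` only turns true once the Fix lines appear, which is the check the helper asked for before suggesting a new restore point.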

----------



## Cheeseball81 (Mar 3, 2004)

I would do another scan with Avast and then I think we should set a new restore point.

1. Close any programs that are open.
2. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore. The System Restore Wizard opens.

Note: If the System Restore Wizard does not open, the System Restore feature may be turned off. To turn System Restore on, see the "More Information" section in this article.

3. Click Create a restore point, and then click Next.
4. In the Restore point description box, type a description for the restore point. Use a description that is easy to understand. If you are creating a restore point before you install specific software or hardware, you could use that information in the description.

Note: The date and time are automatically added to your restore point. Therefore, you do not have to use them in your description.

5. Do one of the following:
   - To finish creating this restore point, click the Create button. The System Restore Wizard notifies you when the restore point is created.
   - To stop creating a restore point and to return to the Welcome to System Restore page, click the Back button.
   - To stop creating a restore point and to exit the System Restore Wizard, click the Cancel button.

6. When you are finished, click the Close button.


----------



## blackseat (Mar 11, 2012)

Thanks for everything. I am really surprised that you hung in there. I ran the scan again and then ran another boot time scan. It produced 2 minor infections and moved them both to the chest. Then I ran another one. It was clean so I established a restore point, as you suggested. The infection is gone and the redirects aren't happening right now. I think I am finally good.
It's two days later now and I still don't have new infections and no redirects. Seems like I am finally good. I am going to mark the thread solved. Thanks again for all your help.


----------



## Cheeseball81 (Mar 3, 2004)

You're welcome 

I'm really glad we were able to resolve this and happy to hear things are running better.


----------

