Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page HJT log
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
 
LinkBack Thread Tools
Old 11-01-2008, 02:14 PM   #1 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 11
OS: xp


HJT log
Ad-Aware keeps detecting 70+ hits, I clean it out and run it again and they come back

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:06 PM, on 11/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [hcsystray] C:\Program Files\Kuma Games\hcsystray\hc_tray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: PokerTime Poker - {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79} - C:\Microgaming\Poker\pokertimeMPP\MPPoker.exe
O9 - Extra button: Doyles Room Poker - {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: CarbonPoker - {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\Documents and Settings\mike\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144112257468
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Regi...CX/flashax.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O24 - Desktop Component 0: (no name) - http://www.uogamers.com/forum/images...artakus_bg.gif

--
End of file - 8657 bytes
cindyp is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 11-04-2008, 12:07 PM   #2 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,241
OS: XP SP3


Re: HJT log
Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

If you're not receiving help elsewhere and still require assistance for this issue, please follow the process outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

After running through all the steps, you shall have a proper set of logs. Please post/attach as instructed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your next reply.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-04-2008, 09:13 PM   #3 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 11
OS: xp


Re: HJT log
Hi chemist, thanks for your reply.

Here is the gmer.txt

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-05 00:18:06
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xF600A7B6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xF6009D16]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xF600A372]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateKey [0xF600AF80]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0xF6009A70]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xF600BC70]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xF600A99C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThread [0xF6009646]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteKey [0xF600ABEA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteValueKey [0xF600AD9A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0xF60094F8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xF600B8F2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xF6009F5C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xF600A5AA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenProcess [0xF6009228]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xF600A1EC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenThread [0xF60093A0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xF600B346]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xF6009B8E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0xF600B6AA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xF600BAA0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetValueKey [0xF600B146]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xF6009EF6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xF600A0E0]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF5EF1F20]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0xF6009808]

---- Kernel code sections - GMER 1.0.14 ----

? MFX.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\wdfmgr.exe[244] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[244] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[244] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 26, 84 ]
.text C:\WINDOWS\system32\wdfmgr.exe[244] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wdfmgr.exe[244] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wdfmgr.exe[244] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\wdfmgr.exe[244] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[244] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[244] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[244] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[244] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[244] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[244] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\wdfmgr.exe[244] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[244] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\MsPMSPSv.exe[360] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\MsPMSPSv.exe[360] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\MsPMSPSv.exe[360] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 22, 84 ]
.text C:\WINDOWS\system32\MsPMSPSv.exe[360] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\MsPMSPSv.exe[360] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\MsPMSPSv.exe[360] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\MsPMSPSv.exe[360] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\MsPMSPSv.exe[360] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\MsPMSPSv.exe[360] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\MsPMSPSv.exe[360] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\MsPMSPSv.exe[360] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\MsPMSPSv.exe[360] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\MsPMSPSv.exe[360] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\MsPMSPSv.exe[360] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\MsPMSPSv.exe[360] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\csrss.exe[580] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 9E, 84 ]
.text C:\WINDOWS\system32\csrss.exe[580] KERNEL32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\csrss.exe[580] KERNEL32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\csrss.exe[580] KERNEL32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[604] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[604] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, FB, 84 ]
.text C:\WINDOWS\system32\winlogon.exe[604] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\winlogon.exe[604] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\winlogon.exe[604] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\winlogon.exe[604] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[604] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[604] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[604] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[604] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[604] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[604] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\winlogon.exe[604] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[604] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[648] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 75, 84 ]
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\services.exe[648] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\services.exe[648] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[648] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[648] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[648] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[648] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[648] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[648] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\services.exe[648] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[648] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[660] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[660] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, AC, 84 ]
.text C:\WINDOWS\system32\lsass.exe[660] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\lsass.exe[660] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\lsass.exe[660] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\lsass.exe[660] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[660] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[660] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[660] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[660] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[660] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[660] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\lsass.exe[660] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[660] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 5F, 84 ]
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[808] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[808] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[860] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[860] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 80, 84 ]
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[860] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[860] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[860] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[860] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[860] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[860] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[860] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[860] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[860] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[960] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[960] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[960] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, BB, 85 ]
.text C:\WINDOWS\System32\svchost.exe[960] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\svchost.exe[960] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[960] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\svchost.exe[960] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[960] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[960] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[960] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[960] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[960] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[960] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\System32\svchost.exe[960] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[960] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1072] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1072] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 5B, 84 ]
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[1072] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1072] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1072] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1072] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1072] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1072] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1072] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[1072] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1072] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1188] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1188] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 73, 84 ]
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[1188] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1188] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1188] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1188] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1188] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1188] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1188] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[1188] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1188] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1256] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 003B5690 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1256] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 003B55C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1256] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, C6, 88 ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1256] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1256] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1256] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1256] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 003B1860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1256] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 003B1230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1256] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 003B13C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1256] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 49, 88 ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1256] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 003B5250 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1256] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 003B16D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1256] USER32.dll!keybd_event 7E466783 5 Bytes JMP 003B1550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1256] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 003B4F60 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1256] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 003B50E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1296] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1296] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1296] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 5C, 84 ]
.text C:\WINDOWS\Explorer.EXE[1296] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[1296] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\Explorer.EXE[1296] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[1296] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Explorer.EXE[1296] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1296] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1296] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1296] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\Explorer.EXE[1296] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1296] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1296] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1296] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1296] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1348] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1348] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1348] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 54, 84 ]
.text C:\WINDOWS\system32\spoolsv.exe[1348] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1348] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\spoolsv.exe[1348] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1348] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1348] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1348] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1348] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\spoolsv.exe[1348] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1348] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1348] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1348] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1348] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[1420] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[1420] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[1420] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, EA, 83 ]
.text C:\WINDOWS\System32\alg.exe[1420] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\alg.exe[1420] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\System32\alg.exe[1420] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\alg.exe[1420] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\alg.exe[1420] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[1420] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[1420] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[1420] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[1420] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[1420] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[1420] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\System32\alg.exe[1420] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[1420] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1692] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1692] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1692] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 2A, 84 ]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1692] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1692] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1692] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1692] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1692] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1692] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1692] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1692] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1692] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1692] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A179F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1692] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1720 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1692] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1764 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1692] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A16AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1692] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A16E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1692] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A17DA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1692] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1692] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1692] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1692] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1692] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1692] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[1848] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[1848] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[1848] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 74, 84 ]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1848] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1848] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1848] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1848] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[1848] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[1848] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[1848] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[1848] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[1848] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[1848] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1848] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[1848] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1864] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 00385690 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1864] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 003855C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1864] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 3E, 85 ]
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1864] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0B001E
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1864] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F05001E
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1864] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0E001E
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1864] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 00385250 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1864] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 003816D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1864] USER32.dll!keybd_event 7E466783 5 Bytes JMP 00381550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1864] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 00381860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1864] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 00381230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1864] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 003813C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1864] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 46, 88 ]
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1864] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 00384F60 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1864] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 003850E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\CTsvcCDA.exe[1960] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 50, 84 ]
.text C:\WINDOWS\system32\CTsvcCDA.exe[1960] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\CTsvcCDA.exe[1960] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\CTsvcCDA.exe[1960] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\nvsvc32.exe[2000] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 7D, 84 ]
.text C:\WINDOWS\system32\nvsvc32.exe[2000] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\nvsvc32.exe[2000] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\nvsvc32.exe[2000] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe[2024] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe[2024] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe[2024] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe[2024] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe[2024] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe[2024] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe[2024] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe[2024] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe[2024] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe[2024] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe[2024] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\mike\LOCALS~1\Temp\Temporary Directory 3 for gmer.zip\gmer.exe[2052] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 003855C0 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\mike\LOCALS~1\Temp\Temporary Directory 3 for gmer.zip\gmer.exe[2052] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 3A, 84 ]
.text C:\DOCUME~1\mike\LOCALS~1\Temp\Temporary Directory 3 for gmer.zip\gmer.exe[2052] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\DOCUME~1\mike\LOCALS~1\Temp\Temporary Directory 3 for gmer.zip\gmer.exe[2052] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\DOCUME~1\mike\LOCALS~1\Temp\Temporary Directory 3 for gmer.zip\gmer.exe[2052] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\DOCUME~1\mike\LOCALS~1\Temp\Temporary Directory 3 for gmer.zip\gmer.exe[2052] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\DOCUME~1\mike\LOCALS~1\Temp\Temporary Directory 3 for gmer.zip\gmer.exe[2052] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 00385250 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\mike\LOCALS~1\Temp\Temporary Directory 3 for gmer.zip\gmer.exe[2052] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 003816D0 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\mike\LOCALS~1\Temp\Temporary Directory 3 for gmer.zip\gmer.exe[2052] USER32.dll!keybd_event 7E466783 5 Bytes JMP 00381550 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\mike\LOCALS~1\Temp\Temporary Directory 3 for gmer.zip\gmer.exe[2052] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 00381860 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\mike\LOCALS~1\Temp\Temporary Directory 3 for gmer.zip\gmer.exe[2052] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 00381230 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\mike\LOCALS~1\Temp\Temporary Directory 3 for gmer.zip\gmer.exe[2052] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 003813C0 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\mike\LOCALS~1\Temp\Temporary Directory 3 for gmer.zip\gmer.exe[2052] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 46, 88 ]
.text C:\DOCUME~1\mike\LOCALS~1\Temp\Temporary Directory 3 for gmer.zip\gmer.exe[2052] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 00384F60 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\mike\LOCALS~1\Temp\Temporary Directory 3 for gmer.zip\gmer.exe[2052] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 003850E0 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe[2272] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe[2272] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe[2272] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 20, 84 ]
.text C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe[2272] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe[2272] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe[2272] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe[2272] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe[2272] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe[2272] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe[2272] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe[2272] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe[2272] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe[2272] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe[2272] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe[2272] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe[2272] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Rundll32.exe[2492] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Rundll32.exe[2492] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Rundll32.exe[2492] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 22, 84 ]
.text C:\WINDOWS\system32\Rundll32.exe[2492] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\Rundll32.exe[2492] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\Rundll32.exe[2492] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\Rundll32.exe[2492] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\Rundll32.exe[2492] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Rundll32.exe[2492] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Rundll32.exe[2492] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Rundll32.exe[2492] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\Rundll32.exe[2492] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Rundll32.exe[2492] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Rundll32.exe[2492] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Rundll32.exe[2492] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Rundll32.exe[2492] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\RUNDLL32.EXE[2580] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\RUNDLL32.EXE[2580] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\RUNDLL32.EXE[2580] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 22, 84 ]
.text C:\WINDOWS\system32\RUNDLL32.EXE[2580] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\RUNDLL32.EXE[2580] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\RUNDLL32.EXE[2580] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\RUNDLL32.EXE[2580] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\RUNDLL32.EXE[2580] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\RUNDLL32.EXE[2580] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\RUNDLL32.EXE[2580] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\RUNDLL32.EXE[2580] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\RUNDLL32.EXE[2580] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\RUNDLL32.EXE[2580] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\RUNDLL32.EXE[2580] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\RUNDLL32.EXE[2580] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\RUNDLL32.EXE[2580] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[2624] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, CA, 84 ]
.text C:\Program Files\COMODO\Firewall\cfp.exe[2624] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0B001E
.text C:\Program Files\COMODO\Firewall\cfp.exe[2624] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\COMODO\Firewall\cfp.exe[2624] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F05001E
.text C:\Program Files\COMODO\Firewall\cfp.exe[2624] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0E001E
.text C:\Program Files\PC Tools AntiVirus\PCTAV.exe[2680] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\PC Tools AntiVirus\PCTAV.exe[2680] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\PC Tools AntiVirus\PCTAV.exe[2680] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 50, 84 ]
.text C:\Program Files\PC Tools AntiVirus\PCTAV.exe[2680] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\PC Tools AntiVirus\PCTAV.exe[2680] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\PC Tools AntiVirus\PCTAV.exe[2680] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\PC Tools AntiVirus\PCTAV.exe[2680] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\PC Tools AntiVirus\PCTAV.exe[2680] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\PC Tools AntiVirus\PCTAV.exe[2680] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\PC Tools AntiVirus\PCTAV.exe[2680] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\PC Tools AntiVirus\PCTAV.exe[2680] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\PC Tools AntiVirus\PCTAV.exe[2680] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\PC Tools AntiVirus\PCTAV.exe[2680] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\PC Tools AntiVirus\PCTAV.exe[2680] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\PC Tools AntiVirus\PCTAV.exe[2680] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\PC Tools AntiVirus\PCTAV.exe[2680] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[2768] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[2768] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[2768] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 24, 84 ]
.text C:\WINDOWS\system32\ctfmon.exe[2768] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2768] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\ctfmon.exe[2768] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\ctfmon.exe[2768] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2768] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[2768] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[2768] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[2768] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[2768] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[2768] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[2768] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\ctfmon.exe[2768] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[2768] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2872] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2872] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2872] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, A0, 84 ]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2872] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2872] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2872] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2872] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2872] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2872] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2872] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2872] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2872] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2872] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2872] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2872] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2872] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F8478710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F8478770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F8478990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F8478950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F8478950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F8478770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F8478710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F8478990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F8478990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F8478950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F8478770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F8478710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F8478950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F8478990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F8478710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F8478770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F8478710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F8478770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F8478950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F8478990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F8478950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F8478770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F8478710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F8478950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F8478990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F8478710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F8478770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs MFX.sys
AttachedDevice \FileSystem\Ntfs \Ntfs AVHook.sys (PC Tools Filter Driver for Windows 2000/XP/PC Tools Research Pty Ltd.)
AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \FileSystem\Fastfat \Fat MFX.sys
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVRec.sys (PC Tools Recognizer Driver for Windows 2000/XP/PC Tools Research Pty Ltd )

---- Files - GMER 1.0.14 ----

File C:\SYZ_DAT 0 bytes
File C:\SYZ_DAT\ali.exe 28672 bytes executable
File C:\SYZ_DAT\cdlock.dll 49152 bytes executable
File C:\SYZ_DAT\cpy.exe 32768 bytes executable
File C:\SYZ_DAT\dirlist 250 bytes
File C:\SYZ_DAT\dirlist_bak 250 bytes
File C:\SYZ_DAT\DL.BAK 250 bytes
File C:\SYZ_DAT\EMF_Decrypt.exe 126976 bytes executable
File C:\SYZ_DAT\fldrvw61.ocx 417792 bytes
File C:\SYZ_DAT\install.exe 1138688 bytes executable
File C:\SYZ_DAT\magic.exe 24576 bytes executable
File C:\SYZ_DAT\mf.chm 33137 bytes
File C:\SYZ_DAT\mf.txx 24994 bytes
File C:\SYZ_DAT\mfx 52108 bytes executable
File C:\SYZ_DAT\MFX.CFG 104 bytes
File C:\SYZ_DAT\mfx_cfg.org 93 bytes
File C:\SYZ_DAT\readme.txt 3162 bytes
File C:\SYZ_DAT\systray.exe 32768 bytes executable
File C:\SYZ_DAT\tb.exe 24576 bytes executable
File C:\WINDOWS\system32\drivers\MFX.SYS 52108 bytes executable

---- EOF - GMER 1.0.14 ----
cindyp is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-04-2008, 09:14 PM   #4 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 11
OS: xp


Re: HJT log
Here's the RSIT log.txt

Logfile of random's system information tool 1.04 (written by random/random)
Run by mike at 2008-11-05 00:22:27
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 22 GB (57%) free of 38 GB
Total RAM: 511 MB (35% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:48 AM, on 11/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\mike\Desktop\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\mike.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [hcsystray] C:\Program Files\Kuma Games\hcsystray\hc_tray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: PokerTime Poker - {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79} - C:\Microgaming\Poker\pokertimeMPP\MPPoker.exe
O9 - Extra button: Doyles Room Poker - {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: CarbonPoker - {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\Documents and Settings\mike\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144112257468
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Regi...CX/flashax.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O24 - Desktop Component 0: (no name) - http://www.uogamers.com/forum/images...artakus_bg.gif

--
End of file - 8853 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SideWinderTrayV4"=C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe [2000-06-02 24650]
"hcsystray"=C:\Program Files\Kuma Games\hcsystray\hc_tray.exe [2006-11-01 30928]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2007-12-05 8523776]
"nwiz"=nwiz.exe /install []
"P17Helper"=Rundll32 P17.dll []
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2007-12-05 81920]
"COMODO Firewall Pro"=C:\Program Files\COMODO\Firewall\cfp.exe [2008-10-30 1797880]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-09-06 413696]
"PCTAVApp"=C:\Program Files\PC Tools AntiVirus\PCTAV.exe [2008-09-25 1370000]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"Aim6"=C:\Program Files\AIM6\aim6.exe [2008-01-03 50528]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2008-10-14 1576176]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=" C:\WINDOWS\system32\guard32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2008-08-25 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-02-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-20 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PCTAVSvc]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"RunStartupScriptSync"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"RunStartupScriptSync"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\EA Games\Ultima Online Mondain's Legacy\client.exe"="C:\Program Files\EA Games\Ultima Online Mondain's Legacy\client.exe:*:Enabled:client"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\CarbonPoker\client.exe"="C:\Program Files\CarbonPoker\client.exe:*:Enabled:Carbon Poker Client"
"C:\Program Files\Poker.com\client.exe"="C:\Program Files\Poker.com\client.exe:*:Enabled:Poker.com Client"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 2 months======

2008-11-05 00:22:27 ----D---- C:\rsit
2008-11-04 23:38:46 ----A---- C:\WINDOWS\gmer.ini
2008-11-04 23:38:45 ----RA---- C:\WINDOWS\gmer.exe
2008-11-04 23:38:45 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2008-11-04 23:38:45 ----A---- C:\WINDOWS\gmer.dll
2008-11-04 01:39:36 ----A---- C:\WINDOWS\ntbtlog.txt
2008-10-24 20:59:15 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-10-19 17:21:44 ----D---- C:\Documents and Settings\mike\Application Data\PC Tools
2008-10-19 17:20:44 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-19 17:20:26 ----D---- C:\Program Files\Common Files\PC Tools
2008-10-19 17:20:17 ----D---- C:\Program Files\PC Tools AntiVirus
2008-10-19 17:20:17 ----D---- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-10-19 16:23:00 ----D---- C:\Program Files\Lavasoft
2008-10-19 16:22:59 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-14 20:34:52 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-10-14 20:34:40 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-14 20:34:23 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-10-14 20:33:17 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-10-14 20:32:55 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-09-20 19:28:42 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2008-09-20 08:08:34 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2008-09-20 08:04:35 ----D---- C:\WINDOWS\Prefetch
2008-09-20 02:57:19 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-09-20 02:57:04 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-09-20 02:56:50 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2008-09-20 02:56:36 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-09-20 02:56:23 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-09-20 02:56:09 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2008-09-20 02:55:51 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-09-20 02:55:37 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-09-20 02:55:23 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-09-20 02:55:07 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-09-20 02:54:54 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-09-20 02:49:10 ----D---- C:\WINDOWS\system32\scripting
2008-09-20 02:49:09 ----D---- C:\WINDOWS\l2schemas
2008-09-20 02:49:07 ----D---- C:\WINDOWS\system32\en
2008-09-20 02:49:06 ----D---- C:\WINDOWS\system32\bits
2008-09-20 02:45:01 ----D---- C:\WINDOWS\ServicePackFiles
2008-09-20 02:36:30 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2008-09-20 02:36:27 ----D---- C:\WINDOWS\EHome
2008-09-20 01:56:51 ----N---- C:\WINDOWS\system32\wmphoto.dll
2008-09-20 01:56:49 ----N---- C:\WINDOWS\system32\wlanapi.dll
2008-09-20 01:56:46 ----N---- C:\WINDOWS\system32\windowscodecsext.dll
2008-09-20 01:56:45 ----N---- C:\WINDOWS\system32\windowscodecs.dll
2008-09-20 01:56:18 ----N---- C:\WINDOWS\system32\tspkg.dll
2008-09-20 01:56:18 ----N---- C:\WINDOWS\system32\tsgqec.dll
2008-09-20 01:56:11 ----N---- C:\WINDOWS\system32\spupdwxp.exe
2008-09-20 01:56:08 ----A---- C:\WINDOWS\system32\spdwnwxp.exe
2008-09-20 01:56:06 ----N---- C:\WINDOWS\system32\slserv.exe
2008-09-20 01:56:06 ----N---- C:\WINDOWS\system32\slrundll.exe
2008-09-20 01:56:06 ----N---- C:\WINDOWS\system32\slgen.dll
2008-09-20 01:56:06 ----N---- C:\WINDOWS\system32\slextspk.dll
2008-09-20 01:56:06 ----N---- C:\WINDOWS\system32\slcoinst.dll
2008-09-20 01:56:06 ----N---- C:\WINDOWS\slrundll.exe
2008-09-20 01:56:01 ----N---- C:\WINDOWS\system32\setupn.exe
2008-09-20 01:55:58 ----N---- C:\WINDOWS\system32\s3gnb.dll
2008-09-20 01:55:57 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2008-09-20 01:55:54 ----N---- C:\WINDOWS\system32\rasqec.dll
2008-09-20 01:55:53 ----N---- C:\WINDOWS\system32\qutil.dll
2008-09-20 01:55:49 ----N---- C:\WINDOWS\system32\qcliprov.dll
2008-09-20 01:55:49 ----N---- C:\WINDOWS\system32\qagentrt.dll
2008-09-20 01:55:49 ----N---- C:\WINDOWS\system32\qagent.dll
2008-09-20 01:55:46 ----N---- C:\WINDOWS\system32\photometadatahandler.dll
2008-09-20 01:55:43 ----N---- C:\WINDOWS\system32\onex.dll
2008-09-20 01:55:30 ----N---- C:\WINDOWS\system32\napstat.exe
2008-09-20 01:55:30 ----N---- C:\WINDOWS\system32\napmontr.dll
2008-09-20 01:55:30 ----N---- C:\WINDOWS\system32\napipsec.dll
2008-09-20 01:55:29 ----N---- C:\WINDOWS\system32\mtxparhd.dll
2008-09-20 01:55:29 ----N---- C:\WINDOWS\system32\msxml6r.dll
2008-09-20 01:55:28 ----N---- C:\WINDOWS\system32\msxml6.dll
2008-09-20 01:55:25 ----N---- C:\WINDOWS\system32\msshavmsg.dll
2008-09-20 01:55:25 ----N---- C:\WINDOWS\system32\mssha.dll
2008-09-20 01:55:09 ----N---- C:\WINDOWS\system32\mmcperf.exe
2008-09-20 01:55:09 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
2008-09-20 01:55:09 ----N---- C:\WINDOWS\system32\mmcex.dll
2008-09-20 01:55:09 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-09-20 01:55:07 ----N---- C:\WINDOWS\system32\mdmxsdk.dll
2008-09-20 01:54:55 ----N---- C:\WINDOWS\system32\l2gpstore.dll
2008-09-20 01:54:54 ----N---- C:\WINDOWS\system32\kmsvc.dll
2008-09-20 01:54:54 ----N---- C:\WINDOWS\system32\kbdpash.dll
2008-09-20 01:54:54 ----N---- C:\WINDOWS\system32\kbdnepr.dll
2008-09-20 01:54:54 ----N---- C:\WINDOWS\system32\kbdiultn.dll
2008-09-20 01:54:54 ----N---- C:\WINDOWS\system32\kbdbhc.dll
2008-09-20 01:54:51 ----N---- C:\WINDOWS\system32\ir50_qcx.dll
2008-09-20 01:54:51 ----N---- C:\WINDOWS\system32\ir50_qc.dll
2008-09-20 01:54:51 ----N---- C:\WINDOWS\system32\ir50_32.dll
2008-09-20 01:54:41 ----N---- C:\WINDOWS\system32\hsfcisp2.dll
2008-09-20 01:54:35 ----N---- C:\WINDOWS\system32\faxpatch.exe
2008-09-20 01:54:35 ----A---- C:\WINDOWS\002776_.tmp
2008-09-20 01:54:32 ----N---- C:\WINDOWS\system32\eapsvc.dll
2008-09-20 01:54:32 ----N---- C:\WINDOWS\system32\eapqec.dll
2008-09-20 01:54:32 ----N---- C:\WINDOWS\system32\eappprxy.dll
2008-09-20 01:54:32 ----N---- C:\WINDOWS\system32\eapphost.dll
2008-09-20 01:54:32 ----N---- C:\WINDOWS\system32\eappgnui.dll
2008-09-20 01:54:32 ----N---- C:\WINDOWS\system32\eappcfg.dll
2008-09-20 01:54:32 ----N---- C:\WINDOWS\system32\eapp3hst.dll
2008-09-20 01:54:32 ----N---- C:\WINDOWS\system32\eapolqec.dll
2008-09-20 01:54:30 ----N---- C:\WINDOWS\system32\dot3ui.dll
2008-09-20 01:54:30 ----N---- C:\WINDOWS\system32\dot3svc.dll
2008-09-20 01:54:30 ----N---- C:\WINDOWS\system32\dot3msm.dll
2008-09-20 01:54:30 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
2008-09-20 01:54:30 ----N---- C:\WINDOWS\system32\dot3dlg.dll
2008-09-20 01:54:29 ----N---- C:\WINDOWS\system32\dot3cfg.dll
2008-09-20 01:54:29 ----N---- C:\WINDOWS\system32\dot3api.dll
2008-09-20 01:54:28 ----N---- C:\WINDOWS\system32\dimsroam.dll
2008-09-20 01:54:28 ----N---- C:\WINDOWS\system32\dimsntfy.dll
2008-09-20 01:54:27 ----N---- C:\WINDOWS\system32\dhcpqec.dll
2008-09-20 01:54:24 ----N---- C:\WINDOWS\system32\credssp.dll
2008-09-20 01:54:17 ----N---- C:\WINDOWS\system32\bitsprx4.dll
2008-09-20 01:54:17 ----N---- C:\WINDOWS\system32\azroles.dll
2008-09-20 01:54:15 ----N---- C:\WINDOWS\system32\ativvaxx.dll
2008-09-20 01:54:15 ----N---- C:\WINDOWS\system32\ativtmxx.dll
2008-09-20 01:54:14 ----N---- C:\WINDOWS\system32\ati3duag.dll
2008-09-20 01:54:14 ----N---- C:\WINDOWS\system32\ati3d1ag.dll
2008-09-20 01:54:14 ----N---- C:\WINDOWS\system32\ati2dvag.dll
2008-09-20 01:54:14 ----N---- C:\WINDOWS\system32\ati2dvaa.dll
2008-09-20 01:54:14 ----N---- C:\WINDOWS\system32\ati2cqag.dll
2008-09-20 01:54:08 ----N---- C:\WINDOWS\system32\aaclient.dll
2008-09-14 20:34:29 ----D---- C:\Program Files\Common Files\Apple
2008-09-14 20:34:12 ----D---- C:\Program Files\QuickTime
2008-09-14 20:32:25 ----D---- C:\Program Files\Apple Software Update
2008-09-10 07:36:31 ----HDC---- C:\WINDOWS\$NtUninstallKB938464_0$

======List of files/folders modified in the last 2 months======

2008-11-05 00:21:01 ----D---- C:\WINDOWS
2008-11-04 23:38:45 ----D---- C:\WINDOWS\system32\drivers
2008-11-04 22:53:53 ----D---- C:\WINDOWS\TEMP
2008-11-04 22:46:39 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-04 01:40:59 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-04 00:57:31 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-03 00:56:46 ----AD---- C:\Program Files
2008-11-03 00:08:24 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-11-02 09:01:07 ----D---- C:\WINDOWS\system32
2008-11-02 09:01:07 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-10-30 22:40:33 ----A---- C:\WINDOWS\system32\guard32.dll
2008-10-29 00:08:16 ----D---- C:\WINDOWS\Minidump
2008-10-24 20:59:24 ----HD---- C:\WINDOWS\inf
2008-10-24 20:59:17 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-10-24 20:58:35 ----HD---- C:\WINDOWS\$hf_mig$
2008-10-19 17:20:26 ----D---- C:\Program Files\Common Files
2008-10-19 16:24:17 ----SHD---- C:\WINDOWS\Installer
2008-10-19 16:22:28 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-19 10:07:50 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-19 08:24:31 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-10-19 00:25:17 ----D---- C:\Program Files\Yahoo!
2008-10-15 10:34:24 ----A---- C:\WINDOWS\system32\netapi32.dll
2008-10-14 23:49:36 ----D---- C:\WINDOWS\Debug
2008-10-14 20:57:17 ----D---- C:\Program Files\SUPERAntiSpyware
2008-10-14 20:36:08 ----D---- C:\Program Files\Internet Explorer
2008-10-14 20:33:38 ----D---- C:\WINDOWS\ie7updates
2008-10-12 22:42:14 ----D---- C:\Program Files\CarbonPoker
2008-10-07 13:19:40 ----A---- C:\WINDOWS\system32\MRT.exe
2008-10-03 22:01:56 ----D---- C:\Documents and Settings\mike\Application Data\Microgaming
2008-10-03 11:41:15 ----A---- C:\WINDOWS\system32\ieframe.dll
2008-09-23 20:50:57 ----D---- C:\Program Files\Bodog Poker
2008-09-20 19:24:13 ----D---- C:\Program Files\Google
2008-09-20 08:10:44 ----D---- C:\Documents and Settings\mike\Application Data\Google
2008-09-20 08:08:36 ----D---- C:\WINDOWS\system32\Adobe
2008-09-20 08:04:11 ----D---- C:\WINDOWS\system32\wbem
2008-09-20 08:04:11 ----D---- C:\WINDOWS\system32\Setup
2008-09-20 08:04:11 ----D---- C:\WINDOWS\AppPatch
2008-09-20 08:04:10 ----RSD---- C:\WINDOWS\Fonts
2008-09-20 08:03:27 ----D---- C:\WINDOWS\security
2008-09-20 02:58:53 ----D---- C:\WINDOWS\system32\CatRoot
2008-09-20 02:55:09 ----D---- C:\Program Files\Messenger
2008-09-20 02:49:53 ----D---- C:\WINDOWS\WinSxS
2008-09-20 02:49:39 ----D---- C:\WINDOWS\network diagnostic
2008-09-20 02:49:38 ----D---- C:\WINDOWS\ime
2008-09-20 02:49:38 ----D---- C:\WINDOWS\Help
2008-09-20 02:49:12 ----D---- C:\WINDOWS\system32\usmt
2008-09-20 02:49:12 ----D---- C:\WINDOWS\system32\en-US
2008-09-20 02:49:06 ----D---- C:\WINDOWS\PeerNet
2008-09-20 02:49:06 ----D---- C:\Program Files\Movie Maker
2008-09-20 02:44:52 ----D---- C:\WINDOWS\system32\Restore
2008-09-20 02:44:52 ----D---- C:\WINDOWS\system32\npp
2008-09-20 02:44:49 ----D---- C:\WINDOWS\msagent
2008-09-20 02:44:47 ----D---- C:\WINDOWS\srchasst
2008-09-20 02:44:46 ----D---- C:\Program Files\NetMeeting
2008-09-20 02:44:44 ----D---- C:\WINDOWS\system32\Com
2008-09-20 02:44:40 ----D---- C:\Program Files\Windows NT
2008-09-20 02:44:40 ----D---- C:\Program Files\Windows Media Player
2008-09-20 02:44:39 ----D---- C:\Program Files\Outlook Express
2008-09-20 02:44:35 ----D---- C:\Program Files\Common Files\System
2008-09-20 02:44:07 ----D---- C:\WINDOWS\system32\oobe
2008-09-20 02:44:05 ----D---- C:\WINDOWS\system
2008-09-20 02:39:49 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-09-14 20:34:08 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-07 10:55:47 ----D---- C:\Program Files\TruePoker

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2008-04-13 37760]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver; C:\WINDOWS\System32\DRIVERS\cmdguard.sys [2008-10-30 99856]
R1 cmdHlp;COMODO Firewall Pro Helper Driver; C:\WINDOWS\System32\DRIVERS\cmdhlp.sys [2008-10-30 31504]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-03-01 28352]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R2 AVFilter;AVFilter; C:\WINDOWS\system32\drivers\AVFilter.sys [2008-02-12 21904]
R3 AVHook;AVHook; C:\WINDOWS\system32\drivers\AVHook.sys [2007-12-06 28568]
R3 AVRec;AVRec; C:\WINDOWS\system32\drivers\AVRec.sys [2007-12-06 21912]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys [2005-01-10 138752]
R3 GcKernel;Microsoft SideWinder Value Add - Filter Driver; C:\WINDOWS\system32\DRIVERS\GcKernel.sys [2008-04-13 59136]
R3 HIDSwvd;Microsoft SideWinder Virtual HID Device Mini-Driver; C:\WINDOWS\system32\DRIVERS\HIDSwvd.sys [2001-08-17 2688]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-12-05 7435392]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\DRIVERS\ctoss2k.sys [2005-01-10 106496]
R3 P17;SB Live! 24-bit; C:\WINDOWS\system32\drivers\P17.sys [2007-06-15 1127936]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 scrcap;scrcap; C:\WINDOWS\system32\DRIVERS\scrcap.sys [2006-09-27 9006]
R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\system32\DRIVERS\sisnic.sys [2004-08-03 32768]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-11-04 85969]
S3 TVICHW32;TVICHW32; \??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS []
S3 vgadrv;vgadrv; C:\WINDOWS\system32\DRIVERS\vgadrv.sys [2006-06-10 8078]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-10-19 611664]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 cmdAgent;COMODO Firewall Pro Helper Service; C:\Program Files\COMODO\Firewall\cmdagent.exe [2008-10-30 614136]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.exe [1999-12-12 44032]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2007-12-05 155716]
R2 PCTAVSvc;PC Tools AntiVirus Engine; C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe [2008-09-23 995520]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\system32\MsPMSPSv.exe [2000-06-26 53520]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]

-----------------EOF-----------------
Last edited by cindyp; 11-04-2008 at 09:17 PM.
cindyp is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-08-2008, 12:47 PM   #5 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,241
OS: XP SP3


Re: HJT log
Hello cindyp. Sorry for the late reply but I somehow didn't get a notification of your reply. Apologies.

Nothing is showing in your logs. We will run an online scan to look for remnants shortly.

------------------------------------------------------

First, I need to see the info.txt log.

Go to Start > Run and copy/paste the following into the Run box and click OK:

C:\rsit\info.txt

A text file should open. Please post the contents of that file in your next reply.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-08-2008, 03:44 PM   #6 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 11
OS: xp


Re: HJT log
Here ya go

info.txt logfile of random's system information tool 1.04 2008-11-05 00:22:52

======Uninstall list======

-->C:\Program Files\PC Tools AntiVirus\unins000.exe /LOG
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32B4B536-4443-42F0-9676-98373BE9114F}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9194237B-7B58-40B4-A739-184AD59531A2}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C64409FA-42A7-49C6-837A-D2E5D813BD57}\setup.exe" -l0x9
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.57-->"D:\wargame1\newwar\empty\warcon\crap4\warrior\warriordat\dat1\crap\7-Zip\Uninstall.exe"
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player 11-->C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Adobe SVG Viewer 3.0-->C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
AGEIA PhysX v2.4.4-->"C:\Program Files\AGEIA Technologies\uninstall.exe"
AIM 6-->C:\Program Files\AIM6\uninst.exe
ALSee-->"C:\Program Files\ESTsoft\ALSee\unins000.exe"
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Avira AntiVir Personal – Free Antivirus-->C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
Bodog Poker Version 2.16.1.52-->"C:\Program Files\Bodog Poker\unins000.exe"
Bonjour-->MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
BSPlayer-->"C:\Program Files\Webteh\BSplayer\uninstall.exe"
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
COMODO Firewall Pro-->C:\Program Files\COMODO\Firewall\cfpconfg.exe -u
Creative EAX Settings-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C64409FA-42A7-49C6-837A-D2E5D813BD57}\setup.exe" -l0x9 /remove
Creative Speaker Settings-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32B4B536-4443-42F0-9676-98373BE9114F}\setup.exe" -l0x9 /remove
Device Control-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9194237B-7B58-40B4-A739-184AD59531A2}\setup.exe" -l0x9 /remove
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DivX-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
Doyles Room Poker-->C:\MICROG~1\Poker\DOYLES~1\DOYLES~1\UNWISE.EXE C:\MICROG~1\Poker\DOYLES~1\DOYLES~1\INSTALL.LOG
Fraps-->"C:\Fraps\uninstall.exe"
Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
ieSpell-->"C:\Program Files\ieSpell\uninst.exe"
Kaspersky Online Scanner-->C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LearnPoker version 1.01-->"C:\Program Files\LearnPoker\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
mIRC-->C:\Program Files\mIRC\uninstall.exe _?=C:\Program Files\mIRC
Mount&Blade-->C:\Program Files\Mount&Blade\uninstall.exe
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
Panda ActiveScan-->C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PC Tools AntiVirus 5.0-->"C:\Program Files\PC Tools AntiVirus\unins000.exe"
PlayGATE Setup-->C:\PROGRA~1\Playnet\Playgate\UNWISE.EXE C:\PROGRA~1\Playnet\Playgate\INSTALL.LOG
PokerTime-->C:\MICROG~1\Poker\POKERT~1\POKERT~1\UNWISE.EXE C:\MICROG~1\Poker\POKERT~1\POKERT~1\INSTALL.LOG
PurePlay Poker-->MsiExec.exe /X{19E16A54-962C-45D6-BDDE-FD01EBB1A086}
QuickTime-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
SideWinder Precision 2-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Microsoft Hardware\Game Controllers\Precision 2\Uninst.isu" -c"C:\Program Files\Microsoft Hardware\Game Controllers\Precision 2\Uninstall.dll"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins001.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
TruePoker (High Res)-->C:\PROGRA~1\TRUEPO~1\UNWISE.EXE C:\PROGRA~1\TRUEPO~1\INSTALL.LOG
TruePoker-->C:\PROGRA~1\TRUEPO~1\UNWISE.EXE C:\PROGRA~1\TRUEPO~1\INSTALL.LOG
Ultima Online: Mondain's Legacy-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DF7B213D-2065-41ED-BB51-7A3EED31EA7B}\setup.exe" -l0x9 -removeonly
UO Auto-Map-->c:\Program Files\UOAM\uoam.exe -uninstall
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Virtools 3D Life Player-->C:\Program Files\Virtools\3D Life Player\WebplayerConfig.exe -u
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format SDK Hotfix - KB891122-->"C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Wisdom-soft ScreenHunter 4.0 Free-->C:\PROGRA~1\WISDOM~1\UNWISE.EXE C:\PROGRA~1\WISDOM~1\INSTALL.LOG
ZD Soft Screen Recorder-->"C:\Program Files\ZD Soft\Screen Recorder\Uninstall.exe"
ZD Soft Screen Video Decoder-->rundll32.exe setupapi,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\scrvid.inf

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: PC Tools AntiVirus 5.0.0.22

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\QuickTime\QTSystem;C:\Program Files\QuickTime\QTSystem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
"PROCESSOR_REVISION"=0801
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------
cindyp is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-08-2008, 05:35 PM   #7 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,241
OS: XP SP3


Re: HJT log
Hello again, cindyp. Are you experiencing any problems with your computer?

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

It appears that you have two antivirus programs installed, PC Tools and Avira. Even though Avira is not running, they can actually conflict with one another and cause system instability or even system hangs. Please choose one to keep and uninstall the other via Add or Remove Programs in your Control Panel.

------------------------------------------------------

We need to install Java on your machine in order to run an online scan with Kaspersky.
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 10 and Save it to your Desktop.
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 10 The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6 License Agreement.
  • Click Continue
  • Click on the link to download Windows Offline Installation and Save the file to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.
  • After the install is complete, go back to your Control Panel and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
    • Delete jre-6u10-windows-i586-p.exe from your desktop.
------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here.

Please close HijackThis now.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
new HijackThis log
report on system behavior
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-09-2008, 07:33 AM   #8 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 11
OS: xp


Re: HJT log
chemist, I downloaded and installed the java with no problems and used the atf-cleaner just as you said but the Kaspersky updater is giving me an error, it downloads the update but then says- Update failed program failed to start [0x80004005] I'm gonna reboot and try it again.
cindyp is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-09-2008, 10:07 AM   #9 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 11
OS: xp


Re: HJT log
Ok rebooting did the trick.
I am not having any problems that I can tell with my pc other then ad-aware keeps detecting hits after I remove them, even if I do not go to any web pages.
I uninstalled Avira many months ago, not sure why it was showing up. It was found under ad/remove programs but said it had been uninstalled just asked me if I wanted to remove it from this list.

here's the scans you asked for-

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, November 9, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, November 09, 2008 10:09:15
Records in database: 1376472
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 76640
Threat name: 4
Infected objects: 3
Suspicious objects: 4
Duration of the scan: 01:35:44


File name / Threat name / Threats count
C:\Documents and Settings\mike\Local Settings\Application Data\Identities\{58658AE9-8C60-4E5B-B4AA-A5E979D10D44}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 4
C:\Documents and Settings\mike\Local Settings\Application Data\Identities\{58658AE9-8C60-4E5B-B4AA-A5E979D10D44}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Downloader.HTML.Agent.km 1
C:\mirc\mirc617.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 1

The selected area was scanned.

---------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:10 PM, on 11/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [hcsystray] C:\Program Files\Kuma Games\hcsystray\hc_tray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: PokerTime Poker - {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79} - C:\Microgaming\Poker\pokertimeMPP\MPPoker.exe
O9 - Extra button: Doyles Room Poker - {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: CarbonPoker - {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\Documents and Settings\mike\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144112257468
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Regi...CX/flashax.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O24 - Desktop Component 0: (no name) - http://www.uogamers.com/forum/images...artakus_bg.gif

--
End of file - 9155 bytes
cindyp is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-09-2008, 12:16 PM   #10 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,241
OS: XP SP3


Re: HJT log
Hello again, cindyp. What exactly is Ad-Aware detecting? ATF-Cleaner should have taken care of all your cookies.

Kaspersky flags mIRC due to potential--it is a false positive.

Kaspersky has detected infected emails in the following Folder:

C:\Documents and Settings\mike\Local Settings\Application Data\Identities\{58658AE9-8C60-4E5B-B4AA-A5E979D10D44}\Microsoft\Outlook Express\Deleted Items.dbx

Please empty that folder. Let me know that it is empty.

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist: (Make sure you do not miss any)

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab

Please remember to close all other windows, including browsers then click Fix checked.

If Spybot asks whether to accept or deny, please accept it.

Click Scan then Save log and post a fresh HijackThis log.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-09-2008, 02:15 PM   #11 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 11
OS: xp


Re: HJT log
Ad-aware has been detecting mostly privacy hits, nothing critical, the last time I ran it it only found one hit, nothing major, it was finding 50-70 hits before we got started.

this folder has been emptied-

C:\Documents and Settings\mike\Local Settings\Application Data\Identities\{58658AE9-8C60-4E5B-B4AA-A5E979D10D44}\Microsoft\Outlook Express\Deleted Items.dbx


Here is the latest HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:11 PM, on 11/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [hcsystray] C:\Program Files\Kuma Games\hcsystray\hc_tray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: PokerTime Poker - {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79} - C:\Microgaming\Poker\pokertimeMPP\MPPoker.exe
O9 - Extra button: Doyles Room Poker - {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: CarbonPoker - {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\Documents and Settings\mike\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144112257468
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Regi...CX/flashax.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O24 - Desktop Component 0: (no name) - http://www.uogamers.com/forum/images...artakus_bg.gif

--
End of file - 8926 bytes
cindyp is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-09-2008, 02:24 PM   #12 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,241
OS: XP SP3


Re: HJT log
Your logs are clean. If there's nothing else, you should be good to go.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-09-2008, 03:53 PM   #13 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 11
OS: xp


Re: HJT log
Great! thanks very much
cindyp is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-09-2008, 04:03 PM   #14 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,241
OS: XP SP3


Re: HJT log
You're very welcome!

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

C:\WINDOWS\gmer_uninstall.cmd

Press any key to continue once you see that message.

------------------------------------------------------

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well written articles: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites in Internet Explorer. See tutorial here
  • IE-Spyad is another excellent program that places over 5000 dubious websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. It basically prevents any downloads from the sites listed, although you will still be able to connect to the site. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
  • Spybot - Search & Destroy is an excellent spyware remover and also offers real-time protection against critical registry changes. Don't use the Immunize feature in Spybot if you use SpywareBlaster. See tutorial here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 04:56 AM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85