another url.urtbk.com etc problem (Resolved)

edited August 2009 in Spyware & Virus Removal
I too am experiencing problems with IE and Outlook: web pages not loading, others popping up with the above URL or just blank, and Outlook either not sending or sending multiple messages. I have had the problem for about a week. I have run PC Tools and Trend to no avail. XP system. I would appreciate some assistance to rectify the problem.

Comments

  • edited August 2009
    Please note that all instructions given are customised for this computer only;
    the tools used may cause damage if used on a computer with different infections.

    If you think you have similar problems, please post a log in the HJT forum and wait for help.


    Hello and welcome to the forums

    My name is Katana and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:
    1. Please Read All Instructions Carefully
    2. If you don't understand something, stop and ask! Don't keep going on.
    3. Please do not run any other tools or scans whilst I am helping you
    4. Failure to reply within 5 days will result in the topic being closed.
    5. Please continue to respond until I give you the "All Clear"
      (Just because you can't see a problem doesn't mean it isn't there)

    If you can do those few things, everything should go smoothly.

    Some of the logs I request will be quite large; you may need to split them over a couple of replies.

    Please Note, your security programs may give warnings for some of the tools I will ask you to use.
    Be assured, any links I give are safe

    Download and Run RSIT
    • Please download Random's System Information Tool by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open:
      • log.txt will be opened maximized.
      • info.txt will be opened minimized.
    • Please post the contents of both log.txt and info.txt.
      ( They can also be found in the C:\RSIT folder )



    Please Download GMER to your desktop

    Download GMER and extract it to your desktop.

    ***Please close any open programs ***

    Double-click gmer.exe. The program will begin to run.

    **Caution**
    These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst


    If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
    • Click Yes.
    • Once the scan is complete, you may receive another notice about rootkit activity.
    • Click OK.
    • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

    If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
    • Click the Scan button and let the program do its work. GMER will produce a log.
    • Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.


    DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

    Please post the results from the GMER scan in your reply.
  • edited August 2009
    Katana

    As requested, log.txt

    Logfile of random's system information tool 1.06 (written by random/random)
    Run by Kevin at 2009-08-03 22:38:52
    Microsoft Windows XP Home Edition Service Pack 3
    System drive C: has 37 GB (48%) free of 76 GB
    Total RAM: 512 MB (32% free)
    HijackThis download failed
    ======Scheduled tasks folder======
    C:\WINDOWS\tasks\Disk Cleanup.job
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    ======Registry dump======
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    Yahoo! Companion BHO - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll []
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
    HP Print Enhancer - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [2007-11-06 322880]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
    Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]
    MSNToolBandBHO - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-au\msntb.dll [2004-08-13 282624]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
    JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}]
    HP Smart BHO Class - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2007-11-06 542016]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Companion - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll []
    {CCC7A320-B3CA-4199-B1A6-9F516DD69829}
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Smapp"=C:\Program Files\Analog Devices\SoundMAX\SMTray.exe [2002-10-11 98304]
    "NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-22 7700480]
    "nwiz"=nwiz.exe /install []
    "AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2005-03-04 88209]
    "B'sCLiP"=C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe [2003-06-19 1318912]
    "LogitechVideoRepair"=C:\Program Files\Logitech\Video\ISStart.exe [2004-02-12 188416]
    "LogitechVideoTray"=C:\Program Files\Logitech\Video\LogiTray.exe [2004-02-12 77824]
    "Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe [2005-09-09 57344]
    "NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-10-22 86016]
    "LogMeIn GUI"=C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [2008-02-28 63048]
    "Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
    "AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-05-13 177472]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
    "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-05-26 413696]
    "iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-05-30 292136]
    "HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-10-14 49152]
    "hpqSRMon"=C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [2007-08-22 80896]
    "AirPort Base Station Agent"=C:\Program Files\AirPort\APAgent.exe [2009-05-27 753664]
    "UfSeAgnt.exe"=C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe [2009-04-01 995528]
    "ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe [2009-07-22 1181064]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Shareaza"=C:\Program Files\MP3Downloading\bindata.exe [2004-10-07 4276224]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
    "AntiVirusProMFC"=C:\Program Files\Antivirus Pro\Antivirus Pro.exe []
    "H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE [2005-07-04 376912]
    "OE"=C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe [2008-07-30 497008]
    "RegistryMechanic"=C:\Program Files\Registry Mechanic\RegMech.exe [2009-06-30 2836376]
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"="C:\WINDOWS\System32\lfwmf11n32.dll"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\413114f1648]
    C:\WINDOWS\System32\lfwmf11n32.dll [2009-07-23 124928]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
    C:\WINDOWS\system32\LMIinit.dll [2008-10-18 87352]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-14 239616]
    WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=145
    "Btn_Back"=0
    "Btn_Forward"=0
    "Btn_Stop"=0
    "Btn_Refresh"=0
    "Btn_Home"=0
    "Btn_Search"=0
    "Btn_History"=0
    "Btn_Favorites"=0
    "Btn_Folders"=0
    "Btn_Fullscreen"=0
    "Btn_Tools"=0
    "Btn_MailNews"=0
    "Btn_Size"=0
    "Btn_Print"=0
    "Btn_Edit"=0
    "Btn_Discussions"=0
    "Btn_Cut"=0
    "Btn_Copy"=0
    "Btn_Paste"=0
    "Btn_Encoding"=0
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "HonorAutoRunSetting"=
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\WINDOWS\System32\LEXPPS.EXE"="C:\WINDOWS\System32\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
    "C:\WINDOWS\System32\ZoneLabs\vsmon.exe"="C:\WINDOWS\System32\ZoneLabs\vsmon.exe:*:Disabled:TrueVector Service"
    "C:\WINDOWS\System32\dpvsetup.exe"="C:\WINDOWS\System32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
    "C:\WINDOWS\System32\RUNDLL32.EXE"="C:\WINDOWS\System32\RUNDLL32.EXE:*:Enabled:Run a DLL as an App"
    "C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
    "C:\WINDOWS\System32\java.exe"="C:\WINDOWS\System32\java.exe:*:Disabled:Java(TM) 2 Platform Standard Edition binary"
    "C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
    "C:\My Games\SmallBall Baseball\smallball.exe"="C:\My Games\SmallBall Baseball\smallball.exe:*:Disabled:SmallBall BaseBall"
    "C:\Program Files\Messenger\MSMSGS.EXE"="C:\Program Files\Messenger\MSMSGS.EXE:*:Enabled:Windows Messenger"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "E:\Swimming\Meet Manager\SwimMM2.exe"="E:\Swimming\Meet Manager\SwimMM2.exe:*:Enabled:Swim Meet Manager"
    "C:\Documents and Settings\All Users\Documents\My Music\LimeWire\LimeWire.exe"="C:\Documents and Settings\All Users\Documents\My Music\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"
    "C:\WINDOWS\System32\ftp.exe"="C:\WINDOWS\System32\ftp.exe:*:Enabled:File Transfer Program"
    "C:\Program Files\ClamWin\bin\ClamWin.exe"="C:\Program Files\ClamWin\bin\ClamWin.exe:*:Enabled:Virus Scanner"
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:*:Enabled:Connection Manager"
    "C:\StubInstaller.exe"="C:\StubInstaller.exe:*:Disabled:LimeWire swarmed installer"
    "C:\Program Files\MP3Downloading\bindata.exe"="C:\Program Files\MP3Downloading\bindata.exe:*:Enabled:MP3Downloading Ultimate File Sharing"
    "C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
    "G:\SOF2 MP EXTENDED VERSION 1 - Spread me around!\WINWORD.exe"="G:\SOF2 MP EXTENDED VERSION 1 - Spread me around!\WINWORD.exe:*:Enabled:WINWORD"
    "C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
    "C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\Program Files\Photo Story 3 for Windows\PhotoStory3.exe"="C:\Program Files\Photo Story 3 for Windows\PhotoStory3.exe:*:Enabled:Photo Story 3 for Windows"
    "C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
    "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
    "C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
    "C:\Program Files\AirPort\APAgent.exe"="C:\Program Files\AirPort\APAgent.exe:*:Enabled:AirPort"
    "C:\WINDOWS\EXPLORER.EXE"="C:\WINDOWS\EXPLORER.EXE:*:Enabled:Windows Shell"
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
    "C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{826bd28a-3230-11dd-bc01-000c6edf1785}]
    shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\m.exe /s
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2031e1c-4513-11de-be89-000c6edf1785}]
    shell\AUToplaY\command - F:\jttia.cmd
    shell\AutoRun\command - F:\jttia.cmd
    shell\ExpLoRe\command - F:\jttia.cmd
    shell\Open\command - F:\jttia.cmd

    ======List of files/folders created in the last 1 months======
    2009-08-03 22:38:52 ----D---- C:\rsit
    2009-08-03 22:01:41 ----SHD---- C:\WINDOWS\system32\SystemX86
    2009-08-02 18:40:57 ----A---- C:\WINDOWS\system32\KDSInterface.txt
    2009-08-02 14:44:26 ----SHD---- C:\FOUND.000
    2009-08-02 12:21:30 ----ASH---- C:\WINDOWS\system32\9.tmp
    2009-08-01 21:12:28 ----D---- C:\Documents and Settings\Kevin\Application Data\PC Tools
    2009-08-01 21:12:28 ----D---- C:\Documents and Settings\All Users\Application Data\PC Tools
    2009-07-30 20:06:44 ----A---- C:\WINDOWS\ntbtlog.txt
    2009-07-29 23:28:51 ----D---- C:\Program Files\Common Files\PC Tools
    2009-07-29 23:28:22 ----D---- C:\Program Files\Spyware Doctor
    2009-07-29 23:27:36 ----A---- C:\WINDOWS\system32\STKIT432.DLL
    2009-07-29 23:27:28 ----D---- C:\Program Files\Registry Mechanic
    2009-07-28 17:51:41 ----D---- C:\Documents and Settings\All Users\Application Data\Trend Micro
    2009-07-28 17:49:07 ----D---- C:\Program Files\Trend Micro
    2009-07-27 16:02:03 ----ASH---- C:\WINDOWS\system32\43.tmp
    2009-07-27 16:02:03 ----ASH---- C:\WINDOWS\system32\1.tmp
    2009-07-25 14:19:37 ----A---- C:\WINDOWS\system32\75.tmp
    2009-07-25 14:19:12 ----A---- C:\WINDOWS\system32\74.tmp
    2009-07-23 17:12:26 ----A---- C:\WINDOWS\GnuHashes.ini
    2009-07-23 07:55:26 ----A---- C:\WINDOWS\system32\lfwmf11n32.dll
    2009-07-15 19:05:28 ----HD---- C:\WINDOWS\$NtUninstallKB973346$
    2009-07-15 19:05:17 ----HD---- C:\WINDOWS\$NtUninstallKB971633$
    2009-07-15 19:00:46 ----HD---- C:\WINDOWS\$NtUninstallKB961371$
    ======List of files/folders modified in the last 1 months======
    2009-08-03 18:03:06 ----A---- C:\WINDOWS\SchedLgU.Txt
    2009-08-01 19:02:10 ----A---- C:\WINDOWS\win.ini
    2009-07-19 23:03:02 ----A---- C:\WINDOWS\system32\mshtml.dll
    2009-07-19 23:03:00 ----A---- C:\WINDOWS\system32\ieframe.dll
    2009-07-15 19:05:32 ----A---- C:\WINDOWS\imsins.BAK
    2009-07-08 00:40:56 ----A---- C:\WINDOWS\system32\MRT.exe
    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
    R1 cdrbsdrv;cdrbsdrv; C:\WINDOWS\system32\drivers\cdrbsdrv.sys [2004-03-08 13567]
    R1 cdrbsvsd;cdrbsvsd; C:\WINDOWS\system32\drivers\cdrbsvsd.sys [2003-12-03 13566]
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-14 36352]
    R1 meiudf;meiudf; C:\WINDOWS\System32\Drivers\meiudf.sys [2003-01-31 90416]
    R1 pctgntdi;pctgntdi; \??\C:\WINDOWS\system32\drivers\pctgntdi.sys []
    R1 tmtdi;Trend Micro TDI Driver; C:\WINDOWS\system32\DRIVERS\tmtdi.sys [2009-03-04 80400]
    R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-03-31 12032]
    R2 fssfltr;FssFltr; C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys [2009-02-06 55152]
    R2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys []
    R2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys []
    R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
    R2 tmpreflt;tmpreflt; C:\WINDOWS\system32\DRIVERS\tmpreflt.sys [2009-05-22 36368]
    R2 tmxpflt;tmxpflt; C:\WINDOWS\system32\DRIVERS\tmxpflt.sys [2009-05-22 225296]
    R2 vsapint;vsapint; C:\WINDOWS\system32\DRIVERS\vsapint.sys [2009-05-22 1220120]
    R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-03-31 4816]
    R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\System32\DRIVERS\AGRSM.sys [2005-03-04 1066278]
    R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
    R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2007-10-30 49920]
    R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2007-10-30 16496]
    R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2007-10-30 21568]
    R3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys [2008-02-28 10144]
    R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
    R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2006-10-22 3994624]
    R3 Pcatip;Pcatip; C:\WINDOWS\System32\DRIVERS\Pcatip.sys [2004-11-13 68608]
    R3 pctplsg;pctplsg; \??\C:\WINDOWS\system32\drivers\pctplsg.sys []
    R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\System32\DRIVERS\sisnic.sys [2004-08-04 32768]
    R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2002-12-05 534976]
    R3 TfNetMon;TfNetMon; \??\C:\WINDOWS\system32\drivers\TfNetMon.sys []
    R3 tmcfw;Trend Micro Common Firewall Service; C:\WINDOWS\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-14 32128]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-14 30208]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-14 59520]
    R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-14 17152]
    R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-14 25856]
    R3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-14 15104]
    R4 BsUDF;B.H.A UDF Filesystem; C:\WINDOWS\system32\drivers\BsUDF.sys [2003-06-19 390016]
    S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2008-04-14 14592]
    S2 tmactmon;tmactmon; \??\C:\WINDOWS\system32\drivers\tmactmon.sys []
    S2 tmevtmgr;tmevtmgr; \??\C:\WINDOWS\system32\drivers\tmevtmgr.sys []
    S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
    S3 GcKernel;Microsoft SideWinder Value Add - Filter Driver; C:\WINDOWS\System32\DRIVERS\GcKernel.sys [2008-04-14 59136]
    S3 HIDSwvd;Microsoft SideWinder Virtual HID Device Mini-Driver; C:\WINDOWS\System32\DRIVERS\HIDSwvd.sys [2001-08-17 2688]
    S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-14 10368]
    S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
    S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
    S3 MTK;Media Technology Kernel Driver; C:\WINDOWS\System32\Drivers\fide.sys [2008-10-14 15271]
    S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
    S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [2008-04-14 10880]
    S3 Pcouffin;Low level access layer for CD devices; C:\WINDOWS\System32\Drivers\Pcouffin.sys []
    S3 QCDonner;Labtec WebCam(PID_0840); C:\WINDOWS\System32\DRIVERS\LVCD.sys [2004-01-20 474272]
    S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\System32\DRIVERS\SLIP.sys [2008-04-14 11136]
    S3 streamip;BDA IPSink; C:\WINDOWS\System32\DRIVERS\StreamIP.sys [2008-04-14 15232]
    S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver; C:\WINDOWS\System32\DRIVERS\SWUSBFLT.sys [2001-08-17 3968]
    S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-05-29 39424]
    S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
    S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2005-07-04 104064]
    S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
    S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
    S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
    S4 LMIRfsClientNP;LMIRfsClientNP; C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys []
    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
    R2 AdobeActiveFileMonitor4.0;Adobe Active File Monitor V4; C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe [2005-09-09 102400]
    R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-05-29 144712]
    R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
    R2 DVD-RAM_Service;DVD-RAM_Service; C:\WINDOWS\System32\DVDRAMSV.exe [2003-05-22 106496]
    R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
    R2 Iprip;RIP Listener; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
    R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
    R2 LMIMaint;LogMeIn Maintenance Service; C:\Program Files\LogMeIn\x86\RaMaint.exe [2008-10-18 116032]
    R2 LogMeIn;LogMeIn; C:\Program Files\LogMeIn\x86\LogMeIn.exe [2008-02-28 63040]
    R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
    R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
    R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-22 159810]
    R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
    R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
    R2 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2009-07-22 1097096]
    R2 SimpTcp;Simple TCP/IP Services; C:\WINDOWS\System32\tcpsvcs.exe [2003-03-31 19456]
    R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
    R3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
    R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-05-30 541992]
    R3 ThreatFire;ThreatFire; C:\Program Files\Spyware Doctor\TFEngine\TFService.exe [2009-03-31 70944]
    S2 SfCtlCom;Trend Micro Central Control Component; C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe [2009-04-01 711248]
    S2 TMBMServer;Trend Micro Unauthorized Change Prevention Service; C:\Program Files\Trend Micro\BM\TMBMSRV.exe [2009-03-03 341256]
    S2 TmPfw;Trend Micro Personal Firewall; C:\Program Files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
    S2 TmProxy;Trend Micro Proxy Service; C:\Program Files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
    S2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
    S3 fsssvc;Windows Live Family Safety; C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
    S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
    EOF
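An added example, not part of this thread, of RSIT or of GMER: a Python script that reads RSIT-style log lines and flags the load points a helper checks first. The sample lines are constructed to mirror the shape of the log above (an AppInit_DLLs value and a Winlogon\Notify subkey pointing at the same DLL, drive autorun handlers under mountpoints2, hidden+system files newly created in system32, and a Run value that RSIT printed with an empty [] because it could not read the file). The indicator tags, severities and regular expressions are this script's own assumptions, not RSIT output fields.

```python
# Added triage example: flag persistence/autorun indicators in RSIT-style log lines.
# Not part of RSIT or this thread; the tags, severities and patterns are this script's own.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high": a load point or autorun handler; "review": needs a human look
    indicator: str  # short tag, convenient for counting/filtering
    detail: str


# Constructed sample, shaped like the "Registry dump" and "files created" sections of the posted log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"AntiVirusProMFC"=C:\Program Files\Antivirus Pro\Antivirus Pro.exe []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\System32\lfwmf11n32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\413114f1648]
C:\WINDOWS\System32\lfwmf11n32.dll [2009-07-23 124928]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{826bd28a-3230-11dd-bc01-000c6edf1785}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\m.exe /s
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2031e1c-4513-11de-be89-000c6edf1785}]
shell\AutoRun\command - F:\jttia.cmd
shell\Open\command - F:\jttia.cmd
======List of files/folders created in the last 1 months======
2009-08-03 22:01:41 ----SHD---- C:\WINDOWS\system32\SystemX86
2009-08-02 12:21:30 ----ASH---- C:\WINDOWS\system32\9.tmp
2009-07-23 07:55:26 ----A---- C:\WINDOWS\system32\lfwmf11n32.dll
2009-07-15 19:05:28 ----HD---- C:\WINDOWS\$NtUninstallKB973346$
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*?)(?:\s\[(?P<meta>[^\]]*)\])?$')
PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\[^\[]+?)\s*(?:\[[^\]]*\])?$")
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<attrs>\S+) (?P<path>.+)$")
AUTORUN_RE = re.compile(r"^shell\\\w+\\command - (?P<cmd>.+)$", re.IGNORECASE)
NON_C_TARGET_RE = re.compile(r"\b([D-Zd-z]:\\\S+)")     # a command on a non-system drive
HEXISH_NAME_RE = re.compile(r"^[0-9a-f]*\d[0-9a-f]*$")  # 413114f1648 yes, WgaLogon no


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    key, appinit, notify, seen = "", set(), {}, set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("======"):          # section header: drop registry-key context
            key = ""
        if m := KEY_RE.match(line):
            key = m.group(1)
            continue
        kl = key.lower()
        if f := FILE_RE.match(line):           # RSIT lists files after the registry dump
            attrs, path = f.group("attrs"), f.group("path").strip()
            name = path.rsplit("\\", 1)[-1]
            hidden_sys = "H" in attrs and "S" in attrs
            if "\\system32\\" in path.lower() and (hidden_sys or re.fullmatch(r"\d+\.tmp", name, re.I)):
                findings.append(Finding("review", "hidden_system32_file", f"{path} ({attrs}) new in system32"))
            if path.lower() in appinit or path.lower() in notify.values():
                findings.append(Finding("high", "recent_loadpoint_file", f"{path} is new and sits in a load point"))
        elif kl.endswith("\\currentversion\\windows"):
            v = VALUE_RE.match(line)
            if v and v.group("name").lower() == "appinit_dlls":
                for dll in filter(None, re.split(r"[ ,;]+", v.group("data").strip('"'))):
                    appinit.add(dll.lower())
                    findings.append(Finding("high", "appinit_dlls", f"AppInit_DLLs loads {dll} into every user32 process"))
        elif kl.endswith("\\currentversion\\run"):
            v = VALUE_RE.match(line)
            if v and v.group("meta") == "":    # RSIT prints [] when it cannot stat the target
                findings.append(Finding("review", "run_target_unreadable", f'Run "{v.group("name")}" -> {v.group("data")}'))
        elif "\\winlogon\\notify\\" in kl:
            if p := PATH_RE.match(line):
                subkey, dll = key.rsplit("\\", 1)[-1], p.group("path").strip()
                notify[subkey] = dll.lower()
                if HEXISH_NAME_RE.match(subkey.lower()):
                    findings.append(Finding("high", "winlogon_notify", f"Notify\\{subkey} (random name) loads {dll}"))
        elif "\\mountpoints2\\" in kl:
            a = AUTORUN_RE.match(line)
            t = NON_C_TARGET_RE.search(a.group("cmd")) if a else None
            if t and t.group(1).lower() not in seen:  # one finding per target, not per verb
                seen.add(t.group(1).lower())
                findings.append(Finding("high", "removable_autorun", f"drive autorun handler runs {t.group(1)}"))
    for subkey, dll in notify.items():         # same DLL in two load points: strong signal
        if dll in appinit:
            findings.append(Finding("high", "shared_dll", f"{dll} under both AppInit_DLLs and Notify\\{subkey}"))
    return findings


if __name__ == "__main__":
    for fnd in triage(SAMPLE_LOG):
        print(f"[{fnd.severity:6}] {fnd.indicator:22} {fnd.detail}")
```

Run it as-is to triage SAMPLE_LOG, or pass the text of a saved log.txt to triage(). The "high" findings are the entries an analyst deals with first: an AppInit_DLLs entry is mapped into every process that loads user32.dll, a Winlogon\Notify DLL is loaded by winlogon.exe at logon, and a mountpoints2 handler records the autorun command Explorer will use when that drive is opened, so the payload returns each time the stick is plugged in. The same caveat as for GMER applies: a hit is a prompt to verify the file (hash it, check its signer and its creation date against the infection window), not a removal instruction.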
  • edited August 2009
    Katana Pt 2

    info.txt logfile of random's system information tool 1.06 2009-08-03 22:41:18
    ======Uninstall list======
    -->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adaptec\Easy CD Creator 4\UNINST.ISU"
    -->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
    -->MsiExec.exe /I{C98E5F1B-5C2B-4FD1-BDF9-F3779DCAAA16}
    -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    32 Bit HP CIO Components Installer-->MsiExec.exe /I{2614F54E-A828-49FA-93BA-45A3F756BFAA}
    Adobe Flash Player 10 Plugin-->MsiExec.exe /X{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}
    Adobe Help Center 2.0-->MsiExec.exe /I{8FFC924C-ED06-44CB-8867-3CA778ECE903}
    Adobe Photoshop Elements 4.0-->msiexec /I {EBB7C1C1-D439-4D9B-9FDC-954C10F266B0}
    Adobe Reader 7.1.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
    Agere Systems PCI Soft Modem-->agrsmdel
    AirPort-->MsiExec.exe /I{637AF5A9-CFD1-43D7-A622-8F93954E92E3}
    Apple Mobile Device Support-->MsiExec.exe /I{659B48CD-0608-4ED5-94C0-0B6C87114F10}
    Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
    BHA B's Recorder GOLD 5.32-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{87CFE0AD-EAF0-40D1-B5CF-EDC527DAB7D2}\setup.exe" -l0x9
    Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
    B's CLiP-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19C64880-BBCA-11D4-9EEE-0004ACDDDB3B}\setup.exe" -l0x9
    Canon Camera Support Core Library-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{B9B9863A-32FD-4133-ADB7-46244ED77694} /l1033
    Canon Camera Window for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{F37942A8-B21B-4C5A-A1D2-B676BF55EAE0}
    Canon MovieEdit Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{DE286975-ACF1-45B8-9EF7-34E162B2C817}
    Canon PhotoRecord-->MsiExec.exe /X{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}
    Canon RAW Image Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{9518F764-C54D-47B2-9E73-154B21E79FD2}
    Canon RemoteCapture Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2C164906-E68F-462A-9010-70DD022223EF}
    Canon Utilities PhotoStitch 3.1-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{EF4C7EB0-D71B-43A3-9552-8053DE4B0401}
    Canon Utilities ZoomBrowser EX-->MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
    Cashflow Manager-->C:\Program Files\InstallShield Installation Information\{083CBC43-57A9-4DC8-8BE7-AF9CB5899953}\setup.exe -runfromtemp -l0x0009 -removeonly
    Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
    Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
    Digital Photo Navigator 1.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7EF4BD8-CA13-11D5-AE3D-005004B8E30C}\setup.exe"
    DVD Shrink 3.2-->"C:\Program Files\DVD Shrink\unins000.exe"
    DVD-RAM Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}\SETUP.EXE" DVD-RAM Driver
    Electronic Arts Game Updater-->C:\WINDOWS\IsUninst.exe -f"c:\Program Files\EACom\Update\Uninst.isu"
    FaxTools-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.exe" -l0x9 ControlPanel
    Google Earth-->MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
    HarryPotter_screensaver_pc Screen Saver-->C:\WINDOWS\HarryPotter_screensaver_pc.scr /u
    Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
    Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
    Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
    Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
    HP Customer Participation Program 10.0-->C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
    HP Deskjet F2200 All-In-One Driver Software 10.0 Rel .3-->C:\Program Files\HP\Digital Imaging\{D77D43B5-ED55-426b-B67B-E21F804F6102}\setup\hpzscr01.exe -datfile hposcr27.dat -onestop
    HP Imaging Device Functions 10.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
    HP Photosmart Essential 2.5-->C:\Program Files\HP\Digital Imaging\PhotoSmartEssential\hpzscr01.exe -datfile hpqbud13.dat
    HP Smart Web Printing-->C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpzscr01.exe -datfile hpqbud15.dat
    HP Solution Center 10.0-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
    HP Update-->MsiExec.exe /X{FE57DE70-95DE-4B64-9266-84DA811053DB}
    iCD CoolBeLa-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BOMA\iCD CoolBeLa\Uninst.isu"
    Indeo® Software-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Ligos\Indeo\Uninst.isu"
    iPod for Windows 2006-01-10-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{3D047C15-C859-45F7-81CE-F2681778069B} /l1033
    iTunes-->MsiExec.exe /I{CC5702D7-86E2-45A8-99D7-E8B976ADCC56}
    J2SE Runtime Environment 5.0 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
    J2SE Runtime Environment 5.0 Update 4-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
    J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
    J2SE Runtime Environment 5.0 Update 9-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
    J2SE Runtime Environment 5.0-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
    Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
    Java(TM) 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
    Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
    Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
    Java(TM) SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
    Junk Mail filter update-->MsiExec.exe /I{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}
    K-Lite Codec Pack-->C:\Program Files\K-Lite Codec Pack\unins000.exe
    Labtec WebCam-->MsiExec.exe /I{0463B519-E4C8-4C16-84AA-4743D1ED91B5}
    Labtec WebCam-->MsiExec.exe /I{58E653BE-BD68-4D68-BB2E-3AE1B925AAD0}
    Labtec® WebCam Driver-->"C:\Program Files\Common Files\Labtec\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
    LogMeIn-->MsiExec.exe /I{63A14955-DC18-49CA-9CE6-9229D0C1868D}
    Macromedia Shockwave Player-->C:\WINDOWS\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~1\INSTALL.LOG
    MEET MANAGER 2.0 for Swimming-->MsiExec.exe /I{7CE480FF-5B49-490E-BC18-1C663ECC0B61}
    Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
    Microsoft ActiveSync 3.7-->"C:\WINDOWS\ISUNINST.EXE" -f"C:\Program Files\Microsoft ActiveSync\DeIsL1.isu" -c"C:\Program Files\Microsoft ActiveSync\ceuninst.dll"
    Microsoft Classic Board Games-->"C:\Program Files\Microsoft Games\Microsoft Classic Board Games\UNINSTAL.EXE" /runtemp /addremove
    Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
    Microsoft Data Access Components KB870669-->C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
    Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
    Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
    Microsoft Office Professional Edition 2003-->MsiExec.exe /I{91E30409-6000-11D3-8CFE-0150048383C9}
    Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
    Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
    Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
    MobileMe Control Panel-->MsiExec.exe /I{DDBB28C8-B2AA-45A1-8DCE-059A798509FB}
    Mozilla Firefox (3.0.11)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
    MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
    MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
    MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
    MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
    ninemsn Toolbar-->C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-au\mtbs.exe c
    NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
    OGA Notifier 1.7.0105.35.0-->MsiExec.exe /I{B148AB4B-C8FA-474B-B981-F2943C5B5BCD}
    Photo Story 3 for Windows-->MsiExec.exe /I{4F41AD68-89F2-4262-A32C-2F70B01FCE9E}
    PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
    QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68}
    Registry Mechanic 8.0-->"C:\Program Files\Registry Mechanic\unins000.exe" /Log
    Saddle Club - Willowbrook Stables-->MsiExec.exe /X{280402BB-8957-48DE-8C2A-11F25B5F10C2}
    Safari-->MsiExec.exe /I{9C48DCA4-00C2-449C-88D8-B1EE1692B44F}
    Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
    Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB972260)-->"C:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
    Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
    Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
    Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
    Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
    Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
    Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
    Shop for HP Supplies-->C:\Program Files\HP\Digital Imaging\HPSSupply\hpzscr01.exe -datfile hpqbud16.dat
    Skype™ 4.0-->MsiExec.exe /X{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}
    SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
    Spyware Doctor 6.1-->C:\Program Files\Spyware Doctor\unins000.exe /LOG
    Sun ODF Plugin for Microsoft Office 1.2-->MsiExec.exe /X{5A29E75C-A8DE-49B4-9AF3-2266CE76C428}
    SwannSmart IIx Internal Modem Driver for Win 2000/XP-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\SSI2XXP.INF, DefaultUninstall.ntx86
    TEAM MANAGER 5.0 for Swimming-->MsiExec.exe /I{7736FD0A-9BF4-40F3-AF12-2E95D65D964F}
    The Sims 2 University-->C:\Program Files\EA GAMES\The Sims 2 University\EAUninstall.exe
    The Sims 2-->C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
    The Sims Hot Date Object Organizer 1.0-->C:\Program Files\Maxis\Object Organizer\Uninstall.exe "C:\Program Files\Maxis\Object Organizer\install.log"
    The Sims Make A Date-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35122751-510B-4B0C-828B-3B037670CE38}\Setup.exe"
    The Sims Make-A-Celebrity-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FE3DBADC-7D96-4AA3-B23B-20A381378544}\Setup.exe"
    The Sims Makin' Magic-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A00D1BA-D03A-44E5-AF28-86A1F377DF61}\setup.exe" -l0009
    Trend Micro Internet Security-->C:\Program Files\Trend Micro\Internet Security\remove.exe
    Trend Micro Internet Security-->MsiExec.exe /X{40E12A55-C504-4223-AFAC-7672DBF1ACDE}
    Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
    Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
    Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
    Update for Windows XP (KB961503)-->"C:\WINDOWS\$NtUninstallKB961503$\spuninst\spuninst.exe"
    Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
    Windows Defender Signatures-->MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
    Windows Defender-->MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
    Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
    Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
    Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
    Windows Live Essentials-->MsiExec.exe /I{C6CA8874-5F22-4AF0-9BE3-016BF299C536}
    Windows Live Family Safety-->MsiExec.exe /X{76CD2979-09C0-493A-84B3-8FD97EF4BCEA}
    Windows Live Mail-->MsiExec.exe /I{63C1109E-D977-49ED-BCE3-D00D0BF187D6}
    Windows Live Messenger-->MsiExec.exe /X{0AAA9C97-74D4-47CE-B089-0B147EF3553C}
    Windows Live Sign-in Assistant-->MsiExec.exe /I{9422C8EA-B0C6-4197-B8FC-DC797658CA00}
    Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
    Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
    Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
    Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
    Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
    Windows XP Creativity Fun Packs - Windows Movie Maker 2-->MsiExec.exe /X{DA2D4D11-1811-4A24-B719-BF9F048C6106}
    Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
    Yahoo! Toolbar-->rundll32.exe C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YCOMP5~1.DLL,DllCommand ui
    ======Security center information======
    AV: Spyware Doctor with AntiVirus
    AV: Trend Micro Internet Security (disabled)
    FW: Trend Micro Personal Firewall (disabled)
    ======System event log======
    Computer Name: HOME
    Event Code: 4226
    Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
    Record Number: 102227
    Source Name: Tcpip
    Time Written: 20090704152824.000000+570
    Event Type: warning
    User:
    Computer Name: HOME
    Event Code: 8003
    Message: The master browser has received a server announcement from the computer JADE-PC
    that believes that it is the master browser for the domain on transport NetBT_Tcpip_{95660D96-2C19-43FA-B.
    The master browser is stopping or an election is being forced.
    Record Number: 102226
    Source Name: MRxSmb
    Time Written: 20090704144901.000000+570
    Event Type: error
    User:
    Computer Name: HOME
    Event Code: 3
    Message: Printer HP DeskJet 810C was deleted.
    Record Number: 102225
    Source Name: Print
    Time Written: 20090704134030.000000+570
    Event Type: warning
    User: HOME\Kevin
    Computer Name: HOME
    Event Code: 4
    Message: Printer HP DeskJet 810C is pending deletion.
    Record Number: 102224
    Source Name: Print
    Time Written: 20090704134026.000000+570
    Event Type: warning
    User: HOME\Kevin
    Computer Name: HOME
    Event Code: 8003
    Message: The master browser has received a server announcement from the computer JADE-PC
    that believes that it is the master browser for the domain on transport NetBT_Tcpip_{95660D96-2C19-43FA-B.
    The master browser is stopping or an election is being forced.
    Record Number: 102221
    Source Name: MRxSmb
    Time Written: 20090704133653.000000+570
    Event Type: error
    User:
    =====Application event log=====
    Computer Name: HOME
    Event Code: 1524
    Message: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

    Record Number: 19343
    Source Name: Userenv
    Time Written: 20090303175110.000000+630
    Event Type: warning
    User: HOME\Kevin
    Computer Name: HOME
    Event Code: 2570
    Message: Adobe Active File Monitor Service has Started.
    Record Number: 19338
    Source Name: Adobe Active File Monitor 4.0
    Time Written: 20090303153451.000000+630
    Event Type:
    User:
    Computer Name: HOME
    Event Code: 1517
    Message: Windows saved user HOME\Kevin registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

    This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
    Record Number: 19337
    Source Name: Userenv
    Time Written: 20090303073658.000000+630
    Event Type: warning
    User: NT AUTHORITY\SYSTEM
    Computer Name: HOME
    Event Code: 1524
    Message: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

    Record Number: 19336
    Source Name: Userenv
    Time Written: 20090303073656.000000+630
    Event Type: warning
    User: HOME\Kevin
    Computer Name: HOME
    Event Code: 2570
    Message: Adobe Active File Monitor Service has Started.
    Record Number: 19331
    Source Name: Adobe Active File Monitor 4.0
    Time Written: 20090303072501.000000+630
    Event Type:
    User:
    =====Security event log=====
    Computer Name: HOME
    Event Code: 850
    Message: A port was listed as an exception when the Windows Firewall started.

    Policy origin: Local Policy
    Profile used: Standard
    Interface: All interfaces
    Name: Windows Media Format SDK (firefox.exe)
    Port number: 3102
    Protocol: UDP
    State: Enabled
    Scope: All subnets
    Record Number: 73687
    Source Name: Security
    Time Written: 20090731071658.000000+570
    Event Type: audit success
    User: NT AUTHORITY\SYSTEM
    Computer Name: HOME
    Event Code: 850
    Message: A port was listed as an exception when the Windows Firewall started.

    Policy origin: Local Policy
    Profile used: Standard
    Interface: All interfaces
    Name: Windows Media Format SDK (firefox.exe)
    Port number: 3082
    Protocol: UDP
    State: Enabled
    Scope: All subnets
    Record Number: 73686
    Source Name: Security
    Time Written: 20090731071658.000000+570
    Event Type: audit success
    User: NT AUTHORITY\SYSTEM
    Computer Name: HOME
    Event Code: 850
    Message: A port was listed as an exception when the Windows Firewall started.

    Policy origin: Local Policy
    Profile used: Standard
    Interface: All interfaces
    Name: Windows Media Format SDK (firefox.exe)
    Port number: 3077
    Protocol: UDP
    State: Enabled
    Scope: All subnets
    Record Number: 73685
    Source Name: Security
    Time Written: 20090731071658.000000+570
    Event Type: audit success
    User: NT AUTHORITY\SYSTEM
    Computer Name: HOME
    Event Code: 850
    Message: A port was listed as an exception when the Windows Firewall started.

    Policy origin: Local Policy
    Profile used: Standard
    Interface: All interfaces
    Name: Windows Media Format SDK (firefox.exe)
    Port number: 3076
    Protocol: UDP
    State: Enabled
    Scope: All subnets
    Record Number: 73684
    Source Name: Security
    Time Written: 20090731071658.000000+570
    Event Type: audit success
    User: NT AUTHORITY\SYSTEM
    Computer Name: HOME
    Event Code: 850
    Message: A port was listed as an exception when the Windows Firewall started.

    Policy origin: Local Policy
    Profile used: Standard
    Interface: All interfaces
    Name: Windows Media Format SDK (firefox.exe)
    Port number: 3049
    Protocol: UDP
    State: Enabled
    Scope: All subnets
    Record Number: 73683
    Source Name: Security
    Time Written: 20090731071658.000000+570
    Event Type: audit success
    User: NT AUTHORITY\SYSTEM
    ======Environment variables======
    "ComSpec"=%SystemRoot%\system32\cmd.exe
    "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
    "windir"=%SystemRoot%
    "OS"=Windows_NT
    "PROCESSOR_ARCHITECTURE"=x86
    "PROCESSOR_LEVEL"=15
    "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
    "PROCESSOR_REVISION"=0209
    "NUMBER_OF_PROCESSORS"=1
    "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    "TEMP"=%SystemRoot%\TEMP
    "TMP"=%SystemRoot%\TEMP
    "FP_NO_HOST_CHECK"=NO
    "CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
    "QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip
    EOF
  • edited August 2009
    Information

    IMPORTANT
    I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    Shareaza
    LimeWire

    I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

    Also available here.

    My recommendation is you go to Control Panel > Add/Remove Programs and uninstall any P2P programs
    Please note: you must NOT use any P2P whilst we are cleaning your machine.


    Registry Cleaners

    Re. Registry Mechanic 8.0

    I don't personally recommend the use of ANY registry cleaners.
    Here is an excerpt from a discussion on regcleaners
    Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems.
    The point we are trying to make is that the risk of using one far outweighs any benefit.
    If it does work perfectly you will not see any difference
    If it doesn't work properly you may end up with an expensive doorstop.
    http://forums.whatthetech.com/Regcleaner_t42862.html




    Step 1

    Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If requested, please reboot
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt




    Step 2


    Download and Run ComboFix (by sUBs)
    Please visit this webpage for instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial

    • You must download it to and run it from your Desktop
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply
    • Re-enable all the programs that were disabled during the running of ComboFix.



    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper
    For instructions on how to disable your security programs, please see this topic
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs



    Logs/Information to Post in Reply
    Please post the following logs/Information in your reply
    Some of the logs I request will be quite large, You may need to split them over a couple of replies.
    • Malwarebytes Log
    • ComboFix Log
    • How are things running now?








    Additional Notes



    Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

    Adobe Reader is a large program and uses unnecessary space.
    If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

    There is a newer version of Adobe Acrobat Reader available.
    • Please go to this link Adobe Acrobat Reader Download Link
    • Click Download
    • On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
    • Click the Continue button
    • Click Run, and click Run again
    • Next click the Install Now button and follow the on screen prompts




    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

    Please download Java SE Runtime Environment (JRE). (Don't install it yet.)
    • Scroll down to where it says "Java SE Runtime Environment (JRE)".
    • Click the "Download" button to the right.
      • Platform = Windows
      • Language = Multi Language
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.


    Now download JavaRa and unzip it to your desktop.

    ***Please close any instances of Internet Explorer (or other web browser) before continuing!***

    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location.


    Now install the Java SE Runtime Environment (JRE) package you downloaded
    (it comes with a toolbar pre-selected, so make sure you uncheck the box)

    You can delete JavaRa (zip and exe)

    Remove Programs

    Older versions of some programs have vulnerabilities that malware can use to infect your system.

    Now click Start---Control Panel. Double click Add or Remove Programs.
    If any of the following programs are still listed there, click on the program to highlight it, and click on remove.
    • Adobe Reader 7.1.0

      J2SE Runtime Environment 5.0 Update 2
      J2SE Runtime Environment 5.0 Update 4
      J2SE Runtime Environment 5.0 Update 6
      J2SE Runtime Environment 5.0 Update 9
      J2SE Runtime Environment 5.0
      Java(TM) 6 Update 13
      Java(TM) 6 Update 3
      Java(TM) 6 Update 5
      Java(TM) 6 Update 7
      Java(TM) SE Runtime Environment 6 Update 1
    Now close the Control Panel.
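The RSIT "Installed programs" dump above is what the helper reads to spot the stale Java runtimes listed in this step. As an added example (not part of the thread or of RSIT), this script parses lines in RSIT's `Name-->uninstall command` format and reports every JRE entry except the newest one, the same set the helper asks the poster to remove; the sample lines and GUIDs are constructed placeholders.

```python
"""Flag stale Java runtimes in an RSIT-style 'Installed programs' dump.

Added example, not part of the forum thread or the RSIT tool. It parses the
'Name-->uninstall command' lines RSIT writes and reports every JRE entry
except the single newest one, which is what the helper's 'Remove Programs'
step asks the poster to uninstall by hand.
"""
import re

# Constructed sample in RSIT's 'Name-->command' format (GUIDs are placeholders).
SAMPLE = """\
Adobe Reader 7.1.0-->MsiExec.exe /I{PLACEHOLDER-GUID-1}
J2SE Runtime Environment 5.0 Update 2-->MsiExec.exe /I{PLACEHOLDER-GUID-2}
J2SE Runtime Environment 5.0 Update 9-->MsiExec.exe /I{PLACEHOLDER-GUID-3}
J2SE Runtime Environment 5.0-->MsiExec.exe /I{PLACEHOLDER-GUID-4}
Java(TM) 6 Update 13-->MsiExec.exe /X{PLACEHOLDER-GUID-5}
Java(TM) 6 Update 3-->MsiExec.exe /I{PLACEHOLDER-GUID-6}
Java(TM) SE Runtime Environment 6 Update 1-->MsiExec.exe /I{PLACEHOLDER-GUID-7}
Mozilla Firefox (3.0.11)-->C:\\Program Files\\Mozilla Firefox\\uninstall\\helper.exe
"""

# Matches the three naming styles seen in the dump:
#   'J2SE Runtime Environment 5.0 Update 9', 'Java(TM) 6 Update 13',
#   'Java(TM) SE Runtime Environment 6 Update 1'. The 'Update N' part is optional.
JRE_RE = re.compile(
    r"^(?:J2SE Runtime Environment|Java\(TM\)(?: SE Runtime Environment)?)\s+"
    r"(?P<major>\d+)(?:\.\d+)?(?:\s+Update\s+(?P<update>\d+))?$"
)


def parse_programs(dump: str):
    """Yield (name, uninstall_command) pairs from RSIT-style lines."""
    for line in dump.splitlines():
        if "-->" not in line:
            continue  # not a program entry (section headers, blank lines)
        name, _, cmd = line.partition("-->")
        yield name.strip(), cmd.strip()


def jre_version(name: str):
    """Return (major, update) for a JRE entry, or None if the entry is not a JRE."""
    m = JRE_RE.match(name)
    if not m:
        return None
    return int(m.group("major")), int(m.group("update") or 0)


def stale_jres(dump: str):
    """Return the names of all JRE entries except the newest (major, update) seen.

    For the sample this yields every 5.0 build and every 6 build below
    Update 13, matching the list in the helper's 'Remove Programs' step.
    """
    found = []
    for name, _cmd in parse_programs(dump):
        ver = jre_version(name)
        if ver is not None:
            found.append((ver, name))
    if not found:
        return []
    newest = max(ver for ver, _ in found)
    return sorted(name for ver, name in found if ver != newest)


if __name__ == "__main__":
    for entry in stale_jres(SAMPLE):
        print("stale JRE, remove via Add/Remove Programs:", entry)
```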
  • edited August 2009
    I had read your advice on P2P prior to the scans and thought I had uninstalled. Apology.

    Tried to run gner to no avail, nothing really happened. Do you want me to have another try at that prior to the next step?
  • edited August 2009
    Katana

    Some success, pt 1

    GMER 1.0.15.15011 [gmer.exe] - http://www.gmer.net
    Rootkit scan 2009-08-04 12:46:36
    Windows 5.1.2600 Service Pack 3

    ---- System - GMER 1.0.15 ----
    SSDT 82C4AC40 ZwCreateKey
    SSDT 82C4A140 ZwCreateProcess
    SSDT 82C4A400 ZwCreateProcessEx
    SSDT 82C4BAA0 ZwCreateThread
    SSDT 82C4B1C0 ZwDeleteKey
    SSDT 82C4B480 ZwDeleteValueKey
    SSDT 82C4BC40 ZwLoadDriver
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF85203FA]
    SSDT 82C4A6C0 ZwOpenProcess
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF8522422]
    SSDT 82C4AF00 ZwSetValueKey
    SSDT 82C4A980 ZwTerminateProcess
    SSDT 82C4B900 ZwWriteVirtualMemory
    ---- Kernel code sections - GMER 1.0.15 ----
    ? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !
    ---- User code sections - GMER 1.0.15 ----
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [77, 5F] {JA 0x61}
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [65, 5F]
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F940F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9D0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F380F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00680001
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F440F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F3E0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F410F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F4C0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA90F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F820F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F470F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F9A0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F910F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F670F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F850F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F6A0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5E0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F970F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F8B0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F880F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8E0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [A1, 5F]
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F3B0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F790F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F5B0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F580F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F520F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F550F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6D0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F700F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A7, 5F] {CMPSD ; POP EDI}
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7C0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA30F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F730F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F610F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[180] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [80, 5F]
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [77, 5F] {JA 0x61}
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [65, 5F]
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F940F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9D0F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F380F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01DF0001
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F440F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F3E0F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F410F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F4C0F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA90F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F820F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F470F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F9A0F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F910F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F670F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F850F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F6A0F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5E0F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F970F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F8B0F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F880F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8E0F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [A1, 5F]
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F3B0F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F790F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6D0F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F700F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A7, 5F] {CMPSD ; POP EDI}
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7C0F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA30F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F730F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F610F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [80, 5F]
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F5B0F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F580F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F520F5A
    .text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F550F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [84, 5F]
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [72, 5F] {JB 0x61}
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5FA10F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5FAA0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F450F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00ED0001
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F510F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F4B0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F4E0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F5C0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F590F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FB60F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F8F0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F540F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [43, 5F] {INC EBX; POP EDI}
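Reading hook listings like the one above by eye is error-prone, so here is an added Python helper (written for this edit, not part of the thread or of GMER) that parses GMER "User code sections" lines, separates detours GMER resolved to a named DLL from those it could not map to a module, and lists process-creation APIs redirected into a module, which is what the Explorer.EXE entries in pt 2 show for lfwmf11n32.dll. The embedded sample is an excerpt of the log posted in this thread; the list of process-creation APIs and the grouping are assumptions of the helper, not GMER's own classification.

```python
import re
from collections import defaultdict

# Excerpt of the GMER "User code sections" posted in this thread (pt 1 and pt 2),
# embedded as sample input so the helper runs offline.
SAMPLE_LOG = r"""---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[668] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[668] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [79, 5F] {JNS 0x61}
.text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F980F5A
.text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02650001
.text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 1000E3CD C:\WINDOWS\System32\lfwmf11n32.dll
.text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 1000E375 C:\WINDOWS\System32\lfwmf11n32.dll
.text C:\WINDOWS\Explorer.EXE[668] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 1000E4B4 C:\WINDOWS\System32\lfwmf11n32.dll
.text C:\WINDOWS\Explorer.EXE[668] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 1000E43F C:\WINDOWS\System32\lfwmf11n32.dll
.text C:\WINDOWS\Explorer.EXE[668] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 5 Bytes JMP 1000E529 C:\WINDOWS\System32\lfwmf11n32.dll
.text C:\WINDOWS\System32\svchost.exe[648] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\LogMeIn\x86\LogMeIn.exe[232] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
"""

# One GMER user-mode hook line:
#   .text <process>[<pid>] <module>!<export>[ + <hex offset>] <address> <n> Bytes <patch>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<function>\S+)"
    r"(?:\s+\+\s+(?P<offset>[0-9A-Fa-f]+))?\s+"
    r"(?P<address>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+(?P<patch>.+)$"
)
# The patch column is a JMP/CALL to a target (which GMER may resolve to a module
# path) or a raw byte listing such as "[FF, 25, 1E]".
REDIRECT_RE = re.compile(
    r"^(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<target_module>\S.*))?$"
)
# APIs whose interception lets a module see or alter every program launch.
# This list is an assumption of the helper, not a GMER classification.
PROCESS_CREATION_APIS = {
    "CreateProcessA", "CreateProcessW", "CreateProcessAsUserA", "CreateProcessAsUserW",
    "CreateProcessWithLogonW", "WinExec", "ShellExecuteA", "ShellExecuteW",
    "ShellExecuteEx", "ShellExecuteExW",
}

def parse_hook(line):
    """Parse one '.text' line into a dict; return None for any other line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    hook = m.groupdict()
    hook["pid"] = int(hook["pid"])
    hook["offset"] = int(hook["offset"], 16) if hook["offset"] else 0
    hook["nbytes"] = int(hook["nbytes"])
    r = REDIRECT_RE.match(hook["patch"].strip())
    if r:                                       # JMP/CALL detour
        hook["kind"] = r.group("kind")
        hook["target"] = r.group("target")
        hook["target_module"] = r.group("target_module")  # None if GMER did not map it
    else:                                       # inline byte patch, no resolved target
        hook["kind"], hook["target"], hook["target_module"] = "BYTES", None, None
    return hook

def parse_log(text):
    """Return every hook record in a GMER log; headers and SSDT lines are skipped."""
    return [h for h in (parse_hook(ln) for ln in text.splitlines()) if h]

def hooks_by_target_module(hooks):
    """Group JMP/CALL detours by the module GMER resolved the target to.
    Detours with an unresolved target are grouped under None."""
    groups = defaultdict(list)
    for h in hooks:
        if h["kind"] in ("JMP", "CALL"):
            groups[h["target_module"]].append(h)
    return dict(groups)

def report_named_redirects(hooks):
    """Map each named target module to sorted (process, module!function) pairs, so a
    responder sees which DLL owns which detours across processes."""
    report = {}
    for mod, hs in hooks_by_target_module(hooks).items():
        if mod is not None:
            report[mod] = sorted({(h["process"], h["module"] + "!" + h["function"]) for h in hs})
    return report

def find_process_creation_detours(hooks):
    """Hooks that send a process-creation API into a named DLL, the pattern the
    Explorer.EXE entries of the posted log show for lfwmf11n32.dll."""
    return [h for h in hooks if h["kind"] == "JMP" and h["target_module"] is not None
            and h["function"] in PROCESS_CREATION_APIS]

if __name__ == "__main__":
    hooks = parse_log(SAMPLE_LOG)
    unresolved = hooks_by_target_module(hooks).get(None, [])
    print(f"{len(hooks)} hooks parsed, {len(unresolved)} detours with unresolved targets")
    for mod, pairs in report_named_redirects(hooks).items():
        print(f"\nDetours into {mod}:")
        for proc, api in pairs:
            print(f"  {proc}  {api}")
    for h in find_process_creation_detours(hooks):
        print(f"\nprocess-creation API {h['module']}!{h['function']} detoured in "
              f"{h['process']}[{h['pid']}] -> {h['target_module']}")
```

Feed it the full log text instead of the excerpt and the report lists, per DLL, every process and API it detours; the unresolved group is where hooks GMER could not attribute to a module collect for manual comparison across processes.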
  • edited August 2009
    pt 2

    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5FA70F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F9E0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F740F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F920F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F770F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F6B0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5FA40F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F980F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F950F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F9B0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [AE, 5F] {SCASB ; POP EDI}
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F480F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F860F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F3C0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F350F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [3A, 5F]
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F7A0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F7D0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [B4, 5F] {MOV AH, 0x5f}
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F890F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FB00F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F800F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F3F0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F6E0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [8D, 5F]
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F680F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F650F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F5F0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[328] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F620F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\AGRSMMSG.exe[408] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [84, 5F]
    .text C:\WINDOWS\AGRSMMSG.exe[408] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\AGRSMMSG.exe[408] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [72, 5F] {JB 0x61}
    .text C:\WINDOWS\AGRSMMSG.exe[408] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5FA10F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5FAA0F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F450F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D00001
    .text C:\WINDOWS\AGRSMMSG.exe[408] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F510F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F4B0F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F4E0F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F5C0F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F590F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FB60F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F8F0F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F540F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\AGRSMMSG.exe[408] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [43, 5F] {INC EBX; POP EDI}
    .text C:\WINDOWS\AGRSMMSG.exe[408] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5FA70F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F9E0F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F740F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F920F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F770F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F6B0F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5FA40F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F3C0F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F350F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\AGRSMMSG.exe[408] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [3A, 5F]
    .text C:\WINDOWS\AGRSMMSG.exe[408] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F7A0F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F7D0F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\AGRSMMSG.exe[408] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [B4, 5F] {MOV AH, 0x5f}
    .text C:\WINDOWS\AGRSMMSG.exe[408] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F890F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FB00F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F800F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F3F0F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F6E0F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\AGRSMMSG.exe[408] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [8D, 5F]
    .text C:\WINDOWS\AGRSMMSG.exe[408] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F980F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F950F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F9B0F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\AGRSMMSG.exe[408] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [AE, 5F] {SCASB ; POP EDI}
    .text C:\WINDOWS\AGRSMMSG.exe[408] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F480F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F860F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F680F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F650F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F5F0F5A
    .text C:\WINDOWS\AGRSMMSG.exe[408] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F620F5A
    .text C:\WINDOWS\System32\svchost.exe[648] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[648] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [77, 5F] {JA 0x61}
    .text C:\WINDOWS\System32\svchost.exe[648] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[648] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [65, 5F]
    .text C:\WINDOWS\System32\svchost.exe[648] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F940F5A
    .text C:\WINDOWS\System32\svchost.exe[648] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9D0F5A
    .text C:\WINDOWS\System32\svchost.exe[648] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F380F5A
    .text C:\WINDOWS\System32\svchost.exe[648] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00650001
    .text C:\WINDOWS\System32\svchost.exe[648] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F440F5A
    .text C:\WINDOWS\System32\svchost.exe[648] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F3E0F5A
    .text C:\WINDOWS\System32\svchost.exe[648] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F410F5A
    .text C:\WINDOWS\System32\svchost.exe[648] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
    .text C:\WINDOWS\System32\svchost.exe[648] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F4C0F5A
    .text C:\WINDOWS\System32\svchost.exe[648] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA90F5A
    .text C:\WINDOWS\System32\svchost.exe[648] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F820F5A
    .text C:\WINDOWS\System32\svchost.exe[648] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F470F5A
    .text C:\WINDOWS\System32\svchost.exe[648] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[648] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
    .text C:\WINDOWS\System32\svchost.exe[648] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F9A0F5A
    .text C:\WINDOWS\System32\svchost.exe[648] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F910F5A
    .text C:\WINDOWS\System32\svchost.exe[648] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F670F5A
    .text C:\WINDOWS\System32\svchost.exe[648] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F850F5A
    .text C:\WINDOWS\System32\svchost.exe[648] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F6A0F5A
    .text C:\WINDOWS\System32\svchost.exe[648] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5E0F5A
    .text C:\WINDOWS\System32\svchost.exe[648] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F970F5A
    .text C:\WINDOWS\System32\svchost.exe[648] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F8B0F5A
    .text C:\WINDOWS\System32\svchost.exe[648] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F880F5A
    .text C:\WINDOWS\System32\svchost.exe[648] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8E0F5A
    .text C:\WINDOWS\System32\svchost.exe[648] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[648] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [A1, 5F]
    .text C:\WINDOWS\System32\svchost.exe[648] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F3B0F5A
    .text C:\WINDOWS\System32\svchost.exe[648] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F790F5A
    .text C:\WINDOWS\System32\svchost.exe[648] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\System32\svchost.exe[648] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6D0F5A
    .text C:\WINDOWS\System32\svchost.exe[648] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F700F5A
    .text C:\WINDOWS\System32\svchost.exe[648] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[648] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A7, 5F] {CMPSD ; POP EDI}
    .text C:\WINDOWS\System32\svchost.exe[648] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\System32\svchost.exe[648] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7C0F5A
    .text C:\WINDOWS\System32\svchost.exe[648] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA30F5A
    .text C:\WINDOWS\System32\svchost.exe[648] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F730F5A
    .text C:\WINDOWS\System32\svchost.exe[648] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F610F5A
    .text C:\WINDOWS\System32\svchost.exe[648] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[648] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [80, 5F]
    .text C:\WINDOWS\System32\svchost.exe[648] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F5B0F5A
    .text C:\WINDOWS\System32\svchost.exe[648] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F580F5A
    .text C:\WINDOWS\System32\svchost.exe[648] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F520F5A
    .text C:\WINDOWS\System32\svchost.exe[648] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F550F5A
    .text C:\WINDOWS\Explorer.EXE[668] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\Explorer.EXE[668] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [79, 5F] {JNS 0x61}
    .text C:\WINDOWS\Explorer.EXE[668] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\Explorer.EXE[668] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [67, 5F]
    .text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F980F5A
    .text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5FA10F5A
    .text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F380F5A
    .text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02650001
    .text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F440F5A
    .text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F3E0F5A
    .text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F410F5A
    .text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 1000E3CD C:\WINDOWS\System32\lfwmf11n32.dll
    .text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 1000E375 C:\WINDOWS\System32\lfwmf11n32.dll
    .text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FAD0F5A
    .text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F860F5A
    .text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F470F5A
    .text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
    .text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F9E0F5A
    .text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F950F5A
    .text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F690F5A
    .text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F890F5A
    .text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F6C0F5A
    .text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F600F5A
    .text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F9B0F5A
    .text C:\WINDOWS\Explorer.EXE[668] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F8F0F5A
    .text C:\WINDOWS\Explorer.EXE[668] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F8C0F5A
    .text C:\WINDOWS\Explorer.EXE[668] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F920F5A
    .text C:\WINDOWS\Explorer.EXE[668] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 1000E4B4 C:\WINDOWS\System32\lfwmf11n32.dll
    .text C:\WINDOWS\Explorer.EXE[668] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\Explorer.EXE[668] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [A5, 5F] {MOVSD ; POP EDI}
    .text C:\WINDOWS\Explorer.EXE[668] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 1000E43F C:\WINDOWS\System32\lfwmf11n32.dll
    .text C:\WINDOWS\Explorer.EXE[668] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 5 Bytes JMP 1000E529 C:\WINDOWS\System32\lfwmf11n32.dll
    .text C:\WINDOWS\Explorer.EXE[668] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F3B0F5A
    .text C:\WINDOWS\Explorer.EXE[668] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F7B0F5A
    .text C:\WINDOWS\Explorer.EXE[668] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\Explorer.EXE[668] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6F0F5A
    .text C:\WINDOWS\Explorer.EXE[668] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F720F5A
    .text C:\WINDOWS\Explorer.EXE[668] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\Explorer.EXE[668] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [AB, 5F] {STOSD ; POP EDI}
    .text C:\WINDOWS\Explorer.EXE[668] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\Explorer.EXE[668] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7E0F5A
    .text C:\WINDOWS\Explorer.EXE[668] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA70F5A
    .text C:\WINDOWS\Explorer.EXE[668] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F750F5A
    .text C:\WINDOWS\Explorer.EXE[668] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F630F5A
    .text C:\WINDOWS\Explorer.EXE[668] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\Explorer.EXE[668] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [84, 5F]
    .text C:\WINDOWS\Explorer.EXE[668] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F5D0F5A
    .text C:\WINDOWS\Explorer.EXE[668] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F5A0F5A
    .text C:\WINDOWS\Explorer.EXE[668] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F540F5A
    .text C:\WINDOWS\Explorer.EXE[668] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F570F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [77, 5F] {JA 0x61}
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [65, 5F]
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F940F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9D0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F380F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D80001
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F440F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F3E0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F410F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F4C0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA90F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F820F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F470F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F9A0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F910F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F670F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F850F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F6A0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5E0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F970F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6D0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F700F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A7, 5F] {CMPSD ; POP EDI}
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7C0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA30F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F730F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F610F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [80, 5F]
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F8B0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F880F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8E0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [A1, 5F]
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F3B0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F790F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F5B0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F580F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F520F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[784] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F550F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [84, 5F]
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [72, 5F] {JB 0x61}
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5FA10F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5FAA0F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F450F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01B20001
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F510F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F4B0F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F4E0F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F5C0F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F590F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FB60F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F8F0F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F540F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [43, 5F] {INC EBX; POP EDI}
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5FA70F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F9E0F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F740F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F920F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F770F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F6B0F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5FA40F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F980F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F950F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F9B0F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [AE, 5F] {SCASB ; POP EDI}
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F480F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F860F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F3C0F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F350F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [3A, 5F]
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F7A0F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F7D0F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [B4, 5F] {MOV AH, 0x5f}
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F890F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FB00F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F800F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F3F0F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F6E0F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [8D, 5F]
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F680F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F650F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F5F0F5A
    .text C:\Program Files\Logitech\Video\LogiTray.exe[796] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F620F5A
    .text C:\WINDOWS\system32\csrss.exe[840] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01860001
    .text C:\WINDOWS\system32\csrss.exe[840] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\system32\csrss.exe[840] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\system32\winlogon.exe[864] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F4A0F5A
    .text C:\WINDOWS\system32\winlogon.exe[864] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F530F5A
    .text C:\WINDOWS\system32\winlogon.exe[864] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F380F5A
    .text C:\WINDOWS\system32\winlogon.exe[864] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 015B0001
    .text C:\WINDOWS\system32\winlogon.exe[864] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5F5F0F5A
    .text C:\WINDOWS\system32\winlogon.exe[864] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F350F5A
    .text C:\WINDOWS\system32\winlogon.exe[864] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F500F5A
    .text C:\WINDOWS\system32\winlogon.exe[864] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F470F5A
    .text C:\WINDOWS\system32\winlogon.exe[864] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F3B0F5A
    .text C:\WINDOWS\system32\winlogon.exe[864] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F4D0F5A
    .text C:\WINDOWS\system32\winlogon.exe[864] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F410F5A
    .text C:\WINDOWS\system32\winlogon.exe[864] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F3E0F5A
    .text C:\WINDOWS\system32\winlogon.exe[864] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F440F5A
    .text C:\WINDOWS\system32\winlogon.exe[864] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[864] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [57, 5F] {PUSH EDI; POP EDI}
    .text C:\WINDOWS\system32\winlogon.exe[864] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\system32\winlogon.exe[864] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[864] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [5D, 5F] {POP EBP; POP EDI}
    .text C:\WINDOWS\system32\winlogon.exe[864] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\system32\winlogon.exe[864] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5F590F5A
    .text C:\WINDOWS\system32\services.exe[912] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[912] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [6B, 5F]
    .text C:\WINDOWS\system32\services.exe[912] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[912] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [59, 5F] {POP ECX; POP EDI}
    .text C:\WINDOWS\system32\services.exe[912] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F890F5A
    .text C:\WINDOWS\system32\services.exe[912] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F920F5A
    .text C:\WINDOWS\system32\services.exe[912] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F380F5A
    .text C:\WINDOWS\system32\services.exe[912] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FF0001
    .text C:\WINDOWS\system32\services.exe[912] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F440F5A
    .text C:\WINDOWS\system32\services.exe[912] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F3E0F5A
    .text C:\WINDOWS\system32\services.exe[912] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F410F5A
    .text C:\WINDOWS\system32\services.exe[912] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
    .text C:\WINDOWS\system32\services.exe[912] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F4C0F5A
    .text C:\WINDOWS\system32\services.exe[912] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5F9E0F5A
    .text C:\WINDOWS\system32\services.exe[912] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F760F5A
    .text C:\WINDOWS\system32\services.exe[912] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F470F5A
    .text C:\WINDOWS\system32\services.exe[912] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[912] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
    .text C:\WINDOWS\system32\services.exe[912] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F8F0F5A
    .text C:\WINDOWS\system32\services.exe[912] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F860F5A
    .text C:\WINDOWS\system32\services.exe[912] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F5B0F5A
    .text C:\WINDOWS\system32\services.exe[912] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F7A0F5A
    .text C:\WINDOWS\system32\services.exe[912] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F5E0F5A
    .text C:\WINDOWS\system32\services.exe[912] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F520F5A
    .text C:\WINDOWS\system32\services.exe[912] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F8C0F5A
    .text C:\WINDOWS\system32\services.exe[912] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F800F5A
    .text C:\WINDOWS\system32\services.exe[912] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F7D0F5A
    .text C:\WINDOWS\system32\services.exe[912] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F830F5A
    .text C:\WINDOWS\system32\services.exe[912] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[912] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [96, 5F] {XCHG ESI, EAX; POP EDI}
    .text C:\WINDOWS\system32\services.exe[912] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F3B0F5A
    .text C:\WINDOWS\system32\services.exe[912] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F6D0F5A
    .text C:\WINDOWS\system32\services.exe[912] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\system32\services.exe[912] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F610F5A
    .text C:\WINDOWS\system32\services.exe[912] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F640F5A
    .text C:\WINDOWS\system32\services.exe[912] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[912] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [9C, 5F] {PUSHF ; POP EDI}
    .text C:\WINDOWS\system32\services.exe[912] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\system32\services.exe[912] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F700F5A
    .text C:\WINDOWS\system32\services.exe[912] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5F980F5A
    .text C:\WINDOWS\system32\services.exe[912] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F670F5A
    .text C:\WINDOWS\system32\services.exe[912] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F550F5A
    .text C:\WINDOWS\system32\services.exe[912] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[912] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [74, 5F] {JZ 0x61}
    .text C:\WINDOWS\system32\lsass.exe[924] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[924] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [77, 5F] {JA 0x61}
    .text C:\WINDOWS\system32\lsass.exe[924] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[924] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [65, 5F]
    .text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F940F5A
    .text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9D0F5A
    .text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F380F5A
    .text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01260001
    .text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F440F5A
    .text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F3E0F5A
    .text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F410F5A
    .text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
    .text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F4C0F5A
    .text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA90F5A
    .text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F820F5A
    .text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F470F5A
    .text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
    .text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F9A0F5A
    .text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F910F5A
    .text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F670F5A
    .text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F850F5A
    .text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F6A0F5A
    .text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5E0F5A
    .text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F970F5A
    .text C:\WINDOWS\system32\lsass.exe[924] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F8B0F5A
    .text C:\WINDOWS\system32\lsass.exe[924] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F880F5A
    .text C:\WINDOWS\system32\lsass.exe[924] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8E0F5A
    .text C:\WINDOWS\system32\lsass.exe[924] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[924] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [A1, 5F]
    .text C:\WINDOWS\system32\lsass.exe[924] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F3B0F5A
    .text C:\WINDOWS\system32\lsass.exe[924] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F790F5A
    .text C:\WINDOWS\system32\lsass.exe[924] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\system32\lsass.exe[924] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6D0F5A
    .text C:\WINDOWS\system32\lsass.exe[924] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F700F5A
    .text C:\WINDOWS\system32\lsass.exe[924] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[924] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A7, 5F] {CMPSD ; POP EDI}
    .text C:\WINDOWS\system32\lsass.exe[924] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\system32\lsass.exe[924] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7C0F5A
    .text C:\WINDOWS\system32\lsass.exe[924] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA30F5A
    .text C:\WINDOWS\system32\lsass.exe[924] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F730F5A
    .text C:\WINDOWS\system32\lsass.exe[924] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F610F5A
    .text C:\WINDOWS\system32\lsass.exe[924] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[924] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [80, 5F]
    .text C:\WINDOWS\system32\lsass.exe[924] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F5B0F5A
    .text C:\WINDOWS\system32\lsass.exe[924] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F580F5A
    .text C:\WINDOWS\system32\lsass.exe[924] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F520F5A
    .text C:\WINDOWS\system32\lsass.exe[924] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F550F5A
    .text C:\WINDOWS\System32\alg.exe[1024] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\alg.exe[1024] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [77, 5F] {JA 0x61}
    .text C:\WINDOWS\System32\alg.exe[1024] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\alg.exe[1024] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [65, 5F]
    .text C:\WINDOWS\System32\alg.exe[1024] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F940F5A
    .text C:\WINDOWS\System32\alg.exe[1024] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9D0F5A
    .text C:\WINDOWS\System32\alg.exe[1024] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F380F5A
    .text C:\WINDOWS\System32\alg.exe[1024] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00680001
    .text C:\WINDOWS\System32\alg.exe[1024] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F440F5A
    .text C:\WINDOWS\System32\alg.exe[1024] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F3E0F5A
    .text C:\WINDOWS\System32\alg.exe[1024] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F410F5A
    .text C:\WINDOWS\System32\alg.exe[1024] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
    .text C:\WINDOWS\System32\alg.exe[1024] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F4C0F5A
    .text C:\WINDOWS\System32\alg.exe[1024] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA90F5A
    .text C:\WINDOWS\System32\alg.exe[1024] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
    .text C:\WINDOWS\System32\alg.exe[1024] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F820F5A
    .text C:\WINDOWS\System32\alg.exe[1024] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F470F5A
    .text C:\WINDOWS\System32\alg.exe[1024] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\alg.exe[1024] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
    .text C:\WINDOWS\System32\alg.exe[1024] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F9A0F5A
    .text C:\WINDOWS\System32\alg.exe[1024] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F910F5A
    .text C:\WINDOWS\System32\alg.exe[1024] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F670F5A
    .text C:\WINDOWS\System32\alg.exe[1024] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F850F5A
    .text C:\WINDOWS\System32\alg.exe[1024] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F6A0F5A
    .text C:\WINDOWS\System32\alg.exe[1024] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5E0F5A
    .text C:\WINDOWS\System32\alg.exe[1024] kernel32.dll!
  • edited August 2009
    pt 3

    CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F970F5A
    .text C:\WINDOWS\System32\alg.exe[1024] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\System32\alg.exe[1024] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6D0F5A
    .text C:\WINDOWS\System32\alg.exe[1024] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F700F5A
    .text C:\WINDOWS\System32\alg.exe[1024] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\alg.exe[1024] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A7, 5F] {CMPSD ; POP EDI}
    .text C:\WINDOWS\System32\alg.exe[1024] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\System32\alg.exe[1024] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7C0F5A
    .text C:\WINDOWS\System32\alg.exe[1024] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA30F5A
    .text C:\WINDOWS\System32\alg.exe[1024] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F730F5A
    .text C:\WINDOWS\System32\alg.exe[1024] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F610F5A
    .text C:\WINDOWS\System32\alg.exe[1024] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\alg.exe[1024] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [80, 5F]
    .text C:\WINDOWS\System32\alg.exe[1024] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F8B0F5A
    .text C:\WINDOWS\System32\alg.exe[1024] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F880F5A
    .text C:\WINDOWS\System32\alg.exe[1024] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8E0F5A
    .text C:\WINDOWS\System32\alg.exe[1024] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\alg.exe[1024] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [A1, 5F]
    .text C:\WINDOWS\System32\alg.exe[1024] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F3B0F5A
    .text C:\WINDOWS\System32\alg.exe[1024] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F790F5A
    .text C:\WINDOWS\System32\alg.exe[1024] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F5B0F5A
    .text C:\WINDOWS\System32\alg.exe[1024] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F580F5A
    .text C:\WINDOWS\System32\alg.exe[1024] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F520F5A
    .text C:\WINDOWS\System32\alg.exe[1024] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F550F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1120] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [77, 5F] {JA 0x61}
    .text C:\WINDOWS\system32\svchost.exe[1120] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1120] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [65, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F940F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9D0F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F380F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EE0001
    .text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F440F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F3E0F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F410F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F4C0F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA90F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F820F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F470F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F9A0F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F910F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F670F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F850F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F6A0F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5E0F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F970F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F8B0F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F880F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8E0F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [A1, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F3B0F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F790F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6D0F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F700F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1120] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A7, 5F] {CMPSD ; POP EDI}
    .text C:\WINDOWS\system32\svchost.exe[1120] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7C0F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA30F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F730F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F610F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1120] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [80, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1120] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F5B0F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F580F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F520F5A
    .text C:\WINDOWS\system32\svchost.exe[1120] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F550F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [84, 5F]
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [72, 5F] {JB 0x61}
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5FA10F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5FAA0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F450F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F50001
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F510F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F4B0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F4E0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F5C0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F590F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FB60F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F8F0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F540F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [43, 5F] {INC EBX; POP EDI}
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5FA70F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F9E0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F740F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F920F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F770F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F6B0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5FA40F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F980F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F950F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F9B0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [AE, 5F] {SCASB ; POP EDI}
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F480F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F860F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F3C0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F350F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [3A, 5F]
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F7A0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F7D0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [B4, 5F] {MOV AH, 0x5f}
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F890F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FB00F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F800F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F3F0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F6E0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [8D, 5F]
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F680F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F650F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F5F0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe[1184] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F620F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1208] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [77, 5F] {JA 0x61}
    .text C:\WINDOWS\system32\svchost.exe[1208] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1208] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [65, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F940F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9D0F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F380F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FB0001
    .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F440F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F3E0F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F410F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F4C0F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA90F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F820F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F470F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F9A0F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F910F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F670F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F850F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F6A0F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5E0F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F970F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F8B0F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F880F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8E0F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [A1, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F3B0F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F790F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6D0F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F700F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1208] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A7, 5F] {CMPSD ; POP EDI}
    .text C:\WINDOWS\system32\svchost.exe[1208] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7C0F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA30F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F730F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F610F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1208] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [80, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1208] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F5B0F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F580F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F520F5A
    .text C:\WINDOWS\system32\svchost.exe[1208] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F550F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [6B, 5F]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [59, 5F] {POP ECX; POP EDI}
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F880F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F910F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F380F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D10001
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F440F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F3E0F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F410F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F4C0F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5F9D0F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F760F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F470F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F8E0F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F850F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F5B0F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F790F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F5E0F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F520F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F8B0F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F7F0F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F7C0F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F820F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [95, 5F] {XCHG EBP, EAX; POP EDI}
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F3B0F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F6D0F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F610F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F640F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [9B, 5F] {WAIT ; POP EDI}
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F700F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5F970F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F670F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F550F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1252] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [74, 5F] {JZ 0x61}
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [77, 5F] {JA 0x61}
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [65, 5F]
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F940F5A
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9D0F5A
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F380F5A
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A10001
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F440F5A
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F3E0F5A
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F410F5A
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F4C0F5A
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA90F5A
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F820F5A
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F470F5A
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F9A0F5A
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F910F5A
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F670F5A
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F850F5A
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F6A0F5A
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5E0F5A
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F970F5A
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F8B0F5A
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F880F5A
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8E0F5A
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [A1, 5F]
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1260] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F3B0F5A
  • edited August 2009
    pt 4

    .text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F470F5A
    .text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
    .text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F9A0F5A
    .text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F910F5A
    .text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F670F5A
    .text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F850F5A
    .text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F6A0F5A
    .text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5E0F5A
    .text C:\WINDOWS\System32\svchost.exe[1588] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F970F5A
    .text C:\WINDOWS\System32\svchost.exe[1588] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F8B0F5A
    .text C:\WINDOWS\System32\svchost.exe[1588] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F880F5A
    .text C:\WINDOWS\System32\svchost.exe[1588] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8E0F5A
    .text C:\WINDOWS\System32\svchost.exe[1588] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[1588] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [A1, 5F]
    .text C:\WINDOWS\System32\svchost.exe[1588] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F3B0F5A
    .text C:\WINDOWS\System32\svchost.exe[1588] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F790F5A
    .text C:\WINDOWS\System32\svchost.exe[1588] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\System32\svchost.exe[1588] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6D0F5A
    .text C:\WINDOWS\System32\svchost.exe[1588] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F700F5A
    .text C:\WINDOWS\System32\svchost.exe[1588] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[1588] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A7, 5F] {CMPSD ; POP EDI}
    .text C:\WINDOWS\System32\svchost.exe[1588] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\System32\svchost.exe[1588] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7C0F5A
    .text C:\WINDOWS\System32\svchost.exe[1588] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA30F5A
    .text C:\WINDOWS\System32\svchost.exe[1588] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F730F5A
    .text C:\WINDOWS\System32\svchost.exe[1588] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F610F5A
    .text C:\WINDOWS\System32\svchost.exe[1588] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[1588] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [80, 5F]
    .text C:\WINDOWS\System32\svchost.exe[1588] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F5B0F5A
    .text C:\WINDOWS\System32\svchost.exe[1588] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F580F5A
    .text C:\WINDOWS\System32\svchost.exe[1588] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F520F5A
    .text C:\WINDOWS\System32\svchost.exe[1588] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F550F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [84, 5F]
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [72, 5F] {JB 0x61}
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5FA10F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5FAA0F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F450F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F70001
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F510F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F4B0F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F4E0F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F5C0F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F590F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FB60F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F8F0F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F540F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [43, 5F] {INC EBX; POP EDI}
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5FA70F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F9E0F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F740F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F920F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F770F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F6B0F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5FA40F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F980F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F950F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F9B0F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [AE, 5F] {SCASB ; POP EDI}
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F480F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F860F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F3C0F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F350F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [3A, 5F]
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F7A0F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F7D0F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [B4, 5F] {MOV AH, 0x5f}
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F890F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FB00F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F800F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F3F0F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F6E0F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [8D, 5F]
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F680F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F650F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F5F0F5A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1628] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F620F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [77, 5F] {JA 0x61}
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [65, 5F]
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F940F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9D0F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F380F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DC0001
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F440F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F3E0F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F410F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F4C0F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA90F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F820F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F470F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F9A0F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F910F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F670F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F850F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F6A0F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5E0F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F970F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F8B0F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F880F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8E0F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [A1, 5F]
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F3B0F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F790F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6D0F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F700F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A7, 5F] {CMPSD ; POP EDI}
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7C0F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA30F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F730F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F610F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [80, 5F]
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F5B0F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F580F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F520F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1716] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F550F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[1732] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [77, 5F] {JA 0x61}
    .text C:\WINDOWS\system32\spoolsv.exe[1732] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[1732] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [65, 5F]
    .text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F940F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9D0F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F380F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F50001
    .text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F440F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F3E0F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F410F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F4C0F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA90F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F820F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F470F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
    .text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F9A0F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F910F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F670F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F850F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F6A0F5A
  • edited August 2009
    pt 5

    .text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5E0F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F970F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F8B0F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F880F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8E0F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[1732] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [A1, 5F]
    .text C:\WINDOWS\system32\spoolsv.exe[1732] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F3B0F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F790F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6D0F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F700F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[1732] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A7, 5F] {CMPSD ; POP EDI}
    .text C:\WINDOWS\system32\spoolsv.exe[1732] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7C0F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA30F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F730F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F610F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[1732] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [80, 5F]
    .text C:\WINDOWS\system32\spoolsv.exe[1732] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F5B0F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F580F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F520F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1732] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F550F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\LVComS.exe[1944] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [84, 5F]
    .text C:\WINDOWS\system32\LVComS.exe[1944] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\LVComS.exe[1944] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [72, 5F] {JB 0x61}
    .text C:\WINDOWS\system32\LVComS.exe[1944] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5FA10F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5FAA0F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F450F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 014E0001
    .text C:\WINDOWS\system32\LVComS.exe[1944] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F510F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F4B0F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F4E0F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F5C0F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F590F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FB60F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F8F0F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F540F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\LVComS.exe[1944] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [43, 5F] {INC EBX; POP EDI}
    .text C:\WINDOWS\system32\LVComS.exe[1944] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5FA70F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F9E0F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F740F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F920F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F770F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F6B0F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5FA40F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F3C0F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F350F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\LVComS.exe[1944] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [3A, 5F]
    .text C:\WINDOWS\system32\LVComS.exe[1944] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F7A0F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F7D0F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\LVComS.exe[1944] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [B4, 5F] {MOV AH, 0x5f}
    .text C:\WINDOWS\system32\LVComS.exe[1944] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F890F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FB00F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F800F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F3F0F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F6E0F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\LVComS.exe[1944] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [8D, 5F]
    .text C:\WINDOWS\system32\LVComS.exe[1944] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F980F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F950F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F9B0F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\LVComS.exe[1944] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [AE, 5F] {SCASB ; POP EDI}
    .text C:\WINDOWS\system32\LVComS.exe[1944] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F480F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F860F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F680F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F650F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F5F0F5A
    .text C:\WINDOWS\system32\LVComS.exe[1944] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F620F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [84, 5F]
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [72, 5F] {JB 0x61}
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5FA10F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5FAA0F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F450F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 013C0001
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F510F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F4B0F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F4E0F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F5C0F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F590F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FB60F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F8F0F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F540F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [43, 5F] {INC EBX; POP EDI}
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5FA70F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F9E0F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F740F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F920F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F770F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F6B0F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5FA40F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F3C0F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F350F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [3A, 5F]
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F7A0F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F7D0F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [B4, 5F] {MOV AH, 0x5f}
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F890F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FB00F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F800F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F3F0F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F6E0F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [8D, 5F]
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F980F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F950F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F9B0F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [AE, 5F] {SCASB ; POP EDI}
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F480F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F860F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F680F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F650F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F5F0F5A
    .text C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe[1952] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F620F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [77, 5F] {JA 0x61}
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [65, 5F]
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F940F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9D0F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F380F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 007D0001
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F440F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F3E0F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F410F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F4C0F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA90F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F820F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F470F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F9A0F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F910F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F670F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F850F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F6A0F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5E0F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F970F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F8B0F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F880F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8E0F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [A1, 5F]
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F3B0F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F790F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6D0F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F700F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A7, 5F] {CMPSD ; POP EDI}
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7C0F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA30F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F730F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F610F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [80, 5F]
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] shell32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F5B0F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] shell32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F580F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] shell32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F520F5A
    .text C:\Program Files\LogMeIn\x86\RaMaint.exe[1992] shell32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F550F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[2052] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [77, 5F] {JA 0x61}
    .text C:\WINDOWS\System32\svchost.exe[2052] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[2052] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [65, 5F]
    .text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F940F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9D0F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F380F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 006B0001
    .text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F440F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F3E0F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F410F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F4C0F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA90F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F820F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F470F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
    .text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F9A0F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F910F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F670F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F850F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F6A0F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5E0F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F970F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F8B0F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F880F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8E0F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[2052] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [A1, 5F]
    .text C:\WINDOWS\System32\svchost.exe[2052] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F3B0F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F790F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6D0F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F700F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[2052] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A7, 5F] {CMPSD ; POP EDI}
    .text C:\WINDOWS\System32\svchost.exe[2052] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7C0F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA30F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F730F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F610F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[2052] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [80, 5F]
    .text C:\WINDOWS\System32\svchost.exe[2052] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F5B0F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F580F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F520F5A
    .text C:\WINDOWS\System32\svchost.exe[2052] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F550F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [6B, 5F]
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [59, 5F] {POP ECX; POP EDI}
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F880F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F910F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F380F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01060001
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F440F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F3E0F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F410F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F4C0F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5F9D0F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F760F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F470F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F8E0F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F850F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F5B0F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F790F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F5E0F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F520F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F8B0F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F610F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F640F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [9B, 5F] {WAIT ; POP EDI}
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F700F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5F970F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F670F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F550F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [74, 5F] {JZ 0x61}
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F7F0F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F7C0F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F820F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [95, 5F] {XCHG EBP, EAX; POP EDI}
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F3B0F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[2080] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F6D0F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [84, 5F]
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [72, 5F] {JB 0x61}
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5FA10F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5FAA0F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F450F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A70001
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F510F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F4B0F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F4E0F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F5C0F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F590F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FB60F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F8F0F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F540F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [43, 5F] {INC EBX; POP EDI}
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5FA70F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F9E0F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F740F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F920F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F770F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F6B0F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5FA40F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F3C0F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F350F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [3A, 5F]
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F7A0F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F7D0F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [B4, 5F] {MOV AH, 0x5f}
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F890F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FB00F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F800F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F3F0F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F6E0F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [8D, 5F]
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F980F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F950F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F9B0F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [AE, 5F] {SCASB ; POP EDI}
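The user-mode hook section above is easier to reason about once it is grouped rather than read line by line: in every listed process the 6-byte JMP hooks on kernel32/USER32/ADVAPI32/SHELL32 exports land in the same 5F2E0F5A to 5FB60F5A band, the 3+2 byte entries begin with FF 25 (the x86 opcode for an indirect `jmp dword ptr [imm32]`, of which GMER prints only the changed bytes), and the `LoadLibraryExW + C4` CALLs go to a low, per-process address (007D0001, 006B0001, 01060001, 00A70001, 01370001). The script below is an added example, not part of GMER or of the original post, that parses lines in this layout and clusters the hook targets so those two groups fall out automatically. The line grammar it assumes is read off the visible log format, not taken from GMER documentation, and the sample lines are constructed in that layout for the demo. It cannot say what lives at the 5Fxxxxxx addresses; resolving that range to a loaded module on the live machine is the step the log itself does not provide.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same layout as the posted GMER log
# (".text <process>[<pid>] <module>!<export>[ + off] <addr> <n> Bytes <patch>").
# The format rules below are an assumption from that layout, not a GMER spec.
SAMPLE_LOG = r"""
.text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 006B0001
.text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[2052] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[2080] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\nvsvc32.exe[2080] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F640F5A
.text C:\Program Files\AirPort\APAgent.exe[2140] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F5C0F5A
.text C:\Program Files\AirPort\APAgent.exe[2140] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [AE, 5F] {SCASB ; POP EDI}
"""

LINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<mod>[^!\s]+)!(?P<func>\S+)"
    r"(?:\s+\+\s+(?P<off>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes\s+(?P<patch>.+?)\s*$"
)
BRANCH_RE = re.compile(r"^(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]{8})$")
BYTES_RE = re.compile(r"^\[(?P<bytes>[^\]]*)\]")


def parse_line(line):
    """Turn one '.text ...' hook line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hook = {
        "process": m["proc"],
        "pid": int(m["pid"]),
        "module": m["mod"].lower(),
        "function": m["func"],
        "offset": int(m["off"], 16) if m["off"] else 0,
        "address": int(m["addr"], 16),
        "size": int(m["n"]),
        "kind": "bytes",      # raw patched bytes with no resolved branch target
        "target": None,
        "bytes": [],
    }
    b = BRANCH_RE.match(m["patch"])
    if b:                      # GMER already decoded a relative JMP/CALL for us
        hook["kind"] = b["kind"]
        hook["target"] = int(b["target"], 16)
    else:
        raw = BYTES_RE.match(m["patch"])
        if raw:
            hook["bytes"] = [int(x.strip(), 16) for x in raw["bytes"].split(",") if x.strip()]
            # FF 25 = x86 "jmp dword ptr [imm32]". Only the changed bytes are
            # printed, so the pointer's byte at +3 is not recoverable from the log.
            if hook["bytes"][:2] == [0xFF, 0x25]:
                hook["kind"] = "JMP_INDIRECT"
    return hook


def parse_gmer_hooks(text):
    return [h for h in (parse_line(l) for l in text.splitlines()) if h]


def cluster_targets(hooks):
    """Group resolved JMP/CALL targets by their top byte (16 MiB regions)."""
    groups = defaultdict(list)
    for h in hooks:
        if h["target"] is not None:
            groups[h["target"] >> 24].append(h)
    return {
        region: {
            "count": len(hs),
            "low": min(h["target"] for h in hs),
            "high": max(h["target"] for h in hs),
            "functions": sorted({f"{h['module']}!{h['function']}" for h in hs}),
        }
        for region, hs in groups.items()
    }


def hooked_processes(hooks):
    return sorted({(h["process"], h["pid"]) for h in hooks})


if __name__ == "__main__":
    hooks = parse_gmer_hooks(SAMPLE_LOG)
    for region, info in sorted(cluster_targets(hooks).items()):
        print(f"targets 0x{region:02X}xxxxxx: {info['count']} hooks, "
              f"{info['low']:08X}-{info['high']:08X}: {', '.join(info['functions'])}")
    for proc, pid in hooked_processes(hooks):
        print(f"hooked: {proc} [{pid}]")
```

Run it against the full posted log (paste the `.text` lines in place of the sample) and the 0x5F cluster will hold nearly every export hook in every process, while the 0x00/0x01 cluster holds only the `LoadLibraryExW + C4` CALLs. Hooks that are identical across unrelated processes (system services, a vendor updater, a remote-access agent) point at one DLL injected system-wide; whether that DLL is a security product's or something hostile is decided by resolving the address on the box, not by the log.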
  • edited August 2009
    pt 6

    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F480F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F860F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F680F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F650F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F5F0F5A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2088] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F620F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[2128] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [77, 5F] {JA 0x61}
    .text C:\WINDOWS\System32\svchost.exe[2128] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[2128] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [65, 5F]
    .text C:\WINDOWS\System32\svchost.exe[2128] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F940F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9D0F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F380F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 006B0001
    .text C:\WINDOWS\System32\svchost.exe[2128] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F440F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F3E0F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F410F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F4C0F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA90F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F820F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F470F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[2128] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
    .text C:\WINDOWS\System32\svchost.exe[2128] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F9A0F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F910F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F670F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F850F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F6A0F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5E0F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F970F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F8B0F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F880F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8E0F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[2128] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [A1, 5F]
    .text C:\WINDOWS\System32\svchost.exe[2128] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F3B0F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F790F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6D0F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F700F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[2128] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A7, 5F] {CMPSD ; POP EDI}
    .text C:\WINDOWS\System32\svchost.exe[2128] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7C0F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA30F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F730F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F610F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[2128] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [80, 5F]
    .text C:\WINDOWS\System32\svchost.exe[2128] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F5B0F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F580F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F520F5A
    .text C:\WINDOWS\System32\svchost.exe[2128] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F550F5A
    .text C:\Program Files\AirPort\APAgent.exe[2140] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AirPort\APAgent.exe[2140] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [84, 5F]
    .text C:\Program Files\AirPort\APAgent.exe[2140] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AirPort\APAgent.exe[2140] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [72, 5F] {JB 0x61}
    .text C:\Program Files\AirPort\APAgent.exe[2140] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5FA10F5A
    .text C:\Program Files\AirPort\APAgent.exe[2140] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5FAA0F5A
  • edited August 2009
    pt 7

    .text C:\WINDOWS\system32\RAMASST.exe[2708] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F9B0F5A
    .text C:\WINDOWS\system32\RAMASST.exe[2708] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\RAMASST.exe[2708] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [AE, 5F] {SCASB ; POP EDI}
    .text C:\WINDOWS\system32\RAMASST.exe[2708] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F480F5A
    .text C:\WINDOWS\system32\RAMASST.exe[2708] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F860F5A
    .text C:\WINDOWS\system32\RAMASST.exe[2708] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F680F5A
    .text C:\WINDOWS\system32\RAMASST.exe[2708] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F650F5A
    .text C:\WINDOWS\system32\RAMASST.exe[2708] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F5F0F5A
    .text C:\WINDOWS\system32\RAMASST.exe[2708] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F620F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [84, 5F]
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [72, 5F] {JB 0x61}
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5FA10F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5FAA0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F450F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01000001
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F510F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F4B0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F4E0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F5C0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F590F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FB60F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F8F0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F540F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [43, 5F] {INC EBX; POP EDI}
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5FA70F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F9E0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F740F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F920F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F770F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F6B0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5FA40F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F3C0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F350F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [3A, 5F]
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F7A0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F7D0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [B4, 5F] {MOV AH, 0x5f}
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F890F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FB00F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F800F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F3F0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F6E0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [8D, 5F]
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F980F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F950F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F9B0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [AE, 5F] {SCASB ; POP EDI}
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F480F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F860F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F680F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F650F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F5F0F5A
    .text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[2720] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F620F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [78, 5F] {JS 0x61}
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [65, 5F]
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F950F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9E0F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F380F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00780001
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F440F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F3E0F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F410F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F4C0F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FAA0F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F830F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F470F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F9B0F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F920F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F670F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F860F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F6A0F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5E0F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F980F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F8C0F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F890F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8F0F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [A2, 5F]
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F3B0F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F7A0F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6D0F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F700F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A8, 5F] {TEST AL, 0x5f}
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7D0F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA40F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F730F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F610F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [81, 5F]
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F5B0F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F580F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F520F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2756] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F550F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [84, 5F]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [72, 5F] {JB 0x61}
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5FA10F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5FAA0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F450F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 014A0001
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F510F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F4B0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F4E0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F5C0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F590F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FB60F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F8F0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F540F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [43, 5F] {INC EBX; POP EDI}
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5FA70F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F9E0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F740F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F920F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F770F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F6B0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5FA40F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F980F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F950F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F9B0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [AE, 5F] {SCASB ; POP EDI}
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F480F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F860F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F3C0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F350F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [3A, 5F]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F7A0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F7D0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [B4, 5F] {MOV AH, 0x5f}
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F890F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FB00F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F800F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F3F0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F6E0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [8D, 5F]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F680F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F650F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F5F0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2776] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F620F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [79, 5F] {JNS 0x61}
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [67, 5F]
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F960F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9F0F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F380F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DB0001
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F440F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F3E0F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F410F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 1000E3CD C:\WINDOWS\System32\lfwmf11n32.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 1000E375 C:\WINDOWS\System32\lfwmf11n32.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FAB0F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F840F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F470F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F9C0F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F930F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F690F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F870F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F6C0F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F600F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F990F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F8D0F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F8A0F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F900F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 1000E4B4
  • edited August 2009
    pt 8

    C:\WINDOWS\System32\lfwmf11n32.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [A3, 5F]
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 1000E43F C:\WINDOWS\System32\lfwmf11n32.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 5 Bytes JMP 1000E529 C:\WINDOWS\System32\lfwmf11n32.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F3B0F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F7B0F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6F0F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F720F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A9, 5F]
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7E0F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E351F8F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA50F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351F10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E351F54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351E9C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351ED6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E351FCA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F750F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F630F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [82, 5F]
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F5D0F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F5A0F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F540F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F570F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E35218C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 10011BF3 C:\WINDOWS\System32\lfwmf11n32.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] ws2_32.dll!WSASocketW 71AB404E 7 Bytes JMP 10011B1A C:\WINDOWS\System32\lfwmf11n32.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] ws2_32.dll!bind 71AB4480 5 Bytes JMP 10011AA4 C:\WINDOWS\System32\lfwmf11n32.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10011B7D C:\WINDOWS\System32\lfwmf11n32.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3016] ws2_32.dll!WSAConnect 71AC0C81 5 Bytes JMP 10011BB2 C:\WINDOWS\System32\lfwmf11n32.dll
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [77, 5F] {JA 0x61}
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [65, 5F]
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F940F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9D0F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F380F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BD0001
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F440F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F3E0F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F410F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F4C0F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA90F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F820F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F470F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F9A0F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F910F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F670F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F850F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F6A0F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5E0F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F970F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F8B0F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F880F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8E0F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [A1, 5F]
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F3B0F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F790F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6D0F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F700F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A7, 5F] {CMPSD ; POP EDI}
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7C0F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA30F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F730F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F610F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [80, 5F]
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F5B0F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F580F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F520F5A
    .text C:\WINDOWS\System32\tcpsvcs.exe[3176] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F550F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [77, 5F] {JA 0x61}
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [65, 5F]
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F940F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9D0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F380F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00850001
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F440F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F3E0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F410F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F4C0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA90F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F820F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F470F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F9A0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F910F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F670F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F850F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F6A0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5E0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F970F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F8B0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F880F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8E0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [A1, 5F]
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F3B0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F790F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F5B0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F580F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F520F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F550F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6D0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F700F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A7, 5F] {CMPSD ; POP EDI}
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7C0F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA30F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F730F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F610F5A
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[3232] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [80, 5F]
    .text C:\WINDOWS\System32\svchost.exe[3264] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[3264] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [77, 5F] {JA 0x61}
    .text C:\WINDOWS\System32\svchost.exe[3264] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[3264] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [65, 5F]
    .text C:\WINDOWS\System32\svchost.exe[3264] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F940F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9D0F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F380F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F70001
    .text C:\WINDOWS\System32\svchost.exe[3264] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F440F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F3E0F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F410F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4F0F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F4C0F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA90F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F820F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F470F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[3264] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [36, 5F]
    .text C:\WINDOWS\System32\svchost.exe[3264] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F9A0F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F910F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F670F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F850F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F6A0F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5E0F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F970F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F8B0F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F880F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8E0F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[3264] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [A1, 5F]
    .text C:\WINDOWS\System32\svchost.exe[3264] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F3B0F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F790F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6D0F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F700F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[3264] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A7, 5F] {CMPSD ; POP EDI}
    .text C:\WINDOWS\System32\svchost.exe[3264] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7C0F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA30F5A
  • edited August 2009
    final

    .text C:\WINDOWS\System32\svchost.exe[3264] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F730F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F610F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[3264] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [80, 5F]
    .text C:\WINDOWS\System32\svchost.exe[3264] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F5B0F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F580F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F520F5A
    .text C:\WINDOWS\System32\svchost.exe[3264] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F550F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [50, 5F] {PUSH EAX; POP EDI}
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [3E, 5F]
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F6D0F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F760F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F1D0F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D80001
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F290F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F230F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F260F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F340F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F310F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5F820F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F5B0F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F2C0F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [1B, 5F]
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F730F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F6A0F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F400F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F5E0F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F430F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F370F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F700F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F640F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F610F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F670F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [7A, 5F] {JP 0x61}
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F200F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F520F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F460F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F490F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [80, 5F]
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F550F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5F7C0F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F4C0F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F3A0F5A
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\Documents and Settings\Kevin\Desktop\gmer\gmer.exe[3908] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [59, 5F] {POP ECX; POP EDI}
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [78, 5F] {JS 0x61}
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [66, 5F] {POP DI}
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F950F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9E0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F450F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CE0001
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F510F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F4B0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F4E0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F5C0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F590F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FAA0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F830F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F540F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [43, 5F] {INC EBX; POP EDI}
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F9B0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F920F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F680F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F860F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F6B0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5F0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F980F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F8C0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F890F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8F0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [A2, 5F]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F480F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F7A0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F3C0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F350F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [3A, 5F]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6E0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F710F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A8, 5F] {TEST AL, 0x5f}
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7D0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA40F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F740F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F3F0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F620F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4796] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [81, 5F]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [78, 5F] {JS 0x61}
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [66, 5F] {POP DI}
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F950F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9E0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F450F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003F0001
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F510F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F4B0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F4E0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F5C0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F590F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FAA0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F830F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F540F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [43, 5F] {INC EBX; POP EDI}
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F9B0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F920F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F680F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F860F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F6B0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5F0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F980F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F3C0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F350F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [3A, 5F]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6E0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F710F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A8, 5F] {TEST AL, 0x5f}
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7D0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA40F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F740F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F3F0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F620F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [81, 5F]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F8C0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F890F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8F0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [A2, 5F]
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F480F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F7A0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5FB00F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5FAD0F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5FB30F5A
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[5140] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5FB60F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [84, 5F]
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [72, 5F] {JB 0x61}
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5FA10F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5FAA0F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F450F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D20001
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F510F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F4B0F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F4E0F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F5C0F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F590F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FB60F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F8F0F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F540F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [43, 5F] {INC EBX; POP EDI}
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5FA70F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F9E0F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F740F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F920F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F770F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F6B0F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5FA40F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F980F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F950F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F9B0F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [AE, 5F] {SCASB ; POP EDI}
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F480F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F860F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F3C0F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F350F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [3A, 5F]
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F7A0F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F7D0F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [B4, 5F] {MOV AH, 0x5f}
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F890F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FB00F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F800F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F3F0F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F6E0F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [8D, 5F]
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F680F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F650F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F5F0F5A
    .text C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe[5256] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F620F5A
    ---- User IAT/EAT - GMER 1.0.15 ----
    IAT C:\WINDOWS\Explorer.EXE[668] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!CreateProcessW] 5F510000
    IAT C:\WINDOWS\Explorer.EXE[668] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW] 5F510000
    IAT C:\WINDOWS\Explorer.EXE[668] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] 5F4D0000
    IAT C:\WINDOWS\Explorer.EXE[668] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] 5F510000
    IAT C:\WINDOWS\Explorer.EXE[668] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW] 5F510000
    IAT C:\WINDOWS\Explorer.EXE[668] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] 5F4D0000
    IAT C:\WINDOWS\Explorer.EXE[668] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] 5F510000
    IAT C:\WINDOWS\Explorer.EXE[668] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] 5F510000
    IAT C:\WINDOWS\Explorer.EXE[668] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] 5F510000
    IAT C:\Program Files\Internet Explorer\iexplore.exe[3016] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW] 5F510000
    IAT C:\Program Files\Internet Explorer\iexplore.exe[3016] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] 5F4D0000
    IAT C:\Program Files\Internet Explorer\iexplore.exe[3016] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] 5F510000
    IAT C:\Program Files\Internet Explorer\iexplore.exe[3016] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] 5F4D0000
    IAT C:\Program Files\Internet Explorer\iexplore.exe[3016] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] 5F510000
    IAT C:\Program Files\Internet Explorer\iexplore.exe[3016] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] 5F510000
    IAT C:\Program Files\Internet Explorer\iexplore.exe[3016] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW] 5F510000
    IAT C:\Program Files\Internet Explorer\iexplore.exe[3016] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] 5F510000
    ---- Devices - GMER 1.0.15 ----
    AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
    AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
    Device \FileSystem\Udfs \UdfsCdRom BsUDF.SYS (UDF File System Driver (WindowsXP)/B.H.A Co.,Ltd.)
    Device \FileSystem\Udfs \UdfsDisk BsUDF.SYS (UDF File System Driver (WindowsXP)/B.H.A Co.,Ltd.)
    AttachedDevice \Driver\Tcpip \Device\Ip pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
    AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
    AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
    AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
    AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
    Device \FileSystem\Cdfs \Cdfs BsUDF.SYS (UDF File System Driver (WindowsXP)/B.H.A Co.,Ltd.)
    ---- EOF - GMER 1.0.15 ----
  • edited August 2009
    Malwarebytes' Anti-Malware 1.40
    Database version: 2555
    Windows 5.1.2600 Service Pack 3
    4/08/2009 3:03:20 PM
    mbam-log-2009-08-04 (15-03-20).txt
    Scan type: Full Scan (C:\|E:\|)
    Objects scanned: 330052
    Time elapsed: 1 hour(s), 5 minute(s), 18 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 16
    Registry Values Infected: 3
    Registry Data Items Infected: 1
    Folders Infected: 9
    Files Infected: 12
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antiviruspromfc (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    Folders Infected:
    C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\WINDOWS\AntiVirus Pro (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jades\Application Data\FunWebProducts (Adware.MyWay) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jades\Application Data\FunWebProducts\Data (Adware.MyWay) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jades\Application Data\FunWebProducts\Data\Jades (Adware.MyWay) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\SystemX86 (Worm.Archive) -> Quarantined and deleted successfully.
    Files Infected:
    C:\WINDOWS\system32\1.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\43.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Kevin\Local Settings\Temp\2C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Rebecca\Local Settings\Temp\2A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\History\search2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\WINDOWS\AntiVirus Pro\uninstall.exe (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\SystemX86\1.tmp (Worm.Archive) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Kevin\Favorites\MP3 downloading.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Antivirus Pro Setup Log.txt (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
    C:\WINDOWS\Antivirus Pro Uninstall Log.txt (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
  • edited August 2009
    ComboFix 09-08-03.04 - Kevin 04/08/2009 15:36.1.1 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.512.126 [GMT 9.5:30]
    Running from: c:\documents and settings\Kevin\Desktop\ComboFix.exe
    AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
    FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\Administrator\Application Data\0200000068c583ec648C.manifest
    c:\documents and settings\Administrator\Application Data\0200000068c583ec648O.manifest
    c:\documents and settings\Administrator\Application Data\0200000068c583ec648P.manifest
    c:\documents and settings\Administrator\Application Data\0200000068c583ec648S.manifest
    c:\documents and settings\Ellen\Application Data\0200000068c583ec648C.manifest
    c:\documents and settings\Ellen\Application Data\0200000068c583ec648O.manifest
    c:\documents and settings\Ellen\Application Data\0200000068c583ec648P.manifest
    c:\documents and settings\Ellen\Application Data\0200000068c583ec648S.manifest
    c:\documents and settings\Ellen\Favorites\Gymnastics SA .url
    c:\documents and settings\Jades\Application Data\0200000068c583ec648C.manifest
    c:\documents and settings\Jades\Application Data\0200000068c583ec648O.manifest
    c:\documents and settings\Jades\Application Data\0200000068c583ec648P.manifest
    c:\documents and settings\Jades\Application Data\0200000068c583ec648S.manifest
    c:\documents and settings\Jades\Favorites\eBay Australia .url
    c:\documents and settings\Jades\Favorites\Gleeson College .url
    c:\documents and settings\Jades\Favorites\Piczo .url
    c:\documents and settings\Kevin\Application Data\0200000068c583ec648C.manifest
    c:\documents and settings\Kevin\Application Data\0200000068c583ec648O.manifest
    c:\documents and settings\Kevin\Application Data\0200000068c583ec648P.manifest
    c:\documents and settings\Kevin\Application Data\0200000068c583ec648S.manifest
    c:\documents and settings\Kevin\Favorites\Adelaide Now .url
    c:\documents and settings\Kevin\Favorites\Community CPS Australia .url
    c:\documents and settings\Kevin\Favorites\Office for Recreation & Sport SA Grants & Scholarships .url
    c:\documents and settings\Rebecca\Application Data\0200000068c583ec648C.manifest
    c:\documents and settings\Rebecca\Application Data\0200000068c583ec648O.manifest
    c:\documents and settings\Rebecca\Application Data\0200000068c583ec648P.manifest
    c:\documents and settings\Rebecca\Application Data\0200000068c583ec648S.manifest
    c:\documents and settings\Rebecca\My Documents\Fedde le Grande vs. Ida Corr - Let Me Think About It .mp3
    c:\windows\GnuHashes.ini
    c:\windows\Installer\625f7c.msp
    c:\windows\Installer\625f7d.msp
    c:\windows\Installer\e285.msi
    c:\windows\system32\GroupPolicy000.dat
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    \Legacy_IPRIP
    \Service_Iprip

    ((((((((((((((((((((((((( Files Created from 2009-07-04 to 2009-08-04 )))))))))))))))))))))))))))))))
    .
    2009-08-04 06:22 . 2009-08-04 06:22 d-sh--w- c:\windows\system32\SystemX86
    2009-08-04 04:24 . 2009-08-04 04:24 d-----w- c:\documents and settings\Kevin\Application Data\Malwarebytes
    2009-08-04 04:24 . 2009-08-03 04:06 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-04 04:24 . 2009-08-04 04:24 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-08-04 04:24 . 2009-08-03 04:06 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-08-04 04:24 . 2009-08-04 04:24 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-08-03 13:08 . 2009-08-03 13:08 d-----w- C:\rsit
    2009-08-02 05:14 . 2009-08-02 05:14 d-sh--w- C:\FOUND.000
    2009-07-31 21:11 . 2009-07-31 21:11 d-----w- c:\documents and settings\Administrator
    2009-07-28 08:56 . 2009-03-05 08:58 574728 ----a-w- c:\documents and settings\All Users\Application Data\Trend Micro\OL\tmaseng.dll
    2009-07-28 08:22 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\drivers\tmactmon.sys
    2009-07-28 08:22 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
    2009-07-28 08:22 . 2009-04-02 23:08 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2009-07-28 08:21 . 2009-07-28 08:21 d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
    2009-07-28 08:19 . 2009-07-28 08:19 d-----w- c:\program files\Trend Micro
    2009-07-22 22:25 . 2009-07-22 22:25 124928 ----a-w- c:\windows\system32\lfwmf11n32.dll
    2009-07-20 21:25 . 2009-07-20 21:25 d-----w- c:\documents and settings\Rebecca\Application Data\HP
    2009-07-18 04:07 . 2009-07-18 04:14 116839 ----a-w- c:\windows\hpqins00.dat
    2009-07-10 08:40 . 2009-07-10 08:40 d-----w- c:\documents and settings\Ellen\Application Data\HPAppData
    2009-07-09 07:27 . 2009-07-09 07:27 d-----w- c:\documents and settings\Rebecca\Local Settings\Application Data\HP
    2009-07-06 08:22 . 2009-07-06 08:22 d-----w- c:\documents and settings\Rebecca\Local Settings\Application Data\AVG Security Toolbar
    2009-07-05 08:13 . 2009-07-05 08:13 d-----w- c:\documents and settings\Rebecca\Application Data\HPAppData
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-04 06:22 . 2009-08-04 06:22 374272 --sha-w- c:\windows\system32\7.tmp
    2009-08-01 11:42 . 2009-08-01 11:42 d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2009-07-27 12:15 . 2009-07-27 08:22 111 ----a-w- c:\documents and settings\Kevin\udpcrawl.tmp
    2009-07-26 04:21 . 2009-07-30 07:47 203938 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
    2009-07-25 04:49 . 2009-07-25 04:49 0 ----a-w- c:\windows\system32\75.tmp
    2009-07-25 04:49 . 2009-07-25 04:49 0 ----a-w- c:\windows\system32\74.tmp
    2009-07-02 12:25 . 2009-07-02 12:25 d-----w- c:\documents and settings\Jades\Application Data\HPAppData
    2009-07-02 11:51 . 2009-07-02 11:51 d-----w- c:\documents and settings\Kevin\Application Data\HP
    2009-07-02 11:50 . 2009-07-02 11:50 d-----w- c:\documents and settings\Kevin\Application Data\HPAppData
    2009-07-02 11:45 . 2009-07-02 11:45 d-----w- c:\documents and settings\All Users\Application Data\WEBREG
    2009-07-02 11:45 . 2009-07-02 11:21 157428 ----a-w- c:\windows\hpoins27.dat
    2009-07-02 11:27 . 2009-07-02 11:27 d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
    2009-07-02 11:27 . 2009-07-02 11:27 d-----w- c:\documents and settings\All Users\Application Data\HP
    2009-07-02 11:26 . 2009-07-02 11:26 d-----w- c:\program files\Common Files\Hewlett-Packard
    2009-07-02 11:26 . 2009-07-02 11:26 d-----w- c:\program files\Common Files\HP
    2009-07-02 11:24 . 2009-07-02 11:24 d-----w- c:\program files\HP
    2009-07-02 11:21 . 2009-07-02 11:21 d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
    2009-06-29 16:12 . 2004-02-06 08:35 827392 ----a-w- c:\windows\system32\WININET.DLL
    2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-06-29 16:12 . 2003-12-05 05:40 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-06-16 14:36 . 2003-12-05 05:40 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-16 14:36 . 2003-12-05 05:40 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-10 08:25 . 2009-06-10 08:25 84865 ----a-w- C:\TTG-Results002.ZIP
    2009-06-10 08:02 . 2009-06-09 08:21 9662 ----a-r- c:\documents and settings\Kevin\Application Data\Microsoft\Installer\{7736FD0A-9BF4-40F3-AF12-2E95D65D964F}\TM5.exe1_3C92C023A12F446C911461661120BA13_1.exe
    2009-06-10 08:02 . 2009-06-09 08:21 9662 ----a-r- c:\documents and settings\Kevin\Application Data\Microsoft\Installer\{7736FD0A-9BF4-40F3-AF12-2E95D65D964F}\ARPPRODUCTICON.exe
    2009-06-09 08:20 . 2009-06-09 08:20 d-----w- c:\program files\Common Files\Business Objects
    2009-06-03 19:09 . 2004-08-05 05:01 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-06-03 11:03 . 2009-06-03 11:03 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
    2009-05-29 04:06 . 2009-03-13 06:10 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
    2009-05-29 04:06 . 2008-10-12 08:11 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2009-05-23 09:13 . 2009-04-22 11:03 152576 ----a-w- c:\documents and settings\Kevin\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
    2009-05-22 08:02 . 2008-07-29 16:06 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
    2009-05-22 08:00 . 2008-07-29 16:06 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
    2009-05-22 07:45 . 2008-07-29 16:06 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys
    2009-05-15 13:44 . 2005-12-01 04:21 1056768 ----a-w- c:\windows\system32\Roboex32.dll
    2009-05-07 15:32 . 2003-12-05 05:40 345600 ----a-w- c:\windows\system32\localspl.dll
    2009-06-21 01:33 . 2009-03-26 20:35 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Shareaza"="c:\program files\MP3Downloading\bindata.exe" [2004-10-07 4276224]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2005-07-04 376912]
    "OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-07-29 497008]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 98304]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
    "B'sCLiP"="c:\progra~1\B'SCLI~1\Win2K\BSCLIP.exe" [2003-06-18 1318912]
    "LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-02-12 188416]
    "LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-02-12 77824]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-08 57344]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 63048]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
    "AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-05-27 753664]
    "UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
    "AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]
    "OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-07-29 497008]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-12-8 155648]
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\413114f1648]
    2009-07-22 22:25 124928 ----a-w- c:\windows\system32\lfwmf11n32.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2008-10-18 11:21 87352 ----a-w- c:\windows\system32\LMIinit.dll
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\System32\\dpvsetup.exe"=
    "c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe"=
    "c:\\WINDOWS\\System32\\java.exe"=
    "c:\\My Games\\SmallBall Baseball\\smallball.exe"=
    "c:\\Program Files\\Messenger\\MSMSGS.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "e:\\Swimming\\Meet Manager\\SwimMM2.exe"=
    "c:\\Documents and Settings\\All Users\\Documents\\My Music\\LimeWire\\LimeWire.exe"=
    "c:\\WINDOWS\\System32\\ftp.exe"=
    "c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
    "c:\\Program Files\\MP3Downloading\\bindata.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Photo Story 3 for Windows\\PhotoStory3.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\AirPort\\APAgent.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:UDP"= 5353:UDP:Bonjour
    "3043:UDP"= 3043:UDP:Windows Media Format SDK (firefox.exe)
    "3042:UDP"= 3042:UDP:Windows Media Format SDK (firefox.exe)
    "3049:UDP"= 3049:UDP:Windows Media Format SDK (firefox.exe)
    "3076:UDP"= 3076:UDP:Windows Media Format SDK (firefox.exe)
    "3077:UDP"= 3077:UDP:Windows Media Format SDK (firefox.exe)
    "3082:UDP"= 3082:UDP:Windows Media Format SDK (firefox.exe)
    "3103:UDP"= 3103:UDP:Windows Media Format SDK (firefox.exe)
    "3102:UDP"= 3102:UDP:Windows Media Format SDK (firefox.exe)
    "3110:UDP"= 3110:UDP:Windows Media Format SDK (firefox.exe)
    R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [8/12/2003 9:18 AM 9344]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [27/04/2009 12:16 PM 55152]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [28/02/2008 3:31 PM 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [10/05/2008 12:34 PM 47640]
    R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [28/07/2009 5:52 PM 50192]
    R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [28/07/2009 5:53 PM 497008]
    R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [30/07/2008 1:36 AM 36368]
    R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [28/07/2009 5:53 PM 677128]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3/11/2006 7:19 PM 13592]
    R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [30/07/2008 1:36 AM 335376]
    R4 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [8/12/2003 9:18 AM 390016]
    S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
    S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
    S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [6/02/2009 6:08 PM 533360]
    S3 MTK;Media Technology Kernel Driver;c:\windows\system32\drivers\FIDE.SYS [14/10/2008 7:53 PM 15271]
    S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]
    S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [31/12/2003 9:58 PM 3968]
    S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    2009-08-04 c:\windows\Tasks\Disk Cleanup.job
    - c:\windows\system32\cleanmgr.exe [2003-12-05 00:12]
    2009-08-01 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 03:04]
    2009-08-04 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 09:50]
    .
    - - - - ORPHANS REMOVED - - - -
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.news.com.au/adelaidenow/
    uInternet Settings,ProxyServer = proxy.iprimus.com.au:8080
    uInternet Settings,ProxyOverride = *.iprimus.com.au;*.primustel.com.au;*.primus.com.au;<local>;*.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} - hxxp://thesims.ea.com/teleport/superstar/MaxisSuperstarTeleX.cab
    FF - ProfilePath - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\8uqh3fqo.Default User\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://foxsports.news.com.au/
    FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-04 15:51
    Windows 5.1.2600 Service Pack 3 FAT NTAPI
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    DLLs Loaded Under Running Processes
    - - - - - - - > 'winlogon.exe'(840)
    c:\windows\System32\lfwmf11n32.dll
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll
    - - - - - - - > 'explorer.exe'(1220)
    c:\windows\system32\WININET.dll
    c:\windows\System32\lfwmf11n32.dll
    c:\windows\system32\7.tmp
    c:\windows\system32\ieframe.dll
    c:\program files\Bonjour\mdnsNSP.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Other Running Processes
    .
    c:\program files\TREND MICRO\BM\TMBMSRV.EXE
    c:\program files\ADOBE\PHOTOSHOP ELEMENTS 4.0\PHOTOSHOPELEMENTSFILEAGENT.EXE
    c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
    c:\program files\BONJOUR\MDNSRESPONDER.EXE
    c:\windows\SYSTEM32\DVDRAMSV.EXE
    c:\program files\JAVA\JRE6\BIN\JQS.EXE
    c:\program files\LOGMEIN\X86\RAMAINT.EXE
    c:\program files\LOGMEIN\X86\LOGMEIN.EXE
    c:\program files\LOGMEIN\X86\LMIGUARDIAN.EXE
    c:\program files\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    c:\windows\SYSTEM32\NVSVC32.EXE
    c:\program files\TREND MICRO\INTERNET SECURITY\SFCTLCOM.EXE
    c:\windows\System32\tcpsvcs.exe
    c:\program files\ANALOG DEVICES\SOUNDMAX\SMAGENT.EXE
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\LVComS.exe
    c:\program files\LogMeIn\X86\LMIGuardian.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
    .
    **************************************************************************
    .
    Completion time: 2009-08-04 15:58 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-08-04 06:28
    Pre-Run: 38,733,217,792 bytes free
    Post-Run: 40,322,760,704 bytes free
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
    307 --- E O F --- 2009-08-01 01:26
  • edited August 2009
    first login to IE

    error loading
    C:\docume~1\kevin\locals~1\tem\17.tmp
  • edited August 2009
    Step 1

    Custom CFScript
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      http://icrontic.com/forum/showthread.php?p=702201#post702201
      Collect::[4]
      c:\windows\system32\SystemX86
      c:\windows\system32\lfwmf11n32.dll
      c:\windows\system32\7.tmp
      c:\documents and settings\Kevin\udpcrawl.tmp
      c:\windows\system32\75.tmp
      c:\windows\system32\74.tmp
      Registry::
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Shareaza"=-
      [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\413114f1648]
      ADS::
      
    • Save this as CFScript.txt and place it on your desktop.


      CFScriptb.gif


    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • **Note**
      When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
      • Ensure you are connected to the internet and click OK on the message box.

    • Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.






    Step 2

    Kaspersky Online Scanner
    Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
    NOTE:- This scan is best done from IE (Internet Explorer)

    NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
    Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

    Read the Requirements and limitations before you click Accept.
    Once the database has downloaded, click My Computer in the left pane
    Now go and put the kettle on!
    When the scan has completed, click Save Report As...
    Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



    Logs/Information to Post in Reply
    Please post the following logs/Information in your reply
    Some of the logs I request will be quite large; you may need to split them over a couple of replies.
    • Combofix Log
    • Kaspersky Log
    • How are things running now ?
  • edited August 2009
    I gather I have to turn the firewall and virus protection off?
  • edited August 2009
    During the scans, yes
  • edited August 2009
    ComboFix 09-08-03.09 - Kevin 04/08/2009 20:34.3.1 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.512.158 [GMT 9.5:30]
    Running from: c:\documents and settings\Kevin\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Kevin\Desktop\cfscript.txt
    AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
    FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\windows\system32\lfwmf11n32.dll
    .
    ---- Previous Run
    .
    c:\documents and settings\Kevin\Application Data\0200000068c583ec648C.manifest
    c:\documents and settings\Kevin\Application Data\0200000068c583ec648O.manifest
    c:\documents and settings\Kevin\Application Data\0200000068c583ec648P.manifest
    c:\documents and settings\Kevin\Application Data\0200000068c583ec648S.manifest
    c:\documents and settings\Kevin\udpcrawl.tmp
    c:\windows\GnuHashes.ini
    c:\windows\system32\74.tmp
    c:\windows\system32\75.tmp
    c:\windows\system32\Drivers\lifeehpw.sys
    c:\windows\system32\GroupPolicy000.dat
    c:\windows\system32\lfwmf11n32.dll
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    \Service_flwd

    ((((((((((((((((((((((((( Files Created from 2009-07-04 to 2009-08-04 )))))))))))))))))))))))))))))))
    .
    2009-08-04 04:24 . 2009-08-04 04:24 d-----w- c:\documents and settings\Kevin\Application Data\Malwarebytes
    2009-08-04 04:24 . 2009-08-04 04:24 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-08-03 13:08 . 2009-08-03 13:08 d-----w- C:\rsit
    2009-08-02 05:14 . 2009-08-02 05:14 d-sh--w- C:\FOUND.000
    2009-07-31 21:11 . 2009-07-31 21:11 d-----w- c:\documents and settings\Administrator
    2009-07-28 08:56 . 2009-03-05 08:58 574728 ----a-w- c:\documents and settings\All Users\Application Data\Trend Micro\OL\tmaseng.dll
    2009-07-28 08:22 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\drivers\tmactmon.sys
    2009-07-28 08:22 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
    2009-07-28 08:22 . 2009-04-02 23:08 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2009-07-28 08:21 . 2009-07-28 08:21 d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
    2009-07-28 08:19 . 2009-07-28 08:19 d-----w- c:\program files\Trend Micro
    2009-07-20 21:25 . 2009-07-20 21:25 d-----w- c:\documents and settings\Rebecca\Application Data\HP
    2009-07-18 04:07 . 2009-07-18 04:14 116839 ----a-w- c:\windows\hpqins00.dat
    2009-07-10 08:40 . 2009-07-10 08:40 d-----w- c:\documents and settings\Ellen\Application Data\HPAppData
    2009-07-09 07:27 . 2009-07-09 07:27 d-----w- c:\documents and settings\Rebecca\Local Settings\Application Data\HP
    2009-07-06 08:22 . 2009-07-06 08:22 d-----w- c:\documents and settings\Rebecca\Local Settings\Application Data\AVG Security Toolbar
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-01 11:42 . 2009-08-01 11:42 d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2009-07-26 04:21 . 2009-07-30 07:47 203938 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
    2009-07-05 08:13 . 2009-07-05 08:13 d-----w- c:\documents and settings\Rebecca\Application Data\HPAppData
    2009-07-02 12:25 . 2009-07-02 12:25 d-----w- c:\documents and settings\Jades\Application Data\HPAppData
    2009-07-02 11:51 . 2009-07-02 11:51 d-----w- c:\documents and settings\Kevin\Application Data\HP
    2009-07-02 11:50 . 2009-07-02 11:50 d-----w- c:\documents and settings\Kevin\Application Data\HPAppData
    2009-07-02 11:45 . 2009-07-02 11:45 d-----w- c:\documents and settings\All Users\Application Data\WEBREG
    2009-07-02 11:45 . 2009-07-02 11:21 157428 ----a-w- c:\windows\hpoins27.dat
    2009-07-02 11:27 . 2009-07-02 11:27 d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
    2009-07-02 11:27 . 2009-07-02 11:27 d-----w- c:\documents and settings\All Users\Application Data\HP
    2009-07-02 11:26 . 2009-07-02 11:26 d-----w- c:\program files\Common Files\Hewlett-Packard
    2009-07-02 11:26 . 2009-07-02 11:26 d-----w- c:\program files\Common Files\HP
    2009-07-02 11:24 . 2009-07-02 11:24 d-----w- c:\program files\HP
    2009-07-02 11:21 . 2009-07-02 11:21 d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
    2009-06-29 16:12 . 2004-02-06 08:35 827392 ----a-w- c:\windows\system32\WININET.DLL
    2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-06-29 16:12 . 2003-12-05 05:40 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-06-16 14:36 . 2003-12-05 05:40 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-16 14:36 . 2003-12-05 05:40 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-10 08:25 . 2009-06-10 08:25 84865 ----a-w- C:\TTG-Results002.ZIP
    2009-06-10 08:02 . 2009-06-09 08:21 9662 ----a-r- c:\documents and settings\Kevin\Application Data\Microsoft\Installer\{7736FD0A-9BF4-40F3-AF12-2E95D65D964F}\TM5.exe1_3C92C023A12F446C911461661120BA13_1.exe
    2009-06-10 08:02 . 2009-06-09 08:21 9662 ----a-r- c:\documents and settings\Kevin\Application Data\Microsoft\Installer\{7736FD0A-9BF4-40F3-AF12-2E95D65D964F}\ARPPRODUCTICON.exe
    2009-06-09 08:20 . 2009-06-09 08:20 d-----w- c:\program files\Common Files\Business Objects
    2009-06-03 19:09 . 2004-08-05 05:01 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-06-03 11:03 . 2009-06-03 11:03 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
    2009-05-29 04:06 . 2009-03-13 06:10 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
    2009-05-29 04:06 . 2008-10-12 08:11 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2009-05-23 09:13 . 2009-04-22 11:03 152576 ----a-w- c:\documents and settings\Kevin\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
    2009-05-22 08:02 . 2008-07-29 16:06 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
    2009-05-22 08:00 . 2008-07-29 16:06 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
    2009-05-22 07:45 . 2008-07-29 16:06 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys
    2009-05-15 13:44 . 2005-12-01 04:21 1056768 ----a-w- c:\windows\system32\Roboex32.dll
    2009-05-07 15:32 . 2003-12-05 05:40 345600 ----a-w- c:\windows\system32\localspl.dll
    2009-06-21 01:33 . 2009-03-26 20:35 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-08-04_06.24.12 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-08-04 11:15 . 2009-08-04 11:16 16384 c:\windows\Temp\Perflib_Perfdata_314.dat
    + 2009-08-04 07:42 . 2009-08-04 07:42 3938816 c:\windows\Installer\45cab0.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2005-07-04 376912]
    "OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-07-29 497008]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 98304]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
    "B'sCLiP"="c:\progra~1\B'SCLI~1\Win2K\BSCLIP.exe" [2003-06-18 1318912]
    "LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-02-12 188416]
    "LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-02-12 77824]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-08 57344]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 63048]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
    "AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-05-27 753664]
    "UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
    "AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]
    "OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-07-29 497008]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-12-8 155648]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2008-10-18 11:21 87352 ----a-w- c:\windows\system32\LMIinit.dll
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\System32\\dpvsetup.exe"=
    "c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe"=
    "c:\\WINDOWS\\System32\\java.exe"=
    "c:\\My Games\\SmallBall Baseball\\smallball.exe"=
    "c:\\Program Files\\Messenger\\MSMSGS.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "e:\\Swimming\\Meet Manager\\SwimMM2.exe"=
    "c:\\Documents and Settings\\All Users\\Documents\\My Music\\LimeWire\\LimeWire.exe"=
    "c:\\WINDOWS\\System32\\ftp.exe"=
    "c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
    "c:\\Program Files\\MP3Downloading\\bindata.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Photo Story 3 for Windows\\PhotoStory3.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\AirPort\\APAgent.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:UDP"= 5353:UDP:Bonjour
    "3043:UDP"= 3043:UDP:Windows Media Format SDK (firefox.exe)
    "3042:UDP"= 3042:UDP:Windows Media Format SDK (firefox.exe)
    "3049:UDP"= 3049:UDP:Windows Media Format SDK (firefox.exe)
    "3076:UDP"= 3076:UDP:Windows Media Format SDK (firefox.exe)
    "3077:UDP"= 3077:UDP:Windows Media Format SDK (firefox.exe)
    "3082:UDP"= 3082:UDP:Windows Media Format SDK (firefox.exe)
    "3103:UDP"= 3103:UDP:Windows Media Format SDK (firefox.exe)
    "3102:UDP"= 3102:UDP:Windows Media Format SDK (firefox.exe)
    "3110:UDP"= 3110:UDP:Windows Media Format SDK (firefox.exe)
    R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [8/12/2003 9:18 AM 9344]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [27/04/2009 12:16 PM 55152]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [28/02/2008 3:31 PM 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [10/05/2008 12:34 PM 47640]
    R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [28/07/2009 5:52 PM 50192]
    R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [28/07/2009 5:53 PM 497008]
    R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [30/07/2008 1:36 AM 36368]
    R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [28/07/2009 5:53 PM 677128]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3/11/2006 7:19 PM 13592]
    R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [30/07/2008 1:36 AM 335376]
    R4 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [8/12/2003 9:18 AM 390016]
    S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
    S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
    S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [6/02/2009 6:08 PM 533360]
    S3 MTK;Media Technology Kernel Driver;c:\windows\system32\drivers\FIDE.SYS [14/10/2008 7:53 PM 15271]
    S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]
    S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [31/12/2003 9:58 PM 3968]
    S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    2009-08-04 c:\windows\Tasks\Disk Cleanup.job
    - c:\windows\system32\cleanmgr.exe [2003-12-05 00:12]
    2009-08-01 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 03:04]
    2009-08-04 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 09:50]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.com.au/
    uInternet Settings,ProxyServer = proxy.iprimus.com.au:8080
    uInternet Settings,ProxyOverride = *.iprimus.com.au;*.primustel.com.au;*.primus.com.au;<local>;*.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} - hxxp://thesims.ea.com/teleport/superstar/MaxisSuperstarTeleX.cab
    FF - ProfilePath - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\8uqh3fqo.Default User\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://foxsports.news.com.au/
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-04 20:48
    Windows 5.1.2600 Service Pack 3 FAT NTAPI
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    DLLs Loaded Under Running Processes
    - - - - - - - > 'winlogon.exe'(840)
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll
    - - - - - - - > 'explorer.exe'(956)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Other Running Processes
    .
    c:\program files\TREND MICRO\BM\TMBMSRV.EXE
    c:\program files\ADOBE\PHOTOSHOP ELEMENTS 4.0\PHOTOSHOPELEMENTSFILEAGENT.EXE
    c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
    c:\program files\BONJOUR\MDNSRESPONDER.EXE
    c:\windows\SYSTEM32\DVDRAMSV.EXE
    c:\program files\JAVA\JRE6\BIN\JQS.EXE
    c:\program files\LOGMEIN\X86\RAMAINT.EXE
    c:\program files\LOGMEIN\X86\LOGMEIN.EXE
    c:\program files\LOGMEIN\X86\LMIGUARDIAN.EXE
    c:\program files\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    c:\windows\SYSTEM32\NVSVC32.EXE
    c:\program files\TREND MICRO\INTERNET SECURITY\SFCTLCOM.EXE
    c:\windows\System32\tcpsvcs.exe
    c:\program files\ANALOG DEVICES\SOUNDMAX\SMAGENT.EXE
    c:\windows\system32\LVComS.exe
    c:\program files\LOGMEIN\X86\LMIGUARDIAN.EXE
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
    .
    **************************************************************************
    .
    Completion time: 2009-08-04 20:53 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-08-04 11:23
    ComboFix2.txt 2009-08-04 06:28
    Pre-Run: 40,093,155,328 bytes free
    Post-Run: 40,063,041,536 bytes free
    267 --- E O F --- 2009-08-01 01:26
    Upload was successful
  • edited August 2009
    katana

    No report was produced for Kaspersky.

    No malware has been detected

    Speed and connection have improved, and my desktop picture is back. I have no idea how long that had been gone for. Yesterday, prior to the ComboFix scan, I did have 2 x url.urtbk screens trigger automatically.
  • edited August 2009
    kevn wrote:
    No report was produced for Kaspersky.

    That's good :)

    Please post a fresh RSIT log so I can check for leftovers.
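    As an added illustration of what "checking for leftovers" means when reading a HijackThis/RSIT log (example code written for this page, not a tool used in this thread): the script below parses the `O2`/`O3`/`O9`/`O16`/`O23` line format that HijackThis prints, lists the entries marked `(file missing)` or `(no file)` (registry references to a DLL or EXE that is no longer on disk), and collects the hosts that served `O16` ActiveX downloads so they can be reviewed. The sample lines are constructed in the format used by the logs in this thread; the field layout (fields separated by " - ", the target path or URL last, trailing "(HKCU)" marker) is an assumption based on that format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample in HijackThis 2.0.2 line format (not a complete real log).
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Anzwers - {110922B6-C652-4877-A0CA-CDF5619CCCD7} - http://www.anzwers.com.au (file missing) (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
End of file - 13059 bytes
"""

# COM class identifier in registry braces form: 8-4-4-4-12 hex digits.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Markers HijackThis appends when the referenced binary does not exist on disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")
# Section prefix: "O2 - ...", "O16 - ...", "R1 - ..." etc.
SECTION_RE = re.compile(r"^(O\d+|R\d) - (.*)$")


@dataclass
class HjtEntry:
    section: str           # e.g. "O2", "O16", "O23"
    name: str              # first field, e.g. "BHO: Yahoo! Companion BHO"
    clsid: Optional[str]   # CLSID if the line carries one
    target: str            # file path or URL, with markers stripped ("" if none)
    orphan: bool           # True when the referenced file is missing
    raw: str


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Parse one HijackThis log line; return None for lines that are not entries."""
    line = line.strip()
    m = SECTION_RE.match(line)
    if not m:
        return None
    section, rest = m.groups()
    # Assumption: HijackThis separates fields with " - " and puts the target last.
    parts = [p.strip() for p in rest.split(" - ")]
    clsid_m = CLSID_RE.search(rest)
    orphan = any(marker in rest for marker in ORPHAN_MARKERS)
    target = parts[-1]
    for marker in ORPHAN_MARKERS:
        target = target.replace(marker, "")
    # HKCU/HKLM entries carry a trailing hive marker; drop it from the target.
    target = re.sub(r"\s*\(HK(?:CU|LM)\)\s*$", "", target).strip()
    return HjtEntry(section, parts[0], clsid_m.group(0) if clsid_m else None,
                    target, orphan, line)


def find_orphans(log_text: str) -> List[HjtEntry]:
    """Entries whose DLL/EXE is gone: dead registry references worth cleaning up."""
    entries = (parse_hjt_line(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and e.orphan]


def dpf_hosts(log_text: str) -> List[str]:
    """Distinct hosts that pushed ActiveX controls (O16 DPF entries), in log order."""
    hosts: List[str] = []
    for line in log_text.splitlines():
        e = parse_hjt_line(line)
        if e is not None and e.section == "O16":
            host = urlparse(e.target).hostname
            if host and host not in hosts:
                hosts.append(host)
    return hosts


if __name__ == "__main__":
    for e in find_orphans(SAMPLE_LOG):
        print(f"orphan {e.section}: {e.name} {e.clsid or ''} -> {e.target or '(no file)'}")
    print("ActiveX download hosts:", ", ".join(dpf_hosts(SAMPLE_LOG)))
```

    An orphaned entry is not proof of infection: an `O9` HKCU button left behind by an uninstalled ISP toolbar looks exactly like a BHO whose DLL a cleaner just deleted. The list is a review queue for the helper, who decides per CLSID what to fix; the `O16` host list serves the same purpose for judging which sites were allowed to install ActiveX controls.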
  • edited August 2009
    Can do
  • edited August 2009
    Logfile of random's system information tool 1.06 (written by random/random)
    Run by Kevin at 2009-08-05 18:59:51
    Microsoft Windows XP Home Edition Service Pack 3
    System drive C: has 38 GB (50%) free of 76 GB
    Total RAM: 512 MB (20% free)
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:00:31 PM, on 5/08/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\WINDOWS\system32\LVComS.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\AirPort\APAgent.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Documents and Settings\Kevin\Desktop\RSIT.exe
    C:\Program Files\trend micro\Kevin.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.iprimus.com.au;*.primustel.com.au;*.primus.com.au;<local>;*.local
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-au\msntb.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
    O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"
    O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Anzwers - {110922B6-C652-4877-A0CA-CDF5619CCCD7} - http://www.anzwers.com.au (file missing) (HKCU)
    O9 - Extra button: OzEmail - {8C6B8EC2-CEB9-4E76-8D4D-27E9BA9AEBD4} - http://www.ozemail.com.au (file missing) (HKCU)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
    O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.com/teleport/hotdate/NPC/MaxisHotDateTeleX.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://coolbananas007.spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - http://thesims.ea.com/teleport/superstar/MaxisSuperstarTeleX.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {8629CFEB-C31A-4429-9BB0-8765A8A24FDA} (MaxisUnleashedLotTeleX Control) - http://thesims.ea.com/teleport/unleashed/LOT/MaxisUnleashedLotTeleX.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    --
    End of file - 13059 bytes
    ======Scheduled tasks folder======
    C:\WINDOWS\tasks\Disk Cleanup.job
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\tasks\MP Scheduled Scan.job
    ======Registry dump======
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    Yahoo! Companion BHO - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll []
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
    HP Print Enhancer - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [2007-11-06 322880]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
    Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2009-03-09 320920]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
    Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]
    MSNToolBandBHO - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-au\msntb.dll [2004-08-13 282624]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
    JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}]
    HP Smart BHO Class - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2007-11-06 542016]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Companion - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll []
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Smapp"=C:\Program Files\Analog Devices\SoundMAX\SMTray.exe [2002-10-11 98304]
    "NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-22 7700480]
    "nwiz"=nwiz.exe /install []
    "AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2005-03-04 88209]
    "B'sCLiP"=C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe [2003-06-19 1318912]
    "LogitechVideoRepair"=C:\Program Files\Logitech\Video\ISStart.exe [2004-02-12 188416]
    "LogitechVideoTray"=C:\Program Files\Logitech\Video\LogiTray.exe [2004-02-12 77824]
    "Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe [2005-09-09 57344]
    "NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-10-22 86016]
    "LogMeIn GUI"=C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [2008-02-28 63048]
    "Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
    "AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-05-13 177472]
    "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-05-26 413696]
    "iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-05-30 292136]
    "HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-10-14 49152]
    "hpqSRMon"=C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [2007-08-22 80896]
    "AirPort Base Station Agent"=C:\Program Files\AirPort\APAgent.exe [2009-05-27 753664]
    "UfSeAgnt.exe"=C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe [2009-04-01 995528]
    "Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
    "H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE [2005-07-04 376912]
    "OE"=C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe [2008-07-30 497008]
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
    C:\WINDOWS\system32\LMIinit.dll [2008-10-18 87352]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-14 239616]
    WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=323
    "Btn_Back"=0
    "Btn_Forward"=0
    "Btn_Stop"=0
    "Btn_Refresh"=0
    "Btn_Home"=0
    "Btn_Search"=0
    "Btn_History"=0
    "Btn_Favorites"=0
    "Btn_Folders"=0
    "Btn_Fullscreen"=0
    "Btn_Tools"=0
    "Btn_MailNews"=0
    "Btn_Size"=0
    "Btn_Print"=0
    "Btn_Edit"=0
    "Btn_Discussions"=0
    "Btn_Cut"=0
    "Btn_Copy"=0
    "Btn_Paste"=0
    "Btn_Encoding"=0
    "NoDriveAutoRun"=67108863
    "NoDrives"=0
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "HonorAutoRunSetting"=
    "NoDriveAutoRun"=
    "NoDriveTypeAutoRun"=
    "NoDrives"=
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\WINDOWS\System32\dpvsetup.exe"="C:\WINDOWS\System32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
    "C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
    "C:\WINDOWS\System32\java.exe"="C:\WINDOWS\System32\java.exe:*:Disabled:Java(TM) 2 Platform Standard Edition binary"
    "C:\My Games\SmallBall Baseball\smallball.exe"="C:\My Games\SmallBall Baseball\smallball.exe:*:Disabled:SmallBall BaseBall"
    "C:\Program Files\Messenger\MSMSGS.EXE"="C:\Program Files\Messenger\MSMSGS.EXE:*:Enabled:Windows Messenger"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "E:\Swimming\Meet Manager\SwimMM2.exe"="E:\Swimming\Meet Manager\SwimMM2.exe:*:Enabled:Swim Meet Manager"
    "C:\Documents and Settings\All Users\Documents\My Music\LimeWire\LimeWire.exe"="C:\Documents and Settings\All Users\Documents\My Music\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
    "C:\WINDOWS\System32\ftp.exe"="C:\WINDOWS\System32\ftp.exe:*:Enabled:File Transfer Program"
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:*:Enabled:Connection Manager"
    "C:\Program Files\MP3Downloading\bindata.exe"="C:\Program Files\MP3Downloading\bindata.exe:*:Enabled:MP3Downloading Ultimate File Sharing"
    "C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
    "C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
    "C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\Program Files\Photo Story 3 for Windows\PhotoStory3.exe"="C:\Program Files\Photo Story 3 for Windows\PhotoStory3.exe:*:Enabled:Photo Story 3 for Windows"
    "C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
    "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
    "C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
    "C:\Program Files\AirPort\APAgent.exe"="C:\Program Files\AirPort\APAgent.exe:*:Enabled:AirPort"
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
    "C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    ======List of files/folders created in the last 1 months======
    2009-08-04 20:53:10 ----A---- C:\ComboFix.txt
    2009-08-04 20:33:36 ----A---- C:\WINDOWS\NIRCMD.exe
    2009-08-04 19:07:05 ----A---- C:\uvnwl.txt
    2009-08-04 15:34:47 ----A---- C:\Boot.bak
    2009-08-04 15:34:41 ----RASHD---- C:\cmdcons
    2009-08-04 15:21:15 ----A---- C:\WINDOWS\zip.exe
    2009-08-04 15:21:15 ----A---- C:\WINDOWS\SWREG.exe
    2009-08-04 15:21:15 ----A---- C:\WINDOWS\PEV.exe
    2009-08-04 15:21:15 ----A---- C:\WINDOWS\grep.exe
    2009-08-04 15:21:14 ----A---- C:\WINDOWS\SWXCACLS.exe
    2009-08-04 15:21:14 ----A---- C:\WINDOWS\SWSC.exe
    2009-08-04 15:21:14 ----A---- C:\WINDOWS\sed.exe
    2009-08-04 15:21:01 ----D---- C:\WINDOWS\ERDNT
    2009-08-04 15:20:20 ----D---- C:\Qoobox
    2009-08-04 13:54:23 ----D---- C:\Documents and Settings\Kevin\Application Data\Malwarebytes
    2009-08-04 13:54:10 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2009-08-03 22:38:52 ----D---- C:\rsit
    2009-08-02 18:40:57 ----A---- C:\WINDOWS\system32\KDSInterface.txt
    2009-08-02 14:44:26 ----SHD---- C:\FOUND.000
    2009-08-01 21:12:28 ----D---- C:\Documents and Settings\All Users\Application Data\PC Tools
    2009-07-30 20:06:44 ----A---- C:\WINDOWS\ntbtlog.txt
    2009-07-28 17:51:41 ----D---- C:\Documents and Settings\All Users\Application Data\Trend Micro
    2009-07-28 17:49:07 ----D---- C:\Program Files\Trend Micro
    2009-07-15 19:05:28 ----HD---- C:\WINDOWS\$NtUninstallKB973346$
    2009-07-15 19:05:17 ----HD---- C:\WINDOWS\$NtUninstallKB971633$
    2009-07-15 19:00:46 ----HD---- C:\WINDOWS\$NtUninstallKB961371$
    ======List of files/folders modified in the last 1 months======
    2009-08-04 20:49:22 ----A---- C:\WINDOWS\system.ini
    2009-08-04 20:33:54 ----A---- C:\WINDOWS\SchedLgU.Txt
    2009-08-04 15:34:48 ----RASH---- C:\boot.ini
    2009-08-01 19:02:10 ----A---- C:\WINDOWS\win.ini
    2009-07-19 23:03:02 ----A---- C:\WINDOWS\system32\mshtml.dll
    2009-07-19 23:03:00 ----A---- C:\WINDOWS\system32\ieframe.dll
    2009-07-15 19:05:32 ----A---- C:\WINDOWS\imsins.BAK
    2009-07-08 00:40:56 ----A---- C:\WINDOWS\system32\MRT.exe
    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
    R1 cdrbsdrv;cdrbsdrv; C:\WINDOWS\system32\drivers\cdrbsdrv.sys [2004-03-08 13567]
    R1 cdrbsvsd;cdrbsvsd; C:\WINDOWS\system32\drivers\cdrbsvsd.sys [2003-12-03 13566]
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-14 36352]
    R1 meiudf;meiudf; C:\WINDOWS\System32\Drivers\meiudf.sys [2003-01-31 90416]
    R1 tmtdi;Trend Micro TDI Driver; C:\WINDOWS\system32\DRIVERS\tmtdi.sys [2009-03-04 80400]
    R2 fssfltr;FssFltr; C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys [2009-02-06 55152]
    R2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys []
    R2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys []
    R2 tmactmon;tmactmon; \??\C:\WINDOWS\system32\drivers\tmactmon.sys []
    R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
    R2 tmevtmgr;tmevtmgr; \??\C:\WINDOWS\system32\drivers\tmevtmgr.sys []
    R2 tmpreflt;tmpreflt; C:\WINDOWS\system32\DRIVERS\tmpreflt.sys [2009-05-22 36368]
    R2 tmxpflt;tmxpflt; C:\WINDOWS\system32\DRIVERS\tmxpflt.sys [2009-05-22 225296]
    R2 vsapint;vsapint; C:\WINDOWS\system32\DRIVERS\vsapint.sys [2009-05-22 1220120]
    R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-03-31 4816]
    R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\System32\DRIVERS\AGRSM.sys [2005-03-04 1066278]
    R3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
    R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
    R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2007-10-30 49920]
    R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2007-10-30 16496]
    R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2007-10-30 21568]
    R3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys [2008-02-28 10144]
    R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
    R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2006-10-22 3994624]
    R3 Pcatip;Pcatip; C:\WINDOWS\System32\DRIVERS\Pcatip.sys [2004-11-13 68608]
    R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\System32\DRIVERS\sisnic.sys [2004-08-04 32768]
    R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2002-12-05 534976]
    R3 tmcfw;Trend Micro Common Firewall Service; C:\WINDOWS\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-14 32128]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-14 30208]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-14 59520]
    R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-14 17152]
    R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-14 25856]
    R3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-14 15104]
    R4 BsUDF;B.H.A UDF Filesystem; C:\WINDOWS\system32\drivers\BsUDF.sys [2003-06-19 390016]
    S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2008-04-14 14592]
    S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
    S3 GcKernel;Microsoft SideWinder Value Add - Filter Driver; C:\WINDOWS\System32\DRIVERS\GcKernel.sys [2008-04-14 59136]
    S3 HIDSwvd;Microsoft SideWinder Virtual HID Device Mini-Driver; C:\WINDOWS\System32\DRIVERS\HIDSwvd.sys [2001-08-17 2688]
    S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-14 10368]
    S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
    S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
    S3 MTK;Media Technology Kernel Driver; C:\WINDOWS\System32\Drivers\fide.sys [2008-10-14 15271]
    S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
    S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [2008-04-14 10880]
    S3 Pcouffin;Low level access layer for CD devices; C:\WINDOWS\System32\Drivers\Pcouffin.sys []
    S3 pctplsg;pctplsg; \??\C:\WINDOWS\system32\drivers\pctplsg.sys []
    S3 QCDonner;Labtec WebCam(PID_0840); C:\WINDOWS\System32\DRIVERS\LVCD.sys [2004-01-20 474272]
    S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\System32\DRIVERS\SLIP.sys [2008-04-14 11136]
    S3 streamip;BDA IPSink; C:\WINDOWS\System32\DRIVERS\StreamIP.sys [2008-04-14 15232]
    S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver; C:\WINDOWS\System32\DRIVERS\SWUSBFLT.sys [2001-08-17 3968]
    S3 TfNetMon;TfNetMon; \??\C:\WINDOWS\system32\drivers\TfNetMon.sys []
    S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-05-29 39424]
    S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
    S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2005-07-04 104064]
    S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
    S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
    S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
    S4 LMIRfsClientNP;LMIRfsClientNP; C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys []
    S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-03-31 12032]
    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
    R2 AdobeActiveFileMonitor4.0;Adobe Active File Monitor V4; C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe [2005-09-09 102400]
    R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-05-29 144712]
    R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
    R2 DVD-RAM_Service;DVD-RAM_Service; C:\WINDOWS\System32\DVDRAMSV.exe [2003-05-22 106496]
    R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
    R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
    R2 LMIMaint;LogMeIn Maintenance Service; C:\Program Files\LogMeIn\x86\RaMaint.exe [2008-10-18 116032]
    R2 LogMeIn;LogMeIn; C:\Program Files\LogMeIn\x86\LogMeIn.exe [2008-02-28 63040]
    R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
    R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
    R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-22 159810]
    R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
    R2 SfCtlCom;Trend Micro Central Control Component; C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe [2009-04-01 711248]
    R2 SimpTcp;Simple TCP/IP Services; C:\WINDOWS\System32\tcpsvcs.exe [2003-03-31 19456]
    R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
    R2 TMBMServer;Trend Micro Unauthorized Change Prevention Service; C:\Program Files\Trend Micro\BM\TMBMSRV.exe [2009-03-03 341256]
    R2 TmPfw;Trend Micro Personal Firewall; C:\Program Files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
    R2 TmProxy;Trend Micro Proxy Service; C:\Program Files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
    R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
    R3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
    R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-05-30 541992]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
    S3 fsssvc;Windows Live Family Safety; C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
    S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
    EOF
  • edited August 2009
    Katana

    I could see LimeWire and MP3Downloading had not been taken off as I thought. I went to Program Files and have deleted them.
  • edited August 2009
    Logfile of random's system information tool 1.06 (written by random/random)
    Run by Kevin at 2009-08-05 19:13:53
    Microsoft Windows XP Home Edition Service Pack 3
    System drive C: has 38 GB (50%) free of 76 GB
    Total RAM: 512 MB (13% free)
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:14:18 PM, on 5/08/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\WINDOWS\system32\LVComS.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\AirPort\APAgent.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Documents and Settings\Kevin\Desktop\RSIT.exe
    C:\Program Files\trend micro\Kevin.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.iprimus.com.au;*.primustel.com.au;*.primus.com.au;<local>;*.local
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-au\msntb.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
    O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"
    O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Anzwers - {110922B6-C652-4877-A0CA-CDF5619CCCD7} - http://www.anzwers.com.au (file missing) (HKCU)
    O9 - Extra button: OzEmail - {8C6B8EC2-CEB9-4E76-8D4D-27E9BA9AEBD4} - http://www.ozemail.com.au (file missing) (HKCU)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
    O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.com/teleport/hotdate/NPC/MaxisHotDateTeleX.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://coolbananas007.spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - http://thesims.ea.com/teleport/superstar/MaxisSuperstarTeleX.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {8629CFEB-C31A-4429-9BB0-8765A8A24FDA} (MaxisUnleashedLotTeleX Control) - http://thesims.ea.com/teleport/unleashed/LOT/MaxisUnleashedLotTeleX.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    --
    End of file - 13059 bytes
    ======Scheduled tasks folder======
    C:\WINDOWS\tasks\Disk Cleanup.job
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\tasks\MP Scheduled Scan.job
    ======Registry dump======
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    Yahoo! Companion BHO - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll []
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
    HP Print Enhancer - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [2007-11-06 322880]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
    Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2009-03-09 320920]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
    Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]
    MSNToolBandBHO - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-au\msntb.dll [2004-08-13 282624]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
    JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}]
    HP Smart BHO Class - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2007-11-06 542016]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Companion - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll []
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Smapp"=C:\Program Files\Analog Devices\SoundMAX\SMTray.exe [2002-10-11 98304]
    "NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-22 7700480]
    "nwiz"=nwiz.exe /install []
    "AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2005-03-04 88209]
    "B'sCLiP"=C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe [2003-06-19 1318912]
    "LogitechVideoRepair"=C:\Program Files\Logitech\Video\ISStart.exe [2004-02-12 188416]
    "LogitechVideoTray"=C:\Program Files\Logitech\Video\LogiTray.exe [2004-02-12 77824]
    "Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe [2005-09-09 57344]
    "NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-10-22 86016]
    "LogMeIn GUI"=C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [2008-02-28 63048]
    "Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
    "AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-05-13 177472]
    "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-05-26 413696]
    "iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-05-30 292136]
    "HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-10-14 49152]
    "hpqSRMon"=C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [2007-08-22 80896]
    "AirPort Base Station Agent"=C:\Program Files\AirPort\APAgent.exe [2009-05-27 753664]
    "UfSeAgnt.exe"=C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe [2009-04-01 995528]
    "Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
    "H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE [2005-07-04 376912]
    "OE"=C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe [2008-07-30 497008]
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
    C:\WINDOWS\system32\LMIinit.dll [2008-10-18 87352]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-14 239616]
    WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=323
    "Btn_Back"=0
    "Btn_Forward"=0
    "Btn_Stop"=0
    "Btn_Refresh"=0
    "Btn_Home"=0
    "Btn_Search"=0
    "Btn_History"=0
    "Btn_Favorites"=0
    "Btn_Folders"=0
    "Btn_Fullscreen"=0
    "Btn_Tools"=0
    "Btn_MailNews"=0
    "Btn_Size"=0
    "Btn_Print"=0
    "Btn_Edit"=0
    "Btn_Discussions"=0
    "Btn_Cut"=0
    "Btn_Copy"=0
    "Btn_Paste"=0
    "Btn_Encoding"=0
    "NoDriveAutoRun"=67108863
    "NoDrives"=0
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "HonorAutoRunSetting"=
    "NoDriveAutoRun"=
    "NoDriveTypeAutoRun"=
    "NoDrives"=
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\WINDOWS\System32\dpvsetup.exe"="C:\WINDOWS\System32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
    "C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
    "C:\WINDOWS\System32\java.exe"="C:\WINDOWS\System32\java.exe:*:Disabled:Java(TM) 2 Platform Standard Edition binary"
    "C:\My Games\SmallBall Baseball\smallball.exe"="C:\My Games\SmallBall Baseball\smallball.exe:*:Disabled:SmallBall BaseBall"
    "C:\Program Files\Messenger\MSMSGS.EXE"="C:\Program Files\Messenger\MSMSGS.EXE:*:Enabled:Windows Messenger"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "E:\Swimming\Meet Manager\SwimMM2.exe"="E:\Swimming\Meet Manager\SwimMM2.exe:*:Enabled:Swim Meet Manager"
    "C:\Documents and Settings\All Users\Documents\My Music\LimeWire\LimeWire.exe"="C:\Documents and Settings\All Users\Documents\My Music\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
    "C:\WINDOWS\System32\ftp.exe"="C:\WINDOWS\System32\ftp.exe:*:Enabled:File Transfer Program"
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:*:Enabled:Connection Manager"
    "C:\Program Files\MP3Downloading\bindata.exe"="C:\Program Files\MP3Downloading\bindata.exe:*:Enabled:MP3Downloading Ultimate File Sharing"
    "C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
    "C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
    "C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\Program Files\Photo Story 3 for Windows\PhotoStory3.exe"="C:\Program Files\Photo Story 3 for Windows\PhotoStory3.exe:*:Enabled:Photo Story 3 for Windows"
    "C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
    "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"
    "C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
    "C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
    "C:\Program Files\AirPort\APAgent.exe"="C:\Program Files\AirPort\APAgent.exe:*:Enabled:AirPort"
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
    "C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    ======List of files/folders created in the last 1 months======
    2009-08-05 19:11:45 ----SHD---- C:\Recycled
    2009-08-04 20:53:10 ----A---- C:\ComboFix.txt
    2009-08-04 20:33:36 ----A---- C:\WINDOWS\NIRCMD.exe
    2009-08-04 19:07:05 ----A---- C:\uvnwl.txt
    2009-08-04 15:34:47 ----A---- C:\Boot.bak
    2009-08-04 15:34:41 ----RASHD---- C:\cmdcons
    2009-08-04 15:21:15 ----A---- C:\WINDOWS\zip.exe
    2009-08-04 15:21:15 ----A---- C:\WINDOWS\SWREG.exe
    2009-08-04 15:21:15 ----A---- C:\WINDOWS\PEV.exe
    2009-08-04 15:21:15 ----A---- C:\WINDOWS\grep.exe
    2009-08-04 15:21:14 ----A---- C:\WINDOWS\SWXCACLS.exe
    2009-08-04 15:21:14 ----A---- C:\WINDOWS\SWSC.exe
    2009-08-04 15:21:14 ----A---- C:\WINDOWS\sed.exe
    2009-08-04 15:21:01 ----D---- C:\WINDOWS\ERDNT
    2009-08-04 15:20:20 ----D---- C:\Qoobox
    2009-08-04 13:54:23 ----D---- C:\Documents and Settings\Kevin\Application Data\Malwarebytes
    2009-08-04 13:54:10 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2009-08-03 22:38:52 ----D---- C:\rsit
    2009-08-02 18:40:57 ----A---- C:\WINDOWS\system32\KDSInterface.txt
    2009-08-02 14:44:26 ----SHD---- C:\FOUND.000
    2009-08-01 21:12:28 ----D---- C:\Documents and Settings\All Users\Application Data\PC Tools
    2009-07-30 20:06:44 ----A---- C:\WINDOWS\ntbtlog.txt
    2009-07-28 17:51:41 ----D---- C:\Documents and Settings\All Users\Application Data\Trend Micro
    2009-07-28 17:49:07 ----D---- C:\Program Files\Trend Micro
    2009-07-15 19:05:28 ----HD---- C:\WINDOWS\$NtUninstallKB973346$
    2009-07-15 19:05:17 ----HD---- C:\WINDOWS\$NtUninstallKB971633$
    2009-07-15 19:00:46 ----HD---- C:\WINDOWS\$NtUninstallKB961371$
    ======List of files/folders modified in the last 1 months======
    2009-08-04 20:49:22 ----A---- C:\WINDOWS\system.ini
    2009-08-04 20:33:54 ----A---- C:\WINDOWS\SchedLgU.Txt
    2009-08-04 15:34:48 ----RASH---- C:\boot.ini
    2009-08-01 19:02:10 ----A---- C:\WINDOWS\win.ini
    2009-07-19 23:03:02 ----A---- C:\WINDOWS\system32\mshtml.dll
    2009-07-19 23:03:00 ----A---- C:\WINDOWS\system32\ieframe.dll
    2009-07-15 19:05:32 ----A---- C:\WINDOWS\imsins.BAK
    2009-07-08 00:40:56 ----A---- C:\WINDOWS\system32\MRT.exe
    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
    R1 cdrbsdrv;cdrbsdrv; C:\WINDOWS\system32\drivers\cdrbsdrv.sys [2004-03-08 13567]
    R1 cdrbsvsd;cdrbsvsd; C:\WINDOWS\system32\drivers\cdrbsvsd.sys [2003-12-03 13566]
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-14 36352]
    R1 meiudf;meiudf; C:\WINDOWS\System32\Drivers\meiudf.sys [2003-01-31 90416]
    R1 tmtdi;Trend Micro TDI Driver; C:\WINDOWS\system32\DRIVERS\tmtdi.sys [2009-03-04 80400]
    R2 fssfltr;FssFltr; C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys [2009-02-06 55152]
    R2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys []
    R2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys []
    R2 tmactmon;tmactmon; \??\C:\WINDOWS\system32\drivers\tmactmon.sys []
    R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
    R2 tmevtmgr;tmevtmgr; \??\C:\WINDOWS\system32\drivers\tmevtmgr.sys []
    R2 tmpreflt;tmpreflt; C:\WINDOWS\system32\DRIVERS\tmpreflt.sys [2009-05-22 36368]
    R2 tmxpflt;tmxpflt; C:\WINDOWS\system32\DRIVERS\tmxpflt.sys [2009-05-22 225296]
    R2 vsapint;vsapint; C:\WINDOWS\system32\DRIVERS\vsapint.sys [2009-05-22 1220120]
    R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-03-31 4816]
    R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\System32\DRIVERS\AGRSM.sys [2005-03-04 1066278]
    R3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
    R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
    R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2007-10-30 49920]
    R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2007-10-30 16496]
    R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2007-10-30 21568]
    R3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys [2008-02-28 10144]
    R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
    R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2006-10-22 3994624]
    R3 Pcatip;Pcatip; C:\WINDOWS\System32\DRIVERS\Pcatip.sys [2004-11-13 68608]
    R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\System32\DRIVERS\sisnic.sys [2004-08-04 32768]
    R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2002-12-05 534976]
    R3 tmcfw;Trend Micro Common Firewall Service; C:\WINDOWS\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-14 32128]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-14 30208]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-14 59520]
    R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-14 17152]
    R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-14 25856]
    R3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-14 15104]
    R4 BsUDF;B.H.A UDF Filesystem; C:\WINDOWS\system32\drivers\BsUDF.sys [2003-06-19 390016]
    S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2008-04-14 14592]
    S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
    S3 GcKernel;Microsoft SideWinder Value Add - Filter Driver; C:\WINDOWS\System32\DRIVERS\GcKernel.sys [2008-04-14 59136]
    S3 HIDSwvd;Microsoft SideWinder Virtual HID Device Mini-Driver; C:\WINDOWS\System32\DRIVERS\HIDSwvd.sys [2001-08-17 2688]
    S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-14 10368]
    S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
    S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
    S3 MTK;Media Technology Kernel Driver; C:\WINDOWS\System32\Drivers\fide.sys [2008-10-14 15271]
    S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
    S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [2008-04-14 10880]
    S3 Pcouffin;Low level access layer for CD devices; C:\WINDOWS\System32\Drivers\Pcouffin.sys []
    S3 pctplsg;pctplsg; \??\C:\WINDOWS\system32\drivers\pctplsg.sys []
    S3 QCDonner;Labtec WebCam(PID_0840); C:\WINDOWS\System32\DRIVERS\LVCD.sys [2004-01-20 474272]
    S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\System32\DRIVERS\SLIP.sys [2008-04-14 11136]
    S3 streamip;BDA IPSink; C:\WINDOWS\System32\DRIVERS\StreamIP.sys [2008-04-14 15232]
    S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver; C:\WINDOWS\System32\DRIVERS\SWUSBFLT.sys [2001-08-17 3968]
    S3 TfNetMon;TfNetMon; \??\C:\WINDOWS\system32\drivers\TfNetMon.sys []
    S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-05-29 39424]
    S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
    S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2005-07-04 104064]
    S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
    S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
    S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
    S4 LMIRfsClientNP;LMIRfsClientNP; C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys []
    S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-03-31 12032]
    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
    R2 AdobeActiveFileMonitor4.0;Adobe Active File Monitor V4; C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe [2005-09-09 102400]
    R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-05-29 144712]
    R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
    R2 DVD-RAM_Service;DVD-RAM_Service; C:\WINDOWS\System32\DVDRAMSV.exe [2003-05-22 106496]
    R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
    R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
    R2 LMIMaint;LogMeIn Maintenance Service; C:\Program Files\LogMeIn\x86\RaMaint.exe [2008-10-18 116032]
    R2 LogMeIn;LogMeIn; C:\Program Files\LogMeIn\x86\LogMeIn.exe [2008-02-28 63040]
    R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
    R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
    R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-22 159810]
    R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
    R2 SfCtlCom;Trend Micro Central Control Component; C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe [2009-04-01 711248]
    R2 SimpTcp;Simple TCP/IP Services; C:\WINDOWS\System32\tcpsvcs.exe [2003-03-31 19456]
    R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
    R2 TMBMServer;Trend Micro Unauthorized Change Prevention Service; C:\Program Files\Trend Micro\BM\TMBMSRV.exe [2009-03-03 341256]
    R2 TmPfw;Trend Micro Personal Firewall; C:\Program Files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
    R2 TmProxy;Trend Micro Proxy Service; C:\Program Files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
    R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
    R3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
    R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-05-30 541992]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
    S3 fsssvc;Windows Live Family Safety; C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
    S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
    EOF
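The driver and service sections of the RSIT log above are where a helper looks first: RSIT prints `[]` instead of a date and size when it could not read the file behind an entry, and the path tells you whether the binary lives where a stock XP install keeps drivers. As an added example (not code from this thread, from RSIT or from any tool named here), the Python script below parses those lines and reports the entries an analyst would check by hand. The sample lines are copied from the log above; the triage rules and the `TRUSTED_ROOTS` list are assumptions made for the demo.

```python
"""Triage helper for the driver/service sections of an RSIT log.

Added example (not part of the thread or of RSIT itself): it parses the
"R1 name;display; path [date size]" lines RSIT emits and flags the entries
an analyst would look at first. The lines in SAMPLE_LOG are copied from the
log above; the triage rules and the TRUSTED_ROOTS list are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# A subset of lines copied from the RSIT log posted above.
SAMPLE_LOG = r"""======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 cdrbsdrv;cdrbsdrv; C:\WINDOWS\system32\drivers\cdrbsdrv.sys [2004-03-08 13567]
R2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys []
R3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 pctplsg;pctplsg; \??\C:\WINDOWS\system32\drivers\pctplsg.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 LogMeIn;LogMeIn; C:\Program Files\LogMeIn\x86\LogMeIn.exe [2008-02-28 63040]
EOF
"""

# One RSIT entry: state, start type, name;display; path [date size] or [].
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]+);(?P<display>[^;]*); "
    r"(?P<path>.+?) \[(?:(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+))?\]$"
)

# Assumed locations a stock XP box loads drivers and services from.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Entry:
    kind: str            # "driver" or "service"
    state: str           # R = running, S = stopped
    start: int           # 0 boot .. 4 disabled (RSIT's own legend)
    name: str
    display: str
    path: str            # NT "\??\" prefix removed
    date: Optional[str]  # None when RSIT printed "[]"
    size: Optional[int]


def parse_rsit(text: str) -> List[Entry]:
    """Return one Entry per driver/service line, stopping at EOF."""
    entries: List[Entry] = []
    kind = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("======List of drivers"):
            kind = "driver"
            continue
        if line.startswith("======List of services"):
            kind = "service"
            continue
        if line == "EOF":
            break
        m = LINE_RE.match(line)
        if kind is None or not m:
            continue  # other sections of the log are ignored here
        path = m["path"]
        if path.startswith("\\??\\"):
            path = path[4:]
        entries.append(Entry(
            kind=kind,
            state=m["state"],
            start=int(m["start"]),
            name=m["name"],
            display=m["display"],
            path=path,
            date=m["date"],
            size=int(m["size"]) if m["size"] else None,
        ))
    return entries


def findings(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map entry name -> reasons it deserves a manual look (assumed rules)."""
    out: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if e.date is None:
            # RSIT prints [] when it could not stat the file: the binary is
            # missing, or something is keeping the scanner from reading it.
            reasons.append("no file date/size (file missing or unreadable)")
        if not e.path.lower().startswith(TRUSTED_ROOTS):
            reasons.append("binary outside Windows/Program Files")
        if reasons and e.state == "R":
            reasons.append("currently running")
        if reasons:
            out[e.name] = reasons
    return out


if __name__ == "__main__":
    for name, reasons in findings(parse_rsit(SAMPLE_LOG)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the sample it names `catchme` (ComboFix's own driver, which explains why it sits under `C:\ComboFix`), the two LogMeIn and PC Tools drivers with no file information, and the disabled `IntelIde`; a flagged entry is a prompt to check the file, not a verdict on its own.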
  • edited August 2009
    Fix With HJT

    Close all other windows and then start HiJack This
    Click Do A System Scan Only
    When it has finished scanning put a check next to the following lines IF still present
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Anzwers - {110922B6-C652-4877-A0CA-CDF5619CCCD7} - http://www.anzwers.com.au (file missing) (HKCU)
    O9 - Extra button: OzEmail - {8C6B8EC2-CEB9-4E76-8D4D-27E9BA9AEBD4} - http://www.ozemail.com.au (file missing) (HKCU)
    - Close ALL open windows (especially Internet Explorer!)-
    Now click Fix checked
    Click yes to any prompts
    Close HijackThis




    Congratulations, your logs look clean :)

    Let's see if I can help you keep it that way

    First, let's tidy up



    Uninstall Combofix
    • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
    • Click START then RUN
    • Now type Combofix /u in the run box and click OK. Note the space between the X and the /U; it needs to be there.




    OTCleanup
    Please download OTCleanup from HERE
    Click the OTC.exe icon and then click the CleanUp button.
    If you get any pop ups asking if it is OK let the program proceed. At the end the program will ask to let it reboot the computer. Let it do so.
    Let me know if there were any problems with OT CleanIt




    You can also delete any logs we have produced, and empty your Recycle bin.



    The following is some info to help you stay safe and clean.


    You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
    ( Vista users must ensure that any programs are Vista compatible BEFORE installing )

    Online Scanners
    I would recommend a scan at one or more of the following sites at least once a month.

    http://www.pandasecurity.com/activescan
    http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

    !!! Make sure that all your programs are updated !!!
    Secunia Software Inspector does all the work for you, .... see HERE for details

    AntiSpyware
      AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have free (for Home Users) and paid versions;
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
    • Spybot - Search & Destroy <<< A must have program
      • It includes host protection and registry protection
      • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
    • MalwareBytes Anti-malware <<< A New and effective program
    • a-squared Free <<< A good "realtime" or "on demand" scanner
    • superantispyware <<< A good "realtime" or "on demand" scanner



    Prevention
      These programs don't detect malware, they help stop it getting on your machine in the first place. Each does a different job, so you can have more than one
    • Winpatrol
      • An excellent startup manager and then some !!
      • Notifies you if programs are added to startup
      • Allows delayed startup
      • A must have addition
    • SpywareBlaster 4.0
      • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
    • SpywareGuard 2.2
      • SpywareGuard provides real-time protection against spyware.
      • Not required if you have other "realtime" antispyware or Winpatrol
    • ZonedOut
      • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
    • MVPS HOSTS
      • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
      • For information on how to download and install, please read this tutorial by WinHelp2002.
      • Not required if you are using other host file protections


    Internet Browsers
      Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys. Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.

    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available



    Cleaning Temporary Internet Files and Tracking Cookies
      Temporary Internet Files are mainly the files that are downloaded when you open a web page. Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware. It is a good idea to empty the Temporary Internet Files folder on a regular basis. Tracking Cookies are files that websites use to monitor which sites you visit and how often. A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted. CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords. Both of these can be cleaned manually, but a quicker option is to use a program
    • ATF Cleaner
      • Free and very simple to use
    • CCleaner
      • Free and very flexible, you can choose which cookies to keep


    Also PLEASE read this article.....So How Did I Get Infected In The First Place

    The last and most important thing I can tell you is UPDATE.
    If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
    Malware changes on a day to day basis. You should update every week at the very least.

    If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


    If you could post back one more time to let me know everything is OK, then I can have this thread archived.

    Happy surfing K'
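The post above describes the hosts file as a phone book and recommends tools (Spybot's host protection, MVPS HOSTS) that use it to block bad sites. The flip side is that a hijacker can edit the same file to send a real site somewhere else, which is why the helpers in this forum check it. As an added example (not code from this thread, from Spybot or from MVPS), the Python script below parses a hosts file and separates blocklist-style entries, which point at a sink address such as 127.0.0.1 or 0.0.0.0, from entries that send a name to a routable address and deserve a look. The sample file, its `.test` names and the classification rules are constructed for this demo; on a real machine you would read `%SystemRoot%\system32\drivers\etc\hosts` instead.

```python
"""Audit a Windows hosts file the way the post describes it: a phone book
that maps names to addresses.

Added example, not from the thread or from any of the tools it names. A
hosts entry that sends a name to a sink address (127.0.0.1, 0.0.0.0, ::1)
is a blocklist entry, which is what Spybot's host protection and the MVPS
HOSTS file install. An entry that sends a real site to a routable address
is what a hijacker adds, so it is reported separately. The sample file and
the classification rules are constructed for this demo.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample (documentation/test names only, not from the thread).
SAMPLE_HOSTS = """\
# Constructed sample hosts file for the demo
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example-tracker.test
127.0.0.1       malware.example.test  www.malware.example.test
203.0.113.10    www.example-bank.test   # routable address: possible hijack
not-an-ip       broken.example.test
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, address, names) for every non-comment, non-blank line."""
    rows = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        rows.append((no, parts[0], parts[1:]))
    return rows


def audit_hosts(text: str) -> Dict[str, list]:
    """Classify every name in the file (rules are this demo's assumptions).

    blocked   - names sent to a sink address (loopback or 0.0.0.0)
    redirects - (name, address) pairs sent to a routable address
    malformed - line numbers whose first field is not an IP address
    """
    report: Dict[str, list] = {"blocked": [], "redirects": [], "malformed": []}
    for no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            report["malformed"].append(no)
            continue
        sink = ip.is_loopback or ip.is_unspecified
        for name in names:
            if name.lower() == "localhost" and sink:
                continue  # expected on every machine
            if sink:
                report["blocked"].append(name)
            else:
                # A real site pointed at some other address is the classic
                # hosts-file hijack; localhost pointed off-box lands here too.
                report["redirects"].append((name, addr))
    return report


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(result['blocked'])} blocklist entries")
    for name, addr in result["redirects"]:
        print(f"REVIEW: {name} -> {addr}")
    for no in result["malformed"]:
        print(f"REVIEW: line {no} is not a valid hosts entry")
```

A large MVPS-style file will produce thousands of `blocked` names and that is the expected result; the `redirects` list is the part worth reading, since a clean machine normally has nothing in it.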
  • edited August 2009
    Which scan was HJT?

    Firewall etc off?
  • edited August 2009
    C:\Program Files\trend micro\Kevin.exe
    OR
    C:\Program Files\trend micro\HiJackThis.exe