
Posted

And I took the opportunity to install AntiVir and scan with it; here is the report.

AntiVir PersonalEdition Classic

Report file date: jeudi 4 octobre 2007 14:22

 

Scanning for 863400 virus strains and unwanted programs.

 

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 2) [5.1.2600]

Username: SYSTEM

Computer name: CAMBO-1

 

Version information:

BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00

AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 07:16:29

AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 06:23:51

LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 09:32:47

LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 06:35:20

ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 07:20:07

ANTIVIR1.VDF : 7.0.0.0 1640448 Bytes 9/13/2007 07:20:07

ANTIVIR2.VDF : 7.0.0.32 315904 Bytes 9/28/2007 07:20:07

ANTIVIR3.VDF : 7.0.0.47 78336 Bytes 10/4/2007 07:20:07

AVEWIN32.DLL : 7.6.0.18 2810368 Bytes 10/4/2007 07:20:08

AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 04:36:26

AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 01:39:17

AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 07:16:24

AVPACK32.DLL : 7.3.0.15 360488 Bytes 8/3/2007 02:46:00

AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 01:17:06

AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 06:26:33

AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 01:10:18

NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 05:09:42

RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 06:38:13

RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 06:50:37

SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 03:37:21

 

Configuration settings for the scan:

Jobname..........................: Complete system scan

Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: off

Scan boot sector.................: on

Boot sectors.....................: D:,

Scan memory......................: on

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: on

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

 

Start of the scan: jeudi 4 octobre 2007 14:22

 

Starting search for hidden objects.

'34743' objects were checked, '0' hidden objects were found.

 

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'Adobelm_Cleanup.0001' - '1' Module(s) have been scanned

Scan process 'Adobelmsvc.exe' - '1' Module(s) have been scanned

Scan process 'InDesign.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'wuauclt.exe' - '1' Module(s) have been scanned

Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'vsserv.exe' - '1' Module(s) have been scanned

Scan process 'kpf4gui.exe' - '1' Module(s) have been scanned

Scan process 'livesrv.exe' - '1' Module(s) have been scanned

Scan process 'bdss.exe' - '1' Module(s) have been scanned

Scan process 'xcommsvr.exe' - '1' Module(s) have been scanned

Scan process 'kpf4ss.exe' - '1' Module(s) have been scanned

Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned

Scan process 'javaw.exe' - '1' Module(s) have been scanned

Scan process 'MDM.EXE' - '1' Module(s) have been scanned

Scan process 'guard.exe' - '0' Module(s) have been scanned

Scan process 'RTHDCPL.exe' - '1' Module(s) have been scanned

Scan process 'rundll32.exe' - '1' Module(s) have been scanned

Scan process 'avgas.exe' - '1' Module(s) have been scanned

Scan process 'acrotray.exe' - '1' Module(s) have been scanned

Scan process 'StatusClient.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'aawservice.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

39 processes with 39 modules were scanned

 

Start scanning boot sectors:

Boot sector 'C:\'

[NOTE] No virus was found!

Boot sector 'D:\'

[NOTE] No virus was found!

 

Starting to scan the registry.

The registry was scanned ( '26' files ).

 

 

Starting the file scan:

 

Begin scan in 'C:\'

C:\AutoRun.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4778956d.qua'!

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\qoobox.zip.mwt

[0] Archive type: ZIP

--> qoobox/Quarantine/C/AutoRun.exe.vir

[DETECTION] Is the Trojan horse TR/Autorun.LS

--> qoobox/Quarantine/C/Documents and Settings/user/Local Settings/services.exe.vir

[DETECTION] Is the Trojan horse TR/Autorun.LS

--> qoobox/Quarantine/C/Documents and Settings/user/Local Settings/smss.exe.vir

[DETECTION] Is the Trojan horse TR/Autorun.LS

--> qoobox/Quarantine/C/Documents and Settings/user/Local Settings/winlogon.exe.vir

[DETECTION] Is the Trojan horse TR/Autorun.LS

--> qoobox/Quarantine/C/WINDOWS/.exe.vir

[DETECTION] Is the Trojan horse TR/Autorun.LS

--> qoobox/Quarantine/C/WINDOWS/Administrator.exe.vir

[DETECTION] Is the Trojan horse TR/Autorun.LS

--> qoobox/Quarantine/C/WINDOWS/Fonts/font.bat.vir

[DETECTION] Is the Trojan horse TR/Autorun.LS

--> qoobox/Quarantine/C/WINDOWS/services.exe.vir

[DETECTION] Is the Trojan horse TR/Autorun.LS

--> qoobox/Quarantine/C/WINDOWS/smss.exe.vir

[DETECTION] Is the Trojan horse TR/Autorun.LS

--> qoobox/Quarantine/C/WINDOWS/svchost.exe.vir

[DETECTION] Is the Trojan horse TR/Autorun.LS

--> qoobox/Quarantine/C/WINDOWS/SYSTEM.exe.vir

[DETECTION] Is the Trojan horse TR/Autorun.LS

--> qoobox/Quarantine/C/WINDOWS/system/regedit.exe.vir

[DETECTION] Is the Trojan horse TR/Autorun.LS

--> qoobox/Quarantine/C/WINDOWS/system/wininit.com.vir

[DETECTION] Is the Trojan horse TR/Autorun.LS

--> qoobox/Quarantine/C/WINDOWS/system32/CAMBO-1.exe.vir

[DETECTION] Is the Trojan horse TR/Autorun.LS

--> qoobox/Quarantine/C/WINDOWS/system32/command.cmd.vir

[DETECTION] Is the Trojan horse TR/Autorun.LS

--> qoobox/Quarantine/C/WINDOWS/system32/msdp32.dll.vir

[DETECTION] Is the Trojan horse TR/Autorun.LS

--> qoobox/Quarantine/C/WINDOWS/Temp/Tmp.com.vir

[DETECTION] Is the Trojan horse TR/Autorun.LS

--> qoobox/Quarantine/C/WINDOWS/user.exe.vir

[DETECTION] Is the Trojan horse TR/Autorun.LS

--> qoobox/Quarantine/C/WINDOWS/Web/Picture.exe.vir

[DETECTION] Is the Trojan horse TR/Autorun.LS

--> qoobox/Quarantine/C/WINDOWS/win.pif.vir

[DETECTION] Is the Trojan horse TR/Autorun.LS

--> qoobox/Quarantine/C/WINDOWS/winlogon.exe.vir

[DETECTION] Is the Trojan horse TR/Autorun.LS

--> qoobox/Quarantine/D/AutoRun.exe.vir

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '477395c1.qua'!

C:\Documents and Settings\Administrator\Local Settings\explorer.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '477495fa.qua'!

C:\Documents and Settings\Administrator\Local Settings\services.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '477695e9.qua'!

C:\Documents and Settings\Administrator\Local Settings\smss.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '477795f3.qua'!

C:\Documents and Settings\Administrator\Local Settings\svchost.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '476795fe.qua'!

C:\Documents and Settings\Administrator\Local Settings\winlogon.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '477295f3.qua'!

C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVSCAN-20071004-142226-E3F8B524\AVSCAN-00000010

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '475795ec.qua'!

C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVSCAN-20071004-142226-E3F8B524\AVSCAN-00000013

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '475795f1.qua'!

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch.zip

[DETECTION] Contains suspicious code HEUR/PwdZIP

[iNFO] The file was moved to '47739627.qua'!

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch1.zip

[DETECTION] Contains suspicious code HEUR/PwdZIP

[iNFO] The file was moved to '4773962a.qua'!

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch2.zip

[DETECTION] Contains suspicious code HEUR/PwdZIP

[iNFO] The file was moved to '4773962d.qua'!

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch3.zip

[DETECTION] Contains suspicious code HEUR/PwdZIP

[iNFO] The file was moved to '47739632.qua'!

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch4.zip

[DETECTION] Contains suspicious code HEUR/PwdZIP

[iNFO] The file was moved to '47739636.qua'!

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch5.zip

[DETECTION] Contains suspicious code HEUR/PwdZIP

[iNFO] The file was moved to '4773963b.qua'!

C:\Documents and Settings\user\Local Settings\explorer.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '47749695.qua'!

C:\Documents and Settings\user\Local Settings\services.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '47769686.qua'!

C:\Documents and Settings\user\Local Settings\smss.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '47779691.qua'!

C:\Documents and Settings\user\Local Settings\svchost.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4767969f.qua'!

C:\Documents and Settings\user\Local Settings\winlogon.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '47729694.qua'!

C:\Documents and Settings\user\Local Settings\Temp\Tmp.com.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '47749775.qua'!

C:\Documents and Settings\user\My Documents\Securite\ComboFix.exe

[0] Archive type: RAR SFX (self extracting)

--> setpath.cfexe

[DETECTION] Contains suspicious code HEUR/Malware

[WARNING] The file was ignored!

C:\qoobox\Quarantine\C\AutoRun.exe.vir.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4778b880.qua'!

C:\qoobox\Quarantine\C\Documents and Settings\user\Local Settings\services.exe.vir.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4776b872.qua'!

C:\qoobox\Quarantine\C\Documents and Settings\user\Local Settings\smss.exe.vir.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4777b87d.qua'!

C:\qoobox\Quarantine\C\Documents and Settings\user\Local Settings\winlogon.exe.vir.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4772b87b.qua'!

C:\qoobox\Quarantine\C\WINDOWS\.exe.vir.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '477cb879.qua'!

C:\qoobox\Quarantine\C\WINDOWS\Administrator.exe.vir.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4771b881.qua'!

C:\qoobox\Quarantine\C\WINDOWS\services.exe.vir.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4776b884.qua'!

C:\qoobox\Quarantine\C\WINDOWS\smss.exe.vir.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4777b88e.qua'!

C:\qoobox\Quarantine\C\WINDOWS\svchost.exe.vir.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4767b899.qua'!

C:\qoobox\Quarantine\C\WINDOWS\SYSTEM.exe.vir.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4757b881.qua'!

C:\qoobox\Quarantine\C\WINDOWS\user.exe.vir.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769b89d.qua'!

C:\qoobox\Quarantine\C\WINDOWS\win.pif.vir.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4772b894.qua'!

C:\qoobox\Quarantine\C\WINDOWS\winlogon.exe.vir.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4772b896.qua'!

C:\qoobox\Quarantine\C\WINDOWS\Fonts\font.bat.vir.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4772b89e.qua'!

C:\qoobox\Quarantine\C\WINDOWS\system\regedit.exe.vir.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '476bb896.qua'!

C:\qoobox\Quarantine\C\WINDOWS\system\wininit.com.vir.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4772b8a4.qua'!

C:\qoobox\Quarantine\C\WINDOWS\system32\CAMBO-1.exe.vir.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4751b89e.qua'!

C:\qoobox\Quarantine\C\WINDOWS\system32\command.cmd.vir.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4771b8ce.qua'!

C:\qoobox\Quarantine\C\WINDOWS\system32\msdp32.dll.vir.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4768b8d4.qua'!

C:\qoobox\Quarantine\C\WINDOWS\Temp\Tmp.com.vir.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4774b8d0.qua'!

C:\qoobox\Quarantine\C\WINDOWS\Web\Picture.exe.vir.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4767b8ce.qua'!

C:\qoobox\Quarantine\D\AutoRun.exe.vir.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4778b8de.qua'!

C:\Share\..exe.exe.exe.exe.exe.exe.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769b8a7.qua'!

C:\Share\..exe.exe.exe.exe.exe.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769b8a9.qua'!

C:\Share\..exe.exe.exe.exe.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769b8ab.qua'!

C:\Share\..exe.exe.exe.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769b8ad.qua'!

C:\Share\..exe.exe.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769b8ae.qua'!

C:\Share\..exe.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769b8b0.qua'!

C:\Share\..exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769b8b6.qua'!

C:\Share\electeur politique.doc.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769b8f6.qua'!

C:\Share\electeur politique.doc.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769b8f8.qua'!

C:\Share\electeur politique.doc.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769b8fa.qua'!

C:\Share\electeur politique.doc.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769b8fd.qua'!

C:\Share\electeur politique.doc.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769b8ff.qua'!

C:\Share\electeur politique.doc.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769b900.qua'!

C:\Share\electeur politique.doc.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769b902.qua'!

C:\Share\electeur politique.doc.exe.exe.exe.exe.exe.exe.exe.exe.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769b904.qua'!

C:\Share\electeur politique.doc.exe.exe.exe.exe.exe.exe.exe.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769b90a.qua'!

C:\Share\electeur politique.doc.exe.exe.exe.exe.exe.exe.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769b90b.qua'!

C:\Share\electeur politique.doc.exe.exe.exe.exe.exe.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769b90e.qua'!

C:\Share\electeur politique.doc.exe.exe.exe.exe.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769b910.qua'!

C:\Share\electeur politique.doc.exe.exe.exe.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769b912.qua'!

C:\Share\electeur politique.doc.exe.exe.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769b913.qua'!

C:\Share\electeur politique.doc.exe.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769b915.qua'!

C:\Share\electeur politique.doc.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769b917.qua'!

C:\WINDOWS\.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '477cb9e3.qua'!

C:\WINDOWS\services.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4776ba02.qua'!

C:\WINDOWS\smss.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4777ba0d.qua'!

C:\WINDOWS\svchost.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4767ba19.qua'!

C:\WINDOWS\SYSTEM.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4757b9ff.qua'!

C:\WINDOWS\user.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4769ba1c.qua'!

C:\WINDOWS\winlogon.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4772ba14.qua'!

C:\WINDOWS\system\regedit.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '476bbebe.qua'!

C:\WINDOWS\system\wininit.com.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4772becd.qua'!

C:\WINDOWS\system32\CAMBO-1.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4751bead.qua'!

C:\WINDOWS\system32\command.cmd.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4771bee2.qua'!

C:\WINDOWS\system32\msdp32.dll.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4768bfff.qua'!

C:\WINDOWS\Temp\Tmp.com.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4774c0ba.qua'!

C:\WINDOWS\Web\Picture.exe.mwt

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4767c0b9.qua'!

Begin scan in 'D:\' <HP-DATA>

D:\AutoRun.exe

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4778c0d9.qua'!

D:\System Volume Information\_restore{9AB9C5BD-55D5-4F7B-8C6E-AD3E36441EDA}\RP18\A0005037.exe

[DETECTION] Is the Trojan horse TR/Autorun.LS

[iNFO] The file was moved to '4734cc84.qua'!

 

 

End of the scan: jeudi 4 octobre 2007 18:19

Used time: 3:57:22 min

 

The scan has been done completely.

 

3763 Scanning directories

281228 Files were scanned

97 viruses and/or unwanted programs were found

7 Files were classified as suspicious:

0 files were deleted

0 files were repaired

82 files were moved to quarantine

0 files were renamed

1 Files cannot be scanned

281131 Files not concerned

1196 Archives were scanned

2 Warnings

0 Notes

34743 Objects were scanned with rootkit scan

0 Hidden objects were found

Posted

hi :P

You did well to use Antivir: given that it is more effective than BitDefender, I would advise you to keep it and get rid of BitDefender! (that one won't have been much use!)

Don't forget to configure Antivir properly: to do so, follow the instructions in tesgaz's Tutorial.
It is important that the software be configured correctly, on the one hand to get the best possible scan, but also to protect the PC as well as possible.

1) Please go to this page to download the file fixaut.reg > http://www.sendspace.com/file/j5qexp
to do so, click the link at the bottom of the page > Download Link: fixaut.reg
Don't run the file now! Leave it aside on the desktop.

2) Configure and update Antivir as shown in the tutorial (it's quick!).

3) Restart the PC, and it must be in Safe Mode.
When the computer restarts, once the BIOS has finished loading, a black screen appears briefly > alternately tap the [F8] and [F5] keys until the Windows Advanced Options menu is displayed.
Select "Safe Mode" and press the [Enter] key.
Choose your usual account, not Administrator.

4) Double-click the file fixaut.reg > you will get a message asking you to accept merging it into the registry; accept!

5) In the same way as before, do a complete scan of your hard drive with Antivir.

6) Restart the PC and please post >

- the Antivir report

Download SRENG to your desktop.

1. Unzip the file onto the desktop and double-click the file SREng.exe

2. Select 'Smart Scan'.

3. Click the [scan] button

4. When the scan is finished, click the [save Reports] button and save the report to your desktop

5. Post the report: it is called SRENG.log

hang in there :P

Posted

So, let's take things in order:

- I no longer get my error messages, thanks to your registry replacement script

- Antivir found nothing new; it had already cleared out quite a few things

- here is the Sreng report


2007-10-05,01:06:53

System Repair Engineer 2.5.16.900
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600) - Administrative User - Completed Functions Allowed

Follow item(s) have been choosed:
All Boot Items (Including Registry, Startup Folders, Services and so on)
Browser Add-ons
Runing Processes (Including process model information)
File Associations
Winsock Provider
Autorun.Inf
HOSTS File
Process Privileges Scan


Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<StatusClient 2.6><C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto>  [Hewlett-Packard]
<TomcatStartup 2.5><C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe>  [Hewlett-Packard]
<Acrobat Assistant 7.0><"C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe">  [Adobe Systems Inc.]
<!AVG Anti-Spyware><"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized>  [(Verified)GRISOFT LTD]
<NvMediaCenter><RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit>  [(Verified)Microsoft Windows Publisher]
<RTHDCPL><RTHDCPL.EXE>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<RestartNeroSetup><"C:\Program Files\Common Files\Ahead\Nero Web\SetupX.exe"  MODE="update">  [N/A]
<avgnt><"C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min>  [Avira GmbH]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe>  [(Verified)GRISOFT LTD]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{57B86673-276A-48B2-BAE7-C6DBB3020EB8}><C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll>  [(Verified)GRISOFT LTD]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
<WPDShServiceObj><C:\WINDOWS\system32\WPDShServiceObj.dll>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
<IE7 Uninstall Stub><C:\WINDOWS\system32\ieudinit.exe>  [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
<Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
<Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
<NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
<Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
<Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
<Address Book 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<Acrobat Assistant 7.0><; "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe">  [Adobe Systems Inc.]
<Alcmtr><; ALCMTR.EXE>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<BDAgent><; "C:\Program Files\Softwin\BitDefender10\bdagent.exe">  [SOFTWIN S.R.L.]
<BDMCon><; "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg>  [SOFTWIN S.R.L.]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}><; "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe">  [N/A]
<ctfmon.exe><; C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32>  [(Verified)Microsoft Windows Publisher]
<KBD><; C:\HP\KBD\KBD.EXE>  [Hewlett-Packard Company]
<NeroFilterCheck><; C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe>  [N/A]
<NvCplDaemon><; RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup>  [(Verified)Microsoft Windows Publisher]
<NvMediaCenter><; RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<nwiz><; nwiz.exe /install>  []
<PHIME2002A><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName>  [N/A]
<PHIME2002ASync><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC>  [N/A]
<RTHDCPL><; RTHDCPL.EXE>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<SkyTel><; SkyTel.EXE>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]

==================================
Startup Folders
[Adobe Acrobat Speed Launcher]
 <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk --> C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [N/A]><N>
[Adobe Gamma Loader]
 <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk --> C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [Adobe Systems, Inc.]><N>

==================================
Services
[Ad-Aware 2007 Service / aawservice][Running/Auto Start]
 <"C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"><Lavasoft AB>
[Adobe LM Service / Adobe LM Service][Stopped/Manual Start]
 <"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"><Adobe Systems>
[AntiVir PersonalEdition Classic Scheduler / AntiVirScheduler][Running/Auto Start]
 <"C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe"><Avira GmbH>
[AntiVir PersonalEdition Classic Guard / AntiVirService][Running/Auto Start]
 <"C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe"><Avira GmbH>
[AVG Anti-Spyware Guard / AVG Anti-Spyware Guard][Running/Auto Start]
 <C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe><GRISOFT s.r.o.>
[BitDefender Scan Server / BDSS][Stopped/Auto Start]
 <"C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service><N/A>
[Dmmcectidrn / Dmmcectidrn][Stopped/Manual Start]
 <><N/A>
[BitDefender Desktop Update Service / LIVESRV][Running/Auto Start]
 <"C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service><SOFTWIN S.R.L.>
[NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
 <C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>
[Password / Password][Stopped/Auto Start]
 <C:\WINDOWS\System32\PwdServ.exe><N/A>
[Pml Driver HPZ12 / Pml Driver HPZ12][Stopped/Auto Start]
 <C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe><HP>
[Sunbelt Personal Firewall 4 / SPF4][Running/Auto Start]
 <"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe"><Sunbelt Software>
[BitDefender Virus Shield / vsserv][Stopped/Auto Start]
 <"C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service><SOFTWIN S.R.L.>
[Windows Media Player Network Sharing Service / WMPNetworkSvc][Stopped/Manual Start]
 <"C:\Program Files\Windows Media Player\WMPNetwk.exe"><Microsoft Corporation>
[BitDefender Communicator / XCOMM][Running/Auto Start]
 <"C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service><SOFTWIN S.R.L>

==================================
Drivers
[AVG Anti-Spyware Driver / AVG Anti-Spyware Driver][Running/System Start]
 <\??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys><N/A>
[AVG Anti-Spyware Clean Driver / AvgAsCln][Running/System Start]
 <System32\DRIVERS\AvgAsCln.sys><GRISOFT, s.r.o.>
[avgio / avgio][Running/System Start]
 <\??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys><Avira GmbH>
[avgntflt / avgntflt][Running/Manual Start]
 <\??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys><Avira GmbH>
[avipbb / avipbb][Running/System Start]
 <system32\DRIVERS\avipbb.sys><AVIRA GmbH>
[bdfdll / bdfdll][Stopped/Manual Start]
 <\??\C:\Program Files\Softwin\BitDefender10\bdfdll.sys><N/A>
[BDFSDRV / BDFSDRV][Stopped/Manual Start]
 <\??\C:\Program Files\Softwin\BitDefender10\bdfsdrv.sys><N/A>
[BDRSDRV / BDRSDRV][Running/Auto Start]
 <\??\C:\Program Files\Softwin\BitDefender10\bdrsdrv.sys><N/A>
[catchme / catchme][Stopped/Manual Start]
 <\??\C:\DOCUME~1\user\LOCALS~1\Temp\catchme.sys><N/A>
[Intel(R) PRO Network Connection Driver / E100B][Running/Manual Start]
 <system32\DRIVERS\e100b325.sys><Intel Corporation>
[Firewall Driver / fwdrv][Running/System Start]
 <\SystemRoot\system32\drivers\fwdrv.sys><Sunbelt Software>
[Microsoft UAA Bus Driver for High Definition Audio / HDAudBus][Running/Manual Start]
 <system32\DRIVERS\HDAudBus.sys><Windows (R) Server 2003 DDK provider>
[HSXHWBS2 / HSXHWBS2][Running/Manual Start]
 <system32\DRIVERS\HSXHWBS2.sys><Conexant Systems, Inc.>
[HSX_DP / HSX_DP][Running/Manual Start]
 <system32\DRIVERS\HSX_DP.sys><Conexant Systems, Inc.>
[Service for Realtek HD Audio (WDM) / IntcAzAudAddService][Running/Manual Start]
 <system32\drivers\RtkHDAud.sys><Realtek Semiconductor Corp.>
[Kerio HIPS Driver / khips][Running/System Start]
 <\SystemRoot\system32\drivers\khips.sys><Sunbelt Software>
[mdmxsdk / mdmxsdk][Running/Auto Start]
 <system32\DRIVERS\mdmxsdk.sys><Conexant>
[nv / nv][Running/Manual Start]
 <system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[Padus ASPI Shell / pfc][Stopped/Manual Start]
 <system32\drivers\pfc.sys><Padus, Inc.>
[Profos / Profos][Stopped/Manual Start]
 <\??\C:\Program Files\Softwin\BitDefender10\profos.sys><N/A>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
 <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[PxHelp20 / PxHelp20][Running/Boot Start]
 <\SystemRoot\System32\Drivers\PxHelp20.sys><Sonic Solutions>
[Secdrv / Secdrv][Stopped/Manual Start]
 <system32\DRIVERS\secdrv.sys><N/A>
[ssmdrv / ssmdrv][Running/System Start]
 <system32\DRIVERS\ssmdrv.sys><Avira GmbH>
[Trufos / Trufos][Stopped/Manual Start]
 <\??\C:\Program Files\Softwin\BitDefender10\trufos.sys><N/A>
[winachsx / winachsx][Running/Manual Start]
 <system32\DRIVERS\HSX_CNXT.sys><Conexant Systems, Inc.>

==================================
Browser Add-ons
[Adobe PDF Reader Link Helper]
 {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[Spybot-S&D IE Protection]
 {53707962-6F74-2D53-2644-206D7942484F} <C:\PROGRA~1\Spybot\SDHelper.dll, Safer Networking Limited>
[SSVHelper Class]
 {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} <C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll, Sun Microsystems, Inc.>
[Windows Live Sign-in Helper]
 {9030D464-4C02-4ABF-8ECC-5164760863C6} <C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll, Microsoft Corporation>
[Adobe PDF Conversion Toolbar Helper]
 {AE7CD045-E861-484f-8273-0445EE161910} <C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll, Adobe Systems Incorporated>
[Java Plug-in 1.6.0_02]
 {08B0E5C0-4FCB-11CF-AAA5-00401C608501} <C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll, Sun Microsystems, Inc.>
[&Research]
 {92780B25-18CC-41C8-B9BE-3C9C571A8263} <C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL, Microsoft Corporation>
[Spybot-S&D IE Protection]
 {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} <C:\PROGRA~1\Spybot\SDHelper.dll, Safer Networking Limited>
[Messenger]
 {FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, Microsoft Corporation>
[Adobe PDF]
 {47833539-D0C5-4125-9FA8-0819E2EAAC93} <C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll, Adobe Systems Incorporated>
[WUWebControl Class]
 {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation>
[Java Plug-in 1.6.0_02]
 {8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll, Sun Microsystems, Inc.>
[Java Plug-in 1.6.0_02]
 {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll, Sun Microsystems, Inc.>
[Java Plug-in 1.6.0_02]
 {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll, Sun Microsystems, Inc.>
[Shockwave Flash Object]
 {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9d.ocx, Adobe Systems, Inc.>
[Adobe PDF Reader Link Helper]
 {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[Windows Genuine Advantage Validation Tool]
 {17492023-C23A-453E-A040-C7C580BBF700} <C:\WINDOWS\system32\legitcheckcontrol.dll, Microsoft Corporation>
[InformationCardSigninHelper Class]
 {19916E01-B44E-4E31-94A4-4696DF46157B} <C:\WINDOWS\system32\icardie.dll, Microsoft Corporation>
[HTML Document]
 {25336920-03F9-11CF-8FD0-00AA00686F13} <C:\WINDOWS\system32\mshtml.dll, Microsoft Corporation>
[XML DOM Document]
 {2933BF90-7B36-11D2-B20E-00C04F983E60} <%SystemRoot%\system32\msxml3.dll, N/A>
[HtmlDlgSafeHelper Class]
 {3050F819-98B5-11CF-BB82-00AA00BDCE0B} <C:\WINDOWS\system32\mshtmled.dll, Microsoft Corporation>
[Adobe PDF]
 {47833539-D0C5-4125-9FA8-0819E2EAAC93} <C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll, Adobe Systems Incorporated>
[Spybot-S&D IE Protection]
 {53707962-6F74-2D53-2644-206D7942484F} <C:\PROGRA~1\Spybot\SDHelper.dll, Safer Networking Limited>
[WUWebControl Class]
 {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation>
[Windows Media Player]
 {6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[SSVHelper Class]
 {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} <C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll, Sun Microsystems, Inc.>
[Microsoft Web Browser]
 {8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\ieframe.dll, Microsoft Corporation>
[Windows Live Sign-in Helper]
 {9030D464-4C02-4ABF-8ECC-5164760863C6} <C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll, Microsoft Corporation>
[Adobe PDF Conversion Toolbar Helper]
 {AE7CD045-E861-484F-8273-0445EE161910} <C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll, Adobe Systems Incorporated>
[Windows Live Sign-in Control]
 {D2517915-48CE-4286-970F-921E881B8C5C} <C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll, Microsoft Corporation>
[Shockwave Flash Object]
 {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9d.ocx, Adobe Systems, Inc.>
[]
 {E1771B7F-98BE-407F-BA67-AA16ADA5D0C5} <C:\PROGRA~1\MSNMES~1\MSGSC8~1.DLL, Microsoft Corporation>
[XML HTTP Request]
 {ED8C108E-4349-11D2-91A4-00C04F7969E8} <%SystemRoot%\system32\msxml3.dll, N/A>
[XML DOM Document 3.0]
 {F5078F32-C551-11D3-89B9-0000F81FE221} <%SystemRoot%\system32\msxml3.dll, N/A>
[XML HTTP 3.0]
 {F5078F35-C551-11D3-89B9-0000F81FE221} <%SystemRoot%\system32\msxml3.dll, N/A>
[XML HTTP]
 {F6D90F16-9C73-11D3-B32E-00C04F990BB4} <%SystemRoot%\system32\msxml3.dll, N/A>
[Convert link target to Adobe PDF]
 <res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html, N/A>
[Convert link target to existing PDF]
 <res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html, N/A>
[Convert selected links to Adobe PDF]
 <res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html, N/A>
[Convert selected links to existing PDF]
 <res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html, N/A>
[Convert selection to Adobe PDF]
 <res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html, N/A>
[Convert selection to existing PDF]
 <res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html, N/A>
[Convert to Adobe PDF]
 <res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html, N/A>
[Convert to existing PDF]
 <res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html, N/A>
[E&xport to Microsoft Excel]
 <res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000, N/A>

==================================
Running Processes
[PID: 712 / SYSTEM][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 784 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 812 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 856 / SYSTEM][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 868 / SYSTEM][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1032 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1100 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1140 / SYSTEM][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\Normaliz.dll]  [Microsoft Corporation, 6.0.5441.0 (winmain(wmbla).060628-1735)]
[C:\WINDOWS\system32\iertutil.dll]  [Microsoft Corporation, 7.00.6000.16512 (vista_gdr.070625-1522)]
[C:\WINDOWS\system32\wups2.dll]  [Microsoft Corporation, 7.0.6000.381 (winmain(wmbla).070730-1740)]
[PID: 1252 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1340 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\Normaliz.dll]  [Microsoft Corporation, 6.0.5441.0 (winmain(wmbla).060628-1735)]
[C:\WINDOWS\system32\iertutil.dll]  [Microsoft Corporation, 7.00.6000.16512 (vista_gdr.070625-1522)]
[PID: 1432 / SYSTEM][C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe]  [Lavasoft AB, 7, 0, 2, 2]
[C:\Program Files\Lavasoft\Ad-Aware 2007\CEAPI.dll]  [Lavasoft AB, 7, 0, 2, 1]
[C:\Program Files\Lavasoft\Ad-Aware 2007\PKArchive84cb.dll]  [PKWARE, Inc., 8.4.219.0]
[C:\WINDOWS\system32\Normaliz.dll]  [Microsoft Corporation, 6.0.5441.0 (winmain(wmbla).060628-1735)]
[C:\WINDOWS\system32\iertutil.dll]  [Microsoft Corporation, 7.00.6000.16512 (vista_gdr.070625-1522)]
[C:\Program Files\Lavasoft\Ad-Aware 2007\Update.dll]  [, 7, 0, 1, 3]
[PID: 1588 / user][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\Normaliz.dll]  [Microsoft Corporation, 6.0.5441.0 (winmain(wmbla).060628-1735)]
[C:\WINDOWS\system32\iertutil.dll]  [Microsoft Corporation, 7.00.6000.16512 (vista_gdr.070625-1522)]
[C:\WINDOWS\system32\ieframe.dll]  [Microsoft Corporation, 7.00.6000.16512 (vista_gdr.070625-1522)]
[C:\WINDOWS\system32\WPDShServiceObj.dll]  [Microsoft Corporation, 5.2.5721.5145 (WMP_11.061018-2006)]
[C:\WINDOWS\system32\PortableDeviceTypes.dll]  [Microsoft Corporation, 5.2.5721.5145 (WMP_11.061018-2006)]
[C:\WINDOWS\system32\PortableDeviceApi.dll]  [Microsoft Corporation, 5.2.5721.5145 (WMP_11.061018-2006)]
[C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll]  [GRISOFT s.r.o., 7, 5, 1, 36]
[C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll]  [Adobe Systems Incorporated, 7.0.9.2006121800]
[C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
[C:\PROGRA~1\Spybot\SDHelper.dll]  [Safer Networking Limited, 1, 5, 0, 8]
[C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll]  [Adobe Systems, Inc., 7.0.0.0]
[C:\Program Files\Microsoft Office\OFFICE11\msohev.dll]  [Microsoft Corporation, 11.0.5510]
[PID: 1716 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\AdobePDF.dll]  [Adobe Systems Incorporated., 7.0.0.00]
[C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\Adobe\Acrobat 7.0\Distillr\adistres.dll]  [Adobe Systems Incorporated., 7.0.7.2006011200]
[C:\WINDOWS\system32\mdimon.dll]  [Microsoft Corporation, 11.3.1897.0]
[C:\WINDOWS\System32\spool\PRTPROCS\W32X86\hpzpp2mq.dll]  [Hewlett-Packard Corporation, 60.034.153.31]
[C:\WINDOWS\System32\spool\PRTPROCS\W32X86\mdippr.dll]  [Microsoft Corporation, 11.3.1897.0]
[PID: 1764 / SYSTEM][C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe]  [Avira GmbH, 7.00.00.81]
[C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.dll]  [Avira GmbH, 7.00.00.01]
[C:\Program Files\Avira\AntiVir PersonalEdition Classic\avevtlog.dll]  [Avira GmbH, 7.00.00.20]
[C:\Program Files\Avira\AntiVir PersonalEdition Classic\guardmsg.dll]  [Avira GmbH, 7.00.11.00]
[C:\Program Files\Avira\AntiVir PersonalEdition Classic\sqlite3.dll]  [, 3, 3, 17, 1]
[C:\Program Files\Avira\AntiVir PersonalEdition Classic\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\Avira\AntiVir PersonalEdition Classic\AVPREF.DLL]  [Avira GmbH, 7.00.02.02]
[C:\Program Files\Avira\AntiVir PersonalEdition Classic\SMTPLIB.DLL]  [Avira GmbH, 1.02.00.17]
[C:\Program Files\Avira\AntiVir PersonalEdition Classic\AVPACK32.DLL]  [Avira GmbH, 7.03.00.15]
[C:\Program Files\Avira\AntiVir PersonalEdition Classic\unacev2.dll]  [N/A, ]
[C:\Program Files\Avira\AntiVir PersonalEdition Classic\AVEWIN32.DLL]  [Avira GmbH, 7.6.0.18]
[C:\Program Files\Avira\AntiVir PersonalEdition Classic\avipc.dll]  [Avira GmbH, 1.00.00.04]
[PID: 1852 / user][C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe]  [Hewlett-Packard, 00 .00 .15]
[C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\hpptui0.dll]  [Hewlett-Packard, 01.00.60]
[PID: 1868 / user][C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe]  [Adobe Systems Inc., 7.0.7.2006011200]
[PID: 1876 / user][C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe]  [GRISOFT s.r.o., 7, 5, 1, 43]
[C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\engine.dll]  [GRISOFT s.r.o., 4, 2, 0, 19]
[C:\WINDOWS\system32\ieframe.dll]  [Microsoft Corporation, 7.00.6000.16512 (vista_gdr.070625-1522)]
[C:\WINDOWS\system32\iertutil.dll]  [Microsoft Corporation, 7.00.6000.16512 (vista_gdr.070625-1522)]
[PID: 1884 / user][C:\WINDOWS\system32\RUNDLL32.EXE]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\NvMcTray.dll]  [NVIDIA Corporation, 6.14.10.9371]
[C:\WINDOWS\system32\nvapi.dll]  [N/A, ]
[PID: 1892 / user][C:\WINDOWS\RTHDCPL.EXE]  [Realtek Semiconductor Corp., 2.0.8.0]
[C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1928 / user][C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe]  [Avira GmbH, 7.02.00.13]
[C:\Program Files\Avira\AntiVir PersonalEdition Classic\MFC71U.DLL]  [Microsoft Corporation, 7.10.3077.0]
[C:\Program Files\Avira\AntiVir PersonalEdition Classic\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\Avira\AntiVir PersonalEdition Classic\cclib.dll]  [Avira GmbH, 7.02.00.03]
[C:\Program Files\Avira\AntiVir PersonalEdition Classic\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\MFC71ENU.DLL]  [Microsoft Corporation, 7.10.3077.0]
[c:\program files\avira\antivir personaledition classic\ccgen.dll]  [Avira GmbH, 7.02.00.10]
[c:\program files\avira\antivir personaledition classic\ccgenrc.dll]  [Avira GmbH, 7.02.04.02]
[c:\program files\avira\antivir personaledition classic\ccguard.dll]  [Avira GmbH, 7.00.01.34]
[c:\program files\avira\antivir personaledition classic\ccgrdrc.dll]  [Avira GmbH, 7.00.06.00]
[C:\Program Files\Avira\AntiVir PersonalEdition Classic\avipc.dll]  [Avira GmbH, 1.00.00.04]
[c:\program files\avira\antivir personaledition classic\ccupdate.dll]  [Avira GmbH, 7.02.00.04]
[c:\program files\avira\antivir personaledition classic\ccupdrc.dll]  [Avira GmbH, 7.02.01.00]
[c:\program files\avira\antivir personaledition classic\cclic.dll]  [Avira GmbH, 7.02.00.04]
[c:\program files\avira\antivir personaledition classic\cclicrc.dll]  [Avira GmbH, 7.02.01.00]
[c:\program files\avira\antivir personaledition classic\ccmsg.dll]  [Avira GmbH, 7.00.00.00]
[PID: 1936 / user][C:\WINDOWS\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1952 / user][C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe]  [Adobe Systems Incorporated, 7.0.5.2005092300]
[C:\WINDOWS\system32\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
[PID: 464 / SYSTEM][C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe]  [Avira GmbH, 7.00.00.62]
[C:\Program Files\Avira\AntiVir PersonalEdition Classic\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\Avira\AntiVir PersonalEdition Classic\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
[C:\Program Files\Avira\AntiVir PersonalEdition Classic\schedr.dll]  [Avira GmbH, 7.00.24.00]
[C:\Program Files\Avira\AntiVir PersonalEdition Classic\avevtlog.dll]  [Avira GmbH, 7.00.00.20]
[C:\Program Files\Avira\AntiVir PersonalEdition Classic\sqlite3.dll]  [, 3, 3, 17, 1]
[C:\Program Files\Avira\AntiVir PersonalEdition Classic\avipc.dll]  [Avira GmbH, 1.00.00.04]
[PID: 532 / SYSTEM][C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE]  [Microsoft Corporation, 7.00.9466]
[PID: 580 / SYSTEM][C:\WINDOWS\system32\nvsvc32.exe]  [NVIDIA Corporation, 6.14.10.9371]
[C:\WINDOWS\system32\nvapi.dll]  [N/A, ]
[PID: 700 / SYSTEM][C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe]  [Sunbelt Software, 4.5.916.0]
[C:\Program Files\Sunbelt Software\Personal Firewall\PocoFoundation.dll]  [N/A, ]
[C:\WINDOWS\system32\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\Sunbelt Software\Personal Firewall\PocoXML.dll]  [N/A, ]
[C:\Program Files\Sunbelt Software\Personal Firewall\PocoExt.dll]  [N/A, ]
[C:\Program Files\Sunbelt Software\Personal Firewall\kfe.dll]  [Sunbelt Software, 4.3.182.0]
[C:\Program Files\Sunbelt Software\Personal Firewall\LIBEAY32.dll]  [N/A, ]
[C:\Program Files\Sunbelt Software\Personal Firewall\SSLEAY32.dll]  [N/A, ]
[C:\Program Files\Sunbelt Software\Personal Firewall\curllib.dll]  [The cURL library, http://curl.haxx.se/, 7.15.2]
[C:\Program Files\Sunbelt Software\Personal Firewall\kwsapi.dll]  [Sunbelt Software, 4.3.182.0]
[C:\WINDOWS\system32\Normaliz.dll]  [Microsoft Corporation, 6.0.5441.0 (winmain(wmbla).060628-1735)]
[C:\WINDOWS\system32\iertutil.dll]  [Microsoft Corporation, 7.00.6000.16512 (vista_gdr.070625-1522)]
[PID: 120 / SYSTEM][C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe]  [SOFTWIN S.R.L, 1, 8, 11, 0]
[PID: 1172 / user][C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe]  [N/A, ]
[C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\hotspot\jvm.dll]  [N/A, ]
[C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\hpi.dll]  [N/A, ]
[C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\verify.dll]  [N/A, ]
[C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\java.dll]  [N/A, ]
[C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\zip.dll]  [N/A, ]
[C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\net.dll]  [N/A, ]
[C:\WINDOWS\system32\jst.dll]  [N/A, ]
[C:\WINDOWS\system32\d4channel.dll]  [Hewlett-Packard, 02.07.50]
[C:\WINDOWS\system32\PMLJNI.dll]  [N/A, ]
[c:\windows\system32\hppapml0.dll]  [HP, 7, 0, 5, 0]
[C:\WINDOWS\system32\HPZipr12.dll]  [HP, 7, 0, 5, 0]
[PID: 1384 / SYSTEM][C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe]  [Sunbelt Software, 4.5.916.0]
[C:\Program Files\Sunbelt Software\Personal Firewall\LIBEAY32.dll]  [N/A, ]
[C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\Sunbelt Software\Personal Firewall\SSLEAY32.dll]  [N/A, ]
[C:\Program Files\Sunbelt Software\Personal Firewall\PocoFoundation.dll]  [N/A, ]
[C:\WINDOWS\system32\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
[C:\Program Files\Sunbelt Software\Personal Firewall\PocoXML.dll]  [N/A, ]
[C:\Program Files\Sunbelt Software\Personal Firewall\PocoExt.dll]  [N/A, ]
[C:\WINDOWS\system32\MFC71.DLL]  [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\MFC71ENU.DLL]  [Microsoft Corporation, 7.10.3077.0]
[PID: 2772 / SYSTEM][C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe]  [SOFTWIN S.R.L., 10, 2, 0, 18]
[C:\WINDOWS\system32\XCOMM.dll]  [Softwin, 1, 8, 12, 0]
[C:\Program Files\Common Files\Softwin\BitDefender Update Service\HTTPGETF.dll]  [N/A, ]
[C:\WINDOWS\system32\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\Common Files\Softwin\BitDefender Update Service\zlib.dll]  [, 1.1.3]
[C:\Program Files\Common Files\Softwin\BitDefender Update Service\bdch.dll]  [SOFTWIN, 1, 1, 300]
[C:\Program Files\Common Files\Softwin\BitDefender Update Service\bdsubmit.dll]  [SOFTWIN, 1,2,0, 200]
[C:\WINDOWS\system32\Normaliz.dll]  [Microsoft Corporation, 6.0.5441.0 (winmain(wmbla).060628-1735)]
[C:\WINDOWS\system32\iertutil.dll]  [Microsoft Corporation, 7.00.6000.16512 (vista_gdr.070625-1522)]
[C:\WINDOWS\system32\MFC71.DLL]  [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\MFC71ENU.DLL]  [Microsoft Corporation, 7.10.3077.0]
[PID: 3092 / LOCAL SERVICE][C:\WINDOWS\System32\alg.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3296 / user][C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe]  [Sunbelt Software, 4.5.916.0]
[C:\Program Files\Sunbelt Software\Personal Firewall\LIBEAY32.dll]  [N/A, ]
[C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\Sunbelt Software\Personal Firewall\SSLEAY32.dll]  [N/A, ]
[C:\Program Files\Sunbelt Software\Personal Firewall\PocoFoundation.dll]  [N/A, ]
[C:\WINDOWS\system32\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
[C:\Program Files\Sunbelt Software\Personal Firewall\PocoXML.dll]  [N/A, ]
[C:\Program Files\Sunbelt Software\Personal Firewall\PocoExt.dll]  [N/A, ]
[C:\WINDOWS\system32\MFC71.DLL]  [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\MFC71ENU.DLL]  [Microsoft Corporation, 7.10.3077.0]
[C:\Program Files\Sunbelt Software\Personal Firewall\gkh.dll]  [Sunbelt Software, 4.5.916.0]
[PID: 3356 / SYSTEM][C:\WINDOWS\system32\wuauclt.exe]  [Microsoft Corporation, 7.0.6000.381 (winmain(wmbla).070730-1740)]
[C:\WINDOWS\system32\wups2.dll]  [Microsoft Corporation, 7.0.6000.381 (winmain(wmbla).070730-1740)]
[PID: 2844 / user][C:\WINDOWS\system32\wuauclt.exe]  [Microsoft Corporation, 7.0.6000.381 (winmain(wmbla).070730-1740)]
[C:\WINDOWS\system32\wups2.dll]  [Microsoft Corporation, 7.0.6000.381 (winmain(wmbla).070730-1740)]
[PID: 3848 / user][C:\Program Files\Mozilla Firefox\firefox.exe]  [Mozilla Corporation, 1.8.1.7: 2007091417]
[C:\Program Files\Mozilla Firefox\js3250.dll]  [Netscape Communications Corporation, 4.0]
[C:\Program Files\Mozilla Firefox\nspr4.dll]  [Netscape Communications Corporation, 4.6.7]
[C:\Program Files\Mozilla Firefox\xpcom_core.dll]  [Mozilla Foundation, 1.8.1.7: 2007091417]
[C:\Program Files\Mozilla Firefox\plc4.dll]  [Netscape Communications Corporation, 4.6.7]
[C:\Program Files\Mozilla Firefox\plds4.dll]  [Netscape Communications Corporation, 4.6.7]
[C:\Program Files\Mozilla Firefox\smime3.dll]  [Mozilla Foundation, 3.11.5 Basic ECC]
[C:\Program Files\Mozilla Firefox\nss3.dll]  [Mozilla Foundation, 3.11.5 Basic ECC]
[C:\Program Files\Mozilla Firefox\softokn3.dll]  [Mozilla Foundation, 3.11.4 Basic ECC]
[C:\Program Files\Mozilla Firefox\ssl3.dll]  [Mozilla Foundation, 3.11.5 Basic ECC]
[C:\Program Files\Mozilla Firefox\xpcom_compat.dll]  [Mozilla Foundation, 1.8.1.7: 2007091417]
[C:\Program Files\Mozilla Firefox\components\myspell.dll]  [Mozilla Foundation, 1.8.1.7: 2007091417]
[C:\Program Files\Mozilla Firefox\components\jar50.dll]  [Mozilla Foundation, 1.8.1.7: 2007091417]
[C:\Program Files\Mozilla Firefox\freebl3.dll]  [Mozilla Foundation, 3.11.4 Basic ECC]
[C:\Program Files\Mozilla Firefox\nssckbi.dll]  [Mozilla Foundation, 1.64]
[C:\Program Files\Mozilla Firefox\components\spellchk.dll]  [Mozilla Foundation, 1.8.1.7: 2007091417]
[C:\Program Files\Mozilla Firefox\plugins\npnul32.dll]  [mozilla.org, 1, 0, 0, 15]
[C:\WINDOWS\system32\Normaliz.dll]  [Microsoft Corporation, 6.0.5441.0 (winmain(wmbla).060628-1735)]
[C:\WINDOWS\system32\iertutil.dll]  [Microsoft Corporation, 7.00.6000.16512 (vista_gdr.070625-1522)]
[C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll]  [GRISOFT s.r.o., 7, 5, 1, 36]
[C:\WINDOWS\system32\ieframe.dll]  [Microsoft Corporation, 7.00.6000.16512 (vista_gdr.070625-1522)]
[PID: 3308 / user][C:\Documents and Settings\user\Desktop\sreng2\SREngPS.EXE]  [Smallfrogs Studio, 2.5.16.900]
[C:\WINDOWS\system32\Normaliz.dll]  [Microsoft Corporation, 6.0.5441.0 (winmain(wmbla).060628-1735)]
[C:\WINDOWS\system32\iertutil.dll]  [Microsoft Corporation, 7.00.6000.16512 (vista_gdr.070625-1522)]
[C:\Documents and Settings\user\Desktop\sreng2\Upload\3rdUpd.DLL]  [Smallfrogs Studio, 2, 1, 0, 15]

==================================
File Associations
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock Provider
N/A

==================================
Autorun.Inf
[C:\]
[AutoRun]
open=AutoRun.exe
shellexecute=AutoRun.exe
shell\Auto\command=AutoRun.exe
shell=Open
[D:\]
[AutoRun]
open=AutoRun.exe
shellexecute=AutoRun.exe
shell\Auto\command=AutoRun.exe
shell=Open

==================================
HOSTS File
127.0.0.1	   localhost

==================================
Process Privileges Scan
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 1764, C:\PROGRAM FILES\AVIRA\ANTIVIR PERSONALEDITION CLASSIC\AVGUARD.EXE]
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 1852, C:\PROGRAM FILES\HEWLETT-PACKARD\TOOLBOX\STATUSCLIENT\STATUSCLIENT.EXE]
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 1868, C:\PROGRAM FILES\ADOBE\ACROBAT 7.0\DISTILLR\ACROTRAY.EXE]
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 1928, C:\PROGRAM FILES\AVIRA\ANTIVIR PERSONALEDITION CLASSIC\AVGNT.EXE]
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 1952, C:\PROGRAM FILES\ADOBE\ACROBAT 7.0\ACROBAT\ACROBAT_SL.EXE]
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 1172, C:\PROGRAM FILES\HEWLETT-PACKARD\TOOLBOX\JRE\BIN\JAVAW.EXE]

==================================
API HOOK
Entrypoint Error: CreateProcessA (Dangerous Level: High,  Hooked by Module: 0x00130239)
Entrypoint Error: CreateProcessW (Dangerous Level: High,  Hooked by Module: 0x001302C5)
Entrypoint Error: CreateRemoteThread (Dangerous Level: High,  Hooked by Module: 0x001304F5)
Entrypoint Error: CreateThread (Dangerous Level: High,  Hooked by Module: 0x00130581)
Entrypoint Error: WriteProcessMemory (Dangerous Level: High,  Hooked by Module: 0x00130699)
Entrypoint Error: SetWindowsHookExA (Dangerous Level: High,  Hooked by Module: 0x00130725)
Entrypoint Error: SetWindowsHookExW (Dangerous Level: High,  Hooked by Module: 0x001307B1)

==================================
Hidden Process
N/A

==================================

Posted (edited)

hi :P

That all looks pretty good to me :P

There are two files named autorun.inf at the root of drives C:\ and D:\ > delete them!

- Antivir found nothing new

So no infected files found by Antivir? (I'm not talking about infected restore points.)

One more small search, because I see a "dubious" service; I don't think it will mean anything to you > Dmmcectidrn

Just run the search on this item with Regsearch and post the result.

The service in question is stopped (no worries).

Something else: can you run the search on this file? (it may no longer exist!) > C:\WINDOWS\System32\PwdServ.exe

Go to this address => http://www.virustotal.com/

There is a box named "Browse": click it and a window opens => browse your hard drive and look for the file PwdServ.exe, which you will find in the folder C:\WINDOWS\System32

Click once on the file PwdServ.exe (it turns blue!), then click "Open" at the bottom of the window, then "Send file". The scan of this file will begin. Then all you have to do is select and copy/paste the analysis.

Note: uploaded files are queued, because the virus scanner is in high demand! Be patient (a message tells you how long the analysis will take).

It is possible that this file is hidden and you can't see it: if so, do this first >

Start, My Computer or any other folder, Tools menu, Folder Options, View tab:

Check the box: Show hidden files and folders

Uncheck the box: Hide extensions for known file types

Uncheck the box: Hide protected operating system files

click "Apply"

click the "Apply to All Folders" button / OK

Do you know this service > Password? Software you might have installed? Have you used a utility to recover a lost password? (Bart's PE Builder, for example?)

One last scan as a precaution please (it's quick!) >

Download GMER

Disconnect from the internet if possible and close all programs.

Unzip the zip file and double-click gmer.exe

Click the "rootkit" tab and click Scan

When the scan is finished, click "copy"

Open Notepad and click the Edit menu / Paste

The report should then appear.

Save the file to your desktop and copy/paste its contents here.

You now have two antivirus programs + a firewall. I strongly advise you to forget BitDefender10 and keep Antivir (yes, I'm repeating myself!). You will have been able to see how effective Antivir is :P Also, I advise you to read this very interesting comparison by Malekal Morte to convince yourself > http://forum.malekal.com/ftopic3528.php

@+

Edited by charles ingals
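An added example (my own script, not charles ingals' and not part of SREng) that turns the checks above into code: it parses the "Services" and "Autorun.Inf" sections in the layout of the report posted earlier in this thread and lists what is worth following up: a service registered with no image path at all (Dmmcectidrn), services whose publisher is recorded as N/A (the Password service with PwdServ.exe, but also BitDefender's BDSS, so this is a "verify first" list, not a verdict), and autorun.inf files sitting at drive roots with the executables they launch. The section layout is assumed from the quoted report and the function names are mine; the embedded sample is constructed from entries copied out of that report.

```python
"""Triage of an SREng-style report: flags services with no image path or an
unknown publisher, and autorun.inf files at drive roots (added example)."""
import re
from dataclasses import dataclass

# Constructed sample in the layout of the report quoted in this thread; the
# entries are copied from that report, the layout is assumed from it.
SAMPLE_REPORT = r"""==================================
Services
[Ad-Aware 2007 Service / aawservice][Running/Auto Start]
 <"C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"><Lavasoft AB>
[BitDefender Scan Server / BDSS][Stopped/Auto Start]
 <"C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service><N/A>
[Dmmcectidrn / Dmmcectidrn][Stopped/Manual Start]
 <><N/A>
[Password / Password][Stopped/Auto Start]
 <C:\WINDOWS\System32\PwdServ.exe><N/A>
==================================
Autorun.Inf
[C:\]
[AutoRun]
open=AutoRun.exe
shellexecute=AutoRun.exe
shell=Open
[D:\]
[AutoRun]
open=AutoRun.exe
==================================
"""

SECTION_SPLIT = re.compile(r"(?m)^=+[ \t]*$")                      # the ===== separator lines
SERVICE_HDR = re.compile(r"^\[(?P<display>.*?) / (?P<name>[^\]]*)\]\[(?P<status>[^\]]*)\]$")
DETAIL = re.compile(r"^<(?P<path>.*)><(?P<publisher>[^<>]*)>$")   # <image path><publisher>
IMAGE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|sys|dll))"?', re.IGNORECASE)
DRIVE_HDR = re.compile(r"^\[(?P<drive>[A-Za-z]:\\)\]$")             # [C:\] inside Autorun.Inf


@dataclass(frozen=True)
class Service:
    name: str
    status: str
    path: str        # image path exactly as logged; empty for an orphaned service
    publisher: str


@dataclass(frozen=True)
class Finding:
    kind: str        # machine-readable tag
    subject: str     # service name or drive root
    detail: str


def split_sections(report):
    """Map each section title ('Services', 'Autorun.Inf', ...) to its non-blank lines."""
    sections = {}
    for chunk in SECTION_SPLIT.split(report):
        lines = [ln for ln in chunk.splitlines() if ln.strip()]
        if lines:
            sections[lines[0].strip()] = lines[1:]
    return sections


def image_path(raw):
    """Strip surrounding quotes and trailing arguments such as ' /service'."""
    m = IMAGE.match(raw.strip())
    return m["exe"] if m else raw.strip()


def parse_services(lines):
    services, pending = [], None
    for raw in lines:
        line = raw.strip()
        if hdr := SERVICE_HDR.match(line):
            pending = hdr                       # header line, details follow on the next line
        elif (det := DETAIL.match(line)) and pending:
            services.append(Service(pending["name"], pending["status"], det["path"], det["publisher"]))
            pending = None
    return services


def parse_autorun(lines):
    """Return {drive_root: {key: value}} for every autorun.inf the report lists."""
    drives, current = {}, None
    for raw in lines:
        line = raw.strip()
        if hdr := DRIVE_HDR.match(line):
            current, drives[hdr["drive"]] = hdr["drive"], {}
        elif current and "=" in line and not line.startswith("["):
            key, _, value = line.partition("=")
            drives[current][key.strip()] = value.strip()
    return drives


def triage(report):
    sections = split_sections(report)
    findings = []
    for svc in parse_services(sections.get("Services", [])):
        if not svc.path.strip():
            findings.append(Finding("service-no-binary", svc.name,
                "service registered without an image path: binary gone or never existed"))
        elif svc.publisher.strip().upper() == "N/A":
            findings.append(Finding("service-unknown-publisher", svc.name,
                "no publisher for %s: identify the binary (hash lookup) first" % image_path(svc.path)))
    for drive, keys in parse_autorun(sections.get("Autorun.Inf", [])).items():
        launched = sorted({v for k, v in keys.items() if k.lower() != "shell"})
        findings.append(Finding("autorun-inf", drive,
            "autorun.inf at the drive root launches %s" % ", ".join(launched)))
    return findings
```

Feed the text of a full report to `triage()` and print the findings; anything under `service-unknown-publisher` is exactly the kind of binary the VirusTotal step above is for, and a `service-no-binary` hit is a registry key to look at (Regsearch, as requested above) rather than a file to scan.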
Posted

So, here is the first report:

 

Windows Registry Editor Version 5.00

 

; Registry Search 2.0 by Bobbi Flekman © 2005

; Version: 2.0.5.0

 

; Results at 05/10/2007 23:00:32 for strings:

; 'dmmcectidrn'

; Strings excluded from search:

; (None)

; Search in:

; Registry Keys Registry Values Registry Data

; HKEY_LOCAL_MACHINE HKEY_USERS

 

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dmmcectidrn]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dmmcectidrn\Security]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Dmmcectidrn]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Dmmcectidrn\Security]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dmmcectidrn]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dmmcectidrn\Security]

 

; End Of The Log...

 

And the rootkit search:

 

GMER 1.0.13.12551 - http://www.gmer.net

Rootkit scan 2007-10-05 23:26:10

Windows 5.1.2600 Service Pack 2

 

 

---- System - GMER 1.0.13 ----

 

SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwClose

SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateFile

SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateKey

SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateProcess

SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateProcessEx

SSDT BAF7E874 ZwCreateThread

SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteFile

SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteKey

SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteValueKey

SSDT \SystemRoot\system32\drivers\khips.sys ZwLoadDriver

SSDT \SystemRoot\system32\drivers\khips.sys ZwMapViewOfSection

SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwOpenFile

SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwOpenKey

SSDT BAF7E860 ZwOpenProcess

SSDT BAF7E865 ZwOpenThread

SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwResumeThread

SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwSetInformationFile

SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwSetValueKey

SSDT BAF7E86F ZwTerminateProcess

SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwWriteFile

SSDT BAF7E86A ZwWriteVirtualMemory

 

---- Kernel code sections - GMER 1.0.13 ----

 

PAGENDSM NDIS.sys!NdisMIndicateStatus BA623A5F 6 Bytes JMP B732CC5E \SystemRoot\system32\drivers\fwdrv.sys

 

---- User code sections - GMER 1.0.13 ----

 

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[120] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[120] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[120] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[120] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[120] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[120] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[120] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[120] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001304F0

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[120] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0013057C

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[120] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001303D8

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[120] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0013034C

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[120] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00130464

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[120] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00130608

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[120] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 001307AC

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[120] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00130720

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[120] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[120] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[120] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950

.text C:\WINDOWS\system32\ctfmon.exe[184] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8

.text C:\WINDOWS\system32\ctfmon.exe[184] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090

.text C:\WINDOWS\system32\ctfmon.exe[184] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694

.text C:\WINDOWS\system32\ctfmon.exe[184] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0

.text C:\WINDOWS\system32\ctfmon.exe[184] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234

.text C:\WINDOWS\system32\ctfmon.exe[184] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004

.text C:\WINDOWS\system32\ctfmon.exe[184] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C

.text C:\WINDOWS\system32\ctfmon.exe[184] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0

.text C:\WINDOWS\system32\ctfmon.exe[184] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C

.text C:\WINDOWS\system32\ctfmon.exe[184] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8

.text C:\WINDOWS\system32\ctfmon.exe[184] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C

.text C:\WINDOWS\system32\ctfmon.exe[184] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464

.text C:\WINDOWS\system32\ctfmon.exe[184] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608

.text C:\WINDOWS\system32\ctfmon.exe[184] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC

.text C:\WINDOWS\system32\ctfmon.exe[184] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720

.text C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe[464] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8

.text C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe[464] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090

.text C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe[464] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694

.text C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe[464] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0

.text C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe[464] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234

.text C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe[464] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004

.text C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe[464] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C

.text C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe[464] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001304F0

.text C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe[464] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0013057C

.text C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe[464] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001303D8

.text C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe[464] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0013034C

.text C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe[464] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00130464

.text C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe[464] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00130608

.text C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe[464] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 001307AC

.text C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe[464] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00130720

.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[656] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000701A8

.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[656] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070090

.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[656] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00070694

.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[656] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000702C0

.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[656] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070234

.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[656] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00070004

.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[656] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0007011C

.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[656] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000704F0

.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[656] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0007057C

.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[656] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000703D8

.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[656] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0007034C

.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[656] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00070464

.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[656] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00070608

.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[656] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000707AC

.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[656] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00070720

.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[656] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000708C4

.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[656] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00070838

.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[656] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00070950

.text C:\WINDOWS\system32\csrss.exe[780] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 001607AC

.text C:\WINDOWS\system32\csrss.exe[780] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00160720

.text C:\WINDOWS\system32\csrss.exe[780] KERNEL32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001601A8

.text C:\WINDOWS\system32\csrss.exe[780] KERNEL32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00160090

.text C:\WINDOWS\system32\csrss.exe[780] KERNEL32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00160694

.text C:\WINDOWS\system32\csrss.exe[780] KERNEL32.dll!CreateProcessW 7C802332 5 Bytes JMP 001602C0

.text C:\WINDOWS\system32\csrss.exe[780] KERNEL32.dll!CreateProcessA 7C802367 5 Bytes JMP 00160234

.text C:\WINDOWS\system32\csrss.exe[780] KERNEL32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00160004

.text C:\WINDOWS\system32\csrss.exe[780] KERNEL32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0016011C

.text C:\WINDOWS\system32\csrss.exe[780] KERNEL32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001604F0

.text C:\WINDOWS\system32\csrss.exe[780] KERNEL32.dll!CreateThread 7C81082F 5 Bytes JMP 0016057C

.text C:\WINDOWS\system32\csrss.exe[780] KERNEL32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001603D8

.text C:\WINDOWS\system32\csrss.exe[780] KERNEL32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0016034C

.text C:\WINDOWS\system32\csrss.exe[780] KERNEL32.dll!WinExec 7C86114D 5 Bytes JMP 00160464

.text C:\WINDOWS\system32\csrss.exe[780] KERNEL32.dll!SetThreadContext 7C862849 5 Bytes JMP 00160608

.text C:\WINDOWS\system32\winlogon.exe[804] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000701A8

.text C:\WINDOWS\system32\winlogon.exe[804] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070090

.text C:\WINDOWS\system32\winlogon.exe[804] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00070694

.text C:\WINDOWS\system32\winlogon.exe[804] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000702C0

.text C:\WINDOWS\system32\winlogon.exe[804] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070234

.text C:\WINDOWS\system32\winlogon.exe[804] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00070004

.text C:\WINDOWS\system32\winlogon.exe[804] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0007011C

.text C:\WINDOWS\system32\winlogon.exe[804] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000704F0

.text C:\WINDOWS\system32\winlogon.exe[804] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0007057C

.text C:\WINDOWS\system32\winlogon.exe[804] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000703D8

.text C:\WINDOWS\system32\winlogon.exe[804] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0007034C

.text C:\WINDOWS\system32\winlogon.exe[804] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00070464

.text C:\WINDOWS\system32\winlogon.exe[804] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00070608

.text C:\WINDOWS\system32\winlogon.exe[804] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000707AC

.text C:\WINDOWS\system32\winlogon.exe[804] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00070720

.text C:\WINDOWS\system32\winlogon.exe[804] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000708C4

.text C:\WINDOWS\system32\winlogon.exe[804] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00070838

.text C:\WINDOWS\system32\winlogon.exe[804] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00070950

.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8

.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090

.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694

.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0

.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234

.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004

.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C

.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0

.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C

.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8

.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C

.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464

.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608

.text C:\WINDOWS\system32\services.exe[852] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC

.text C:\WINDOWS\system32\services.exe[852] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720

.text C:\WINDOWS\system32\services.exe[852] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4

.text C:\WINDOWS\system32\services.exe[852] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838

.text C:\WINDOWS\system32\services.exe[852] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950

.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8

.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090

.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694

.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0

.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234

.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004

.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C

.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0

.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C

.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8

.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C

.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464

.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608

.text C:\WINDOWS\system32\lsass.exe[864] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC

.text C:\WINDOWS\system32\lsass.exe[864] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720

.text C:\WINDOWS\system32\lsass.exe[864] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4

.text C:\WINDOWS\system32\lsass.exe[864] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838

.text C:\WINDOWS\system32\lsass.exe[864] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950

.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8

.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090

.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694

.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0

.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234

.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004

.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C

.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0

.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C

.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8

.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C

.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464

.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608

.text C:\WINDOWS\system32\svchost.exe[1036] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC

.text C:\WINDOWS\system32\svchost.exe[1036] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720

.text C:\WINDOWS\system32\svchost.exe[1036] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4

.text C:\WINDOWS\system32\svchost.exe[1036] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838

.text C:\WINDOWS\system32\svchost.exe[1036] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950

.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8

.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090

.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694

.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0

.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234

.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004

.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C

.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0

.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C

.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8

.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C

.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464

.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608

.text C:\WINDOWS\system32\svchost.exe[1104] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC

.text C:\WINDOWS\system32\svchost.exe[1104] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720

.text C:\WINDOWS\system32\svchost.exe[1104] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4

.text C:\WINDOWS\system32\svchost.exe[1104] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838

.text C:\WINDOWS\system32\svchost.exe[1104] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950

.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8

.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090

.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694

.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0

.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234

.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004

.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C

.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0

.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C

.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8

.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C

.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464

.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608

.text C:\WINDOWS\System32\svchost.exe[1200] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC

.text C:\WINDOWS\System32\svchost.exe[1200] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720

.text C:\WINDOWS\System32\svchost.exe[1200] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4

.text C:\WINDOWS\System32\svchost.exe[1200] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838

.text C:\WINDOWS\System32\svchost.exe[1200] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950

.text C:\WINDOWS\System32\svchost.exe[1200] WININET.dll!InternetConnectA 771C1C6A 5 Bytes JMP 00080F54

.text C:\WINDOWS\System32\svchost.exe[1200] WININET.dll!InternetConnectW 771C2B63 5 Bytes JMP 00080FE0

.text C:\WINDOWS\System32\svchost.exe[1200] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 00080D24

.text C:\WINDOWS\System32\svchost.exe[1200] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 00080DB0

.text C:\WINDOWS\System32\svchost.exe[1200] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 00080E3C

.text C:\WINDOWS\System32\svchost.exe[1200] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 00080EC8

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1244] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1244] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1244] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1244] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1244] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1244] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1244] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1244] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001304F0

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1244] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0013057C

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1244] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001303D8

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1244] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0013034C

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1244] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00130464

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1244] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00130608

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1244] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 001307AC

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1244] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00130720

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1244] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1244] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1244] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1256] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1256] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1256] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1256] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1256] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1256] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1256] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1256] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001304F0

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1256] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0013057C

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1256] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001303D8

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1256] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0013034C

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1256] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00130464

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1256] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00130608

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1256] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 001307AC

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1256] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00130720

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1256] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1256] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838

.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1256] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001304F0

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0013057C

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001303D8

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0013034C

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00130464

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00130608

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 001307AC

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00130720

.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8

.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090

.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694

.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0

.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234

.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004

.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C

.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0

.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C

.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8

.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C

.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464

.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608

.text C:\WINDOWS\system32\svchost.exe[1344] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC

.text C:\WINDOWS\system32\svchost.exe[1344] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720

.text C:\WINDOWS\system32\svchost.exe[1344] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4

.text C:\WINDOWS\system32\svchost.exe[1344] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838

.text C:\WINDOWS\system32\svchost.exe[1344] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950

.text C:\WINDOWS\system32\nvsvc32.exe[1372] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8

.text C:\WINDOWS\system32\nvsvc32.exe[1372] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090

.text C:\WINDOWS\system32\nvsvc32.exe[1372] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694

.text C:\WINDOWS\system32\nvsvc32.exe[1372] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0

.text C:\WINDOWS\system32\nvsvc32.exe[1372] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234

.text C:\WINDOWS\system32\nvsvc32.exe[1372] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004

.text C:\WINDOWS\system32\nvsvc32.exe[1372] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C

.text C:\WINDOWS\system32\nvsvc32.exe[1372] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001304F0

.text C:\WINDOWS\system32\nvsvc32.exe[1372] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0013057C

.text C:\WINDOWS\system32\nvsvc32.exe[1372] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001303D8

.text C:\WINDOWS\system32\nvsvc32.exe[1372] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0013034C

.text C:\WINDOWS\system32\nvsvc32.exe[1372] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00130464

.text C:\WINDOWS\system32\nvsvc32.exe[1372] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00130608

.text C:\WINDOWS\system32\nvsvc32.exe[1372] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 001307AC

.text C:\WINDOWS\system32\nvsvc32.exe[1372] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00130720

.text C:\WINDOWS\system32\nvsvc32.exe[1372] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4

.text C:\WINDOWS\system32\nvsvc32.exe[1372] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838

.text C:\WINDOWS\system32\nvsvc32.exe[1372] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950

.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8

.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090

.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694

.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0

.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234

.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004

.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C

.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0

.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C

.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8

.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C

.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464

.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608

.text C:\WINDOWS\system32\svchost.exe[1396] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC

.text C:\WINDOWS\system32\svchost.exe[1396] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720

.text C:\WINDOWS\system32\svchost.exe[1396] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4

.text C:\WINDOWS\system32\svchost.exe[1396] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838

.text C:\WINDOWS\system32\svchost.exe[1396] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950

.text C:\WINDOWS\system32\svchost.exe[1396] WININET.dll!InternetConnectA 771C1C6A 5 Bytes JMP 00080F54

.text C:\WINDOWS\system32\svchost.exe[1396] WININET.dll!InternetConnectW 771C2B63 5 Bytes JMP 00080FE0

.text C:\WINDOWS\system32\svchost.exe[1396] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 00080D24

.text C:\WINDOWS\system32\svchost.exe[1396] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 00080DB0

.text C:\WINDOWS\system32\svchost.exe[1396] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 00080E3C

.text C:\WINDOWS\system32\svchost.exe[1396] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 00080EC8

.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1456] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8

.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1456] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090

.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1456] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694

.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1456] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0

.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1456] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234

.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1456] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004

.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1456] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C

.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1456] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001304F0

.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1456] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0013057C

.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1456] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001303D8

.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1456] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0013034C

.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1456] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00130464

.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1456] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00130608

.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1456] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 001307AC

.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1456] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00130720

.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1456] WININET.dll!InternetConnectA 771C1C6A 5 Bytes JMP 00130F54

.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1456] WININET.dll!InternetConnectW 771C2B63 5 Bytes JMP 00130FE0

.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1456] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 00130D24

.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1456] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 00130DB0

.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1456] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 00130E3C

.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1456] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 00130EC8

.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1456] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4

.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1456] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838

.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1456] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[1616] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000301A8

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[1616] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00030090

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[1616] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00030694

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[1616] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000302C0

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[1616] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00030234

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[1616] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00030004

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[1616] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0003011C

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[1616] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000304F0

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[1616] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0003057C

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[1616] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000303D8

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[1616] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0003034C

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[1616] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00030464

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[1616] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00030608

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[1616] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000307AC

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[1616] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00030720

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[1616] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000308C4

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[1616] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00030838

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[1616] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00030950

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[1616] WININET.dll!InternetConnectA 771C1C6A 5 Bytes JMP 00030F54

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[1616] WININET.dll!InternetConnectW 771C2B63 5 Bytes JMP 00030FE0

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[1616] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 00030D24

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[1616] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 00030DB0

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[1616] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 00030E3C

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[1616] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 00030EC8

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1652] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1652] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1652] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1652] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1652] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1652] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1652] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1652] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001304F0

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1652] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0013057C

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1652] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001303D8

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1652] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0013034C

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1652] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00130464

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1652] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00130608

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1652] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 001307AC

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1652] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00130720

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1652] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1652] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1652] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950

.text C:\WINDOWS\Explorer.EXE[1748] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8

.text C:\WINDOWS\Explorer.EXE[1748] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090

.text C:\WINDOWS\Explorer.EXE[1748] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694

.text C:\WINDOWS\Explorer.EXE[1748] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0

.text C:\WINDOWS\Explorer.EXE[1748] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234

.text C:\WINDOWS\Explorer.EXE[1748] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004

.text C:\WINDOWS\Explorer.EXE[1748] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C

.text C:\WINDOWS\Explorer.EXE[1748] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0

.text C:\WINDOWS\Explorer.EXE[1748] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C

.text C:\WINDOWS\Explorer.EXE[1748] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8

.text C:\WINDOWS\Explorer.EXE[1748] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C

.text C:\WINDOWS\Explorer.EXE[1748] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464

.text C:\WINDOWS\Explorer.EXE[1748] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608

.text C:\WINDOWS\Explorer.EXE[1748] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC

.text C:\WINDOWS\Explorer.EXE[1748] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720

.text C:\WINDOWS\Explorer.EXE[1748] WININET.dll!InternetConnectA 771C1C6A 5 Bytes JMP 00080F54

.text C:\WINDOWS\Explorer.EXE[1748] WININET.dll!InternetConnectW 771C2B63 5 Bytes JMP 00080FE0

.text C:\WINDOWS\Explorer.EXE[1748] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 00080D24

.text C:\WINDOWS\Explorer.EXE[1748] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 00080DB0

.text C:\WINDOWS\Explorer.EXE[1748] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 00080E3C

.text C:\WINDOWS\Explorer.EXE[1748] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 00080EC8

.text C:\WINDOWS\Explorer.EXE[1748] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4

.text C:\WINDOWS\Explorer.EXE[1748] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838

.text C:\WINDOWS\Explorer.EXE[1748] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950

.text C:\WINDOWS\system32\spoolsv.exe[1908] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8

.text C:\WINDOWS\system32\spoolsv.exe[1908] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090

.text C:\WINDOWS\system32\spoolsv.exe[1908] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694

.text C:\WINDOWS\system32\spoolsv.exe[1908] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0

.text C:\WINDOWS\system32\spoolsv.exe[1908] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234

.text C:\WINDOWS\system32\spoolsv.exe[1908] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004

.text C:\WINDOWS\system32\spoolsv.exe[1908] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C

.text C:\WINDOWS\system32\spoolsv.exe[1908] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0

.text C:\WINDOWS\system32\spoolsv.exe[1908] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C

.text C:\WINDOWS\system32\spoolsv.exe[1908] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8

.text C:\WINDOWS\system32\spoolsv.exe[1908] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C

.text C:\WINDOWS\system32\spoolsv.exe[1908] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464

.text C:\WINDOWS\system32\spoolsv.exe[1908] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608

.text C:\WINDOWS\system32\spoolsv.exe[1908] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC

.text C:\WINDOWS\system32\spoolsv.exe[1908] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720

.text C:\WINDOWS\system32\spoolsv.exe[1908] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4

.text C:\WINDOWS\system32\spoolsv.exe[1908] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838

.text C:\WINDOWS\system32\spoolsv.exe[1908] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1956] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1956] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1956] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1956] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1956] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1956] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1956] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1956] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001304F0

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1956] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0013057C

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1956] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001303D8

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1956] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0013034C

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1956] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00130464

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1956] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00130608

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1956] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 001307AC

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1956] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00130720

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1956] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1956] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838

.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1956] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950

.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[2024] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8

.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[2024] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090

.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[2024] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694

.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[2024] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0

.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[2024] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234

.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[2024] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004

.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[2024] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C

.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[2024] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001304F0

.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[2024] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0013057C

.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[2024] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001303D8

.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[2024] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0013034C

.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[2024] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00130464

.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[2024] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00130608

.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[2024] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4

.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[2024] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838

.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[2024] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950

.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[2024] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 001307AC

.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[2024] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00130720

.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[2692] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8

.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[2692] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090

.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[2692] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694

.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[2692] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0

.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[2692] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234

.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[2692] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004

.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[2692] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C

.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[2692] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001304F0

.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[2692] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0013057C

.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[2692] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001303D8

.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[2692] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0013034C

.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[2692] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00130464

.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[2692] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00130608

.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[2692] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4

.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[2692] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838

.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[2692] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950

.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[2692] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 001307AC

.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[2692] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00130720

.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[2692] WININET.dll!InternetConnectA 771C1C6A 5 Bytes JMP 00130F54

.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[2692] WININET.dll!InternetConnectW 771C2B63 5 Bytes JMP 00130FE0

.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[2692] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 00130D24

.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[2692] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 00130DB0

.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[2692] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 00130E3C

.text C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe[2692] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 00130EC8

.text C:\WINDOWS\System32\alg.exe[3148] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8

.text C:\WINDOWS\System32\alg.exe[3148] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090

.text C:\WINDOWS\System32\alg.exe[3148] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694

.text C:\WINDOWS\System32\alg.exe[3148] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0

.text C:\WINDOWS\System32\alg.exe[3148] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234

.text C:\WINDOWS\System32\alg.exe[3148] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004

.text C:\WINDOWS\System32\alg.exe[3148] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C

.text C:\WINDOWS\System32\alg.exe[3148] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0

.text C:\WINDOWS\System32\alg.exe[3148] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C

.text C:\WINDOWS\System32\alg.exe[3148] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8

.text C:\WINDOWS\System32\alg.exe[3148] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C

.text C:\WINDOWS\System32\alg.exe[3148] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464

.text C:\WINDOWS\System32\alg.exe[3148] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608

.text C:\WINDOWS\System32\alg.exe[3148] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC

.text C:\WINDOWS\System32\alg.exe[3148] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720

.text C:\WINDOWS\System32\alg.exe[3148] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4

.text C:\WINDOWS\System32\alg.exe[3148] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838

.text C:\WINDOWS\System32\alg.exe[3148] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950

.text C:\WINDOWS\system32\wuauclt.exe[3428] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8

.text C:\WINDOWS\system32\wuauclt.exe[3428] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090

.text C:\WINDOWS\system32\wuauclt.exe[3428] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694

.text C:\WINDOWS\system32\wuauclt.exe[3428] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0

.text C:\WINDOWS\system32\wuauclt.exe[3428] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234

.text C:\WINDOWS\system32\wuauclt.exe[3428] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004

.text C:\WINDOWS\system32\wuauclt.exe[3428] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C

.text C:\WINDOWS\system32\wuauclt.exe[3428] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0

.text C:\WINDOWS\system32\wuauclt.exe[3428] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C

.text C:\WINDOWS\system32\wuauclt.exe[3428] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8

.text C:\WINDOWS\system32\wuauclt.exe[3428] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C

.text C:\WINDOWS\system32\wuauclt.exe[3428] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464

.text C:\WINDOWS\system32\wuauclt.exe[3428] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608

.text C:\WINDOWS\system32\wuauclt.exe[3428] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC

.text C:\WINDOWS\system32\wuauclt.exe[3428] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3564] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3564] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3564] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3564] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3564] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3564] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3564] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C

 

---- Kernel IAT/EAT - GMER 1.0.13 ----

---- Devices - GMER 1.0.13 ----

---- EOF - GMER 1.0.13 ----

As for the PwdServ file, I admit I have no idea. It's a work PC that I took over already in use, and I don't know its full history of installs and uninstalls.

I have two small side questions following my infection:

- is there a way to prevent USB keys from autorunning, so that an antivirus scan can be run before any interaction with the key?

- after restoring the OS and the accounts, the Windows updates were reset to zero, and there are now 77 of them. But when I tell it to install them, they fail.

I suppose it's because the notifier was reset while the previous updates are still on the disk. Or the other way round. How can I find out and fix this?

Thanks again for your help. Really.
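As an added example, not code from the original post: a small Python triage script that parses the three kinds of GMER lines shown in the report above (.text inline hooks, IAT hooks, AttachedDevice entries) and groups them by the module that owns each hook, so an analyst sees at a glance which drivers still need to be verified. The parse_gmer and triage functions and the verified_modules parameter are constructed here; the sample lines are copied from the report.

```python
import ntpath
import re
from collections import Counter

# Constructed sample: a few lines copied from the GMER 1.0.13 report pasted in
# this thread (user-mode inline hooks, kernel IAT hooks, attached devices).
SAMPLE_REPORT = r"""
.text C:\Program Files\MSN Messenger\usnsvc.exe[6576] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000704F0
.text C:\Program Files\MSN Messenger\usnsvc.exe[6576] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00070720
---- Kernel IAT/EAT - GMER 1.0.13 ----
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [b732CB60] \SystemRoot\system32\drivers\fwdrv.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [b732CB26] \SystemRoot\system32\drivers\fwdrv.sys
---- Devices - GMER 1.0.13 ----
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [bA6FBF70] fltMgr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [b7320974] fwdrv.sys
---- EOF - GMER 1.0.13 ----
"""

# One regex per GMER line type.  The user-mode form does not name the module
# owning the JMP target, only the address it jumps to.
USER_HOOK = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<mod>[\w.]+)!(?P<func>\w+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+\d+ Bytes JMP (?P<target>[0-9A-Fa-f]+)")
IAT_HOOK = re.compile(
    r"^IAT\s+(?P<importer>[^\[\s]+)\[(?P<mod>[\w.]+)!(?P<func>\w+)\]\s+"
    r"\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<owner>\S+)")
DEVICE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<irp>IRP_MJ_\w+)\s+"
    r"\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<owner>\S+)")


def _name(path):
    """Last path component, lower-cased, so one driver compares equal however GMER spelled its path."""
    return ntpath.basename(path).lower()


def parse_gmer(report):
    """Return {'user': [...], 'kernel': [...]} entries for the hook lines of a GMER report."""
    user, kernel = [], []
    for raw in report.splitlines():
        line = raw.strip()
        if m := USER_HOOK.match(line):
            user.append({"process": _name(m["proc"]), "pid": int(m["pid"]),
                         "hooked": f"{m['mod']}!{m['func']}", "target": m["target"].upper()})
        elif m := IAT_HOOK.match(line):
            kernel.append({"kind": "IAT", "where": _name(m["importer"]),
                           "hooked": f"{m['mod']}!{m['func']}", "owner": _name(m["owner"])})
        elif m := DEVICE.match(line):
            kernel.append({"kind": "AttachedDevice", "where": m["device"],
                           "hooked": m["irp"], "owner": _name(m["owner"])})
    return {"user": user, "kernel": kernel}


def triage(report, verified_modules=()):
    """Summarise hooks by owning module.

    verified_modules: driver names the analyst has already checked (vendor, signature,
    on-disk hash).  Every kernel hook owner not in that list is returned as 'unverified'.
    """
    hooks = parse_gmer(report)
    known = {v.lower() for v in verified_modules}
    owners = Counter(h["owner"] for h in hooks["kernel"])
    per_process = Counter(h["process"] for h in hooks["user"])
    # Inline hooks that all jump into the same 64 KiB region of a process usually belong
    # to one injected module; listing the region tells the analyst where to look in memory.
    target_regions = {p: sorted({h["target"][:4] for h in hooks["user"] if h["process"] == p})
                      for p in per_process}
    return {
        "kernel_owners": dict(owners),
        "unverified": sorted(o for o in owners if o not in known),
        "user_hooks": dict(per_process),
        "user_target_regions": target_regions,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT, verified_modules=("fltMgr.sys",))
    for key, value in summary.items():
        print(f"{key}: {value}")
```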

Posted

hi :P

As for the PwdServ file, I admit I have no idea. It's a work PC that I took over already in use, and I don't know its full history of installs and uninstalls.

Were you able to find it anyway?

In any case, we'll disable it like this >

- go to the Start menu / Run and type: services.msc

Look for the following service: Password

Double-click on it:

- in the "Service status" field, select "Stopped"

- in the "Startup type" field, select "Disabled", then "Apply", then "OK"

Close Services.

We'll remove the dmmcectidrn service with this script >

Please go to this page to download the delserv.reg file > http://www.sendspace.com/file/t82c06

to do that, click the link at the bottom of the page > Download Link: delserv.reg

Double-click the file and accept merging it into the registry; then delete the file.

- is there a way to prevent USB keys from autorunning, so that an antivirus scan can be run before any interaction with the key?

I'll refer you to a very interesting article by Malekal that describes in detail what happens during an infection that targets removable media > http://forum.malekal.com/ftopic3350.php

after restoring the OS and the accounts, the Windows updates were reset to zero, and there are now 77 of them. But when I tell it to install them, they fail.

Do you get an error message? Does the progress bar stay stuck?

There is a utility that can fix the problem, but I'd like you to tell me more first please :P

As for the Kaspersky online scan, try this and then retry the scan >

Launch Internet Explorer.

In the Tools menu, click Internet Options.

Click the Programs tab > Reset Web Settings > then Yes in the Reset Web Settings dialog box. Finally click Apply > then OK.

@+

Posted

Thanks a lot for the details on infections via removable media. Is there a way to launch a scan routine every time a USB key is inserted, for example? I didn't see that in the AntiVir options, for instance.

- The Pwdserv file did not exist. But that's probably due to a fix I did at the very start of my infection, via Hijackthis, since the file already looked very suspicious to me.

- Regarding the Windows updates, the patches have been downloaded (it offers to install them, both in the system tray and at shutdown). There are 70 of them, but the first one fails, immediately followed by all the rest.

I suppose it comes from a conflict between the previous update installations (whose logs must be lying around somewhere) and the ones trying to reinstall as if nothing had happened.

  • 3 weeks later...
Posted
Spybot keeps finding KillSec, Smitfraud-C., CoolWWWSearch.SmartSearch and CoolWWWSearch.Leftovers

Hello,

I had the same problem and I think I managed to remove it, but I have a residual problem with Office 2007.

All the files I opened with Word and Excel 2007 while the infection lasted are locked with a password, and I have no idea what the password is.

Did you have the same problem? Is it a fixed password? Or a random one?
