
Recommended posts

Posted

Here is the ComboFix report:

 

ComboFix 10-04-27.02 - Pascal Admin 02/05/2010 13:19:27.4.1 - x86

Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.511.156 [GMT 2:00]

Lancé depuis: c:\documents and settings\Pascal Admin\Bureau\bitruc.exe

Commutateurs utilisés :: c:\documents and settings\Pascal Admin\Bureau\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FW: Sunbelt Kerio Personal Firewall *disabled* {E659E0EE-10E6-49B7-8696-60F38D0EB174}

 

FILE ::

"c:\documents and settings\All Users\Menu Démarrer\Programmes\Gravure\Alcohol 120%\Online manual.lnk"

"c:\documents and settings\All Users\Menu Démarrer\Programmes\Gravure\Alcohol 120%\Uninstall Alcohol 120%.lnk"

"c:\program files\Alcohol Soft\Alcohol 120\Alcohol.exe"

"c:\program files\Alcohol Soft\Alcohol 120\AXShlEx.dll"

"c:\program files\Alcohol Soft\Alcohol 120\DevSupp.dll"

"c:\program files\Alcohol Soft\Alcohol 120\Help\ax_enu.chm"

"c:\program files\Alcohol Soft\Alcohol 120\Plugins\Images\ccdmount.dll"

"c:\program files\PixVue\bin\Daemon.exe"

"c:\windows\daemon.dll"

"c:\windows\Downloaded Installations\DAEMON Tools 3.47\daemon.msi"

"c:\windows\Prefetch\DAEMON.EXE-338AFD1E.pf"

"d:\documents de pascal\Provi\daemon4304-lite.exe"

"d:\utiltaires présents\Alcohol120_trial_1_4_6_711.exe"

"d:\utiltaires présents\daemon-tools_daemon_tools_4.0.3_anglais_10729.exe"

"d:\utiltaires présents\Daemon_Tools_L_v4.30.1.exe"

"d:\utiltaires présents\daemon347.exe"

"d:\utiltaires présents\daemon408-139-x86.exe"

"e:\outils photo\PixVue.exe"

"e:\u_w95-3\War FTP Daemon 1.66 - Jgaa(98)us.exe"

"e:\u_w95-3\War Ftp Daemon Server 2 - Jgaa(97)us.exe"

"e:\utiltaires présents\daemon-tools_daemon_tools_4.0.3_anglais_10729.exe"

"e:\utiltaires présents\daemon347.exe"

"e:\utiltaires présents\daemon408-139-x86.exe"

"f:\outils photo\PixVue.exe"

"f:\utiltaires présents\Alcohol120_trial_1_4_6_711.exe"

"f:\utiltaires présents\daemon-tools_daemon_tools_4.0.3_anglais_10729.exe"

"f:\utiltaires présents\daemon347.exe"

"f:\utiltaires présents\daemon408-139-x86.exe"

.

 

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\All Users\Menu Démarrer\Programmes\Gravure\Alcohol 120%

c:\documents and settings\All Users\Menu Démarrer\Programmes\Gravure\Alcohol 120%\Alcohol 120%.lnk

c:\documents and settings\All Users\Menu Démarrer\Programmes\Gravure\Alcohol 120%\Alcohol Command Launcher.lnk

c:\documents and settings\All Users\Menu Démarrer\Programmes\Gravure\Alcohol 120%\Online manual.lnk

c:\documents and settings\All Users\Menu Démarrer\Programmes\Gravure\Alcohol 120%\Uninstall Alcohol 120%.lnk

c:\documents and settings\All Users\Menu Démarrer\Programmes\Gravure\DAEMON Tools

c:\documents and settings\All Users\Menu Démarrer\Programmes\Gravure\DAEMON Tools\DAEMON Tools.lnk

c:\documents and settings\All Users\Menu Démarrer\Programmes\Gravure\DAEMON Tools\Uninstall.lnk

c:\documents and settings\Pascal Admin\Application Data\DAEMON Tools Lite

c:\documents and settings\Pascal Admin\Application Data\DAEMON Tools Lite\ImageCatalog.xml

c:\documents and settings\Pascal Admin\Application Data\DAEMON Tools

c:\documents and settings\Pascal Admin\Application Data\DAEMON Tools\daemontools.ini

c:\documents and settings\Pascal Admin\Application Data\PixVue

c:\documents and settings\Pascal Admin\Application Data\PixVue\Mes galeries\Gallery14.GDB

c:\documents and settings\Pascal Admin\Application Data\PixVue\Mes galeries\Gallery14.NDX

c:\documents and settings\Pascal Admin\Application Data\PixVue\Mes galeries\Thumbnails14.GDB

c:\documents and settings\Pascal Admin\Application Data\PixVue\Mes galeries\Thumbnails14.NDX

c:\windows\Downloaded Installations\DAEMON Tools 3.47

c:\windows\Downloaded Installations\DAEMON Tools 3.47\daemon.msi

c:\windows\Prefetch\DAEMON.EXE-338AFD1E.pf

e:\outils photo\PixVue.exe

e:\u_w95-3\War FTP Daemon 1.66 - Jgaa(98)us.exe

e:\u_w95-3\War Ftp Daemon Server 2 - Jgaa(97)us.exe

f:\outils photo\PixVue.exe

 

Une copie infectée de c:\windows\system32\Drivers\atapi.sys a été trouvée et désinfectée

Copie restaurée à partir de - c:\windows\ServicePackFiles\i386\atapi.sys

 

.

((((((((((((((((((((((((((((( Fichiers créés du 2010-04-02 au 2010-05-02 ))))))))))))))))))))))))))))))))))))

.

 

2010-05-02 10:13 . 2010-04-12 15:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-28 19:32 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

2010-04-28 14:55 . 2010-05-01 15:53 -------- d-----w- c:\program files\SEAF

2010-04-28 08:09 . 2010-04-28 08:09 -------- d-----w- c:\documents and settings\Pascal Admin\Application Data\Foxit Software

2010-04-27 10:03 . 2010-04-27 11:25 -------- d-----w- C:\Ad-Remover

2010-04-26 17:31 . 2010-04-27 08:12 -------- d-----w- C:\ToolBar SD

2010-04-04 09:37 . 2010-04-04 09:37 46 ----a-w- c:\windows\system32\DonationCoder_urlsnooper_InstallInfo.dat

2010-04-04 09:37 . 2010-04-04 09:37 -------- d-----w- c:\documents and settings\Pascal Admin\Application Data\DonationCoder

2010-04-04 09:36 . 2010-04-04 09:36 -------- d-----w- c:\program files\WinPcap

2010-04-04 09:35 . 2010-04-21 05:48 -------- d-----w- c:\program files\URLSnooper2

2010-04-04 09:35 . 2010-04-04 09:35 -------- d-----w- c:\documents and settings\All Users\Application Data\DonationCoder

2010-04-04 09:21 . 2010-04-04 09:21 -------- d-----w- c:\program files\Xi

 

.

(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-02 10:13 . 2009-12-20 14:11 -------- d-----w- c:\program files\Java

2010-05-02 09:15 . 2008-05-24 19:58 -------- d-----w- c:\program files\ZebHelpProcess 2

2010-05-01 14:42 . 2009-11-29 17:46 -------- d-----w- c:\program files\ZHPDiag

2010-04-30 16:57 . 2005-11-06 11:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-04-27 06:59 . 2006-08-08 20:23 1735460 ----a-w- c:\windows\system32\drivers\fwdrv.err

2010-04-26 17:46 . 2008-01-19 10:01 -------- d-----w- c:\documents and settings\Pascal Admin\Application Data\uTorrent

2010-04-26 10:21 . 2008-12-26 17:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-26 10:14 . 2009-01-10 19:45 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-04-26 08:40 . 2007-10-20 09:05 -------- d-----w- c:\program files\CCleaner

2010-04-25 00:29 . 2010-04-25 00:29 664 ----a-w- c:\documents and settings\Dominique\Local Settings\Application Data\d3d9caps.tmp

2010-04-17 11:50 . 2008-12-19 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-04-09 10:05 . 2004-11-04 18:05 -------- d-----w- c:\program files\Fichiers communs\Adobe

2010-04-07 05:43 . 2006-04-15 10:06 -------- d-----w- c:\program files\Radio Fr Solo

2010-04-05 10:24 . 2008-11-24 19:11 -------- d-----w- c:\documents and settings\Pascal Admin\Application Data\Vso

2010-04-04 14:41 . 2008-11-30 21:38 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-04-03 17:29 . 2010-04-03 17:29 503808 ----a-w- c:\documents and settings\Dominique\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6f6d9473-n\msvcp71.dll

2010-04-03 17:29 . 2010-04-03 17:29 499712 ----a-w- c:\documents and settings\Dominique\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6f6d9473-n\jmc.dll

2010-04-03 17:29 . 2010-04-03 17:29 12800 ----a-w- c:\documents and settings\Dominique\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2524fe97-n\decora-d3d.dll

2010-04-03 17:29 . 2010-04-03 17:29 348160 ----a-w- c:\documents and settings\Dominique\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6f6d9473-n\msvcr71.dll

2010-04-03 17:29 . 2010-04-03 17:29 61440 ----a-w- c:\documents and settings\Dominique\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2524fe97-n\decora-sse.dll

2010-04-03 10:07 . 2005-10-07 15:49 -------- d-----w- c:\program files\Fichiers communs\Java

2010-04-03 10:07 . 2010-04-03 10:07 503808 ----a-w- c:\documents and settings\Pascal Admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5ae4574e-n\msvcp71.dll

2010-04-03 10:07 . 2010-04-03 10:07 61440 ----a-w- c:\documents and settings\Pascal Admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-65ae946b-n\decora-sse.dll

2010-04-03 10:07 . 2010-04-03 10:07 499712 ----a-w- c:\documents and settings\Pascal Admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5ae4574e-n\jmc.dll

2010-04-03 10:07 . 2010-04-03 10:07 348160 ----a-w- c:\documents and settings\Pascal Admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5ae4574e-n\msvcr71.dll

2010-04-03 10:07 . 2010-04-03 10:07 12800 ----a-w- c:\documents and settings\Pascal Admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-65ae946b-n\decora-d3d.dll

2010-04-03 10:05 . 2001-08-28 12:00 615420 ----a-w- c:\windows\system32\perfh00C.dat

2010-04-03 10:05 . 2001-08-28 12:00 123638 ----a-w- c:\windows\system32\perfc00C.dat

2010-03-29 22:46 . 2008-12-26 17:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-29 22:45 . 2008-12-26 17:58 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-28 12:37 . 2010-03-06 16:20 -------- d-----w- c:\program files\USB-set

2010-03-27 12:32 . 2008-03-16 14:51 -------- d-----w- c:\documents and settings\Dominique\Application Data\Smart Panel

2010-03-26 11:17 . 2004-10-10 15:53 -------- d-----w- c:\program files\eMule

2010-03-24 13:09 . 2005-02-14 21:38 117824 ----a-w- c:\documents and settings\Olivier\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-03-24 13:05 . 2010-03-24 13:05 130 ----a-w- c:\documents and settings\Olivier\Local Settings\Application Data\fusioncache.dat

2010-03-20 13:00 . 2008-05-24 11:41 -------- d-----w- c:\documents and settings\All Users\Application Data\BSD

2010-03-13 17:28 . 2010-03-13 17:28 2734 ----a-r- c:\documents and settings\Pascal Admin\Application Data\Microsoft\Installer\{C9CE8735-F02F-4DE4-B979-04D30DFFE7C3}\_2cd672ae.exe

2010-03-13 17:28 . 2010-03-13 17:28 2734 ----a-r- c:\documents and settings\Pascal Admin\Application Data\Microsoft\Installer\{C9CE8735-F02F-4DE4-B979-04D30DFFE7C3}\_294823.exe

2010-03-13 17:28 . 2010-03-13 17:28 2734 ----a-r- c:\documents and settings\Pascal Admin\Application Data\Microsoft\Installer\{C9CE8735-F02F-4DE4-B979-04D30DFFE7C3}\_18be6784.exe

2010-03-13 17:28 . 2010-03-13 17:28 12390 ----a-r- c:\documents and settings\Pascal Admin\Application Data\Microsoft\Installer\{C9CE8735-F02F-4DE4-B979-04D30DFFE7C3}\_4ae13d6c.exe

2010-03-13 17:28 . 2010-03-13 17:28 -------- d-----w- c:\program files\Ujihara

2010-03-10 06:16 . 2002-08-29 09:45 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-07 19:00 . 2005-05-15 08:35 -------- d-----w- c:\documents and settings\Pascal Admin\Application Data\ArcSoft

2010-02-25 06:17 . 2002-08-29 09:45 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2005-02-12 12:06 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-24 08:16 . 2009-10-23 08:40 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr

2010-02-17 12:07 . 2002-08-29 09:42 2192000 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 19:07 . 2002-08-29 11:42 2068864 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:34 . 2002-08-29 09:44 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2002-08-28 23:37 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

1999-12-02 12:54 . 2007-10-27 08:36 91648 ------w- c:\program files\xcacls.exe

2008-09-10 11:49 . 2008-09-10 11:49 5817064 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll

2005-05-30 19:37 . 2005-05-30 19:37 8192 --sha-w- c:\windows\o2cLicStore.bin

2005-05-05 15:01 . 2005-05-05 15:01 8 --sh--r- c:\windows\system32\0AA48D50C7.sys

2006-07-11 06:15 . 2006-07-11 06:15 5 --sha-w- c:\windows\system32\aebdd_s.dll

2008-04-14 02:33 . 2001-08-28 12:00 65024 --sha-w- c:\windows\system32\asycfilt.dll

2005-05-05 15:15 . 2005-05-05 15:01 1056 --sha-w- c:\windows\system32\KGyGaAvL.sys

2001-08-28 12:00 . 2001-08-28 12:00 57344 --sha-w- c:\windows\system32\mfc42loc.dll

2001-08-28 12:00 . 2001-08-28 12:00 253952 --sha-w- c:\windows\system32\msvcrt20.dll

2008-04-14 02:33 . 2002-08-29 09:44 551936 --sha-w- c:\windows\system32\oleaut32.dll

2008-04-14 02:33 . 2001-08-28 12:00 84992 --sha-w- c:\windows\system32\olepro32.dll

2008-04-14 02:33 . 2001-08-28 12:00 30749 --sha-w- c:\windows\system32\vbajet32.dll

.

 

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"PSDrvCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-08-28 396800]

"CloneCDElbyCDFL"="c:\program files\SlySoft\CloneCD\ElbyCheck.exe" [2002-11-02 45056]

"LogitechCommunicationsManager"="c:\program files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-07 488984]

"LVCOMSX"="c:\program files\Fichiers communs\Logitech\LComMgr\LVComSX.exe" [2007-02-06 252704]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"SunJavaUpdateSched"="c:\program files\Fichiers communs\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

 

c:\documents and settings\Pascal Admin\Menu D‚marrer\Programmes\D‚marrage\

HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2004-4-13 299008]

 

c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-1-14 122880]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2007-04-19 10:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0SsiEfr.e

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Nikon Monitor.lnk]

path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Nikon Monitor.lnk

backup=c:\windows\pss\Nikon Monitor.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Pascal Admin^Menu Démarrer^Programmes^Démarrage^Adobe Gamma.lnk]

path=c:\documents and settings\Pascal Admin\Menu Démarrer\Programmes\Démarrage\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Pascal Admin^Menu Démarrer^Programmes^Démarrage^Outil de notification Live Search.lnk]

backup=c:\windows\pss\Outil de notification Live Search.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]

2007-02-07 23:13 774168 ----a-w- c:\program files\Logitech\QuickCam10\QuickCam10.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\eMule\\emule.exe"=

"c:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

 

R0 axwhisky;axwhisky;c:\windows\system32\drivers\axwhisky.sys [02/07/2003 18:41 5248]

R0 axwskbus;axwskbus;c:\windows\system32\drivers\axwskbus.sys [02/07/2003 17:49 124160]

R0 ElbyVCD;ElbyVCD;c:\windows\system32\drivers\ElbyVCD.sys [28/11/2002 12:43 22016]

R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [04/11/2004 11:55 23003]

R0 PrecSim;PrecSim;c:\windows\system32\drivers\precsim.sys [22/05/2002 01:00 69600]

R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [18/07/2006 12:02 284184]

R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [18/07/2006 12:02 91672]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [29/02/2008 16:03 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [29/02/2008 16:03 51440]

R2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [03/10/2009 12:04 108289]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [20/10/2009 20:19 50704]

R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [27/04/2007 15:19 2368]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [05/10/2006 23:11 13592]

R3 chdrvr01;CH Control Manager Driver 1;c:\windows\system32\drivers\chdrvr01.sys [06/01/2008 18:37 215104]

R3 chdrvr02;CH Control Manager Driver 2;c:\windows\system32\drivers\chdrvr02.sys [06/01/2008 18:37 3744]

R3 chdrvr03;CH Control Manager Driver 3;c:\windows\system32\drivers\chdrvr03.sys [06/01/2008 18:37 9024]

R3 emu10kx;Creative EMU10K1/EMU10K2 Audio Driver (WDM);c:\windows\system32\drivers\e10kx2k.sys [01/04/2006 14:19 1757928]

S3 MODRC;DiBcom Infrared Receiver;c:\windows\system32\drivers\modrc.sys [28/04/2008 18:54 13824]

S3 PctvVirtualNdis;Pinnacle Virtual Miniport;c:\windows\system32\drivers\PctvVirtualNdis.sys [28/04/2008 19:14 13696]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/02/2006 16:51 4096]

.

Contenu du dossier 'Tâches planifiées'

 

2010-05-02 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-10-05 21:11]

.

.

------- Examen supplémentaire -------

.

mWindow Title =

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Télécharger avec NetTransport - c:\program files\Xi\NetTransport 2\NTAddLink.html

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Tout t&élécharger avec NetTransport - c:\program files\Xi\NetTransport 2\NTAddList.html

Trusted Zone: ahnlab.com\global

Trusted Zone: cltnet.de\www

Trusted Zone: gdfsuez.com\webmailfr

TCP: {9548D205-C2A3-4969-BEF2-92CBB72FF227} = 192.168.0.1

DPF: DirectAnimation Java Classes

DPF: Microsoft XML Parser for Java

DPF: teleir_cert - hxxps://static.ir.dgi.minefi.gouv.fr/secure/connexion/archives/ie4n4/teleir_cert.cab

DPF: {0D9392CD-A784-4FCA-9342-0F75F7D7C8CB} - hxxp://www.cltnet.de/login/dplaunch.cab

DPF: {88764F69-3831-4EC1-B40B-FF21D8381345} - hxxps://static.impots.gouv.fr/tdir/static/adpform/AdSignerADP-2.0.cab

FF - ProfilePath - c:\documents and settings\Pascal Admin\Application Data\Mozilla\Firefox\Profiles\ksf78zvj.default\

FF - prefs.js: browser.search.selectedEngine - Live Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.fr

FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?mkt=fr-FR&FORM=MIMWA5&q=

FF - component: c:\documents and settings\Pascal Admin\Application Data\Mozilla\Firefox\Profiles\ksf78zvj.default\extensions\isadmin@vdtsoftware.ffext\components\isadmin.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

 

---- PARAMETRES FIREFOX ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORPHELINS SUPPRIMES - - - -

 

WebBrowser-{200B4767-4E46-4A4F-B2A0-D23A0E30B592} - (no file)

ShellIconOverlayIdentifiers-{3E57A8B6-849B-476E-A3E9-CFCE49E3662A} - (no file)

ShellIconOverlayIdentifiers-{E3F36090-0540-418f-8136-074D5B255B59} - (no file)

ShellIconOverlayIdentifiers-{E1C1BE26-35A8-4999-A3A6-235CB7BD558B} - (no file)

ShellIconOverlayIdentifiers-{2E9BD3CA-A57F-450b-B1BA-A6A58C0C1D51} - (no file)

ShellIconOverlayIdentifiers-{BCA5FB3A-9FC1-4465-ACE3-8C2072449164} - (no file)

ShellIconOverlayIdentifiers-{F0C13C81-FB8D-464e-873F-F8FF999E3EEC} - (no file)

ShellIconOverlayIdentifiers-{0117FFFB-91FD-414E-AC34-A00531032006} - (no file)

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-02 13:34

Windows 5.1.2600 Service Pack 3 NTFS

 

Recherche de processus cachés ...

 

Recherche d'éléments en démarrage automatique cachés ...

 

Recherche de fichiers cachés ...

 

Scan terminé avec succès

Fichiers cachés: 0

 

**************************************************************************

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82F73CC0]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf86daf28

\Driver\ACPI -> ACPI.sys @ 0xf862ccb8

\Driver\atapi -> 0x82f73cc0

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615

ParseProcedure -> 0x827841b0

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615

ParseProcedure -> 0x827841b0

Warning: possible MBR rootkit infection !

user & kernel MBR OK

 

**************************************************************************

.

--------------------- CLES DE REGISTRE BLOQUEES ---------------------

 

[HKEY_USERS\S-1-5-21-1935655697-1993962763-1343024091-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs chargées dans les processus actifs ---------------------

 

- - - - - - - > 'winlogon.exe'(688)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

 

- - - - - - - > 'explorer.exe'(7100)

c:\program files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Autres processus actifs ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\fichiers communs\logishrd\lvmvfm\LVPrcSrv.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Sunbelt Software\Personal Firewall\kpf4ss.exe

c:\program files\Sandboxie\SbieSvc.exe

c:\windows\System32\MsPMSPSv.exe

c:\program files\Sunbelt Software\Personal Firewall\kpf4gui.exe

c:\program files\Sunbelt Software\Personal Firewall\kpf4gui.exe

c:\windows\System32\wbem\wmiapsrv.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Heure de fin: 2010-05-02 13:50:08 - La machine a redémarré

ComboFix-quarantined-files.txt 2010-05-02 11:49

ComboFix2.txt 2010-04-28 19:19

ComboFix3.txt 2010-04-28 12:08

ComboFix4.txt 2010-04-27 19:24

 

Avant-CF: 15 283 658 752 octets libres

Après-CF: 15 211 896 832 octets libres

 

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - 29719E2E198F562DB03CF8E29C042DF5

Posted

Good evening,

Reading this:

"Une copie infectée de c:\windows\system32\Drivers\atapi.sys a été trouvée et désinfectée

Copie restaurée à partir de - c:\windows\ServicePackFiles\i386\atapi.sys"

I had thought it was fixed.

Disappointing!

Posted

Hello,

Please do this again:

The MBR rootkit dropper is detected as PSW-Sinowal, Backdoor.MaosBoot or Trojan.Mebroot.

Download to the desktop:

MBR Rootkit Detector 0.2.4 by gmer

Temporarily disable your protection programs (antivirus, firewall, anti-spyware...).

You will re-enable them once the disinfection is finished.

Click on the "rootkit" tab.

Click on Scan.

- A report will be generated -> mbr.log.

Copy/paste its contents into your reply.

If infected, you should see a report like this:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\ACPI -> 0x858e41c0

\Driver\atapi -> 0x89bf0410

NDIS: GlobeTrotter HSxPA - Network Interface #2 -> SendCompleteHandler -> 0x8591de70

Warning: possible MBR rootkit infection !

copy of MBR has been found in sector 0x01749DDC1

malicious code @ sector 0x01749DDC4 !

PE file found in sector at 0x01749DDDA !

MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

In Start -> Run

Copy/paste:

"%userprofile%\Bureau\mbr" -f

This line will then appear in mbr.log: "original MBR restored successfully !"

If you run mbr.exe again, or if your machine is clean,

mbr.log will tell you:

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK

 

En cas de nouvel échec:

 

 

Télécharger gmer

 

- Cliquer sur le bouton "Download EXE"

- Sauvegardez sur le Bureau.

- Collez et sauvegardez ces instructions dans un fichier texte ou imprimez-les, car il faudra fermer le navigateur.

Avant toute utilisation de GMER, veuillez désactiver votre antivirus, antispyware sous peine de crash.

 

- Fermez les fenêtres de navigateur ouvertes.

- Lancez le fichier téléchargé par double clic(le nom comporte 8 chiffres/lettres aléatoires) ;

- Si l'outil lance un warning d'activité de rootkit et demande de faire un scan ; cliquez "NO"

- Dans la section de droite de la fenêtre de l'outil, Vérifiez que soient décochées les options suivantes :

Show All

gmer.jpg

- Cliquez sur le bouton "Scan" et patientez (cela peut prendre 10 minutes ou +)

Il peut arriver que GMER plante sans raison apparente.

Vous pouvez essayer ceci : décocher "Devices" dans un premier temps et repasser l'outil ;

si ça coince toujours, décocher en plus "Files" et ré-essayez un scan.

Lorsque les informations sur le scan s'affichent , les éléments détectés comme rootkit apparaissent en rouge dans chaque section.

 

The Copy button lets you grab the result for a copy/paste.

The Save button saves the report to your disk as a text file.
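As an added example (not code from this post, from mbr.exe or from GMER), the script below reproduces the logic behind the mbr.exe lines quoted above: it parses the live MBR's partition table, walks only the sectors that belong to no partition, and reports a sector that holds a copy of the MBR with different bootstrap code (the "original MBR" that mbr.exe -f puts back), a sector that starts with an MZ/PE header, and any other non-blank sector hidden outside the partitions. The disk image, partition layout, sector numbers and bootstrap bytes are all constructed here for the demonstration and have nothing to do with the affected machine.

```python
"""Scan a raw disk image for MBR-rootkit indicators (added example, constructed data)."""
import struct

SECTOR = 512
MBR_SIG = b"\x55\xAA"
BOOTCODE_LEN = 440      # bootstrap area; 440..445 hold the disk signature and padding
PTABLE_OFF = 446        # four 16-byte partition entries, then the 0x55AA signature
PE_SIG = b"PE\0\0"


def parse_partitions(mbr):
    """Return the used partition entries as (type, lba_start, sector_count)."""
    if len(mbr) != SECTOR or mbr[510:512] != MBR_SIG:
        raise ValueError("not a valid MBR sector (missing 0x55AA signature)")
    entries = []
    for i in range(4):
        e = mbr[PTABLE_OFF + 16 * i: PTABLE_OFF + 16 * (i + 1)]
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) count(4), little-endian
        ptype = e[4]
        lba_start, count = struct.unpack_from("<II", e, 8)
        if ptype != 0 and count != 0:
            entries.append((ptype, lba_start, count))
    return entries


def is_allocated(lba, parts):
    """True when the sector lies inside one of the partitions."""
    return any(start <= lba < start + count for _, start, count in parts)


def looks_like_pe(sector):
    """MZ stub whose e_lfanew points at a 'PE\\0\\0' header inside the same sector."""
    if sector[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", sector, 0x3C)[0]
    return e_lfanew + 4 <= len(sector) and sector[e_lfanew:e_lfanew + 4] == PE_SIG


def classify(sector, live_mbr):
    """Label one unallocated sector, or return None when it is blank."""
    if not any(sector):
        return None
    if sector == live_mbr:
        return "mbr_copy_exact"
    if sector[PTABLE_OFF:] == live_mbr[PTABLE_OFF:] and sector[:BOOTCODE_LEN] != live_mbr[:BOOTCODE_LEN]:
        # Same partition table and signature but different bootstrap: the live
        # MBR's code was replaced and this sector keeps the original.
        return "mbr_copy_bootcode_differs"
    if looks_like_pe(sector):
        return "pe_image"
    return "nonzero_unallocated"


def scan_image(image):
    """Walk every sector outside the partitions and list (lba, finding) pairs."""
    live_mbr = image[:SECTOR]
    parts = parse_partitions(live_mbr)
    findings = []
    for lba in range(1, len(image) // SECTOR):
        if is_allocated(lba, parts):
            continue            # file-system data; PE files are normal in there
        kind = classify(image[lba * SECTOR:(lba + 1) * SECTOR], live_mbr)
        if kind:
            findings.append((lba, kind))
    return findings


def make_mbr(bootcode, parts):
    """Build a 512-byte MBR from bootstrap bytes and (type, lba_start, count) entries."""
    table = b"".join(struct.pack("<B3sB3sII", 0x80, b"\0\0\0", t, b"\0\0\0", s, c)
                     for t, s, c in parts).ljust(64, b"\0")
    return bootcode.ljust(PTABLE_OFF, b"\0") + table + MBR_SIG


def make_pe_stub():
    """Smallest byte string that passes looks_like_pe (a header, not a runnable file)."""
    hdr = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", hdr, 0x3C, 0x40)         # e_lfanew: PE header follows the DOS header
    return bytes(hdr) + PE_SIG + b"\x4C\x01"          # IMAGE_FILE_MACHINE_I386


def build_sample_image():
    """Constructed image: one partition, swapped bootstrap, hidden sectors after the partition."""
    parts = [(0x07, 63, 1000)]                                          # partition ends at LBA 1063
    original = make_mbr(b"\x33\xC0\x8E\xD0" + b"\x90" * 32, parts)      # stand-in for the stock code
    infected = make_mbr(b"\xEB\xFE" + b"\xCC" * 32, parts)              # code replaced, table intact
    sectors = [b"\0" * SECTOR] * 1100
    sectors[0] = infected
    sectors[1070] = original                                            # backup of the real MBR
    sectors[1073] = b"\xE8\x00\x00\x00\x00".ljust(SECTOR, b"\x90")      # loader code hidden on disk
    sectors[1090] = make_pe_stub().ljust(SECTOR, b"\0")                 # driver image dropped raw
    return b"".join(sectors)


if __name__ == "__main__":
    for lba, kind in scan_image(build_sample_image()):
        print(f"sector 0x{lba:X}: {kind}")
```

To run it against a real disk on Windows you would read \\.\PhysicalDrive0 with administrator rights instead of calling build_sample_image(). Keep in mind the caveat that the mbr.exe output above makes explicit: a driver hook such as the one reported on \Driver\atapi can hand a clean sector 0 back to a user-mode read, which is why the tool compares its "user" and "kernel" reads before declaring "user & kernel MBR OK". A scan like this one, done from the running system, is only as trustworthy as the path its reads take.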

Posted

I can't get GMER to run all the way through, even with the Devices and Files options unticked. I get an error message: "dwwin.exe. The application failed to initialize properly (0xc0000005)"

 

So I only have a partial result, from doing a Save at the point where it stops:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-05-04 22:30:55

Windows 5.1.2600 Service Pack 3

Running: 7c1ephfw.exe; Driver: C:\DOCUME~1\PASCAL~1\LOCALS~1\Temp\fxliapoc.sys

 

 

---- System - GMER 1.0.15 ----

 

SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwClose [0xF3371110]

SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwCreateFile [0xF3370920]

SSDT F8C4276E ZwCreateKey

SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwCreateProcess [0xF336FF20]

SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwCreateProcessEx [0xF336FD90]

SSDT F8C42764 ZwCreateThread

SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwDeleteFile [0xF3371190]

SSDT F8C42773 ZwDeleteKey

SSDT F8C4277D ZwDeleteValueKey

SSDT \SystemRoot\system32\drivers\khips.sys (Sunbelt Kerio Host Intrusion Prevention Driver/Sunbelt Software) ZwLoadDriver [0xF31259A0]

SSDT F8C42782 ZwLoadKey

SSDT \SystemRoot\system32\drivers\khips.sys (Sunbelt Kerio Host Intrusion Prevention Driver/Sunbelt Software) ZwMapViewOfSection [0xF3125B30]

SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwOpenFile [0xF3370BF0]

SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwOpenKey [0xF336D140]

SSDT F8C42750 ZwOpenProcess

SSDT F8C42755 ZwOpenThread

SSDT F8C4278C ZwReplaceKey

SSDT F8C42787 ZwRestoreKey

SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwResumeThread [0xF3370510]

SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwSetInformationFile [0xF3370F00]

SSDT F8C42778 ZwSetValueKey

SSDT F8C4275F ZwTerminateProcess

SSDT \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software) ZwWriteFile [0xF3370E50]

 

---- Kernel code sections - GMER 1.0.15 ----

 

.text win32k.sys!EngAcquireSemaphore + 20E2 BF8082E1 5 Bytes JMP 827794D0

.text win32k.sys!EngFreeUserMem + 5BD2 BF80EE68 5 Bytes JMP 82779430

.text win32k.sys!EngCreateBitmap + DDB2 BF845CCB 5 Bytes JMP 82779610

.text win32k.sys!EngMultiByteToWideChar + 2F32 BF852C47 5 Bytes JMP 82779750

.text win32k.sys!XLATEOBJ_iXlate + 3A50 BF86368D 5 Bytes JMP 82779570

.text win32k.sys!FONTOBJ_pxoGetXform + CC3E BF8C31D6 5 Bytes JMP 827796B0

.text win32k.sys!PATHOBJ_vGetBounds + 74EE BF8F00FB 5 Bytes JMP 827797F0

 

---- User code sections - GMER 1.0.15 ----

 

.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[220] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8

.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[220] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090

.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[220] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694

.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0

.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[220] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234

.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[220] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004

.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[220] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C

.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[220] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0

.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[220] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C

.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[220] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8

.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[220] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C

.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[220] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464

.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[220] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608

.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[220] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 001307AC

.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[220] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00130720

.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[220] WS2_32.dll!socket 719F4211 5 Bytes JMP 001308C4

.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[220] WS2_32.dll!bind 719F4480 5 Bytes JMP 00130838

.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[220] WS2_32.dll!connect 719F4A07 5 Bytes JMP 00130950

.text C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe[252] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8

.text C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe[252] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090

.text C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe[252] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694

.text C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe[252] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0

.text C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe[252] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234

.text C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe[252] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004

.text C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe[252] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C

.text C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe[252] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0

.text C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe[252] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C

.text C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe[252] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8

.text C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe[252] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C

.text C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe[252] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464

.text C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe[252] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608

.text C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe[252] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 001307AC

.text C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe[252] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00130720

.text C:\Program Files\Fichiers communs\Logitech\LComMgr\LVComSX.exe[264] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8

.text C:\Program Files\Fichiers communs\Logitech\LComMgr\LVComSX.exe[264] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090

.text C:\Program Files\Fichiers communs\Logitech\LComMgr\LVComSX.exe[264] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694

.text C:\Program Files\Fichiers communs\Logitech\LComMgr\LVComSX.exe[264] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0

.text C:\Program Files\Fichiers communs\Logitech\LComMgr\LVComSX.exe[264] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234

.text C:\Program Files\Fichiers communs\Logitech\LComMgr\LVComSX.exe[264] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004

.text C:\Program Files\Fichiers communs\Logitech\LComMgr\LVComSX.exe[264] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C

.text C:\Program Files\Fichiers communs\Logitech\LComMgr\LVComSX.exe[264] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0

.text C:\Program Files\Fichiers communs\Logitech\LComMgr\LVComSX.exe[264] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C

.text C:\Program Files\Fichiers communs\Logitech\LComMgr\LVComSX.exe[264] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8

.text C:\Program Files\Fichiers communs\Logitech\LComMgr\LVComSX.exe[264] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C

.text C:\Program Files\Fichiers communs\Logitech\LComMgr\LVComSX.exe[264] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464

.text C:\Program Files\Fichiers communs\Logitech\LComMgr\LVComSX.exe[264] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608

.text C:\Program Files\Fichiers communs\Logitech\LComMgr\LVComSX.exe[264] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 001307AC

.text C:\Program Files\Fichiers communs\Logitech\LComMgr\LVComSX.exe[264] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00130720

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[272] KERNEL32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[272] KERNEL32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[272] KERNEL32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[272] KERNEL32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[272] KERNEL32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[272] KERNEL32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[272] KERNEL32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[272] KERNEL32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[272] KERNEL32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[272] KERNEL32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[272] KERNEL32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[272] KERNEL32.dll!WinExec 7C86250D 5 Bytes JMP 00130464

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[272] KERNEL32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[272] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 001307AC

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[272] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00130720

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[272] ws2_32.dll!socket 719F4211 5 Bytes JMP 001308C4

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[272] ws2_32.dll!bind 719F4480 5 Bytes JMP 00130838

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[272] ws2_32.dll!connect 719F4A07 5 Bytes JMP 00130950

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[272] WININET.dll!InternetConnectA 404BDEAE 5 Bytes JMP 00130F54

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[272] WININET.dll!InternetConnectW 404BF862 5 Bytes JMP 00130FE0

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[272] WININET.dll!InternetOpenA 404CD690 5 Bytes JMP 00130D24

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[272] WININET.dll!InternetOpenW 404CDB09 5 Bytes JMP 00130DB0

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[272] WININET.dll!InternetOpenUrlA 404CF3A4 5 Bytes JMP 00130E3C

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[272] WININET.dll!InternetOpenUrlW 40516DDF 5 Bytes JMP 00130EC8

.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[284] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8

.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[284] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090

.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[284] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694

.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[284] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0

.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[284] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234

.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[284] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004

.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[284] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C

.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[284] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0

.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[284] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C

.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[284] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8

.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[284] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C

.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[284] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464

.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[284] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608

.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[284] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 001307AC

.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[284] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00130720

.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[296] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8

.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[296] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090

.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[296] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694

.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[296] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0

.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[296] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234

.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[296] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004

.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[296] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C

.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[296] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0

.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[296] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C

.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[296] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8

.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[296] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C

.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[296] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464

.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[296] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608

.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[296] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 001307AC

.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[296] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00130720

.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[296] WININET.dll!InternetConnectA 404BDEAE 5 Bytes JMP 00130F54

.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[296] WININET.dll!InternetConnectW 404BF862 5 Bytes JMP 00130FE0

.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[296] WININET.dll!InternetOpenA 404CD690 5 Bytes JMP 00130D24

.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[296] WININET.dll!InternetOpenW 404CDB09 5 Bytes JMP 00130DB0

.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[296] WININET.dll!InternetOpenUrlA 404CF3A4 5 Bytes JMP 00130E3C

.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[296] WININET.dll!InternetOpenUrlW 40516DDF 5 Bytes JMP 00130EC8

.text C:\Program Files\Java\jre6\bin\jqs.exe[340] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8

.text C:\Program Files\Java\jre6\bin\jqs.exe[340] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090

.text C:\Program Files\Java\jre6\bin\jqs.exe[340] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694

.text C:\Program Files\Java\jre6\bin\jqs.exe[340] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0

.text C:\Program Files\Java\jre6\bin\jqs.exe[340] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234

.text C:\Program Files\Java\jre6\bin\jqs.exe[340] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004

.text C:\Program Files\Java\jre6\bin\jqs.exe[340] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C

.text C:\Program Files\Java\jre6\bin\jqs.exe[340] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0

.text C:\Program Files\Java\jre6\bin\jqs.exe[340] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C

.text C:\Program Files\Java\jre6\bin\jqs.exe[340] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8

.text C:\Program Files\Java\jre6\bin\jqs.exe[340] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C

.text C:\Program Files\Java\jre6\bin\jqs.exe[340] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464

.text C:\Program Files\Java\jre6\bin\jqs.exe[340] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608

.text C:\Program Files\Java\jre6\bin\jqs.exe[340] WS2_32.dll!socket 719F4211 5 Bytes JMP 001308C4

.text C:\Program Files\Java\jre6\bin\jqs.exe[340] WS2_32.dll!bind 719F4480 5 Bytes JMP 00130838

.text C:\Program Files\Java\jre6\bin\jqs.exe[340] WS2_32.dll!connect 719F4A07 5 Bytes JMP 00130950

.text C:\Program Files\Java\jre6\bin\jqs.exe[340] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 001307AC

.text C:\Program Files\Java\jre6\bin\jqs.exe[340] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00130720

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[548] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000301A8

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[548] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00030090

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[548] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00030694

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[548] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000302C0

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[548] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00030234

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[548] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00030004

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[548] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0003011C

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[548] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000304F0

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[548] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0003057C

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[548] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000303D8

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[548] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0003034C

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[548] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00030464

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[548] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00030608

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[548] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 000307AC

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[548] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00030720

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[548] WS2_32.dll!socket 719F4211 5 Bytes JMP 000308C4

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[548] WS2_32.dll!bind 719F4480 5 Bytes JMP 00030838

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[548] WS2_32.dll!connect 719F4A07 5 Bytes JMP 00030950

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[548] WININET.dll!InternetConnectA 404BDEAE 5 Bytes JMP 00030F54

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[548] WININET.dll!InternetConnectW 404BF862 5 Bytes JMP 00030FE0

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[548] WININET.dll!InternetOpenA 404CD690 5 Bytes JMP 00030D24

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[548] WININET.dll!InternetOpenW 404CDB09 5 Bytes JMP 00030DB0

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[548] WININET.dll!InternetOpenUrlA 404CF3A4 5 Bytes JMP 00030E3C

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[548] WININET.dll!InternetOpenUrlW 40516DDF 5 Bytes JMP 00030EC8

.text C:\WINDOWS\system32\ctfmon.exe[556] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8

.text C:\WINDOWS\system32\ctfmon.exe[556] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090

.text C:\WINDOWS\system32\ctfmon.exe[556] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694

.text C:\WINDOWS\system32\ctfmon.exe[556] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0

.text C:\WINDOWS\system32\ctfmon.exe[556] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234

.text C:\WINDOWS\system32\ctfmon.exe[556] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004

.text C:\WINDOWS\system32\ctfmon.exe[556] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C

.text C:\WINDOWS\system32\ctfmon.exe[556] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0

.text C:\WINDOWS\system32\ctfmon.exe[556] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C

.text C:\WINDOWS\system32\ctfmon.exe[556] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8

.text C:\WINDOWS\system32\ctfmon.exe[556] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C

.text C:\WINDOWS\system32\ctfmon.exe[556] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464

.text C:\WINDOWS\system32\ctfmon.exe[556] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608

.text C:\WINDOWS\system32\ctfmon.exe[556] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 000807AC

.text C:\WINDOWS\system32\ctfmon.exe[556] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00080720

.text C:\Program Files\Messenger\msmsgs.exe[608] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000701A8

.text C:\Program Files\Messenger\msmsgs.exe[608] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070090

.text C:\Program Files\Messenger\msmsgs.exe[608] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00070694

.text C:\Program Files\Messenger\msmsgs.exe[608] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000702C0

.text C:\Program Files\Messenger\msmsgs.exe[608] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070234

.text C:\Program Files\Messenger\msmsgs.exe[608] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00070004

.text C:\Program Files\Messenger\msmsgs.exe[608] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0007011C

.text C:\Program Files\Messenger\msmsgs.exe[608] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000704F0

.text C:\Program Files\Messenger\msmsgs.exe[608] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0007057C

.text C:\Program Files\Messenger\msmsgs.exe[608] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000703D8

.text C:\Program Files\Messenger\msmsgs.exe[608] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0007034C

.text C:\Program Files\Messenger\msmsgs.exe[608] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070464

.text C:\Program Files\Messenger\msmsgs.exe[608] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00070608

.text C:\Program Files\Messenger\msmsgs.exe[608] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 000707AC

.text C:\Program Files\Messenger\msmsgs.exe[608] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00070720

.text C:\Program Files\Messenger\msmsgs.exe[608] WS2_32.dll!socket 719F4211 5 Bytes JMP 000708C4

.text C:\Program Files\Messenger\msmsgs.exe[608] WS2_32.dll!bind 719F4480 5 Bytes JMP 00070838

.text C:\Program Files\Messenger\msmsgs.exe[608] WS2_32.dll!connect 719F4A07 5 Bytes JMP 00070950

.text C:\Program Files\Messenger\msmsgs.exe[608] WININET.dll!InternetConnectA 404BDEAE 5 Bytes JMP 00070F54

.text C:\Program Files\Messenger\msmsgs.exe[608] WININET.dll!InternetConnectW 404BF862 5 Bytes JMP 00070FE0

.text C:\Program Files\Messenger\msmsgs.exe[608] WININET.dll!InternetOpenA 404CD690 5 Bytes JMP 00070D24

.text C:\Program Files\Messenger\msmsgs.exe[608] WININET.dll!InternetOpenW 404CDB09 5 Bytes JMP 00070DB0

.text C:\Program Files\Messenger\msmsgs.exe[608] WININET.dll!InternetOpenUrlA 404CF3A4 5 Bytes JMP 00070E3C

.text C:\Program Files\Messenger\msmsgs.exe[608] WININET.dll!InternetOpenUrlW 40516DDF 5 Bytes JMP 00070EC8

.text C:\WINDOWS\system32\wscntfy.exe[636] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000701A8

.text C:\WINDOWS\system32\wscntfy.exe[636] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070090

.text C:\WINDOWS\system32\wscntfy.exe[636] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00070694

.text C:\WINDOWS\system32\wscntfy.exe[636] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000702C0

.text C:\WINDOWS\system32\wscntfy.exe[636] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070234

.text C:\WINDOWS\system32\wscntfy.exe[636] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00070004

.text C:\WINDOWS\system32\wscntfy.exe[636] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0007011C

.text C:\WINDOWS\system32\wscntfy.exe[636] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000704F0

.text C:\WINDOWS\system32\wscntfy.exe[636] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0007057C

.text C:\WINDOWS\system32\wscntfy.exe[636] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000703D8

.text C:\WINDOWS\system32\wscntfy.exe[636] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0007034C

.text C:\WINDOWS\system32\wscntfy.exe[636] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070464

.text C:\WINDOWS\system32\wscntfy.exe[636] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00070608

.text C:\WINDOWS\system32\wscntfy.exe[636] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 000707AC

.text C:\WINDOWS\system32\wscntfy.exe[636] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00070720

.text C:\WINDOWS\system32\csrss.exe[648] KERNEL32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001601A8

.text C:\WINDOWS\system32\csrss.exe[648] KERNEL32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00160090

.text C:\WINDOWS\system32\csrss.exe[648] KERNEL32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00160694

.text C:\WINDOWS\system32\csrss.exe[648] KERNEL32.dll!CreateProcessW 7C802336 5 Bytes JMP 001602C0

.text C:\WINDOWS\system32\csrss.exe[648] KERNEL32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00160234

.text C:\WINDOWS\system32\csrss.exe[648] KERNEL32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00160004

.text C:\WINDOWS\system32\csrss.exe[648] KERNEL32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0016011C

.text C:\WINDOWS\system32\csrss.exe[648] KERNEL32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001604F0

.text C:\WINDOWS\system32\csrss.exe[648] KERNEL32.dll!CreateThread 7C8106D7 5 Bytes JMP 0016057C

.text C:\WINDOWS\system32\csrss.exe[648] KERNEL32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001603D8

.text C:\WINDOWS\system32\csrss.exe[648] KERNEL32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0016034C

.text C:\WINDOWS\system32\csrss.exe[648] KERNEL32.dll!WinExec 7C86250D 5 Bytes JMP 00160464

.text C:\WINDOWS\system32\csrss.exe[648] KERNEL32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00160608

.text C:\WINDOWS\system32\csrss.exe[648] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 001607AC

.text C:\WINDOWS\system32\csrss.exe[648] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00160720

.text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000701A8

.text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070090

.text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00070694

.text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000702C0

.text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070234

.text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00070004

.text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0007011C

.text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000704F0
.text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0007057C
.text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000703D8
.text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0007034C
.text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070464
.text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00070608
.text C:\WINDOWS\system32\winlogon.exe[676] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 000707AC
.text C:\WINDOWS\system32\winlogon.exe[676] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00070720
.text C:\WINDOWS\system32\winlogon.exe[676] WS2_32.dll!socket 719F4211 5 Bytes JMP 000708C4
.text C:\WINDOWS\system32\winlogon.exe[676] WS2_32.dll!bind 719F4480 5 Bytes JMP 00070838
.text C:\WINDOWS\system32\winlogon.exe[676] WS2_32.dll!connect 719F4A07 5 Bytes JMP 00070950
.text C:\WINDOWS\system32\winlogon.exe[676] WININET.dll!InternetConnectA 404BDEAE 5 Bytes JMP 00070F54
.text C:\WINDOWS\system32\winlogon.exe[676] WININET.dll!InternetConnectW 404BF862 5 Bytes JMP 00070FE0
.text C:\WINDOWS\system32\winlogon.exe[676] WININET.dll!InternetOpenA 404CD690 5 Bytes JMP 00070D24
.text C:\WINDOWS\system32\winlogon.exe[676] WININET.dll!InternetOpenW 404CDB09 5 Bytes JMP 00070DB0
.text C:\WINDOWS\system32\winlogon.exe[676] WININET.dll!InternetOpenUrlA 404CF3A4 5 Bytes JMP 00070E3C
.text C:\WINDOWS\system32\winlogon.exe[676] WININET.dll!InternetOpenUrlW 40516DDF 5 Bytes JMP 00070EC8
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\services.exe[720] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\services.exe[720] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\services.exe[720] WS2_32.dll!socket 719F4211 5 Bytes JMP 001308C4
.text C:\WINDOWS\system32\services.exe[720] WS2_32.dll!bind 719F4480 5 Bytes JMP 00130838
.text C:\WINDOWS\system32\services.exe[720] WS2_32.dll!connect 719F4A07 5 Bytes JMP 00130950
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\lsass.exe[732] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\lsass.exe[732] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\lsass.exe[732] WS2_32.dll!socket 719F4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\lsass.exe[732] WS2_32.dll!bind 719F4480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\lsass.exe[732] WS2_32.dll!connect 719F4A07 5 Bytes JMP 00080950
.text C:\Program Files\WinZip\WZQKPICK.EXE[856] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\WinZip\WZQKPICK.EXE[856] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\WinZip\WZQKPICK.EXE[856] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\WinZip\WZQKPICK.EXE[856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\WinZip\WZQKPICK.EXE[856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\WinZip\WZQKPICK.EXE[856] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\WinZip\WZQKPICK.EXE[856] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\WinZip\WZQKPICK.EXE[856] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\WinZip\WZQKPICK.EXE[856] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\WinZip\WZQKPICK.EXE[856] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\WinZip\WZQKPICK.EXE[856] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\WinZip\WZQKPICK.EXE[856] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\WinZip\WZQKPICK.EXE[856] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\WinZip\WZQKPICK.EXE[856] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 001307AC
.text C:\Program Files\WinZip\WZQKPICK.EXE[856] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\Ati2evxx.exe[912] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\Ati2evxx.exe[912] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\Ati2evxx.exe[912] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\Ati2evxx.exe[912] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\Ati2evxx.exe[912] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\Ati2evxx.exe[912] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\Ati2evxx.exe[912] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\Ati2evxx.exe[912] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\Ati2evxx.exe[912] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\Ati2evxx.exe[912] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\Ati2evxx.exe[912] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\Ati2evxx.exe[912] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\Ati2evxx.exe[912] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\Ati2evxx.exe[912] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\Ati2evxx.exe[912] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[928] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[928] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[928] WS2_32.dll!socket 719F4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[928] WS2_32.dll!bind 719F4480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[928] WS2_32.dll!connect 719F4A07 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[988] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[988] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!socket 719F4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!bind 719F4480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!connect 719F4A07 5 Bytes JMP 00080950
.text C:\Program Files\Windows Defender\MsMpEng.exe[1048] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000701A8
.text C:\Program Files\Windows Defender\MsMpEng.exe[1048] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070090
.text C:\Program Files\Windows Defender\MsMpEng.exe[1048] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00070694
.text C:\Program Files\Windows Defender\MsMpEng.exe[1048] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000702C0
.text C:\Program Files\Windows Defender\MsMpEng.exe[1048] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070234
.text C:\Program Files\Windows Defender\MsMpEng.exe[1048] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00070004
.text C:\Program Files\Windows Defender\MsMpEng.exe[1048] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0007011C
.text C:\Program Files\Windows Defender\MsMpEng.exe[1048] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000704F0
.text C:\Program Files\Windows Defender\MsMpEng.exe[1048] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0007057C
.text C:\Program Files\Windows Defender\MsMpEng.exe[1048] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000703D8
.text C:\Program Files\Windows Defender\MsMpEng.exe[1048] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0007034C
.text C:\Program Files\Windows Defender\MsMpEng.exe[1048] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070464
.text C:\Program Files\Windows Defender\MsMpEng.exe[1048] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00070608
.text C:\Program Files\Windows Defender\MsMpEng.exe[1048] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 000707AC
.text C:\Program Files\Windows Defender\MsMpEng.exe[1048] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00070720
.text C:\Program Files\Windows Defender\MsMpEng.exe[1048] wininet.dll!InternetConnectA 404BDEAE 5 Bytes JMP 00070F54
.text C:\Program Files\Windows Defender\MsMpEng.exe[1048] wininet.dll!InternetConnectW 404BF862 5 Bytes JMP 00070FE0
.text C:\Program Files\Windows Defender\MsMpEng.exe[1048] wininet.dll!InternetOpenA 404CD690 5 Bytes JMP 00070D24
.text C:\Program Files\Windows Defender\MsMpEng.exe[1048] wininet.dll!InternetOpenW 404CDB09 5 Bytes JMP 00070DB0
.text C:\Program Files\Windows Defender\MsMpEng.exe[1048] wininet.dll!InternetOpenUrlA 404CF3A4 5 Bytes JMP 00070E3C
.text C:\Program Files\Windows Defender\MsMpEng.exe[1048] wininet.dll!InternetOpenUrlW 40516DDF 5 Bytes JMP 00070EC8
.text C:\Program Files\Windows Defender\MsMpEng.exe[1048] WS2_32.dll!socket 719F4211 5 Bytes JMP 000708C4
.text C:\Program Files\Windows Defender\MsMpEng.exe[1048] WS2_32.dll!bind 719F4480 5 Bytes JMP 00070838
.text C:\Program Files\Windows Defender\MsMpEng.exe[1048] WS2_32.dll!connect 719F4A07 5 Bytes JMP 00070950
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\svchost.exe[1092] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\svchost.exe[1092] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\svchost.exe[1092] WS2_32.dll!socket 719F4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\svchost.exe[1092] WS2_32.dll!bind 719F4480 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\svchost.exe[1092] WS2_32.dll!connect 719F4A07 5 Bytes JMP 00080950
.text C:\WINDOWS\System32\svchost.exe[1092] WININET.dll!InternetConnectA 404BDEAE 5 Bytes JMP 00080F54
.text C:\WINDOWS\System32\svchost.exe[1092] WININET.dll!InternetConnectW 404BF862 5 Bytes JMP 00080FE0
.text C:\WINDOWS\System32\svchost.exe[1092] WININET.dll!InternetOpenA 404CD690 5 Bytes JMP 00080D24
.text C:\WINDOWS\System32\svchost.exe[1092] WININET.dll!InternetOpenW 404CDB09 5 Bytes JMP 00080DB0
.text C:\WINDOWS\System32\svchost.exe[1092] WININET.dll!InternetOpenUrlA 404CF3A4 5 Bytes JMP 00080E3C
.text C:\WINDOWS\System32\svchost.exe[1092] WININET.dll!InternetOpenUrlW 40516DDF 5 Bytes JMP 00080EC8
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\svchost.exe[1152] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\svchost.exe[1152] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\svchost.exe[1152] WS2_32.dll!socket 719F4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\svchost.exe[1152] WS2_32.dll!bind 719F4480 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\svchost.exe[1152] WS2_32.dll!connect 719F4A07 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1316] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1316] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1316] WS2_32.dll!socket 719F4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1316] WS2_32.dll!bind 719F4480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1316] WS2_32.dll!connect 719F4A07 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\spoolsv.exe[1408] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\spoolsv.exe[1408] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\spoolsv.exe[1408] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\spoolsv.exe[1408] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\spoolsv.exe[1408] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\spoolsv.exe[1408] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\spoolsv.exe[1408] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\spoolsv.exe[1408] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\spoolsv.exe[1408] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\spoolsv.exe[1408] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\spoolsv.exe[1408] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\spoolsv.exe[1408] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\spoolsv.exe[1408] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\spoolsv.exe[1408] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\spoolsv.exe[1408] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\spoolsv.exe[1408] WS2_32.dll!socket 719F4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\spoolsv.exe[1408] WS2_32.dll!bind 719F4480 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\spoolsv.exe[1408] WS2_32.dll!connect 719F4A07 5 Bytes JMP 00080950
.text C:\Program Files\Sandboxie\SbieSvc.exe[1448] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000701A8
.text C:\Program Files\Sandboxie\SbieSvc.exe[1448] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070090
.text C:\Program Files\Sandboxie\SbieSvc.exe[1448] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00070694
.text C:\Program Files\Sandboxie\SbieSvc.exe[1448] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000702C0
.text C:\Program Files\Sandboxie\SbieSvc.exe[1448] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070234
.text C:\Program Files\Sandboxie\SbieSvc.exe[1448] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00070004
.text C:\Program Files\Sandboxie\SbieSvc.exe[1448] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0007011C
.text C:\Program Files\Sandboxie\SbieSvc.exe[1448] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000704F0
.text C:\Program Files\Sandboxie\SbieSvc.exe[1448] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0007057C
.text C:\Program Files\Sandboxie\SbieSvc.exe[1448] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000703D8
.text C:\Program Files\Sandboxie\SbieSvc.exe[1448] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0007034C
.text C:\Program Files\Sandboxie\SbieSvc.exe[1448] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070464
.text C:\Program Files\Sandboxie\SbieSvc.exe[1448] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00070608
.text C:\Program Files\Sandboxie\SbieSvc.exe[1448] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 000707AC
.text C:\Program Files\Sandboxie\SbieSvc.exe[1448] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00070720
.text c:\program files\fichiers communs\logishrd\lvmvfm\LVPrcSrv.exe[1452] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text c:\program files\fichiers communs\logishrd\lvmvfm\LVPrcSrv.exe[1452] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text c:\program files\fichiers communs\logishrd\lvmvfm\LVPrcSrv.exe[1452] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text c:\program files\fichiers communs\logishrd\lvmvfm\LVPrcSrv.exe[1452] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text c:\program files\fichiers communs\logishrd\lvmvfm\LVPrcSrv.exe[1452] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text c:\program files\fichiers communs\logishrd\lvmvfm\LVPrcSrv.exe[1452] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text c:\program files\fichiers communs\logishrd\lvmvfm\LVPrcSrv.exe[1452] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text c:\program files\fichiers communs\logishrd\lvmvfm\LVPrcSrv.exe[1452] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text c:\program files\fichiers communs\logishrd\lvmvfm\LVPrcSrv.exe[1452] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text c:\program files\fichiers communs\logishrd\lvmvfm\LVPrcSrv.exe[1452] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text c:\program files\fichiers communs\logishrd\lvmvfm\LVPrcSrv.exe[1452] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text c:\program files\fichiers communs\logishrd\lvmvfm\LVPrcSrv.exe[1452] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text c:\program files\fichiers communs\logishrd\lvmvfm\LVPrcSrv.exe[1452] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text c:\program files\fichiers communs\logishrd\lvmvfm\LVPrcSrv.exe[1452] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 001307AC
.text c:\program files\fichiers communs\logishrd\lvmvfm\LVPrcSrv.exe[1452] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00130720
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1472] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1472] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1472] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1472] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1472] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1472] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1472] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1472] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1472] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1472] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1472] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1472] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1472] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1472] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 001307AC
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1472] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00130720
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1472] WS2_32.dll!socket 719F4211 5 Bytes JMP 001308C4
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1472] WS2_32.dll!bind 719F4480 5 Bytes JMP 00130838
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1472] WS2_32.dll!connect 719F4A07 5 Bytes JMP 00130950
.text C:\WINDOWS\system32\Ati2evxx.exe[1600] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\Ati2evxx.exe[1600] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\Ati2evxx.exe[1600] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\Ati2evxx.exe[1600] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\Ati2evxx.exe[1600] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\Ati2evxx.exe[1600] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\Ati2evxx.exe[1600] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\Ati2evxx.exe[1600] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\Ati2evxx.exe[1600] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\Ati2evxx.exe[1600] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\Ati2evxx.exe[1600] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\Ati2evxx.exe[1600] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\Ati2evxx.exe[1600] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\Ati2evxx.exe[1600] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\Ati2evxx.exe[1600] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00130720
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\svchost.exe[1684] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\svchost.exe[1684] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00080720
.text C:\WINDOWS\Explorer.EXE[1736] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8
.text C:\WINDOWS\Explorer.EXE[1736] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090
.text C:\WINDOWS\Explorer.EXE[1736] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694
.text C:\WINDOWS\Explorer.EXE[1736] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0
.text C:\WINDOWS\Explorer.EXE[1736] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234
.text C:\WINDOWS\Explorer.EXE[1736] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004
.text C:\WINDOWS\Explorer.EXE[1736] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C
.text C:\WINDOWS\Explorer.EXE[1736] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0
.text C:\WINDOWS\Explorer.EXE[1736] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C
.text C:\WINDOWS\Explorer.EXE[1736] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8
.text C:\WINDOWS\Explorer.EXE[1736] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C
.text C:\WINDOWS\Explorer.EXE[1736] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464
.text C:\WINDOWS\Explorer.EXE[1736] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608
.text C:\WINDOWS\Explorer.EXE[1736] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 000807AC
.text C:\WINDOWS\Explorer.EXE[1736] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00080720
.text C:\WINDOWS\Explorer.EXE[1736] WININET.dll!InternetConnectA 404BDEAE 5 Bytes JMP 00080F54
.text C:\WINDOWS\Explorer.EXE[1736] WININET.dll!InternetConnectW 404BF862 5 Bytes JMP 00080FE0
.text C:\WINDOWS\Explorer.EXE[1736] WININET.dll!InternetOpenA 404CD690 5 Bytes JMP 00080D24
.text C:\WINDOWS\Explorer.EXE[1736] WININET.dll!InternetOpenW 404CDB09 5 Bytes JMP 00080DB0
.text C:\WINDOWS\Explorer.EXE[1736] WININET.dll!InternetOpenUrlA 404CF3A4 5 Bytes JMP 00080E3C
.text C:\WINDOWS\Explorer.EXE[1736] WININET.dll!InternetOpenUrlW 40516DDF 5 Bytes JMP 00080EC8
.text C:\WINDOWS\Explorer.EXE[1736] WS2_32.dll!socket 719F4211 5 Bytes JMP 000808C4
.text C:\WINDOWS\Explorer.EXE[1736] WS2_32.dll!bind 719F4480 5 Bytes JMP 00080838
.text C:\WINDOWS\Explorer.EXE[1736] WS2_32.dll!connect 719F4A07 5 Bytes JMP 00080950
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1764] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1764] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1764] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1764] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1764] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1764] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1764] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1764] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1764] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1764] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1764] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1764] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1764] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1764] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 001307AC

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1764] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00130720

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1764] WS2_32.dll!socket 719F4211 5 Bytes JMP 001308C4

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1764] WS2_32.dll!bind 719F4480 5 Bytes JMP 00130838

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[1764] WS2_32.dll!connect 719F4A07 5 Bytes JMP 00130950

.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8

.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090

.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694

.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0

.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234

.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004

.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C

.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0

.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C

.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8

.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C

.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464

.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608

.text C:\WINDOWS\System32\svchost.exe[1848] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 000807AC

.text C:\WINDOWS\System32\svchost.exe[1848] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00080720

.text C:\WINDOWS\System32\svchost.exe[1848] WININET.dll!InternetConnectA 404BDEAE 5 Bytes JMP 00080F54

.text C:\WINDOWS\System32\svchost.exe[1848] WININET.dll!InternetConnectW 404BF862 5 Bytes JMP 00080FE0

.text C:\WINDOWS\System32\svchost.exe[1848] WININET.dll!InternetOpenA 404CD690 5 Bytes JMP 00080D24

.text C:\WINDOWS\System32\svchost.exe[1848] WININET.dll!InternetOpenW 404CDB09 5 Bytes JMP 00080DB0

.text C:\WINDOWS\System32\svchost.exe[1848] WININET.dll!InternetOpenUrlA 404CF3A4 5 Bytes JMP 00080E3C

.text C:\WINDOWS\System32\svchost.exe[1848] WININET.dll!InternetOpenUrlW 40516DDF 5 Bytes JMP 00080EC8

.text C:\WINDOWS\System32\svchost.exe[1848] WS2_32.dll!socket 719F4211 5 Bytes JMP 000808C4

.text C:\WINDOWS\System32\svchost.exe[1848] WS2_32.dll!bind 719F4480 5 Bytes JMP 00080838

.text C:\WINDOWS\System32\svchost.exe[1848] WS2_32.dll!connect 719F4A07 5 Bytes JMP 00080950

.text C:\WINDOWS\System32\MsPMSPSv.exe[1896] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8

.text C:\WINDOWS\System32\MsPMSPSv.exe[1896] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090

.text C:\WINDOWS\System32\MsPMSPSv.exe[1896] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694

.text C:\WINDOWS\System32\MsPMSPSv.exe[1896] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0

.text C:\WINDOWS\System32\MsPMSPSv.exe[1896] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234

.text C:\WINDOWS\System32\MsPMSPSv.exe[1896] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004

.text C:\WINDOWS\System32\MsPMSPSv.exe[1896] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C

.text C:\WINDOWS\System32\MsPMSPSv.exe[1896] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0

.text C:\WINDOWS\System32\MsPMSPSv.exe[1896] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C

.text C:\WINDOWS\System32\MsPMSPSv.exe[1896] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8

.text C:\WINDOWS\System32\MsPMSPSv.exe[1896] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C

.text C:\WINDOWS\System32\MsPMSPSv.exe[1896] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464

.text C:\WINDOWS\System32\MsPMSPSv.exe[1896] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608

.text C:\WINDOWS\System32\MsPMSPSv.exe[1896] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 001307AC

.text C:\WINDOWS\System32\MsPMSPSv.exe[1896] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00130720

.text C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe[2016] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8

.text C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe[2016] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090

.text C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe[2016] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694

.text C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe[2016] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0

.text C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe[2016] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234

.text C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe[2016] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004

.text C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe[2016] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C

.text C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe[2016] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0

.text C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe[2016] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C

.text C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe[2016] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8

.text C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe[2016] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C

.text C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe[2016] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464

.text C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe[2016] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608

.text C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe[2016] WS2_32.dll!socket 719F4211 5 Bytes JMP 001308C4

.text C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe[2016] WS2_32.dll!bind 719F4480 5 Bytes JMP 00130838

.text C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe[2016] WS2_32.dll!connect 719F4A07 5 Bytes JMP 00130950

.text C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe[2016] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 001307AC

.text C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe[2016] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00130720

.text C:\Documents and Settings\Pascal Admin\Bureau\7c1ephfw.exe[2508] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8

.text C:\Documents and Settings\Pascal Admin\Bureau\7c1ephfw.exe[2508] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090

.text C:\Documents and Settings\Pascal Admin\Bureau\7c1ephfw.exe[2508] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694

.text C:\Documents and Settings\Pascal Admin\Bureau\7c1ephfw.exe[2508] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0

.text C:\Documents and Settings\Pascal Admin\Bureau\7c1ephfw.exe[2508] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234

.text C:\Documents and Settings\Pascal Admin\Bureau\7c1ephfw.exe[2508] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004

.text C:\Documents and Settings\Pascal Admin\Bureau\7c1ephfw.exe[2508] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C

.text C:\Documents and Settings\Pascal Admin\Bureau\7c1ephfw.exe[2508] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0

.text C:\Documents and Settings\Pascal Admin\Bureau\7c1ephfw.exe[2508] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C

.text C:\Documents and Settings\Pascal Admin\Bureau\7c1ephfw.exe[2508] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8

.text C:\Documents and Settings\Pascal Admin\Bureau\7c1ephfw.exe[2508] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C

.text C:\Documents and Settings\Pascal Admin\Bureau\7c1ephfw.exe[2508] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464

.text C:\Documents and Settings\Pascal Admin\Bureau\7c1ephfw.exe[2508] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608

.text C:\Documents and Settings\Pascal Admin\Bureau\7c1ephfw.exe[2508] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 001307AC

.text C:\Documents and Settings\Pascal Admin\Bureau\7c1ephfw.exe[2508] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00130720

.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[3264] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8

.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[3264] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090

.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[3264] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694

.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[3264] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0

.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[3264] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234

.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[3264] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004

.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[3264] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C

.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[3264] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0

.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[3264] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C

.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[3264] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8

.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[3264] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C

.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[3264] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464

.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[3264] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608

.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[3264] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 000807AC

.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[3264] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00080720

.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[3264] WS2_32.dll!socket 719F4211 5 Bytes JMP 000808C4

.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[3264] WS2_32.dll!bind 719F4480 5 Bytes JMP 00080838

.text C:\WINDOWS\System32\wbem\wmiapsrv.exe[3264] WS2_32.dll!connect 719F4A07 5 Bytes JMP 00080950

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3684] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3684] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3684] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3684] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3684] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3684] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3684] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3684] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3684] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3684] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3684] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3684] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00130464

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3684] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3684] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 001307AC

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3684] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00130720

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3684] WS2_32.dll!socket 719F4211 5 Bytes JMP 001308C4

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3684] WS2_32.dll!bind 719F4480 5 Bytes JMP 00130838

.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3684] WS2_32.dll!connect 719F4A07 5 Bytes JMP 00130950

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3768] KERNEL32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3768] KERNEL32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3768] KERNEL32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3768] KERNEL32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3768] KERNEL32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3768] KERNEL32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3768] KERNEL32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3768] KERNEL32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3768] KERNEL32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3768] KERNEL32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3768] KERNEL32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3768] KERNEL32.dll!WinExec 7C86250D 5 Bytes JMP 00130464

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3768] KERNEL32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3768] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 001307AC

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3768] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00130720

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3768] ws2_32.dll!socket 719F4211 5 Bytes JMP 001308C4

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3768] ws2_32.dll!bind 719F4480 5 Bytes JMP 00130838

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3768] ws2_32.dll!connect 719F4A07 5 Bytes JMP 00130950

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3864] KERNEL32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3864] KERNEL32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3864] KERNEL32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3864] KERNEL32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3864] KERNEL32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3864] KERNEL32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00130004

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3864] KERNEL32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0013011C

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3864] KERNEL32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 001304F0

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3864] KERNEL32.dll!CreateThread 7C8106D7 5 Bytes JMP 0013057C

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3864] KERNEL32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001303D8

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3864] KERNEL32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0013034C

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3864] KERNEL32.dll!WinExec 7C86250D 5 Bytes JMP 00130464

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3864] KERNEL32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00130608

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3864] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 001307AC

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3864] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00130720

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3864] ws2_32.dll!socket 719F4211 5 Bytes JMP 001308C4

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3864] ws2_32.dll!bind 719F4480 5 Bytes JMP 00130838

.text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3864] ws2_32.dll!connect 719F4A07 5 Bytes JMP 00130950

.text C:\WINDOWS\System32\alg.exe[3916] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8

.text C:\WINDOWS\System32\alg.exe[3916] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090

.text C:\WINDOWS\System32\alg.exe[3916] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694

.text C:\WINDOWS\System32\alg.exe[3916] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0

.text C:\WINDOWS\System32\alg.exe[3916] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234

.text C:\WINDOWS\System32\alg.exe[3916] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00080004

.text C:\WINDOWS\System32\alg.exe[3916] kernel32.dll!VirtualAllocEx 7C809B12 5 Bytes JMP 0008011C

.text C:\WINDOWS\System32\alg.exe[3916] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 000804F0

.text C:\WINDOWS\System32\alg.exe[3916] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 0008057C

.text C:\WINDOWS\System32\alg.exe[3916] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 000803D8

.text C:\WINDOWS\System32\alg.exe[3916] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0008034C

.text C:\WINDOWS\System32\alg.exe[3916] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00080464

.text C:\WINDOWS\System32\alg.exe[3916] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 00080608

.text C:\WINDOWS\System32\alg.exe[3916] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 000807AC

.text C:\WINDOWS\System32\alg.exe[3916] USER32.dll!SetWindowsHookExA 7E3B1211 5 Bytes JMP 00080720

.text C:\WINDOWS\System32\alg.exe[3916] WS2_32.dll!socket 719F4211 5 Bytes JMP 000808C4

.text C:\WINDOWS\System32\alg.exe[3916] WS2_32.dll!bind 719F4480 5 Bytes JMP 00080838

.text C:\WINDOWS\System32\alg.exe[3916] WS2_32.dll!connect 719F4A07 5 Bytes JMP 00080950

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F3364CE0] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)

IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F3364D00] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)

IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F3364D90] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)

IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F3364DC0] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)

IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F3364D90] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)

IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F3364D00] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)

IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F3364CE0] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)

IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F3364D90] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)

IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F3364DC0] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)

IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F3364CE0] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)

IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F3364D00] \SystemRoot\system32\drivers\fwdrv.sys (Sunbelt Kerio Firewall FWDRV/Sunbelt Software)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Messenger\msmsgs.exe[608] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00FE2EC0] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\Messenger\msmsgs.exe[608] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00FE2C30] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\Messenger\msmsgs.exe[608] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00FE2C90] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\Messenger\msmsgs.exe[608] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00FE2C60] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\WINDOWS\system32\wscntfy.exe[636] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [008F2EC0] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\WINDOWS\system32\wscntfy.exe[636] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [008F2C30] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\WINDOWS\system32\wscntfy.exe[636] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [008F2C90] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\WINDOWS\system32\wscntfy.exe[636] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [008F2C60] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\WINDOWS\Explorer.EXE[1736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01A12EC0] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\WINDOWS\Explorer.EXE[1736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01A12C30] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\WINDOWS\Explorer.EXE[1736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [01A12C90] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\WINDOWS\Explorer.EXE[1736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01A12C60] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Documents and Settings\Pascal Admin\Bureau\7c1ephfw.exe[2508] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802EC0] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Documents and Settings\Pascal Admin\Bureau\7c1ephfw.exe[2508] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802C30] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Documents and Settings\Pascal Admin\Bureau\7c1ephfw.exe[2508] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00802C90] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Documents and Settings\Pascal Admin\Bureau\7c1ephfw.exe[2508] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802C60] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3684] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00D42EC0] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3684] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00D42C30] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3684] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00D42C90] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3684] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00D42C60] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3768] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtCreateFile] [00802EC0] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3768] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtDeviceIoControlFile] [00802C30] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3768] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtClose] [00802C90] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3768] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtDuplicateObject] [00802C60] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3864] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtCreateFile] [00802EC0] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3864] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtDeviceIoControlFile] [00802C30] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3864] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtClose] [00802C90] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[3864] @ C:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtDuplicateObject] [00802C60] C:\Program Files\Fichiers communs\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7E 0x80 0x7A 0xCB ...

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...

Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...

Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...

Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...

Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xF8 0x31 0x0F 0xA9 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

 

---- EOF - GMER 1.0.15 ----

 

Posted (edited)

Hello,

To reassure you, the helpers are discussing this problem, which has also come up elsewhere.

I am hopeful of a positive outcome.

For now, it seems that the Gmer Rootkit Detector report does not distinguish between a legitimate hook of atapi.sys and one placed by malware.

That would then be a false positive.

But since we cannot be certain, the investigation continues.

 

Nothing relevant in this Gmer report.

Let's try this:

 

Rootkit search

Download RootRepeal

Disable resident modules: antivirus, antispyware, firewall

 

You must have Administrator rights

 

Install RootRepeal, click *Settings->Options*

"General" tab: check -> Only suspicious ..

[Driver scan] ... [Files scan] ... [Processes scan] ... [SSDT scan] (v. 1.1.0)

no reason to change the default settings.

 

In [ File Scan ], the option [X] [ Check for file size differences ] is what detects files whose size has been modified, as the "Rustock.C" rootkit does for example. It is therefore strongly advised not to disable it.

 

In [ SSDT scan ], the option [X] [ Check for hooked SYSENTER/INT 2E ] scans system calls made through SYSENTER or INT 2E.

 

Choice of scans (selection buttons at the bottom left).

 

Each option has two buttons: [ Scan ] to start the analysis and [ Save Report ] to save the report in « .txt » format to the directory of your choice (possibly RootRepeal's start-up directory).

 

[ Report ] lets you chain several or all of the preceding functions.

Click [select scan]


In the window that opens, select the options to run (check everything).

 

A choice of disk partitions is possible in the [select drives] window.

Click Save Report

Start the scan,

If RootRepeal finds nothing, it will display this:

 

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/04 18:47

Program Version: Version 1.3.2.0

Windows Version: Windows XP SP3

==================================================

 

Drivers

-------------------

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xEB27E000 Size: 49152 File Visible: No Signed: -

Status: -

==EOF==

Edited by pear
Posted (edited)

Good evening,

It has been pointed out to me that the following driver files also belong to Alcohol 120% and were not disabled by our attempts:

R0 axwhisky;axwhisky;c:\windows\system32\drivers\axwhisky.sys [02/07/2003 18:41 5248]

R0 axwskbus;axwskbus;c:\windows\system32\drivers\axwskbus.sys [02/07/2003 17:49 124160]

 

Download The Avenger by Swandog46 to the Desktop.

 

Click Save

Click Desktop

Close the window:

Unzip: right-click -> Extract here:

Close all windows and all running applications,

then double-click the icon placed on your desktop (the Sword):

 

Check that the "Scan for rootkits" box is unchecked (it is checked by default).


 

***Copy all the text below: highlight it and press (Ctrl+C):

Begin copying here:

drivers:

axwhisky

axwskbus

Drivers to disable:

axwhisky

axwskbus

drivers to delete:

axwhisky

axwskbus

Files to Delete:

c:\windows\system32\drivers\axwhisky.sys

c:\windows\system32\drivers\axwskbus.sys

The code above was written specifically for THIS user.

If you are not THIS user, do NOT apply these directives: they could damage your system.

* In the "Input Script here" window, paste the text copied earlier using (Ctrl+V).

* Click Execute

 

* The system will restart. (If the script contains one or more "Drivers to Unload", The Avenger will restart a second time.)

* During the restart, a black Windows command window will briefly appear on your desktop; this is NORMAL.

* After the restart, a log file will open, which you will find here: C:\avenger.txt

* Everything you asked to delete will be backed up, compressed (zipped) and the zip archive moved here: C:\avenger\backup.zip.

Edited by pear
Posted

The Avenger report, which cleaned the residual drivers:

 

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

 

Platform: Windows XP

 

*******************

 

Script file opened successfully.

Script file read successfully.

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

Rootkit scan active.

No rootkits found!

 

Driver "axwhisky" disabled successfully.

Driver "axwskbus" disabled successfully.

Driver "axwhisky" deleted successfully.

Driver "axwskbus" deleted successfully.

File "c:\windows\system32\drivers\axwhisky.sys" deleted successfully.

File "c:\windows\system32\drivers\axwskbus.sys" deleted successfully.

 

Completed script processing.

 

 

and the RootRepeal one

 

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2010/05/05 21:01

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

 

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xF3208000 Size: 98304 File Visible: No Signed: -

Status: -

 

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF8BE6000 Size: 8192 File Visible: No Signed: -

Status: -

 

Name: giveio.sys

Image Path: giveio.sys

Address: 0xF8C3F000 Size: 1664 File Visible: No Signed: -

Status: -

 

Name: gjaeoivi.sys

Image Path: gjaeoivi.sys

Address: 0xF8676000 Size: 61440 File Visible: No Signed: -

Status: -

 

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xF03AB000 Size: 49152 File Visible: No Signed: -

Status: -

 

Name: speedfan.sys

Image Path: speedfan.sys

Address: 0xF8C3E000 Size: 4096 File Visible: No Signed: -

Status: -

 

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

 

SSDT

-------------------

#: 025 Function Name: NtClose

Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf3438110

 

#: 037 Function Name: NtCreateFile

Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf3437920

 

#: 041 Function Name: NtCreateKey

Status: Hooked by "<unknown>" at address 0xf8c63eee

 

#: 047 Function Name: NtCreateProcess

Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf3436f20

 

#: 048 Function Name: NtCreateProcessEx

Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf3436d90

 

#: 053 Function Name: NtCreateThread

Status: Hooked by "<unknown>" at address 0xf8c63ee4

 

#: 062 Function Name: NtDeleteFile

Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf3438190

 

#: 063 Function Name: NtDeleteKey

Status: Hooked by "<unknown>" at address 0xf8c63ef3

 

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "<unknown>" at address 0xf8c63efd

 

#: 097 Function Name: NtLoadDriver

Status: Hooked by "C:\WINDOWS\system32\drivers\khips.sys" at address 0xf323e9a0

 

#: 098 Function Name: NtLoadKey

Status: Hooked by "<unknown>" at address 0xf8c63f02

 

#: 108 Function Name: NtMapViewOfSection

Status: Hooked by "C:\WINDOWS\system32\drivers\khips.sys" at address 0xf323eb30

 

#: 116 Function Name: NtOpenFile

Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf3437bf0

 

#: 119 Function Name: NtOpenKey

Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf3434140

 

#: 122 Function Name: NtOpenProcess

Status: Hooked by "<unknown>" at address 0xf8c63ed0

 

#: 128 Function Name: NtOpenThread

Status: Hooked by "<unknown>" at address 0xf8c63ed5

 

#: 193 Function Name: NtReplaceKey

Status: Hooked by "<unknown>" at address 0xf8c63f0c

 

#: 204 Function Name: NtRestoreKey

Status: Hooked by "<unknown>" at address 0xf8c63f07

 

#: 206 Function Name: NtResumeThread

Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf3437510

 

#: 224 Function Name: NtSetInformationFile

Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf3437f00

 

#: 247 Function Name: NtSetValueKey

Status: Hooked by "<unknown>" at address 0xf8c63ef8

 

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "<unknown>" at address 0xf8c63edf

 

#: 274 Function Name: NtWriteFile

Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf3437e50

 

Stealth Objects

-------------------

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8333f01c Size: 4068

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]

Process: System Address: 0x8333d96e Size: 177

 

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8333d975 Size: 170

 

Object: Hidden Code [Driver: PrecSim, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8333f00c Size: 4084

 

==EOF==

Posted (edited)

No luck!

 

Let's check whether removing the drivers changed anything:

 

Download to the desktop

MBR Rootkit Detector 0.2.4 by gmer

Temporarily disable your protection programs (antivirus, firewall, anti-spyware...)

You will re-enable them once the disinfection is complete.

Click the "rootkit" tab

Click Scan

- A report will be generated -> mbr.log.

Copy/paste its result into your reply.

In case of infection, you should see a report of this kind:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\ACPI -> 0x858e41c0

\Driver\atapi -> 0x89bf0410

NDIS: GlobeTrotter HSxPA - Network Interface #2 -> SendCompleteHandler -> 0x8591de70

Warning: possible MBR rootkit infection !

copy of MBR has been found in sector 0x01749DDC1

malicious code @ sector 0x01749DDC4 !

PE file found in sector at 0x01749DDDA !

MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

In Start -> Run

Copy/paste:

"%userprofile%\Bureau\mbr" -f

Quotation marks are essential

In mbr.log this line will appear: "original MBR restored successfully !"

 

If you run mbr.exe again, or if your machine is clean,

mbr.log tells you:

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK

 

Otherwise we keep at it:

 

Rootkit search

Download SysProt to the desktop

Install it and double-click "SysProt.exe"

Click the "log" tab;

Check all the boxes in the "Write to log" window;

Check Hidden Objects Only (bottom left)

"Hidden objects" are shown in red in all modules

Click Create log (bottom right)

A new window will appear: check Scan root drive and click Start;

A report will be saved in the SysProt folder.

Copy/paste its contents into your reply.

 

Rootkit cleaning

Run SysProt again

 

Search for:

Hooked Module: \SystemRoot\System32\Drivers\ay8n0i2h.SYS

To kill a process (Processes tab): right-click, then click Kill, or Disable (Kernel Modules), or Fix Hook (SSDT), or Delete (System Files)

 

Warning: drivers such as Dump_atapi.sys, dump_wmilib.sys and dump_iaStor.sys are legitimate. They are shown in red because, being absent from the disk, they appear in memory


Edited by pear
Posted

mbr still gives the same thing:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\atapi -> 0x8333d01c

IoDeviceObjectType -> ParseProcedure -> 0x82e731b0

\Device\Harddisk0\DR0 -> ParseProcedure -> 0x82e731b0

Warning: possible MBR rootkit infection !

user & kernel MBR OK

 

Here is the SysProt log

 

SysProt AntiRootkit v1.0.1.0

by swatkat

 

********************************************************************************

**********

********************************************************************************

**********

 

No Hidden Processes found

 

********************************************************************************

**********

********************************************************************************

**********

Kernel Modules:

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys

Service Name: ---

Module Base: F3266000

Module End: F327E000

Hidden: Yes

 

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS

Service Name: ---

Module Base: F8C2E000

Module End: F8C30000

Hidden: Yes

 

Module Name: \??\C:\DOCUME~1\PASCAL~1\LOCALS~1\Temp\mbr.sys

Service Name: mbr

Module Base: F89C6000

Module End: F89CC000

Hidden: Yes

 

********************************************************************************

**********

********************************************************************************

**********

SSDT:

Function Name: ZwClose

Address: F3496110

Driver Base: F346E000

Driver End: F354D000

Driver Name: \SystemRoot\system32\drivers\fwdrv.sys

 

Function Name: ZwCreateFile

Address: F3495920

Driver Base: F346E000

Driver End: F354D000

Driver Name: \SystemRoot\system32\drivers\fwdrv.sys

 

Function Name: ZwCreateKey

Address: F8D13966

Driver Base: 0

Driver End: 0

Driver Name: _unknown_

 

Function Name: ZwCreateProcess

Address: F3494F20

Driver Base: F346E000

Driver End: F354D000

Driver Name: \SystemRoot\system32\drivers\fwdrv.sys

 

Function Name: ZwCreateProcessEx

Address: F3494D90

Driver Base: F346E000

Driver End: F354D000

Driver Name: \SystemRoot\system32\drivers\fwdrv.sys

 

Function Name: ZwCreateThread

Address: F8D1395C

Driver Base: 0

Driver End: 0

Driver Name: _unknown_

 

Function Name: ZwDeleteFile

Address: F3496190

Driver Base: F346E000

Driver End: F354D000

Driver Name: \SystemRoot\system32\drivers\fwdrv.sys

 

Function Name: ZwDeleteKey

Address: F8D1396B

Driver Base: 0

Driver End: 0

Driver Name: _unknown_

 

Function Name: ZwDeleteValueKey

Address: F8D13975

Driver Base: 0

Driver End: 0

Driver Name: _unknown_

 

Function Name: ZwLoadDriver

Address: F32C49A0

Driver Base: F32C2000

Driver End: F32D7000

Driver Name: \SystemRoot\system32\drivers\khips.sys

 

Function Name: ZwLoadKey

Address: F8D1397A

Driver Base: 0

Driver End: 0

Driver Name: _unknown_

 

Function Name: ZwMapViewOfSection

Address: F32C4B30

Driver Base: F32C2000

Driver End: F32D7000

Driver Name: \SystemRoot\system32\drivers\khips.sys

 

Function Name: ZwOpenFile

Address: F3495BF0

Driver Base: F346E000

Driver End: F354D000

Driver Name: \SystemRoot\system32\drivers\fwdrv.sys

 

Function Name: ZwOpenKey

Address: F3492140

Driver Base: F346E000

Driver End: F354D000

Driver Name: \SystemRoot\system32\drivers\fwdrv.sys

 

Function Name: ZwOpenProcess

Address: F8D13948

Driver Base: 0

Driver End: 0

Driver Name: _unknown_

 

Function Name: ZwOpenThread

Address: F8D1394D

Driver Base: 0

Driver End: 0

Driver Name: _unknown_

 

Function Name: ZwReplaceKey

Address: F8D13984

Driver Base: 0

Driver End: 0

Driver Name: _unknown_

 

Function Name: ZwRestoreKey

Address: F8D1397F

Driver Base: 0

Driver End: 0

Driver Name: _unknown_

 

Function Name: ZwResumeThread

Address: F3495510

Driver Base: F346E000

Driver End: F354D000

Driver Name: \SystemRoot\system32\drivers\fwdrv.sys

 

Function Name: ZwSetInformationFile

Address: F3495F00

Driver Base: F346E000

Driver End: F354D000

Driver Name: \SystemRoot\system32\drivers\fwdrv.sys

 

Function Name: ZwSetValueKey

Address: F8D13970

Driver Base: 0

Driver End: 0

Driver Name: _unknown_

 

Function Name: ZwTerminateProcess

Address: F8D13957

Driver Base: 0

Driver End: 0

Driver Name: _unknown_

 

Function Name: ZwWriteFile

Address: F3495E50

Driver Base: F346E000

Driver End: F354D000

Driver Name: \SystemRoot\system32\drivers\fwdrv.sys

 

********************************************************************************

**********

********************************************************************************

**********

No Kernel Hooks found

 

********************************************************************************

**********

********************************************************************************

**********

IRP Hooks:

Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 8333D01C

Hooking Module: _unknown_

 

Hooked Module: C:\WINDOWS\system32\drivers\precsim.sys

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 8333D00C

Hooking Module: _unknown_

 

Hooked Module: C:\WINDOWS\System32\DRIVERS\cdrom.sys

Hooked IRP: IRP_MJ_READ

Jump To: 8333B96E

Hooking Module: _unknown_

 

Hooked Module: C:\WINDOWS\System32\DRIVERS\cdrom.sys

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: 8333B975

Hooking Module: _unknown_

 

********************************************************************************

**********

********************************************************************************

**********

Ports:

Local Address: PCPASCAL:44334

Remote Address: LOCALHOST:1037

Type: TCP

Process: C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

State: ESTABLISHED

 

Local Address: PCPASCAL:44334

Remote Address: LOCALHOST:1025

Type: TCP

Process: C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

State: ESTABLISHED

 

Local Address: PCPASCAL:5152

Remote Address: LOCALHOST:1060

Type: TCP

Process: C:\Program Files\Java\jre6\bin\jqs.exe

State: CLOSE_WAIT

 

Local Address: PCPASCAL:5152

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\Java\jre6\bin\jqs.exe

State: LISTENING

 

Local Address: PCPASCAL:1052

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

State: LISTENING

 

Local Address: PCPASCAL:1050

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

State: LISTENING

 

Local Address: PCPASCAL:1048

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

State: LISTENING

 

Local Address: PCPASCAL:1041

Remote Address: LOCALHOST:1039

Type: TCP

Process: C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

State: ESTABLISHED

 

Local Address: PCPASCAL:1039

Remote Address: LOCALHOST:1041

Type: TCP

Process: C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

State: ESTABLISHED

 

Local Address: PCPASCAL:1037

Remote Address: LOCALHOST:44334

Type: TCP

Process: C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

State: ESTABLISHED

 

Local Address: PCPASCAL:1031

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\WINDOWS\system32\alg.exe

State: LISTENING

 

Local Address: PCPASCAL:1029

Remote Address: LOCALHOST:1027

Type: TCP

Process: C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

State: ESTABLISHED

 

Local Address: PCPASCAL:1027

Remote Address: LOCALHOST:1029

Type: TCP

Process: C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

State: ESTABLISHED

 

Local Address: PCPASCAL:1025

Remote Address: LOCALHOST:44334

Type: TCP

Process: C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

State: ESTABLISHED

 

Local Address: PCPASCAL:44501

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

State: LISTENING

 

Local Address: PCPASCAL:44334

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

State: LISTENING

 

Local Address: PCPASCAL:1039

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

State: LISTENING

 

Local Address: PCPASCAL:1027

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

State: LISTENING

 

Local Address: PCPASCAL:MICROSOFT-DS

Remote Address: 0.0.0.0:0

Type: TCP

Process: System

State: LISTENING

 

Local Address: PCPASCAL:EPMAP

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\WINDOWS\system32\svchost.exe

State: LISTENING

 

Local Address: PCPASCAL:1900

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

 

Local Address: PCPASCAL:123

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

 

Local Address: PCPASCAL:44334

Remote Address: NA

Type: UDP

Process: C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

State: NA

 

Local Address: PCPASCAL:4500

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\lsass.exe

State: NA

 

Local Address: PCPASCAL:1040

Remote Address: NA

Type: UDP

Process: C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

State: NA

 

Local Address: PCPASCAL:1038

Remote Address: NA

Type: UDP

Process: C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

State: NA

 

Local Address: PCPASCAL:1028

Remote Address: NA

Type: UDP

Process: C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

State: NA

 

Local Address: PCPASCAL:1026

Remote Address: NA

Type: UDP

Process: C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

State: NA

 

Local Address: PCPASCAL:500

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\lsass.exe

State: NA

 

Local Address: PCPASCAL:MICROSOFT-DS

Remote Address: NA

Type: UDP

Process: System

State: NA

 

********************************************************************************

**********

********************************************************************************

**********

Hidden files/folders:

Object: C:\Documents and Settings\Dominique\Local Settings\Application Data\Microsoft\Messenger\x@hotmail.fr\SharingMetadata\w@voila.fr\DFSR\Staging\CS{47094F16-F549-4612-849D-50F02AE550EA}\01\10-{47094F16-F549-4612-849D-50F02AE550EA}-v1-{821F6B

Status: Hidden

 

Object: C:\Documents and Settings\Olivier\Local Settings\Application Data\Microsoft\Messenger\y@noos.fr\SharingMetadata\z@hotmail.com\DFSR\Staging\CS{53CD5E93-A390-C69A-A5A6-0DB6B78CF7BC}\01\10-{53CD5E93-A390-C69A-A5A6-0DB6B78CF7BC}-v1-{4CEA99A5-B5

Status: Hidden

 

Object: C:\Documents and Settings\Pascal Admin\Favoris\P2p\WORLD MUSIC DOWNLOAD Aralik 2007.URL

Status: Hidden

 

Object: C:\Documents and Settings\Pascal Admin\Favoris\P2p\? ??????sa?? ??l???a?g? g?a??i? ?.URL

Status: Hidden

 

Object: C:\Documents and Settings\Pascal Admin\Local Settings\Application Data\Microsoft\Messenger\w@voila.fr\SharingMetadata\z@hotmail.fr\DFSR\Staging\CS{47094F16-F549-4612-849D-50F02AE550EA}\01\10-{47094F16-F549-4612-849D-50F02AE550EA}-v1-{076

Status: Hidden

 

Object: C:\System Volume Information\MountPointManagerRemoteDatabase

Status: Access denied

 

Object: C:\System Volume Information\tracking.log

Status: Access denied

 

Object: C:\System Volume Information\_restore{DC7E0091-EC97-43EE-B622-CDE3004E48C2}

Status: Access denied

 

 

 

 

Use "Recovery Console" command "fixmbr" to clear infection !
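To read a SysProt listing like the one above more systematically (SSDT entries owned by `_unknown_`, IRP hooks whose jump target belongs to no listed module, drivers flagged Hidden), here is an added triage script; it is not part of this thread and not SysProt's own code. It parses the SysProt log format shown above, groups SSDT hooks by owning driver, resolves each unattributed IRP hook's "Jump To" address against the Kernel Modules ranges, and treats dump_*.sys and the scanners' own drivers as expected-hidden per the helper's note (that allow-list is an assumption for other machines).

```python
import re
from collections import defaultdict

# Excerpt of the SysProt AntiRootkit log posted above, cut down to a few
# records so the script runs offline; every value comes from that log.
SAMPLE_LOG = r"""
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Module Base: F3266000
Module End: F327E000
Hidden: Yes

SSDT:
Function Name: ZwClose
Address: F3496110
Driver Base: F346E000
Driver End: F354D000
Driver Name: \SystemRoot\system32\drivers\fwdrv.sys

Function Name: ZwCreateKey
Address: F8D13966
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

IRP Hooks:
Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8333D01C
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_READ
Jump To: 8333B96E
Hooking Module: _unknown_
"""

UNKNOWN = "_unknown_"
# Per the helper's note above, dump_*.sys exists only in memory and the
# scanners' own drivers load the same way, so "Hidden: Yes" is expected there.
EXPECTED_HIDDEN = ("dump_", "mbr.sys", "rootrepeal.sys")
# A section title is a line holding only a name and a trailing colon.
SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z /]*):[ \t]*$", re.MULTILINE)


def split_sections(log):
    """Map each section title ('SSDT', 'IRP Hooks', ...) to the text below it."""
    parts = SECTION_RE.split(log)  # [preamble, title, body, title, body, ...]
    return {parts[i]: parts[i + 1] for i in range(1, len(parts) - 1, 2)}


def parse_records(section):
    """Split a section into blank-line-separated records of 'Key: Value' lines."""
    records = []
    for chunk in re.split(r"\n[ \t]*\n", section.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def owner_of(addr_hex, modules):
    """Listed kernel module whose [base, end) range holds addr_hex, else None."""
    addr = int(addr_hex, 16)
    for m in modules:
        if int(m["Module Base"], 16) <= addr < int(m["Module End"], 16):
            return m["Module Name"]
    return None


def is_expected_hidden(module_name):
    leaf = module_name.rsplit("\\", 1)[-1].lower()
    return leaf.startswith(EXPECTED_HIDDEN)


def triage(log):
    """Group SSDT hooks by owning driver; flag IRP hooks no listed module owns."""
    sections = split_sections(log)
    modules = parse_records(sections.get("Kernel Modules", ""))
    ssdt = defaultdict(list)
    for r in parse_records(sections.get("SSDT", "")):
        ssdt[r.get("Driver Name", UNKNOWN)].append(r.get("Function Name", "?"))
    irp = [{"driver": r["Hooked Module"], "irp": r["Hooked IRP"],
            "jump_to": r["Jump To"], "resolved_to": owner_of(r["Jump To"], modules)}
           for r in parse_records(sections.get("IRP Hooks", ""))
           if r.get("Hooking Module", UNKNOWN) == UNKNOWN]
    hidden = [m["Module Name"] for m in modules
              if m.get("Hidden") == "Yes" and not is_expected_hidden(m["Module Name"])]
    return {"ssdt_by_module": dict(ssdt), "ssdt_unknown_owner": ssdt.get(UNKNOWN, []),
            "irp_unattributed": irp, "hidden_to_review": hidden}
```

On the posted log this reports the firewall driver (fwdrv.sys) and khips.sys as SSDT owners, leaves the `_unknown_` entries and the atapi/cdrom IRP hooks unresolved, and keeps the dump_* modules out of the review list.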
