
Thread: Click.giftload problem

  1. #1
    Junior Member
    Join Date
    Mar 2011
    Posts
    26

    Default Click.giftload problem

    Hi, I got a problem with Click.giftload. Spybot can't remove it. It seems that I'm not the only one with this problem.

    Here is my DDS log, hope you will be able to help me.

    Thanks

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Tatiana at 11:18:05,89 on 25/03/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.2046.1451 [GMT 1:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe
    C:\Program Files\Alwil Software\Avast5\avastUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\WINDOWS\TEMP\lryj\setup.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
    C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\libusbd-nt.exe
    C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Documents and Settings\Tatiana\Bureau\dds.com
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.fr/
    uURLSearchHooks: Search Class: {08c06d61-f1f3-4799-86f8-be1a89362c85} - c:\program files\orange\connexion internet orange\searchurlhook\SearchPageURL.dll
    BHO: Aide pour le lien d'Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: Programme d'aide de l'Assistant de connexion Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\fichiers communs\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [EPSON Stylus DX4400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticae.exe /fu "c:\windows\temp\E_SAB.tmp" /EF "HKCU"
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [Vkonisayik] rundll32.exe "c:\windows\msaptil.dll",Startup
    uRun: [Java] c:\docume~1\tatiana\locals~1\temp\KCO2E.exe
    uRun: [Java] c:\docume~1\tatiana\locals~1\temp\KCO2E.exe
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [NeroFilterCheck] c:\program files\fichiers communs\ahead\lib\NeroCheck.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [ORAHSSSessionManager] "c:\program files\orange\connexion internet orange\sessionmanager\SessionManager.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\fichiers communs\java\java update\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [AMService] c:\windows\temp\lryj\setup.exe
    StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\dmarra~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: {1062E4BC-2F27-4BDF-9FBB-F7A8150EBCAB} = 212.27.53.252,212.27.54.252
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, maltrcgn.dll, mnrpaitr.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    .
    =============== Created Last 30 ================
    .
    .
    ==================== Find3M ====================
    .
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: Intel___ rev.1.0. -> Harddisk0\DR0 -> \Device\Ide\iaStor0
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89C83439]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89c897d0]; MOV EAX, [0x89c8984c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A5C7AB8]
    3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89CAE7B8]
    \Driver\iastor[0x8A5EA938] -> IRP_MJ_CREATE -> 0x89C83439
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
    detected disk devices:
    \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskRAIDHOME1.0.00__#4&674c230&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user != kernel MBR !!!
    sectors 488275966 (+255): user != kernel
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
    .
    ============= FINISH: 11:20:14,78 ===============
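    The DDS log above is the kind of output a helper reads by hand. As an added example (not part of this thread, and not DDS's or Spybot's own code), here is a small Python triage script that parses the Run-key and SecurityProviders lines of the "Pseudo HJT Report" section and flags the patterns that stand out in this log: autoruns launched from a temp directory, a rundll32 entry loading a DLL that sits directly in the Windows directory, an entry name registered twice, and SecurityProviders DLLs outside the default set. The sample lines are copied from the log above; the baseline set of provider DLLs and the heuristics themselves are assumptions made for the example.

```python
import re
from collections import Counter

# Sample input: autorun lines copied from the DDS log posted above, plus one
# benign rundll32 entry (NvCplDaemon) to show that it is not flagged.
SAMPLE_LOG = r"""
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Vkonisayik] rundll32.exe "c:\windows\msaptil.dll",Startup
uRun: [Java] c:\docume~1\tatiana\locals~1\temp\KCO2E.exe
uRun: [Java] c:\docume~1\tatiana\locals~1\temp\KCO2E.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
dRun: [AMService] c:\windows\temp\lryj\setup.exe
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, maltrcgn.dll, mnrpaitr.dll
"""

# Assumed baseline: the default SecurityProviders value on Windows XP.
KNOWN_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Path fragments that legitimate autoruns almost never launch from.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

RUN_RE = re.compile(r"^(?P<hive>[umd]Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SECPROV_RE = re.compile(r"^SecurityProviders: (?P<list>.*)$")
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)')
WINROOT_DLL_RE = re.compile(r"c:\\windows\\[^\\]+\.dll$")


def parse_run_entries(text):
    """Return (hive, name, command) tuples for every uRun/mRun/dRun line."""
    entries = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entries.append((m.group("hive"), m.group("name"), m.group("cmd")))
    return entries


def triage(text):
    """Apply the heuristics to the DDS autorun section and return findings."""
    findings = []
    entries = parse_run_entries(text)

    for hive, name, cmd in entries:
        low = cmd.lower()
        # Heuristic 1: the target lives in a temp directory.
        if any(marker in low for marker in TEMP_MARKERS):
            findings.append(f"{hive} [{name}] launches from a temp directory: {cmd}")
        # Heuristic 2: rundll32 loads a DLL placed directly in c:\windows
        # (system DLLs live under system32, so this placement is unusual).
        dll = RUNDLL_RE.search(low)
        if dll and WINROOT_DLL_RE.match(dll.group(1)):
            findings.append(f"{hive} [{name}] rundll32 loads a DLL from the Windows root: {dll.group(1)}")

    # Heuristic 3: the same entry name registered more than once in one hive.
    for (hive, name), count in Counter((h, n) for h, n, _ in entries).items():
        if count > 1:
            findings.append(f"{hive} [{name}] appears {count} times")

    # Heuristic 4: SecurityProviders DLLs outside the assumed default set.
    for line in text.splitlines():
        m = SECPROV_RE.match(line.strip())
        if m:
            for dll in (d.strip().lower() for d in m.group("list").split(",")):
                if dll not in KNOWN_SECURITY_PROVIDERS:
                    findings.append(f"SecurityProviders contains non-default DLL: {dll}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

    Run against the sample it reports the two identical "[Java]" temp entries, the "[AMService]" setup.exe under c:\windows\temp, the msaptil.dll loaded by rundll32, the duplicated "[Java]" name, and the two provider DLLs not in the baseline, while leaving ctfmon, NvCpl and avast alone. The heuristics are deliberately narrow; a hit means "look at this", not "this is malware".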

  2. #2
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340

    Default

    Hi Kvitrafn,

    Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.


    • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Subscribe to this Thread (then choose Instant Notification by email). If the button says Unsubscribe from this Thread, then you are already subscribed.
    • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.


    The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.


    Unfortunately your machine appears to have been infected by the TDSS rootkit/backdoor infection. This kind of malware is very dangerous. Backdoor Trojans provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.


    If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

    • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
    • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
    • Consider what other private information could possibly have been taken from your computer and take appropriate steps.


    Although the TDSS infection can be identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that if this type of malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:


    When should I re-format? How should I reinstall?
    Where to draw the line? When to recommend a format and reinstall?

    Note: Attempting to reinstall Windows (repair install) without first wiping the entire hard drive with a repartition/reformat will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system causing problems will still be there afterwards and a Repair will NOT help.


    Please read the following for more information:

    How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
    What Should I Do If I've Become A Victim Of Identity Theft?
    Identity Theft Victims Guide - What to do
    Internet Crime Complaint Center (IC3): Filing a Complaint
    Guarding Against Computer Theft



    Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post. If you decide you want to try and clean your PC then please continue with the following instructions:


    Step 1 | Please download aswMBR to your desktop.

    • Double click the aswMBR icon to run it.
      Vista and Windows 7 users right click the icon and choose "Run as administrator".
    • Click the Scan button to start scan.
    • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.





    Step 2 | Please download GMER from one of the following locations and save it to your desktop:

    Main Mirror - This version will download a randomly named file (Recommended)
    Zipped Mirror - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

    --------------------------------------------------------------------

    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
    • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.


    Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.



    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    • Make sure all options are checked except:
      • IAT/EAT
      • Drives/Partition other than Systemdrive, which is typically C:\
      • Show All (This is important, so do not miss it.)




    • Now click the Scan button. If you see a rootkit warning window, click OK.
    • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    • Click the Copy button and paste the results into your next reply.
    • Exit GMER and re-enable all active protection when done.

    -- If you encounter any problems, try running GMER in Safe Mode.


    Step 3 | Please download MBRCheck.exe to your desktop.
    • Be sure to disable your security programs
    • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
    • A window will open on your desktop
    • If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
    • Please post the contents of that file.
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --

  3. #3
    Junior Member
    Join Date
    Mar 2011
    Posts
    26

    Default

    Thanks for your answer.

    If I choose to reformat, can I just reformat the system disc (C:) and not the other discs? Or do I have to reformat all the discs?

    If it's only C:, I'll do it; if it's everything, I'll try to clean the PC.

  4. #4
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340

    Default

    Hi Kvitrafn,


    Unfortunately you'll have to format all your drives. If you only format the system drive, then this drive could become infected from the other drives.
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --

  5. #5
    Junior Member
    Join Date
    Mar 2011
    Posts
    26

    Default

    All right. Then I'll try to clean & remove the malware, since I plan to change my computer soon.
    Thanks for your answer, I'll do what you told me to do in the second post and post my log after.

  6. #6
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340

    Default

    Alright
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --

  7. #7
    Junior Member
    Join Date
    Mar 2011
    Posts
    26

    Default

    aswMBR :

    aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
    Run date: 2011-03-27 21:12:34
    -----------------------------
    21:12:34.046 OS Version: Windows 5.1.2600 Service Pack 3
    21:12:34.046 Number of processors: 2 586 0x604
    21:12:34.046 ComputerName: ROMAIN UserName:
    21:12:34.875 Initialize success
    21:12:41.968 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
    21:12:41.968 Disk 0 Vendor: Intel___ 1.0. Size: 238416MB BusType: 3
    21:12:41.968 Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskRAIDHOME1.0.00__#4&674c230&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
    21:12:41.968 Disk 0 MBR read error
    21:12:41.968 Disk 0 MBR scan
    21:12:41.968 MBR BIOS signature not found 0
    21:12:41.968 Disk 0 scanning sectors +488247480
    21:12:41.968 Disk 0 scanning C:\WINDOWS\system32\drivers
    21:12:46.218 Service scanning
    21:12:47.234 Disk 0 trace - called modules:
    21:12:47.234 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89c93439]<<
    21:12:47.234 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89cc5ab8]
    21:12:47.234 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x89c33ab0]
    21:12:47.234 \Driver\iastor[0x89cbd9d0] -> IRP_MJ_CREATE -> 0x89c93439
    21:12:47.234 Scan finished successfully


    MBRCheck :

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x000017fd

    Kernel Drivers (total 123):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E5000 \WINDOWS\system32\hal.dll
    0x89BFD000 \WINDOWS\system32\KDCOM.DLL
    0xBA4BC000 \WINDOWS\system32\BOOTVID.dll
    0xB9EA6000 spwc.sys
    0xBA5A8000 \WINDOWS\System32\Drivers\WMILIB.SYS
    0xB9E8E000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
    0xB9E5F000 ACPI.sys
    0xB9E4E000 pci.sys
    0xBA0A8000 isapnp.sys
    0xBA670000 pciide.sys
    0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xBA0B8000 MountMgr.sys
    0xB9E2F000 ftdisk.sys
    0xBA5AA000 dmload.sys
    0xB9E09000 dmio.sys
    0xBA330000 PartMgr.sys
    0xBA0C8000 VolSnap.sys
    0xB9D52000 iaStor.sys
    0xB9D3A000 atapi.sys
    0xBA338000 cercsr6.sys
    0xBA0D8000 disk.sys
    0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xB9D1A000 fltmgr.sys
    0xB9D08000 sr.sys
    0xBA0F8000 PxHelp20.sys
    0xB9CF1000 KSecDD.sys
    0xB9C64000 Ntfs.sys
    0xB9C37000 NDIS.sys
    0xB9C1D000 Mup.sys
    0xBA228000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xB84B4000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xB84A0000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB8478000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xB844B000 \SystemRoot\system32\DRIVERS\e1e5132.sys
    0xBA418000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB8427000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xBA420000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB83E6000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
    0xBA428000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xBA238000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xBA248000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xB83C3000 \SystemRoot\system32\DRIVERS\ks.sys
    0xBA430000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0xBA258000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xBA5E0000 \SystemRoot\system32\DRIVERS\serscan.sys
    0xBA6E8000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xBA268000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xB95F1000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB83AC000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xBA288000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xBA298000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xBA438000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB839B000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA2A8000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xBA440000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xBA448000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xB836B000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xBA2B8000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xBA450000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xBA458000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xBA5E2000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB830D000 \SystemRoot\system32\DRIVERS\update.sys
    0xBA57C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xB8B3E000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xB0C2B000 \SystemRoot\system32\drivers\sthda.sys
    0xB0C07000 \SystemRoot\system32\drivers\portcls.sys
    0xB2A01000 \SystemRoot\system32\drivers\drmk.sys
    0xB29E1000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xBA646000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xB29D1000 \SystemRoot\system32\drivers\libusb0.sys
    0xB1F64000 \SystemRoot\system32\DRIVERS\flpydisk.sys
    0xBA648000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xB1D18000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA64A000 \SystemRoot\System32\Drivers\Beep.SYS
    0xB1F54000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xB1CBA000 \SystemRoot\System32\drivers\vga.sys
    0xBA64C000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xBA64E000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xB1CB2000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xB1CAA000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB259E000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xB0BB4000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xB0B5B000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xB1EB6000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0xB0B35000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xB0B0D000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xB1EA6000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xB0AEB000 \SystemRoot\System32\drivers\afd.sys
    0xB1E96000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xB0AC0000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xB0A50000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xB1E86000 \SystemRoot\System32\Drivers\Fips.SYS
    0xB0A29000 \SystemRoot\System32\Drivers\aswSP.SYS
    0xB1C9A000 \SystemRoot\System32\Drivers\Aavmker4.SYS
    0xADE56000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xAD930000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xAD447000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xAD920000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xAD43B000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xAC877000 \SystemRoot\System32\Drivers\dump_iastor.sys
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xACA79000 \SystemRoot\System32\drivers\Dxapi.sys
    0xADE36000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA7FF000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\nv4_disp.dll
    0xABDBE000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xBF596000 \SystemRoot\System32\ATMFD.DLL
    0xB9BA8000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0xB5761000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xABDA7000 \SystemRoot\System32\Drivers\aswMon2.SYS
    0xABC2A000 \SystemRoot\system32\drivers\wdmaud.sys
    0xACFD4000 \SystemRoot\system32\drivers\sysaudio.sys
    0xAB13E000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xAA269000 \SystemRoot\System32\Drivers\HTTP.sys
    0xA9718000 \SystemRoot\system32\DRIVERS\srv.sys
    0xAD323000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0xA848D000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xA8384000 \SystemRoot\system32\drivers\kmixer.sys
    0xA8C21000 \??\C:\DOCUME~1\Tatiana\LOCALS~1\Temp\aswMBR.sys
    0xA836B000 \??\C:\DOCUME~1\Tatiana\LOCALS~1\Temp\pxtdrpoc.sys
    0x7C910000 \WINDOWS\system32\ntdll.dll

    Processes (total 54):
    0 System Idle Process
    4 System
    812 C:\WINDOWS\system32\smss.exe
    868 C:\WINDOWS\system32\csrss.exe
    892 C:\WINDOWS\system32\winlogon.exe
    940 C:\WINDOWS\system32\services.exe
    952 C:\WINDOWS\system32\lsass.exe
    1132 C:\WINDOWS\system32\svchost.exe
    1212 C:\WINDOWS\system32\svchost.exe
    1360 C:\WINDOWS\system32\svchost.exe
    1452 C:\WINDOWS\system32\svchost.exe
    1636 C:\WINDOWS\system32\svchost.exe
    1984 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    300 C:\WINDOWS\explorer.exe
    848 C:\WINDOWS\system32\spoolsv.exe
    1192 C:\WINDOWS\ehome\ehtray.exe
    1276 C:\WINDOWS\stsystra.exe
    1304 C:\Program Files\iTunes\iTunesHelper.exe
    1320 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    1420 C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe
    1488 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    1572 C:\WINDOWS\system32\ctfmon.exe
    1584 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    1700 C:\WINDOWS\system32\rundll32.exe
    352 C:\Program Files\Digital Line Detect\DLG.exe
    1536 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    512 C:\WINDOWS\system32\svchost.exe
    2064 C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    2204 C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
    2376 C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    2424 C:\WINDOWS\ehome\ehrecvr.exe
    2512 C:\WINDOWS\ehome\ehSched.exe
    2668 C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
    2796 C:\Program Files\Java\jre6\bin\jqs.exe
    2920 C:\WINDOWS\system32\libusbd-nt.exe
    3136 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
    3148 C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
    3200 C:\WINDOWS\system32\nvsvc32.exe
    3340 C:\WINDOWS\system32\svchost.exe
    3460 C:\WINDOWS\system32\svchost.exe
    3600 C:\WINDOWS\ehome\mcrdsvc.exe
    2336 C:\Program Files\iPod\bin\iPodService.exe
    2612 C:\WINDOWS\system32\dllhost.exe
    308 C:\WINDOWS\system32\alg.exe
    3240 C:\WINDOWS\ehome\ehmsas.exe
    4036 C:\Program Files\Internet Explorer\iexplore.exe
    2712 C:\Program Files\Internet Explorer\iexplore.exe
    2500 C:\Program Files\Internet Explorer\iexplore.exe
    3440 C:\Program Files\Internet Explorer\iexplore.exe
    5296 C:\WINDOWS\Temp\lryj\setup.exe
    6016 C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe
    3784 C:\WINDOWS\system32\wscntfy.exe
    3232 C:\WINDOWS\system32\HPZinw12.exe
    5228 C:\Documents and Settings\Tatiana\Bureau\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000c`34f34a00 (NTFS)
    \\.\E: --> \\.\PhysicalDrive0 at offset 0x0000001e`845f7c00 (NTFS)
    \\.\M: --> \\.\PhysicalDrive5 at offset 0x00000000`00007e00 (FAT32)

    PhysicalDrive0 Model Number:
    PhysicalDrive5 Model Number: SAMSUNGHM160JI, Rev:

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: 8637A6CD1F8DC55758E12C0B860CDE1133CA5719
    149 GB \\.\PhysicalDrive5 RE: Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!

  8. #8
    Junior Member
    Join Date
    Mar 2011
    Posts
    26

    Default

    GMER (pt1) :

    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit scan 2011-03-27 21:33:02
    Windows 5.1.2600 Service Pack 3
    Running: w1l3bdcc.exe; Driver: C:\DOCUME~1\Tatiana\LOCALS~1\Temp\pxtdrpoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xB0A31CF0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xB0A31BAC]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xB0A32160]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xB0A3208A]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xB0A31782]
    SSDT spwc.sys ZwEnumerateKey [0xB9EC5CA4]
    SSDT spwc.sys ZwEnumerateValueKey [0xB9EC6032]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xB0A31C86]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xB0A316C2]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xB0A31726]
    SSDT spwc.sys ZwQueryKey [0xB9EC610A]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xB0A31DA6]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xB0A3222E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xB0A31D66]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xB0A31EE6]

    INT 0x62 ? 8A620BF8
    INT 0x63 ? 8A691BF8
    INT 0x84 ? 8A690BF8
    INT 0x94 ? 8A690BF8
    INT 0xA4 ? 8A690BF8
    INT 0xB4 ? 8A690BF8

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xB0A3EBAE]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xB0A3E9D2]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xB0A3EB0C]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    PAGE ntkrnlpa.exe!ZwLoadDriver 80584160 7 Bytes JMP B0A3EB10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!NtCreateSection 805AB3C8 7 Bytes JMP B0A3E9D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC556 5 Bytes JMP B0A3A5D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ObInsertObject 805C2FDA 5 Bytes JMP B0A3BFFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D117A 7 Bytes JMP B0A3EBB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    ? spwc.sys Le fichier spécifié est introuvable. !
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB84B4360, 0x307AC7, 0xE8000020]
    .text USBPORT.SYS!DllUnload B843F8AC 5 Bytes JMP 8A6901D8
    ? C:\DOCUME~1\Tatiana\LOCALS~1\Temp\aswMBR.sys Le fichier spécifié est introuvable. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[300] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BB6ADE3
    .text C:\WINDOWS\Explorer.EXE[300] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 00CF000A
    .text C:\WINDOWS\Explorer.EXE[300] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BB766A5
    .text C:\WINDOWS\Explorer.EXE[300] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BB84DEB
    .text C:\WINDOWS\Explorer.EXE[300] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BB6AB2D
    .text C:\WINDOWS\Explorer.EXE[300] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BB7675B
    .text C:\WINDOWS\Explorer.EXE[300] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 00D0000A
    .text C:\WINDOWS\Explorer.EXE[300] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 00CE000C
    .text C:\WINDOWS\Explorer.EXE[300] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BB84A78
    .text C:\WINDOWS\Explorer.EXE[300] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BB7D9C5
    .text C:\WINDOWS\Explorer.EXE[300] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BB6CA54
    .text C:\WINDOWS\Explorer.EXE[300] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BB720ED
    .text C:\Program Files\Digital Line Detect\DLG.exe[352] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
    .text C:\Program Files\Digital Line Detect\DLG.exe[352] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
    .text C:\Program Files\Digital Line Detect\DLG.exe[352] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
    .text C:\Program Files\Digital Line Detect\DLG.exe[352] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
    .text C:\Program Files\Digital Line Detect\DLG.exe[352] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
    .text C:\Program Files\Digital Line Detect\DLG.exe[352] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
    .text C:\Program Files\Digital Line Detect\DLG.exe[352] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
    .text C:\Program Files\Digital Line Detect\DLG.exe[352] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
    .text C:\Program Files\Digital Line Detect\DLG.exe[352] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
    .text C:\Program Files\Digital Line Detect\DLG.exe[352] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
    .text C:\Program Files\Digital Line Detect\DLG.exe[352] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
    .text C:\Program Files\Digital Line Detect\DLG.exe[352] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
    .text C:\Program Files\Digital Line Detect\DLG.exe[352] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
    .text C:\Program Files\Digital Line Detect\DLG.exe[352] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
    .text C:\Program Files\Digital Line Detect\DLG.exe[352] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
    .text C:\Program Files\Digital Line Detect\DLG.exe[352] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
    .text C:\Program Files\Digital Line Detect\DLG.exe[352] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
    .text C:\Program Files\Digital Line Detect\DLG.exe[352] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
    .text C:\Program Files\Digital Line Detect\DLG.exe[352] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
    .text C:\Program Files\Digital Line Detect\DLG.exe[352] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
    .text C:\Program Files\Digital Line Detect\DLG.exe[352] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
    .text C:\WINDOWS\system32\svchost.exe[512] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
    .text C:\WINDOWS\system32\svchost.exe[512] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
    .text C:\WINDOWS\system32\svchost.exe[512] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
    .text C:\WINDOWS\system32\svchost.exe[512] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
    .text C:\WINDOWS\system32\svchost.exe[512] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
    .text C:\WINDOWS\system32\svchost.exe[512] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
    .text C:\WINDOWS\system32\svchost.exe[512] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
    .text C:\WINDOWS\system32\svchost.exe[512] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
    .text C:\WINDOWS\system32\svchost.exe[512] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
    .text C:\WINDOWS\system32\svchost.exe[512] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
    .text C:\WINDOWS\system32\svchost.exe[512] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
    .text C:\WINDOWS\system32\svchost.exe[512] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
    .text C:\WINDOWS\system32\svchost.exe[512] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
    .text C:\WINDOWS\system32\svchost.exe[512] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
    .text C:\WINDOWS\system32\svchost.exe[512] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
    .text C:\WINDOWS\system32\svchost.exe[512] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
    .text C:\WINDOWS\system32\svchost.exe[512] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
    .text C:\WINDOWS\system32\svchost.exe[512] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
    .text C:\WINDOWS\system32\svchost.exe[512] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
    .text C:\WINDOWS\system32\svchost.exe[512] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
    .text C:\WINDOWS\system32\svchost.exe[512] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
    .text C:\WINDOWS\system32\spoolsv.exe[848] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
    .text C:\WINDOWS\system32\spoolsv.exe[848] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
    .text C:\WINDOWS\system32\spoolsv.exe[848] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
    .text C:\WINDOWS\system32\spoolsv.exe[848] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
    .text C:\WINDOWS\system32\spoolsv.exe[848] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
    .text C:\WINDOWS\system32\spoolsv.exe[848] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
    .text C:\WINDOWS\system32\spoolsv.exe[848] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
    .text C:\WINDOWS\system32\spoolsv.exe[848] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
    .text C:\WINDOWS\system32\spoolsv.exe[848] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
    .text C:\WINDOWS\system32\spoolsv.exe[848] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
    .text C:\WINDOWS\system32\spoolsv.exe[848] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
    .text C:\WINDOWS\system32\spoolsv.exe[848] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
    .text C:\WINDOWS\system32\spoolsv.exe[848] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
    .text C:\WINDOWS\system32\spoolsv.exe[848] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
    .text C:\WINDOWS\system32\spoolsv.exe[848] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
    .text C:\WINDOWS\system32\spoolsv.exe[848] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
    .text C:\WINDOWS\system32\spoolsv.exe[848] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
    .text C:\WINDOWS\system32\spoolsv.exe[848] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
    .text C:\WINDOWS\system32\spoolsv.exe[848] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
    .text C:\WINDOWS\system32\spoolsv.exe[848] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
    .text C:\WINDOWS\system32\spoolsv.exe[848] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
    .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
    .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
    .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
    .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
    .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
    .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
    .text C:\WINDOWS\system32\winlogon.exe[892] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
    .text C:\WINDOWS\system32\winlogon.exe[892] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
    .text C:\WINDOWS\system32\winlogon.exe[892] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
    .text C:\WINDOWS\system32\winlogon.exe[892] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
    .text C:\WINDOWS\system32\winlogon.exe[892] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
    .text C:\WINDOWS\system32\winlogon.exe[892] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
    .text C:\WINDOWS\system32\winlogon.exe[892] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
    .text C:\WINDOWS\system32\winlogon.exe[892] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
    .text C:\WINDOWS\system32\winlogon.exe[892] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
    .text C:\WINDOWS\system32\winlogon.exe[892] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
    .text C:\WINDOWS\system32\winlogon.exe[892] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
    .text C:\WINDOWS\system32\winlogon.exe[892] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
    .text C:\WINDOWS\system32\winlogon.exe[892] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
    .text C:\WINDOWS\system32\winlogon.exe[892] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
    .text C:\WINDOWS\system32\winlogon.exe[892] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
    .text C:\WINDOWS\system32\lsass.exe[952] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
    .text C:\WINDOWS\system32\lsass.exe[952] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
    .text C:\WINDOWS\system32\lsass.exe[952] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
    .text C:\WINDOWS\system32\lsass.exe[952] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
    .text C:\WINDOWS\system32\lsass.exe[952] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
    .text C:\WINDOWS\system32\lsass.exe[952] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
    .text C:\WINDOWS\system32\lsass.exe[952] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
    .text C:\WINDOWS\system32\lsass.exe[952] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
    .text C:\WINDOWS\system32\lsass.exe[952] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
    .text C:\WINDOWS\system32\lsass.exe[952] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
    .text C:\WINDOWS\system32\lsass.exe[952] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
    .text C:\WINDOWS\system32\lsass.exe[952] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
    .text C:\WINDOWS\system32\lsass.exe[952] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
    .text C:\WINDOWS\system32\lsass.exe[952] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
    .text C:\WINDOWS\system32\lsass.exe[952] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
    .text C:\WINDOWS\system32\lsass.exe[952] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
    .text C:\WINDOWS\system32\lsass.exe[952] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
    .text C:\WINDOWS\system32\lsass.exe[952] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
    .text C:\WINDOWS\system32\lsass.exe[952] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
    .text C:\WINDOWS\system32\lsass.exe[952] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
    .text C:\WINDOWS\system32\lsass.exe[952] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
    .text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
    .text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
    .text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
    .text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
    .text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
    .text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
    .text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
    .text C:\WINDOWS\system32\svchost.exe[1132] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
    .text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
    .text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
    .text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
    .text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
    .text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
    .text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
    .text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
    .text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
    .text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
    .text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
    .text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
    .text C:\WINDOWS\system32\svchost.exe[1132] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
    .text C:\WINDOWS\system32\svchost.exe[1132] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
    .text C:\WINDOWS\ehome\ehtray.exe[1192] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
    .text C:\WINDOWS\ehome\ehtray.exe[1192] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
    .text C:\WINDOWS\ehome\ehtray.exe[1192] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
    .text C:\WINDOWS\ehome\ehtray.exe[1192] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
    .text C:\WINDOWS\ehome\ehtray.exe[1192] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
    .text C:\WINDOWS\ehome\ehtray.exe[1192] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
    .text C:\WINDOWS\ehome\ehtray.exe[1192] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
    .text C:\WINDOWS\ehome\ehtray.exe[1192] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
    .text C:\WINDOWS\ehome\ehtray.exe[1192] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
    .text C:\WINDOWS\ehome\ehtray.exe[1192] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
    .text C:\WINDOWS\ehome\ehtray.exe[1192] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
    .text C:\WINDOWS\ehome\ehtray.exe[1192] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
    .text C:\WINDOWS\ehome\ehtray.exe[1192] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
    .text C:\WINDOWS\ehome\ehtray.exe[1192] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
    .text C:\WINDOWS\ehome\ehtray.exe[1192] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
    .text C:\WINDOWS\ehome\ehtray.exe[1192] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
    .text C:\WINDOWS\ehome\ehtray.exe[1192] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
    .text C:\WINDOWS\ehome\ehtray.exe[1192] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
    .text C:\WINDOWS\ehome\ehtray.exe[1192] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
    .text C:\WINDOWS\ehome\ehtray.exe[1192] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
    .text C:\WINDOWS\ehome\ehtray.exe[1192] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
    .text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
    .text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
    .text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
    .text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
    .text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
    .text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
    .text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
    .text C:\WINDOWS\system32\svchost.exe[1212] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
    .text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
    .text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
    .text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
    .text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
    .text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
    .text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
    .text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
    .text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
    .text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
    .text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
    .text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
    .text C:\WINDOWS\system32\svchost.exe[1212] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
    .text C:\WINDOWS\system32\svchost.exe[1212] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
    .text C:\WINDOWS\stsystra.exe[1276] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
    .text C:\WINDOWS\stsystra.exe[1276] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
    .text C:\WINDOWS\stsystra.exe[1276] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
    .text C:\WINDOWS\stsystra.exe[1276] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
    .text C:\WINDOWS\stsystra.exe[1276] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
    .text C:\WINDOWS\stsystra.exe[1276] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
    .text C:\WINDOWS\stsystra.exe[1276] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
    .text C:\WINDOWS\stsystra.exe[1276] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
    .text C:\WINDOWS\stsystra.exe[1276] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
    .text C:\WINDOWS\stsystra.exe[1276] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
    .text C:\WINDOWS\stsystra.exe[1276] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
    .text C:\WINDOWS\stsystra.exe[1276] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
    .text C:\WINDOWS\stsystra.exe[1276] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
    .text C:\WINDOWS\stsystra.exe[1276] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
    .text C:\WINDOWS\stsystra.exe[1276] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
    .text C:\WINDOWS\stsystra.exe[1276] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
    .text C:\WINDOWS\stsystra.exe[1276] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
    .text C:\WINDOWS\stsystra.exe[1276] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
    .text C:\WINDOWS\stsystra.exe[1276] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
    .text C:\WINDOWS\stsystra.exe[1276] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
    .text C:\WINDOWS\stsystra.exe[1276] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
    .text C:\Program Files\iTunes\iTunesHelper.exe[1304] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
    .text C:\Program Files\iTunes\iTunesHelper.exe[1304] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
    .text C:\Program Files\iTunes\iTunesHelper.exe[1304] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
    .text C:\Program Files\iTunes\iTunesHelper.exe[1304] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
    .text C:\Program Files\iTunes\iTunesHelper.exe[1304] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
    .text C:\Program Files\iTunes\iTunesHelper.exe[1304] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
    .text C:\Program Files\iTunes\iTunesHelper.exe[1304] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
    .text C:\Program Files\iTunes\iTunesHelper.exe[1304] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
    .text C:\Program Files\iTunes\iTunesHelper.exe[1304] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
    .text C:\Program Files\iTunes\iTunesHelper.exe[1304] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
    .text C:\Program Files\iTunes\iTunesHelper.exe[1304] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
    .text C:\Program Files\iTunes\iTunesHelper.exe[1304] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
    .text C:\Program Files\iTunes\iTunesHelper.exe[1304] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
    .text C:\Program Files\iTunes\iTunesHelper.exe[1304] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
    .text C:\Program Files\iTunes\iTunesHelper.exe[1304] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
    .text C:\Program Files\iTunes\iTunesHelper.exe[1304] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
    .text C:\Program Files\iTunes\iTunesHelper.exe[1304] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
    .text C:\Program Files\iTunes\iTunesHelper.exe[1304] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
    .text C:\Program Files\iTunes\iTunesHelper.exe[1304] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
    .text C:\Program Files\iTunes\iTunesHelper.exe[1304] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
    .text C:\Program Files\iTunes\iTunesHelper.exe[1304] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
    .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
    .text C:\WINDOWS\System32\svchost.exe[1360] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
    .text C:\WINDOWS\System32\svchost.exe[1360] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 00E4000A
    .text C:\WINDOWS\System32\svchost.exe[1360] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
    .text C:\WINDOWS\System32\svchost.exe[1360] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
    .text C:\WINDOWS\System32\svchost.exe[1360] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
    .text C:\WINDOWS\System32\svchost.exe[1360] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
    .text C:\WINDOWS\System32\svchost.exe[1360] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 00E5000A
    .text C:\WINDOWS\System32\svchost.exe[1360] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 00E3000C
    .text C:\WINDOWS\System32\svchost.exe[1360] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
    .text C:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
    .text C:\WINDOWS\System32\svchost.exe[1360] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
    .text C:\WINDOWS\System32\svchost.exe[1360] USER32.dll!GetCursorPos 7E3A974E 5 Bytes JMP 0088000A
    .text C:\WINDOWS\System32\svchost.exe[1360] ole32.dll!CoCreateInstance 774BF1AC 5 Bytes JMP 00FB000A
    .text C:\WINDOWS\System32\svchost.exe[1360] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
    .text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
    .text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
    .text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
    .text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
    .text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
    .text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
    .text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
    .text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54

  9. #9
    Junior Member
    Join Date
    Mar 2011
    Posts
    26

    Default

    GMER (pt2) :

    .text C:\WINDOWS\system32\wscntfy.exe[4236] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
    .text C:\WINDOWS\system32\wscntfy.exe[4236] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
    .text C:\WINDOWS\system32\wscntfy.exe[4236] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
    .text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BB6ADE3
    .text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BB766A5
    .text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BB84DEB
    .text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BB6AB2D
    .text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BB7675B
    .text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BB84A78
    .text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BB7D9C5
    .text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BB6CA54
    .text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BB7B481
    .text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BB7EAB0
    .text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BB7B7A4
    .text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BB7BCF9
    .text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BB7E9C0
    .text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BB6DD81
    .text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BB7B36C
    .text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BB81B7A
    .text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BB81A1C
    .text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BB7EBCA
    .text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BB81CD8
    .text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BB720ED
    .text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BB7E299

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
    Device \FileSystem\Ntfs \Ntfs 8A68F1F8

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

    Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/AVAST Software)
    Device \FileSystem\Fastfat \FatCdrom 8926F1F8

    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    Device \Driver\usbuhci \Device\USBPDO-0 89B861F8
    Device \Driver\usbuhci \Device\USBPDO-1 89B861F8
    Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A6211F8
    Device \Driver\dmio \Device\DmControl\DmConfig 8A6211F8
    Device \Driver\dmio \Device\DmControl\DmPnP 8A6211F8
    Device \Driver\dmio \Device\DmControl\DmInfo 8A6211F8
    Device \Driver\usbuhci \Device\USBPDO-2 89B861F8
    Device \Driver\usbuhci \Device\USBPDO-3 89B861F8
    Device \Driver\usbstor \Device\00000060 899423E8
    Device \Driver\usbehci \Device\USBPDO-4 89B591F8
    Device \Driver\usbstor \Device\00000061 899423E8

    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    Device \Driver\usbstor \Device\00000062 899423E8
    Device \Driver\usbstor \Device\00000063 899423E8
    Device \Driver\Ftdisk \Device\HarddiskVolume1 8A6921F8
    Device \Driver\usbstor \Device\00000064 899423E8
    Device \Driver\Ftdisk \Device\HarddiskVolume2 8A6921F8
    Device \Driver\usbstor \Device\00000065 899423E8
    Device \Driver\Cdrom \Device\CdRom0 89B4D1F8
    Device \Driver\iastor \Device\Ide\iaStor0 [B9D8A5D0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort0 [B9D43B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [B9D43B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [B9D43B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\NetBT \Device\NetBT_Tcpip_{1062E4BC-2F27-4BDF-9FBB-F7A8150EBCAB} 892F31F8
    Device \Driver\Ftdisk \Device\HarddiskVolume3 8A6921F8
    Device \Driver\usbstor \Device\00000066 899423E8
    Device \Driver\Cdrom \Device\CdRom1 89B4D1F8
    Device \Driver\Ftdisk \Device\HarddiskVolume4 8A6921F8
    Device \Driver\NetBT \Device\NetBt_Wins_Export 892F31F8
    Device \Driver\NetBT \Device\NetbiosSmb 892F31F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{FCA1E7DB-D53F-4401-AD4B-2260038C251D} 892F31F8

    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    Device \Driver\usbuhci \Device\USBFDO-0 89B861F8
    Device \Driver\usbuhci \Device\USBFDO-1 89B861F8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 892D61F8
    Device \Driver\usbuhci \Device\USBFDO-2 89B861F8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 892D61F8
    Device \Driver\usbuhci \Device\USBFDO-3 89B861F8
    Device \Driver\usbehci \Device\USBFDO-4 89B591F8
    Device \Driver\Ftdisk \Device\FtControl 8A6921F8
    Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)
    Device \FileSystem\Fastfat \Fat 8926F1F8

    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Cdfs \Cdfs 892931F8
    Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskRAIDHOME1.0.00__#4&674c230&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD6 0x36 0x43 0x8A ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x48 0xDB 0x0B 0xB4 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x65 0xC5 0x65 0xF1 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x37 0x51 0x27 0x05 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD6 0x36 0x43 0x8A ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x48 0xDB 0x0B 0xB4 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x65 0xC5 0x65 0xF1 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x37 0x51 0x27 0x05 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD6 0x36 0x43 0x8A ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x48 0xDB 0x0B 0xB4 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x65 0xC5 0x65 0xF1 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x37 0x51 0x27 0x05 ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Recycle.Bin.exe C:\Recycle.Bin\Recycle.Bin.exe

    ---- EOF - GMER 1.0.15 ----

  10. #10
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340

    Default

    Hi Kvitrafn,


    Please visit the following and have a look at how you can disable your security software.

    How to disable your security programs

    After disabling your security programs, download Combofix from any of the links below and save it to your desktop.

    Link 1
    Link 2

    --------------------------------------------------------------------

    • Double click on Combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.


    If you need help, see this link:
    http://www.bleepingcomputer.com/comb...o-use-combofix
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --
