Undetectable malware affecting online banking logins
Hi,
I noticed something funny with my machine a few days ago, but have tried many scans that have found nothing. History of scans below, and a HJT log at the bottom.
Symptoms of Malware:
1. When navigating to major UK banks with IE7 (even those I've never had an account with), the online banking login is an exact match for the official one, but with a couple of extra lines asking for your full password/security details. Firefox is not affected.
2. The dodgy bank webpages are scarily realistic; the https link & VeriSign security certificate are the same as in Firefox.
3. Spybot S&D fails to install, even with Avast disabled
4. This was the case for about 4 days, until I ran HJT last night, and half an hour later neither IE nor Firefox would load webpages. This may be coincidence but I'm getting suspicious.
Scans that have so far not found anything (in order of scanning):
AVG - Resident AV software, running and full scan found nothing.
Panda Security online scan
Malware Bytes (downloaded and scanned)
ESET.com online scan
Checked Hosts file - only one entry, which is the standard?
Avast (downloaded and replaced AVG)
Spybot S&D - failed to install
HJT - log pasted below (both browsers stopped loading pages, now using another laptop)
HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:04:32, on 30/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\cryptainersrv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [OpenDNS Update] "C:\Program Files\OpenDNS U
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.co.uk/s/v/47.13/uploader2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: ms32clod.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINDOWS\SYSTEM32\cryptainersrv.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
--
End of file - 10234 bytes
Hi,
Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
Download GMER (http://www.gmer.net/gmer.zip) and save it to your desktop:
Extract it to your desktop and double-click GMER.exe
Click rootkit-tab and then scan.
Don't check the Show All box while scanning is in progress!
When scanning is ready, click Copy.
This copies the log to the clipboard.
Post log in your reply.
Hi,
Thanks for replying. It's great that you guys help people like me on this forum.
DDS logs attached below (GMER in next post). I'm currently transferring the txt files on a USB stick, as I don't appear to be able to navigate the web on the infected machine. I'm only copying .txt logs, not leaving the USB stick connected for long. The other laptop has avast only. Should I be taking any additional precautions?
DDS.txt:
DDS (Ver_09-05-14.01) - NTFSx86
Run by Geoff at 20:12:47.94 on 01/06/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1539 [GMT 1:00]
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! antivirus 4.8.1335 [VPS 090530-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
============== Running Processes ===============
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\cryptainersrv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Documents and Settings\Geoff\Desktop\dds.com
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.co.uk/
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TPKMAPMN] c:\program files\thinkpad\utilities\TpKmapMn.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [S3TRAY2] S3Tray2.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [FRYMXINS] "c:\program files\ati technologies\fire gl 3d studio max\atiimxgl"
mRun: [UC_Start] c:\program files\ibm\updater\\ucstartup.exe
mRun: [UC_SMB]
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [<NO NAME>]
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [DSLSTATEXE] c:\program files\bt voyager 105 adsl modem\dslstat.exe icon
mRun: [DSLAGENTEXE] c:\program files\bt voyager 105 adsl modem\dslagent.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_10\bin\jusched.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [OpenDNS Update] "c:\program files\OpenDNS U
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\geoff\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.co.uk/s/v/47.13/uploader2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: QConGina - QConGina.dll
AppInit_DLLs: ms32clod.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli pwdmon
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\geoff\applic~1\mozilla\firefox\profiles\kialggbt.default\
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\j2re1.4.2_10\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_10\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_10\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_10\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_10\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_10\bin\NPJPI142_10.dll
FF - plugin: c:\program files\java\j2re1.4.2_10\bin\NPOJI610.dll
============= SERVICES / DRIVERS ===============
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-5-27 28544]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2007-11-24 59520]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2007-11-24 11520]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-5-30 114768]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-12 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-12 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-12 108552]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2007-11-24 2432]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2007-11-24 4608]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2007-11-24 16384]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-5-30 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-5-30 138680]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-12 298776]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2004-9-24 64256]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [2008-5-18 100728]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-5-30 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-5-30 352920]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2007-11-24 12288]
=============== Created Last 30 ================
2009-05-30 22:03 <DIR> --d----- c:\program files\Trend Micro
2009-05-28 15:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\OpenDNS Updater
2009-05-28 15:38 <DIR> --d----- c:\program files\OpenDNS Updater
2009-05-27 14:10 <DIR> --d----- c:\docume~1\geoff\applic~1\Malwarebytes
2009-05-27 14:10 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-27 14:10 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-27 14:10 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-27 14:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-27 11:50 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-05-27 11:50 <DIR> --d----- c:\program files\Panda Security
2009-05-25 16:17 8 a------- c:\windows\system32\prt.dat
2009-05-21 20:23 <DIR> --dsh--- c:\documents and settings\geoff\IECompatCache
2009-05-21 20:22 <DIR> --dsh--- c:\documents and settings\geoff\PrivacIE
2009-05-21 20:22 <DIR> --dsh--- c:\documents and settings\geoff\IETldCache
2009-05-21 20:06 <DIR> --d----- c:\windows\ie8updates
2009-05-21 20:05 102,400 -------- c:\windows\system32\dllcache\iecompat.dll
2009-05-21 20:01 78,336 a------- c:\windows\system32\ieencode.dll
2009-05-21 20:01 78,336 a------- c:\windows\system32\dllcache\ieencode.dll
2009-05-18 21:25 0 a------- c:\windows\system32\cok458en.dat
2009-05-18 21:24 0 a------- c:\windows\system32\mmd109en.dat
2009-05-18 21:24 3,038 a------- c:\windows\system32\u1hoqf.tmp
2009-05-18 21:24 3,038 a------- c:\windows\system32\ryjlvl.tmp
2009-05-18 21:14 83,692 a------- c:\windows\system32\24mdmi.tmp
2009-05-18 21:12 329 a------- c:\windows\system32\6iviju.tmp
2009-05-18 21:12 224 a------- c:\windows\system32\qca1v8.tmp
2009-05-18 21:12 190 a------- c:\windows\system32\ty53nz.tmp
2009-05-18 21:12 21,346 a------- c:\windows\system32\xfxhrl.tmp
2009-05-18 20:46 304,091 a------- c:\windows\system32\ihqfly.tmp
2009-05-18 20:46 304,091 a------- c:\windows\system32\ghqqac.tmp
2009-05-18 20:09 16,896 a------- c:\windows\system32\perfc5932.dat
2009-05-18 20:09 1 a------- c:\windows\system32\perfc7683.dat
==================== Find3M ====================
2009-05-04 12:34 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-04 12:34 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-04 12:34 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-21 15:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-20 19:50 3,358,720 a------- c:\windows\system32\GPhotos.scr
2009-03-12 23:40 50,848 a------- c:\docume~1\geoff\applic~1\GDIPFONTCACHEV1.DAT
2009-03-10 22:18 934,792 -------- c:\windows\system32\dllcache\WgaTray.exe
2009-03-10 22:18 239,496 -------- c:\windows\system32\dllcache\wgaLogon.dll
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 15:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2008-02-21 21:27 8 a------- c:\docume~1\geoff\applic~1\usb.dat
2008-02-10 16:25 8 a------- c:\docume~1\geoff\applic~1\usb.dat.bin
2008-11-05 22:14 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110520081106\index.dat
============= FINISH: 20:13:25.27 ===============
Attach.txt:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-05-14.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 22/01/2008 21:36:50
System Uptime: 06/01/2009 19:50:57 (3505 hours ago)
Motherboard: IBM | | 2373Y3B
Processor: Intel(R) Pentium(R) M processor 2.00GHz | None | 598/400mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 51 GiB total, 11.761 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP156: 10/03/2009 09:26:34 - Software Distribution Service 3.0
RP157: 10/03/2009 09:32:15 - Software Distribution Service 3.0
RP158: 10/03/2009 09:53:43 - Printer Driver Microsoft XPS Document Writer Installed
RP159: 10/03/2009 10:01:19 - Software Distribution Service 3.0
RP160: 10/03/2009 12:59:49 - Software Distribution Service 3.0
RP161: 12/03/2009 19:50:02 - Installed AVG Free 8.5
RP162: 13/03/2009 07:19:30 - Software Distribution Service 3.0
RP163: 16/03/2009 02:06:54 - Software Distribution Service 3.0
RP164: 16/03/2009 07:26:25 - Avg8 Update
RP165: 17/03/2009 20:08:30 - System Checkpoint
RP166: 27/03/2009 11:10:10 - Avg8 Update
RP167: 27/03/2009 11:11:13 - Avg8 Update
RP168: 29/03/2009 15:38:49 - System Checkpoint
RP169: 31/03/2009 11:23:06 - System Checkpoint
RP170: 01/04/2009 14:04:56 - System Checkpoint
RP171: 05/04/2009 20:59:03 - System Checkpoint
RP172: 07/04/2009 17:57:36 - System Checkpoint
RP173: 10/04/2009 10:07:18 - System Checkpoint
RP174: 13/04/2009 09:12:54 - System Checkpoint
RP175: 15/04/2009 07:54:05 - Software Distribution Service 3.0
RP176: 16/04/2009 17:45:35 - System Checkpoint
RP177: 18/04/2009 11:41:55 - Avg8 Update
RP178: 19/04/2009 15:50:55 - Software Distribution Service 3.0
RP179: 22/04/2009 13:12:24 - Avg8 Update
RP180: 25/04/2009 12:25:27 - System Checkpoint
RP181: 04/05/2009 12:29:49 - Avg8 Update
RP182: 04/05/2009 12:34:45 - Avg8 Update
RP183: 06/05/2009 17:38:57 - System Checkpoint
RP184: 07/05/2009 17:59:59 - System Checkpoint
RP185: 08/05/2009 19:10:46 - System Checkpoint
RP186: 12/05/2009 18:00:20 - Avg8 Update
RP187: 13/05/2009 17:17:24 - Software Distribution Service 3.0
RP188: 14/05/2009 17:02:56 - Software Distribution Service 3.0
RP189: 14/05/2009 21:53:43 - Software Distribution Service 3.0
RP190: 16/05/2009 08:23:02 - System Checkpoint
RP191: 17/05/2009 13:45:00 - System Checkpoint
RP192: 21/05/2009 10:18:03 - Avg8 Update
RP193: 21/05/2009 10:18:57 - Avg8 Update
RP194: 21/05/2009 19:38:08 - Software Distribution Service 3.0
RP195: 28/05/2009 17:10:08 - System Checkpoint
RP196: 30/05/2009 23:34:14 - System Checkpoint
==== Installed Programs ======================
Access IBM
Access IBM Message Center
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Advantech Device Driver
Apple Software Update
AT&T Connect Participant
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI HYDRAVISION
AusLogics Disk Defrag
avast! Antivirus
AVG 8.5
BitTorrent
BMT-Respirometro
BT Voyager 105 ADSL Modem
Camera RAW Plug-In for EPSON Creativity Suite
Civilization II Multiplayer Gold Edition
Critical Update for Windows Media Player 11 (KB959772)
Cryptainer LE
CutePDF Writer 2.7
CX4300_5500_DX4400 manual
DNA
DWG TrueView 2009
e-Science
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Easy Photo Print
EPSON File Manager
EPSON Printer Software
EPSON Scan
EPSON Scan Assistant
EPSON Web-To-Page
ERUNT 1.1j
FireGL driver for 3D Studio MAX/VIZ
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
IBM 32-bit Runtime Environment for Java 2, v1.4.1
IBM Access Connections
IBM Active Protection System
IBM DLA
IBM Integrated 56K Modem
IBM RecordNow!
IBM Rescue and Recovery with Rapid Restore
IBM Themes
IBM ThinkPad Battery MaxiMiser and Power Management Features
IBM ThinkPad Configuration
IBM ThinkPad EasyEject Utility
IBM ThinkPad Keyboard Customizer Utility
IBM ThinkPad Power Management Driver
IBM ThinkPad Presentation Director
IBM ThinkPad UltraNav Driver
IBM ThinkPad UltraNav Wizard
IBM ThinkVantage Technologies Welcome Message
IBM TrackPoint Accessibility Features
IBM Update Connector
Intel(R) PRO Network Adapters and Drivers
Intel(R) Sebring API
InterVideo WinDVD
IsoBuster 2.4
Java 2 Runtime Environment, SE v1.4.2_10
LucasArts' Star Wars: Episode I Racer
Malwarebytes' Anti-Malware
Merit 2007 Team Module
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2000 Financial Suite
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft Outlook 2002
Microsoft Project 2000 SR-1
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB925673)
OpenDNS Updater 1.3.0.187
Panda ActiveScan 2.0
PC-Doctor for Windows
Picasa 3
QuickTime
RealPlayer
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Sid Meier's Alpha Centauri
Sonic Update Manager
ThinkPad FullScreen Magnifier
ThinkPad Software Installer
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VegaStrike Privateer
Wallpapers
WD Diagnostics
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
XML Paper Specification Shared Components Pack 1.0
Xvid 1.1.3 final uninstall
==== Event Viewer Messages From Past Week ========
30/05/2009 19:26:41, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
==== End Of File ===========================
GMER Output:
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-01 22:01:05
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA16036B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA1603574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA1603A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA160314C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA160364E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA160308C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA16030F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA160376E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA160372E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA16038AE]
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[296] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 1001018D C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[296] ADVAPI32.dll!RegEnumValueW 77DD7EED 5 Bytes JMP 1000FD7B C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[296] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10011D21 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[296] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10011B22 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[296] WININET.dll!HttpOpenRequestA 78064321 5 Bytes JMP 10011EC8 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[296] WININET.dll!InternetConnectA 7806497A 5 Bytes JMP 10013394 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[296] WININET.dll!InternetReadFile 7806ABB4 5 Bytes JMP 100111F7 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[296] WININET.dll!InternetQueryDataAvailable 7806ADF5 5 Bytes JMP 100108B9 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[296] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 10012E4F C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[296] WININET.dll!InternetSetStatusCallback 7807288F 5 Bytes JMP 100103FD C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[296] WININET.dll!HttpSendRequestW 7808082D 5 Bytes JMP 10012913 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[296] WININET.dll!InternetReadFileExA 78082AEA 5 Bytes JMP 10010933 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[296] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 10010089 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[504] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 1001018D C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[504] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10011D21 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[504] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10011B22 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[504] ADVAPI32.dll!RegEnumValueW 77DD7EED 5 Bytes JMP 1000FD7B C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[504] WININET.dll!HttpOpenRequestA 78064321 5 Bytes JMP 10011EC8 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[504] WININET.dll!InternetConnectA 7806497A 5 Bytes JMP 10013394 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[504] WININET.dll!InternetReadFile 7806ABB4 5 Bytes JMP 100111F7 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[504] WININET.dll!InternetQueryDataAvailable 7806ADF5 5 Bytes JMP 100108B9 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[504] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 10012E4F C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[504] WININET.dll!InternetSetStatusCallback 7807288F 5 Bytes JMP 100103FD C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[504] WININET.dll!HttpSendRequestW 7808082D 5 Bytes JMP 10012913 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[504] WININET.dll!InternetReadFileExA 78082AEA 5 Bytes JMP 10010933 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[504] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 10010089 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[948] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 1001018D C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[948] ADVAPI32.dll!RegEnumValueW 77DD7EED 5 Bytes JMP 1000FD7B C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[948] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10011D21 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[948] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10011B22 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[948] WININET.dll!HttpOpenRequestA 78064321 5 Bytes JMP 10011EC8 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[948] WININET.dll!InternetConnectA 7806497A 5 Bytes JMP 10013394 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[948] WININET.dll!InternetReadFile 7806ABB4 5 Bytes JMP 100111F7 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[948] WININET.dll!InternetQueryDataAvailable 7806ADF5 5 Bytes JMP 100108B9 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[948] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 10012E4F C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[948] WININET.dll!InternetSetStatusCallback 7807288F 5 Bytes JMP 100103FD C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[948] WININET.dll!HttpSendRequestW 7808082D 5 Bytes JMP 10012913 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[948] WININET.dll!InternetReadFileExA 78082AEA 5 Bytes JMP 10010933 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[948] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 10010089 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe[1204] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 1001018D C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe[1204] ADVAPI32.dll!RegEnumValueW 77DD7EED 5 Bytes JMP 1000FD7B C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe[1204] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10011D21 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe[1204] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10011B22 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe[1204] WININET.dll!HttpOpenRequestA 78064321 5 Bytes JMP 10011EC8 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe[1204] WININET.dll!InternetConnectA 7806497A 5 Bytes JMP 10013394 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe[1204] WININET.dll!InternetReadFile 7806ABB4 5 Bytes JMP 100111F7 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe[1204] WININET.dll!InternetQueryDataAvailable 7806ADF5 5 Bytes JMP 100108B9 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe[1204] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 10012E4F C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe[1204] WININET.dll!InternetSetStatusCallback 7807288F 5 Bytes JMP 100103FD C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe[1204] WININET.dll!HttpSendRequestW 7808082D 5 Bytes JMP 10012913 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe[1204] WININET.dll!InternetReadFileExA 78082AEA 5 Bytes JMP 10010933 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe[1204] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 10010089 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[1240] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 1001018D C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[1240] ADVAPI32.dll!RegEnumValueW 77DD7EED 5 Bytes JMP 1000FD7B C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[1240] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10011D21 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[1240] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10011B22 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[1240] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 10010089 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[1240] WININET.dll!HttpOpenRequestA 78064321 5 Bytes JMP 10011EC8 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[1240] WININET.dll!InternetConnectA 7806497A 5 Bytes JMP 10013394 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[1240] WININET.dll!InternetReadFile 7806ABB4 5 Bytes JMP 100111F7 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[1240] WININET.dll!InternetQueryDataAvailable 7806ADF5 5 Bytes JMP 100108B9 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[1240] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 10012E4F C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[1240] WININET.dll!InternetSetStatusCallback 7807288F 5 Bytes JMP 100103FD C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[1240] WININET.dll!HttpSendRequestW 7808082D 5 Bytes JMP 10012913 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[1240] WININET.dll!InternetReadFileExA 78082AEA 5 Bytes JMP 10010933 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1596] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 1001018D C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1596] ADVAPI32.dll!RegEnumValueW 77DD7EED 5 Bytes JMP 1000FD7B C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1596] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10011D21 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1596] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10011B22 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1596] WININET.dll!HttpOpenRequestA 78064321 5 Bytes JMP 10011EC8 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1596] WININET.dll!InternetConnectA 7806497A 5 Bytes JMP 10013394 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1596] WININET.dll!InternetReadFile 7806ABB4 5 Bytes JMP 100111F7 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1596] WININET.dll!InternetQueryDataAvailable 7806ADF5 5 Bytes JMP 100108B9 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1596] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 10012E4F C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1596] WININET.dll!InternetSetStatusCallback 7807288F 5 Bytes JMP 100103FD C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1596] WININET.dll!HttpSendRequestW 7808082D 5 Bytes JMP 10012913 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1596] WININET.dll!InternetReadFileExA 78082AEA 5 Bytes JMP 10010933 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1596] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 10010089 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2336] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 1001018D C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2336] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10011D21 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2336] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10011B22 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2336] ADVAPI32.dll!RegEnumValueW 77DD7EED 5 Bytes JMP 1000FD7B C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2336] WININET.dll!HttpOpenRequestA 78064321 5 Bytes JMP 10011EC8 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2336] WININET.dll!InternetConnectA 7806497A 5 Bytes JMP 10013394 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2336] WININET.dll!InternetReadFile 7806ABB4 5 Bytes JMP 100111F7 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2336] WININET.dll!InternetQueryDataAvailable 7806ADF5 5 Bytes JMP 100108B9 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2336] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 10012E4F C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2336] WININET.dll!InternetSetStatusCallback 7807288F 5 Bytes JMP 100103FD C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2336] WININET.dll!HttpSendRequestW 7808082D 5 Bytes JMP 10012913 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2336] WININET.dll!InternetReadFileExA 78082AEA 5 Bytes JMP 10010933 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2336] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 10010089 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2408] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 1001018D C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2408] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10011D21 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2408] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10011B22 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2408] ADVAPI32.dll!RegEnumValueW 77DD7EED 5 Bytes JMP 1000FD7B C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2408] WININET.dll!HttpOpenRequestA 78064321 5 Bytes JMP 10011EC8 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2408] WININET.dll!InternetConnectA 7806497A 5 Bytes JMP 10013394 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2408] WININET.dll!InternetReadFile 7806ABB4 5 Bytes JMP 100111F7 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2408] WININET.dll!InternetQueryDataAvailable 7806ADF5 5 Bytes JMP 100108B9 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2408] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 10012E4F C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2408] WININET.dll!InternetSetStatusCallback 7807288F 5 Bytes JMP 100103FD C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2408] WININET.dll!HttpSendRequestW 7808082D 5 Bytes JMP 10012913 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2408] WININET.dll!InternetReadFileExA 78082AEA 5 Bytes JMP 10010933 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2408] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 10010089 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe[2464] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 1001018D C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe[2464] ADVAPI32.dll!RegEnumValueW 77DD7EED 5 Bytes JMP 1000FD7B C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe[2464] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10011D21 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe[2464] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10011B22 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe[2464] WININET.dll!HttpOpenRequestA 78064321 5 Bytes JMP 10011EC8 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe[2464] WININET.dll!InternetConnectA 7806497A 5 Bytes JMP 10013394 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe[2464] WININET.dll!InternetReadFile 7806ABB4 5 Bytes JMP 100111F7 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe[2464] WININET.dll!InternetQueryDataAvailable 7806ADF5 5 Bytes JMP 100108B9 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe[2464] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 10012E4F C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe[2464] WININET.dll!InternetSetStatusCallback 7807288F 5 Bytes JMP 100103FD C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe[2464] WININET.dll!HttpSendRequestW 7808082D 5 Bytes JMP 10012913 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe[2464] WININET.dll!InternetReadFileExA 78082AEA 5 Bytes JMP 10010933 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe[2464] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 10010089 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE[2768] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0091018D C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE[2768] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 00910089 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE[2768] ADVAPI32.dll!RegEnumValueW 77DD7EED 5 Bytes JMP 0090FD7B C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE[2768] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00911D21 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE[2768] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00911B22 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE[2768] WININET.dll!HttpOpenRequestA 78064321 5 Bytes JMP 00911EC8 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE[2768] WININET.dll!InternetConnectA 7806497A 5 Bytes JMP 00913394 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE[2768] WININET.dll!InternetReadFile 7806ABB4 5 Bytes JMP 009111F7 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE[2768] WININET.dll!InternetQueryDataAvailable 7806ADF5 5 Bytes JMP 009108B9 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE[2768] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 00912E4F C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE[2768] WININET.dll!InternetSetStatusCallback 7807288F 5 Bytes JMP 009103FD C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE[2768] WININET.dll!HttpSendRequestW 7808082D 5 Bytes JMP 00912913 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE[2768] WININET.dll!InternetReadFileExA 78082AEA 5 Bytes JMP 00910933 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe[2956] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 1001018D C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe[2956] ADVAPI32.dll!RegEnumValueW 77DD7EED 5 Bytes JMP 1000FD7B C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe[2956] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10011D21 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe[2956] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10011B22 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe[2956] WININET.dll!HttpOpenRequestA 78064321 5 Bytes JMP 10011EC8 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe[2956] WININET.dll!InternetConnectA 7806497A 5 Bytes JMP 10013394 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe[2956] WININET.dll!InternetReadFile 7806ABB4 5 Bytes JMP 100111F7 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe[2956] WININET.dll!InternetQueryDataAvailable 7806ADF5 5 Bytes JMP 100108B9 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe[2956] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 10012E4F C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe[2956] WININET.dll!InternetSetStatusCallback 7807288F 5 Bytes JMP 100103FD C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe[2956] WININET.dll!HttpSendRequestW 7808082D 5 Bytes JMP 10012913 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe[2956] WININET.dll!InternetReadFileExA 78082AEA 5 Bytes JMP 10010933 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe[2956] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 10010089 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe[2964] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 1001018D C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe[2964] ADVAPI32.dll!RegEnumValueW 77DD7EED 5 Bytes JMP 1000FD7B C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe[2964] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10011D21 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe[2964] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10011B22 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe[2964] WININET.dll!HttpOpenRequestA 78064321 5 Bytes JMP 10011EC8 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe[2964] WININET.dll!InternetConnectA 7806497A 5 Bytes JMP 10013394 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe[2964] WININET.dll!InternetReadFile 7806ABB4 5 Bytes JMP 100111F7 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe[2964] WININET.dll!InternetQueryDataAvailable 7806ADF5 5 Bytes JMP 100108B9 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe[2964] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 10012E4F C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe[2964] WININET.dll!InternetSetStatusCallback 7807288F 5 Bytes JMP 100103FD C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe[2964] WININET.dll!HttpSendRequestW 7808082D 5 Bytes JMP 10012913 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe[2964] WININET.dll!InternetReadFileExA 78082AEA 5 Bytes JMP 10010933 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe[2964] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 10010089 C:\WINDOWS\system32\ms32clod.dll
.text C:\Documents and Settings\Geoff\Desktop\gmer.exe[3068] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 1001018D C:\WINDOWS\system32\ms32clod.dll
.text C:\Documents and Settings\Geoff\Desktop\gmer.exe[3068] ADVAPI32.dll!RegEnumValueW 77DD7EED 5 Bytes JMP 1000FD7B C:\WINDOWS\system32\ms32clod.dll
.text C:\Documents and Settings\Geoff\Desktop\gmer.exe[3068] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10011D21 C:\WINDOWS\system32\ms32clod.dll
.text C:\Documents and Settings\Geoff\Desktop\gmer.exe[3068] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10011B22 C:\WINDOWS\system32\ms32clod.dll
.text C:\Documents and Settings\Geoff\Desktop\gmer.exe[3068] WININET.dll!HttpOpenRequestA 78064321 5 Bytes JMP 10011EC8 C:\WINDOWS\system32\ms32clod.dll
.text C:\Documents and Settings\Geoff\Desktop\gmer.exe[3068] WININET.dll!InternetConnectA 7806497A 5 Bytes JMP 10013394 C:\WINDOWS\system32\ms32clod.dll
.text C:\Documents and Settings\Geoff\Desktop\gmer.exe[3068] WININET.dll!InternetReadFile 7806ABB4 5 Bytes JMP 100111F7 C:\WINDOWS\system32\ms32clod.dll
.text C:\Documents and Settings\Geoff\Desktop\gmer.exe[3068] WININET.dll!InternetQueryDataAvailable 7806ADF5 5 Bytes JMP 100108B9 C:\WINDOWS\system32\ms32clod.dll
.text C:\Documents and Settings\Geoff\Desktop\gmer.exe[3068] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 10012E4F C:\WINDOWS\system32\ms32clod.dll
.text C:\Documents and Settings\Geoff\Desktop\gmer.exe[3068] WININET.dll!InternetSetStatusCallback 7807288F 5 Bytes JMP 100103FD C:\WINDOWS\system32\ms32clod.dll
.text C:\Documents and Settings\Geoff\Desktop\gmer.exe[3068] WININET.dll!HttpSendRequestW 7808082D 5 Bytes JMP 10012913 C:\WINDOWS\system32\ms32clod.dll
.text C:\Documents and Settings\Geoff\Desktop\gmer.exe[3068] WININET.dll!InternetReadFileExA 78082AEA 5 Bytes JMP 10010933 C:\WINDOWS\system32\ms32clod.dll
.text C:\Documents and Settings\Geoff\Desktop\gmer.exe[3068] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 10010089 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe[3124] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 1001018D C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe[3124] ADVAPI32.dll!RegEnumValueW 77DD7EED 5 Bytes JMP 1000FD7B C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe[3124] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10011D21 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe[3124] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10011B22 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe[3124] WININET.dll!HttpOpenRequestA 78064321 5 Bytes JMP 10011EC8 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe[3124] WININET.dll!InternetConnectA 7806497A 5 Bytes JMP 10013394 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe[3124] WININET.dll!InternetReadFile 7806ABB4 5 Bytes JMP 100111F7 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe[3124] WININET.dll!InternetQueryDataAvailable 7806ADF5 5 Bytes JMP 100108B9 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe[3124] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 10012E4F C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe[3124] WININET.dll!InternetSetStatusCallback 7807288F 5 Bytes JMP 100103FD C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe[3124] WININET.dll!HttpSendRequestW 7808082D 5 Bytes JMP 10012913 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe[3124] WININET.dll!InternetReadFileExA 78082AEA 5 Bytes JMP 10010933 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe[3124] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 10010089 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3208] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 1001018D C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3208] ADVAPI32.dll!RegEnumValueW 77DD7EED 5 Bytes JMP 1000FD7B C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3208] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10011D21 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3208] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10011B22 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3208] WININET.dll!HttpOpenRequestA 78064321 5 Bytes JMP 10011EC8 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3208] WININET.dll!InternetConnectA 7806497A 5 Bytes JMP 10013394 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3208] WININET.dll!InternetReadFile 7806ABB4 5 Bytes JMP 100111F7 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3208] WININET.dll!InternetQueryDataAvailable 7806ADF5 5 Bytes JMP 100108B9 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3208] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 10012E4F C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3208] WININET.dll!InternetSetStatusCallback 7807288F 5 Bytes JMP 100103FD C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3208] WININET.dll!HttpSendRequestW 7808082D 5 Bytes JMP 10012913 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3208] WININET.dll!InternetReadFileExA 78082AEA 5 Bytes JMP 10010933 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3208] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 10010089 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe[3236] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 1001018D C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe[3236] ADVAPI32.dll!RegEnumValueW 77DD7EED 5 Bytes JMP 1000FD7B C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe[3236] WININET.dll!HttpOpenRequestA 78064321 5 Bytes JMP 10011EC8 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe[3236] WININET.dll!InternetConnectA 7806497A 5 Bytes JMP 10013394 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe[3236] WININET.dll!InternetReadFile 7806ABB4 5 Bytes JMP 100111F7 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe[3236] WININET.dll!InternetQueryDataAvailable 7806ADF5 5 Bytes JMP 100108B9 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe[3236] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 10012E4F C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe[3236] WININET.dll!InternetSetStatusCallback 7807288F 5 Bytes JMP 100103FD C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe[3236] WININET.dll!HttpSendRequestW 7808082D 5 Bytes JMP 10012913 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe[3236] WININET.dll!InternetReadFileExA 78082AEA 5 Bytes JMP 10010933 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe[3236] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10011D21 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe[3236] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10011B22 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe[3236] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 10010089 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3304] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01E6018D C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3304] ADVAPI32.dll!RegEnumValueW 77DD7EED 5 Bytes JMP 01E5FD7B C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3304] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01E61D21 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3304] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01E61B22 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3304] WININET.dll!HttpOpenRequestA 78064321 5 Bytes JMP 01E61EC8 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3304] WININET.dll!InternetConnectA 7806497A 5 Bytes JMP 01E63394 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3304] WININET.dll!InternetReadFile 7806ABB4 5 Bytes JMP 01E611F7 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3304] WININET.dll!InternetQueryDataAvailable 7806ADF5 5 Bytes JMP 01E608B9 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3304] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 01E62E4F C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3304] WININET.dll!InternetSetStatusCallback 7807288F 5 Bytes JMP 01E603FD C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3304] WININET.dll!HttpSendRequestW 7808082D 5 Bytes JMP 01E62913 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3304] WININET.dll!InternetReadFileExA 78082AEA 5 Bytes JMP 01E60933 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3304] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 01E60089 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3376] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 1001018D C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3376] ADVAPI32.dll!RegEnumValueW 77DD7EED 5 Bytes JMP 1000FD7B C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3376] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10011D21 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3376] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10011B22 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3376] WININET.dll!HttpOpenRequestA 78064321 5 Bytes JMP 10011EC8 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3376] WININET.dll!InternetConnectA 7806497A 5 Bytes JMP 10013394 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3376] WININET.dll!InternetReadFile 7806ABB4 5 Bytes JMP 100111F7 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3376] WININET.dll!InternetQueryDataAvailable 7806ADF5 5 Bytes JMP 100108B9 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3376] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 10012E4F C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3376] WININET.dll!InternetSetStatusCallback 7807288F 5 Bytes JMP 100103FD C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3376] WININET.dll!HttpSendRequestW 7808082D 5 Bytes JMP 10012913 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3376] WININET.dll!InternetReadFileExA 78082AEA 5 Bytes JMP 10010933 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3376] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 10010089 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[3644] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 1001018D C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[3644] ADVAPI32.dll!RegEnumValueW 77DD7EED 5 Bytes JMP 1000FD7B C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[3644] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10011D21 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[3644] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10011B22 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[3644] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 10010089 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[3644] WININET.dll!HttpOpenRequestA 78064321 5 Bytes JMP 10011EC8 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[3644] WININET.dll!InternetConnectA 7806497A 5 Bytes JMP 10013394 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[3644] WININET.dll!InternetReadFile 7806ABB4 5 Bytes JMP 100111F7 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[3644] WININET.dll!InternetQueryDataAvailable 7806ADF5 5 Bytes JMP 100108B9 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[3644] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 10012E4F C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[3644] WININET.dll!InternetSetStatusCallback 7807288F 5 Bytes JMP 100103FD C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[3644] WININET.dll!HttpSendRequestW 7808082D 5 Bytes JMP 10012913 C:\WINDOWS\system32\ms32clod.dll
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[3644] WININET.dll!InternetReadFileExA 78082AEA 5 Bytes JMP 10010933 C:\WINDOWS\system32\ms32clod.dll
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\system32\services.exe[984] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00390002
IAT C:\WINDOWS\system32\services.exe[984] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00390000
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)
Device \Driver\BTHUSB \Device\00000091 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\00000093 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0020e07b3953
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0020e07b3953@0012d21189ba 0xB4 0x00 0xA7 0xAC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0020e07b3953@0017830a4c5d 0x7F 0xD0 0x96 0x1D ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0020e07b3953
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0020e07b3953@0012d21189ba 0xB4 0x00 0xA7 0xAC ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0020e07b3953@0017830a4c5d 0x7F 0xD0 0x96 0x1D ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@AppInit_DLLs SYS:Microsoft\Windows NT\CurrentVersion\Windows
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@Beep #USR:Control Panel\Sound
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@BorderWidth #USR:Control Panel\Desktop\WindowMetrics
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@CoolSwitch USR:Control Panel\Desktop
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@CursorBlinkRate #USR:Control Panel\Desktop
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@DefaultSeparateVDM \Registry\Machine\System\CurrentControlSet\Control\WOW
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@DeviceNotSelectedTimeout #SYS:Microsoft\Windows NT\CurrentVersion\Windows
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@DoubleClickHeight #USR:Control Panel\Mouse
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@DoubleClickSpeed #USR:Control Panel\Mouse
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@DoubleClickWidth #USR:Control Panel\Mouse
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@DragFullWindows USR:Control Panel\Desktop
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@InitialKeyboardIndicators USR:Control Panel\Keyboard
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@KeyboardDelay #USR:Control Panel\Keyboard
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@KeyboardSpeed #USR:Control Panel\Keyboard
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@LowPowerActive #USR:Control Panel\Desktop
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@LowPowerTimeOut #USR:Control Panel\Desktop
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@MouseSpeed #USR:Control Panel\Mouse
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@MouseThreshold1 #USR:Control Panel\Mouse
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@MouseThreshold2 #USR:Control Panel\Mouse
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@PowerOffActive #USR:Control Panel\Desktop
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@PowerOffTimeOut #USR:Control Panel\Desktop
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@ScreenSaveActive #USR:Control Panel\Desktop
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@ScreenSaveTimeOut #USR:Control Panel\Desktop
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@SnapToDefaultButton #USR:Control Panel\Mouse
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@Spooler #SYS:Microsoft\Windows NT\CurrentVersion\Windows
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@swapdisk SYS:Microsoft\Windows NT\CurrentVersion\Windows
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@SwapMouseButtons #USR:Control Panel\Mouse
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@TransmissionRetryTimeout #SYS:Microsoft\Windows NT\CurrentVersion\Windows
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs ms32clod.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
---- EOF - GMER 1.0.15 ----
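Added example, not from this thread or from GMER itself: a small Python triage script that parses GMER 1.0.15 log lines in the format posted above and surfaces the two things a responder keys on in such a log, one module inline-hooking network and certificate APIs across many processes, and an AppInit_DLLs entry that loads it. The SAMPLE_LOG lines (process names, PIDs) are constructed to mirror the posted log, not copied from it; the regexes assume GMER's line layout.

```python
"""Triage a GMER 1.0.15 log for user-mode API hooks and AppInit_DLLs persistence.
Added example; SAMPLE_LOG is constructed to mirror the log format, not taken from it."""
import re
from collections import defaultdict

# ".text <process path>[pid] <dll>!<function> <addr> N Bytes JMP <target> <module path>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<dll>[\w.]+)!(?P<func>\w+)\s+"
    r"(?P<addr>[0-9A-F]+)\s+\d+ Bytes JMP (?P<target>[0-9A-F]+)\s+(?P<module>.+)$"
)
# "Reg <key path>@<value name> <data>"  (the key path may contain spaces)
REG_RE = re.compile(r"^Reg\s+(?P<key>.+?)@(?P<value>\S+)(?:\s+(?P<data>.*))?$")

# APIs on the wire/credential path: hooking them inside the browser lets a
# banking trojan read and rewrite page content before TLS is applied.
SENSITIVE_APIS = {
    "send", "WSASend", "HttpOpenRequestA", "InternetConnectA",
    "HttpSendRequestA", "HttpSendRequestW", "InternetReadFile",
    "InternetReadFileExA", "PFXImportCertStore",
}

SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\svchost.exe[1234] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 10012E4F C:\WINDOWS\system32\ms32clod.dll
.text C:\WINDOWS\system32\svchost.exe[1234] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10011D21 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Example\app.exe[2345] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 10010089 C:\WINDOWS\system32\ms32clod.dll
.text C:\Program Files\Example\app.exe[2345] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 1001018D C:\WINDOWS\system32\ms32clod.dll
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows@AppInit_DLLs SYS:Microsoft\Windows NT\CurrentVersion\Windows
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs ms32clod.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
""".strip().splitlines()


def parse_hooks(lines):
    """Return one dict per '.text ... JMP ...' inline-hook line."""
    return [m.groupdict() for m in map(HOOK_RE.match, (ln.strip() for ln in lines)) if m]


def foreign_hook_modules(hooks):
    """Map hook-target module -> processes it is injected into, counting only
    hooks on SENSITIVE_APIS whose JMP lands outside the hooked DLL itself."""
    by_module = defaultdict(set)
    for h in hooks:
        target_name = h["module"].rsplit("\\", 1)[-1].lower()
        if h["func"] in SENSITIVE_APIS and target_name != h["dll"].lower():
            by_module[h["module"]].add(h["proc"])
    return dict(by_module)


def appinit_dlls(lines):
    """Return (dll names, LoadAppInit_DLLs flag) from the live Windows key,
    ignoring the IniFileMapping entries that merely point at that key."""
    dlls, enabled = [], False
    for line in lines:
        m = REG_RE.match(line.strip())
        if not m or not m.group("key").endswith(r"\CurrentVersion\Windows"):
            continue
        data = (m.group("data") or "").strip()
        if m.group("value") == "AppInit_DLLs" and data:
            dlls = data.replace(",", " ").split()   # value may be space- or comma-separated
        elif m.group("value") == "LoadAppInit_DLLs":
            enabled = data == "1"
    return dlls, enabled


def triage(lines):
    """Human-readable findings: injected hook modules plus AppInit_DLLs persistence."""
    findings = []
    for module, procs in sorted(foreign_hook_modules(parse_hooks(lines)).items()):
        findings.append(f"{module} hooks network/certificate APIs in {len(procs)} process(es)")
    dlls, enabled = appinit_dlls(lines)
    for dll in dlls:
        state = "enabled" if enabled else "flag not set"
        findings.append(f"AppInit_DLLs persistence: {dll} (LoadAppInit_DLLs {state})")
    return findings
```

Running `triage(SAMPLE_LOG)` yields one finding for the hook module and one for the AppInit_DLLs entry; run it over a saved GMER log with `triage(open(path, encoding="utf-8", errors="replace"))`.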
Hi,
Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Please upload this file:
C:\WINDOWS\system32\ms32clod.dll
to this (http://www.bleepingcomputer.com/submit-malware.php?channel=76) website.
Kindly include a link to this topic in the message.
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)
However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.
Please let us know what you have decided to do in your next post.
Blade,
Thanks for getting back. The machine hasn't been connected to the internet since Friday. We haven't logged into anything more than email since we noticed the problem.
This sounds bad. I have a couple of questions:
1. If we reinstall the OS, can we trust the machine?
2. We'd like to get some data off the machine before reinstalling the OS. We could either resynchronise the backup we last took a couple of months ago (sounds risky), or just copy specific files via a memory stick. Is the memory stick likely to transfer the problem as well?
3. Currently we're connecting to the internet via a USB modem, but we were using a wireless router with the infected machine. Is a hardware reset sufficient for the router to be safe?
4. Can you see from the posted logs whether there was a keylogger? I think we've only used passwords to email (which are now being changed) since we noticed the problem.
Thanks, I'm thinking that reinstalling the OS is the best option at this point. Could you point to a walkthrough?
Thanks again
Hi again,
Could you submit the dll file I asked for (instructions for submitting in my previous post)? I would like to do some research on it.
1. If we reinstall the OS, can we trust the machine?
Yes.
2. We'd like to get some data off the machine before reinstalling the OS. We could either resynchronise the backup we last took a couple of months ago (sounds risky), or just copy specific files via a memory stick. Is the memory stick likely to transfer the problem as well?
Better make sure that stick doesn't carry infection.
1. Download Flash_Disinfector (http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe) and save it to your Desktop of your clean system.
2. After downloading, double-click on Flash_Disinfector to run it.
3. Just follow the prompts and continue until it begins scanning.
4. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.
5. It will scan removable drives, wait for the scan to finish. Done.
After that, run Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) on the clean machine to check your USB drive.
If Kaspersky doesn't find anything bad on the USB drive, then you can use it to back up stuff from the infected system.
3. Currently we're connecting to the internet via a USB modem, but we were using a wireless router with the infected machine. Is a hardware reset sufficient for the router to be safe?
The signs don't indicate a DNS-changer kind of infection. To be safe, you may reset the router, though. Remember to change the router's password from the default one after the reset.
4. Can you see from the posted logs whether there was a keylogger? I think we've only used passwords to email (which are now being changed) since we noticed the problem.
Can't say for sure, but the signs tell it could be possible.
Thanks, I'm thinking that reinstalling the OS is the best option at this point. Could you point to a walkthrough?
A good walkthrough can be found here (http://spyware-free.us/tutorials/reformat/).
Blade,
Have uploaded the file as requested. Thanks for answering my questions.
Thanks for the submission :) I'll keep the topic open for a few days. Unless you post back I'll archive it.
Due to inactivity, this thread will now be closed.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.
If it has been less than four days since your last response and you need the thread re-opened, please send me or a MOD a private message (pm). A valid, working link to the closed topic is required.