
Unknown Malware/Virus/Something


  • This topic is locked
15 replies to this topic

#1 cheezfri

cheezfri

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:38 AM

Posted 18 April 2009 - 10:48 AM

I have Windows XP; I have had unknown malware issues in the past. Have never really been able to get rid of them, and now it's getting worse.
I cannot log into either of my regular XP accounts. I can only log into my Guest account.
I cannot run Internet Explorer at all. When I double click the icon, nothing happens and nothing new appears in the processes in Task Manager. So I can only run Firefox.
When I do a Google search and click one of the results, it opens an ad in a new tab. I can not open any real Google results.
So I'm starting from the beginning and posting Attach.txt and DDS.txt.

Thank you in advance

cheezfri

Attached Files




#2 cheezfri

cheezfri
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:38 AM

Posted 19 April 2009 - 09:17 AM

Do I need to post a hijackthis log here?




#3 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:38 AM

Posted 19 April 2009 - 11:41 AM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTListIt2 Report
  • Please download OTListIt2 from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.



=============


The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
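The OTListIt2 log Sam asks for above is a plain-text listing of processes, services, drivers, browser helper objects and Run keys, and the first pass a helper makes over it is mechanical: which modules carry no publisher, which load from a temp or profile directory, which BHO registrations are orphaned, which Run entries point at files that no longer exist. The script below is an added example, not part of this thread and not OldTimer's code, that applies those checks to such a log. The line shapes are inferred from the log posted later in this thread (OTListIt2 publishes no formal grammar), the sample lines are copied from that log, and the heuristics are this example's own assumptions rather than anything the tool does itself; a hit means the line deserves a closer look, not that it is malicious.

```python
"""Triage heuristics for OTListIt2-style log lines (added example, not OldTimer's code)."""
import re

# Line shapes inferred from the log posted in this thread; assumptions, not a spec.
MODULE_RE = re.compile(
    r"^(?P<kind>PRC|SRV|DRV) - \[(?P<meta>[^\]]*)\] \((?P<publisher>.*?)\) -- "
    r"(?P<path>.*?)(?: -- \((?P<service>[^)]*)\))?$"
)
BHO_RE = re.compile(
    r"^O2 - BHO: \((?P<name>[^)]*)\) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<rest>.*)$"
)
RUN_RE = re.compile(r"^O4 - (?P<hive>.*?)\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")

# Directories a driver, service or browser helper rarely has a good reason to live in.
SUSPECT_DIRS = ("\\local settings\\temp\\", "\\application data\\", "\\temp\\")


def path_suspicious(text: str) -> bool:
    """True if the path (or command line) references a temp/profile directory."""
    low = text.lower()
    return any(d in low for d in SUSPECT_DIRS)


def triage_line(line: str) -> list:
    """Return the reasons a single log line deserves a closer look ([] = nothing noted)."""
    reasons = []
    m = MODULE_RE.match(line)
    if m:
        if not m.group("publisher").strip():
            reasons.append("no publisher in version info")
        if path_suspicious(m.group("path")):
            reasons.append("loaded from a temp/profile directory")
        if m.group("kind") == "DRV" and reasons:
            reasons.append("kernel driver: review first")
        return reasons
    m = BHO_RE.match(line)
    if m:
        rest = m.group("rest")
        if "File not found" in rest or "Reg Error" in rest:
            reasons.append("orphaned BHO registration")
        elif rest.endswith("()"):
            reasons.append("BHO DLL with no publisher")
        return reasons
    m = RUN_RE.match(line)
    if m:
        cmd = m.group("cmd")
        if cmd.endswith("File not found"):
            reasons.append("Run entry points at a missing file")
        if "rundll32" in cmd.lower() and path_suspicious(cmd):
            reasons.append("rundll32 loading a DLL from a profile directory")
        return reasons
    return reasons  # other line types (O1, O16, ...) are not handled by this example


def triage(lines) -> list:
    """Return [(line, reasons), ...] for every line that triggered at least one check."""
    findings = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        reasons = triage_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


# Sample lines copied from the OTListIt2 log posted later in this thread.
SAMPLE_LINES = [
    r"PRC - [2003/07/28 15:19:00 | 00,077,824 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe",
    r"DRV - [2003/07/09 17:25:27 | 00,031,744 | ---- | M] () -- C:\Documents and Settings\Other\Local Settings\temp\oUltraf.sys -- (oUltraf [On_Demand | Stopped])",
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - Reg Error: Key error. File not found",
    r"O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)",
    r"O2 - BHO: (BHO) - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\WINDOWS\system32\iehelper.dll ()",
    r"O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Co.)",
    r'O4 - HKU\S-1-5-18..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\459ce0261.dll"" File not found',
]

if __name__ == "__main__":
    # Prints a worklist for a human: each flagged line followed by why it was flagged.
    for flagged, why in triage(SAMPLE_LINES):
        print(flagged)
        for reason in why:
            print("    ->", reason)
```

Run against a saved log with `triage(open("OTListIt.Txt", encoding="latin-1"))` to get the worklist; treat the output as a reading order, not a verdict, since plenty of legitimate drivers ship without version information and the helper still has to check each flagged file by hand.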

#4 cheezfri

cheezfri
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:38 AM

Posted 19 April 2009 - 02:22 PM

Thank you Sam. Here are the results files:

OTListIt.Txt:

OTListIt logfile created on: 4/19/2009 2:13:45 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\Other\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18372)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 0.94 Gb Available Physical Memory | 62.99% Memory free
2.11 Gb Paging File | 1.72 Gb Available in Paging File | 81.44% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 72.54 Gb Total Space | 11.87 Gb Free Space | 16.37% Space Free | Partition Type: NTFS
Drive D: | 1.95 Gb Total Space | 1.24 Gb Free Space | 63.29% Space Free | Partition Type: NTFS
Drive E: | 2.77 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: COOPER
Current User Name: Other
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2003/07/28 15:19:00 | 00,077,824 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2007/03/11 21:34:40 | 00,049,152 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
PRC - [2007/08/15 14:19:44 | 01,564,672 | ---- | M] (Belkin) -- C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe
PRC - [2007/03/11 21:26:24 | 00,210,520 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
PRC - [2008/09/19 17:34:20 | 00,079,088 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
PRC - [2007/03/11 21:32:42 | 00,151,552 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
PRC - [2009/01/17 10:48:13 | 07,666,288 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/04/19 14:13:05 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Other\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2007/08/23 22:18:19 | 00,353,280 | ---- | M] (GRISOFT, s.r.o.) -- C:\Program Files\Grisoft\AVG7\avgamsvr.exe -- (Avg7Alrt [Disabled | Stopped])
SRV - [2007/08/23 22:18:24 | 00,049,664 | ---- | M] (GRISOFT, s.r.o.) -- C:\Program Files\Grisoft\AVG7\avgupsvc.exe -- (Avg7UpdSvc [Disabled | Stopped])
SRV - [2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2007/06/04 22:14:50 | 00,217,088 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll -- (hpqcxs08 [On_Demand | Running])
SRV - [2007/06/04 22:14:50 | 00,131,072 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll -- (hpqddsvc [Auto | Running])
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [Disabled | Stopped])
SRV - [2006/11/08 16:35:36 | 00,043,520 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\system32\HPZinw12.dll -- (Net Driver HPZ12 [Auto | Running])
SRV - [2003/07/28 15:19:00 | 00,077,824 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2006/10/26 19:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [Disabled | Stopped])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [Disabled | Stopped])
SRV - [2006/11/08 16:35:38 | 00,053,248 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\system32\HPZipm12.dll -- (Pml Driver HPZ12 [Auto | Running])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [Disabled | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2008/11/03 19:30:07 | 00,021,035 | ---- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\system32\DRIVERS\AegisP.sys -- (AegisP [Auto | Running])
DRV - [2002/07/16 20:05:10 | 00,016,512 | ---- | M] (Adaptec) -- C:\WINDOWS\System32\drivers\aspi32.sys -- (Aspi32 [Auto | Running])
DRV - [2007/08/31 11:24:47 | 00,821,600 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\System32\Drivers\avg7core.sys -- (Avg7Core [System | Stopped])
DRV - [2007/08/23 22:18:19 | 00,004,224 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\System32\Drivers\avg7rsw.sys -- (Avg7RsW [System | Running])
DRV - [2007/08/23 22:18:21 | 00,027,776 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\System32\Drivers\avg7rsxp.sys -- (Avg7RsXP [System | Stopped])
DRV - [2007/08/23 22:18:22 | 00,003,968 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgclean.sys -- (AvgClean [System | Running])
DRV - [2007/06/01 00:13:20 | 00,238,848 | R--- | M] (Belkin Corporation. ) -- C:\WINDOWS\system32\DRIVERS\BLKWGU.sys -- (BELKIN [On_Demand | Running])
DRV - [2003/07/16 23:28:02 | 00,017,142 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\WINDOWS\System32\CBTNDIS5.SYS -- (CBTNDIS5 [On_Demand | Stopped])
DRV - [2003/09/22 09:48:06 | 00,130,192 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys -- (ctsfm2k [On_Demand | Stopped])
DRV - [2006/10/26 13:22:00 | 00,357,344 | R--- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\PRISMA02.sys -- (DELL_A02 [On_Demand | Stopped])
DRV - [2003/03/04 13:56:26 | 00,145,408 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Running])
DRV - [2006/11/15 17:23:06 | 00,038,144 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\system32\DRIVERS\EAPPkt.sys -- (EAPPkt [Auto | Running])
DRV - [2001/08/17 13:19:26 | 00,283,904 | ---- | M] () -- C:\WINDOWS\system32\drivers\emu10k1m.sys -- (emu10k [On_Demand | Stopped])
DRV - [2001/08/17 13:19:28 | 00,006,912 | ---- | M] () -- C:\WINDOWS\system32\drivers\ctlfacem.sys -- (emu10k1 [On_Demand | Stopped])
DRV - [2008/04/13 13:45:29 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\gameenum.sys -- (gameenum [On_Demand | Running])
DRV - [2007/03/07 23:20:48 | 00,049,920 | R--- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
DRV - [2007/03/07 23:20:49 | 00,016,496 | R--- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
DRV - [2007/03/07 23:20:50 | 00,021,568 | R--- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
DRV - [2003/08/05 02:07:00 | 00,083,552 | R--- | M] (ALinx Corporation) -- C:\WINDOWS\System32\DRIVERS\m4301A.sys -- (m4301a [On_Demand | Stopped])
DRV - [2003/07/28 15:19:00 | 01,341,339 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2001/05/14 19:15:40 | 00,010,368 | ---- | M] (Dell Computer Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI [System | Running])
DRV - [2003/09/22 09:47:38 | 00,178,672 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\DRIVERS\ctoss2k.sys -- (ossrv [On_Demand | Stopped])
DRV - [2003/07/09 17:25:27 | 00,031,744 | ---- | M] () -- C:\Documents and Settings\Other\Local Settings\temp\oUltraf.sys -- (oUltraf [On_Demand | Stopped])
DRV - [2002/08/30 11:29:02 | 01,293,440 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\P16X.sys -- (P16X [On_Demand | Running])
DRV - [2003/03/05 13:19:28 | 00,015,840 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\PfModNT.sys -- (PfModNT [Auto | Running])
DRV - [2003/03/31 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/03/29 04:00:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2001/08/17 13:19:34 | 00,036,480 | ---- | M] () -- C:\WINDOWS\system32\drivers\sfmanm.sys -- (sfman [On_Demand | Stopped])
DRV - [2007/07/03 19:54:24 | 00,080,552 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\system32\DRIVERS\sscdbus.sys -- (sscdbus [On_Demand | Stopped])
DRV - [2007/07/03 19:57:24 | 00,011,944 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys -- (sscdmdfl [On_Demand | Stopped])
DRV - [2007/07/03 19:58:20 | 00,106,792 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\system32\DRIVERS\sscdmdm.sys -- (sscdmdm [On_Demand | Stopped])
DRV - [2007/07/03 19:59:10 | 00,086,824 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\system32\DRIVERS\sscdserd.sys -- (sscdserd [On_Demand | Stopped])
DRV - [2001/08/17 14:53:32 | 00,006,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\serscan.sys -- (StillCam [On_Demand | Running])
DRV - [2008/04/13 13:56:49 | 00,012,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\usb8023x.sys -- (usb_rndisx [On_Demand | Stopped])
DRV - [2006/11/06 19:04:56 | 00,028,672 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\wceusbsh.sys -- (wceusbsh [On_Demand | Stopped])
DRV - [2007/12/13 14:52:12 | 00,031,400 | ---- | M] (Exent Technologies Ltd.) -- C:\Program Files\GameTap\bin\Release\X4HSX32.Sys -- (X4HSX32 [Auto | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2025429265-1060284298-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-2025429265-1060284298-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-2025429265-1060284298-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\S-1-5-21-2025429265-1060284298-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2025429265-1060284298-682003330-1004\S-1-5-21-2025429265-1060284298-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig"
FF - prefs.js..extensions.enabledItems: {3112ca9c-de6d-4884-a869-9855de68056c}:3.1.20081127W
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}:6.0.05
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.5

FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.15\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/01/17 10:48:25 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.15\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/02/13 16:23:07 | 00,000,000 | ---D | M]

[2008/12/17 19:10:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Other\Application Data\mozilla\Extensions
[2008/12/17 19:10:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Other\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/02/15 20:51:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Other\Application Data\mozilla\Firefox\Profiles\pk6na3lk.default\extensions
[2009/12/22 22:38:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Other\Application Data\mozilla\Firefox\Profiles\pk6na3lk.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/03/01 11:52:34 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2008/12/17 19:10:23 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/05/11 14:14:06 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
[2009/01/17 10:48:09 | 00,067,696 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jar50.dll
[2009/01/17 10:48:09 | 00,054,376 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jsd3250.dll
[2009/01/17 10:48:09 | 00,034,952 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\myspell.dll
[2009/01/17 10:48:10 | 00,046,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\spellchk.dll
[2009/01/17 10:48:10 | 00,172,144 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\xpinstal.dll
[2009/01/17 10:48:16 | 00,001,514 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/01/17 10:48:16 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/01/17 10:48:16 | 00,001,038 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/01/17 10:48:16 | 00,001,046 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/01/17 10:48:16 | 00,002,351 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/12/02 03:04:40 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/01/17 10:48:16 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (686 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - Reg Error: Key error. File not found
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (HP Print Clips) - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll (Hewlett-Packard Co.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll File not found
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (BHO) - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\WINDOWS\system32\iehelper.dll ()
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Co.)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] nwiz.exe /install (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKU\.DEFAULT..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\459ce0261.dll"" File not found
O4 - HKU\S-1-5-18..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\459ce0261.dll"" File not found
O4 - HKU\S-1-5-19..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\459ce0261.dll"" File not found
O4 - HKU\S-1-5-20..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\459ce0261.dll"" File not found
O4 - HKU\S-1-5-21-2025429265-1060284298-682003330-1004..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent (Electronic Arts)
O4 - HKU\S-1-5-21-2025429265-1060284298-682003330-1004..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (Yahoo! Inc.)
O4 - HKU\S-1-5-21-2025429265-1060284298-682003330-1004..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\Other\Application Data\Macromedia\Common\459ce0261.dll"" File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin Wireless G USB Adapter Client Utility.lnk = C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe (Belkin)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\Other\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Other\Local Settings\temp\{85A4CCAF-7462-4718-8008-69673F9A7A29}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-2025429265-1060284298-682003330-1004\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-2025429265-1060284298-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2025429265-1060284298-682003330-1004_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)
O9 - Extra Button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O9 - Extra Button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} http://www.creative.com/su/ocx/15030/CTSUEng.cab (Creative Software AutoUpdate)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1005.cab (MySpace Uploader Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1187906124500 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://www.gamehouse.com/realarcade-webgam...opcaploader.cab (PopCapLoader Object)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://www.creative.com/su/ocx/15030/CTPID.cab (Creative Software AutoUpdate Support Package)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/08/23 14:51:33 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/05/27 19:56:48 | 00,431,368 | R--- | M] (Electronic Arts) - E:\AutoRun.exe -- [ UDF ]
O32 - AutoRun File - [2008/05/27 19:56:48 | 00,431,368 | R--- | M] (Electronic Arts) - E:\Autorun.exe -- [ UDF ]
O32 - AutoRun File - [2008/04/09 20:19:21 | 00,000,136 | R--- | M] () - E:\autorun.inf -- [ UDF ]
O33 - MountPoints2\{7f22f9c3-517e-11dc-9d5d-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{7f22f9c3-517e-11dc-9d5d-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7f22f9c3-517e-11dc-9d5d-806d6172696f}\Shell\AutoRun\command - "" = E:\Autorun.exe -- [2008/05/27 19:56:48 | 00,431,368 | R--- | M] (Electronic Arts)
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[5 C:\WINDOWS\*.tmp files]
[2009/12/23 13:15:44 | 00,012,305 | ---- | C] () -- C:\Documents and Settings\Other\Desktop\pink.jpg
[2009/12/23 12:59:03 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2009/12/22 23:14:55 | 00,008,192 | ---- | C] () -- C:\Documents and Settings\Other\My Documents\Tony Hawk's Pro Skater 4 # GBA.sav
[2009/12/22 23:13:38 | 08,388,608 | ---- | C] () -- C:\Documents and Settings\Other\My Documents\Tony Hawk's Pro Skater 4 # GBA.GBA
[2009/04/19 14:13:05 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Other\Desktop\OTListIt2.exe
[2009/04/19 11:42:44 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/04/18 21:24:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Other\My Documents\SimCity Societies
[2009/04/18 21:24:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SimCity Societies
[2009/04/18 21:22:39 | 00,001,908 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SimCity™ Societies.lnk
[2009/04/18 20:30:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Other\Local Settings\Application Data\Warner Bros. Interactive Entertainment
[2009/04/18 20:23:10 | 00,000,000 | ---D | C] -- C:\Program Files\Warner Bros. Interactive Entertainment
[2009/04/18 18:23:20 | 00,000,861 | ---- | C] () -- C:\Documents and Settings\Other\Desktop\RollerCoaster Tycoon® 3.lnk
[2009/04/18 14:13:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Other\Local Settings\Application Data\Lemonade Productions
[2009/04/16 17:39:18 | 00,000,000 | ---D | C] -- C:\dc90c5daeb50094db187b95706
[2009/04/15 20:59:14 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/15 20:59:14 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/15 20:59:13 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/15 20:59:13 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/15 20:59:13 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/15 20:59:13 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/15 20:59:12 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/15 20:59:12 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/15 20:59:12 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/15 20:56:39 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/04/15 20:56:39 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/15 20:56:39 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/12 19:32:46 | 00,000,281 | ---- | C] () -- C:\WINDOWS\EReg072.dat
[2009/04/12 19:32:35 | 00,000,864 | ---- | C] () -- C:\Documents and Settings\Other\Desktop\SimCity 3000.lnk
[2009/04/12 19:31:29 | 00,000,000 | ---D | C] -- C:\Program Files\Maxis
[2009/04/12 18:20:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Other\My Documents\RCT3
[2009/04/12 18:20:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Other\Application Data\Atari
[2009/04/12 18:16:53 | 00,001,478 | ---- | C] () -- C:\Documents and Settings\Other\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
[2009/04/12 18:16:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Other\Application Data\Leadertech
[2009/04/12 18:16:34 | 00,197,120 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2009/04/12 18:16:34 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\PocketSoft
[2009/04/12 18:13:56 | 00,000,000 | ---D | C] -- C:\Program Files\Atari
[2009/03/21 09:06:58 | 00,989,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kernel32.dll
[2009/02/28 23:02:20 | 00,009,728 | ---- | C] () -- C:\WINDOWS\System32\iehelper.dll
[2008/11/10 21:58:04 | 00,000,145 | ---- | C] () -- C:\WINDOWS\Eudcedit.ini
[2008/11/03 19:29:22 | 00,013,768 | ---- | C] () -- C:\WINDOWS\System32\drivers\string.ini
[2008/09/02 19:37:54 | 00,000,082 | ---- | C] () -- C:\WINDOWS\MPLAYER.INI
[2008/07/21 18:09:46 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2008/06/12 22:25:14 | 00,000,094 | -H-- | C] () -- C:\WINDOWS\System32\tbd_G1ssg.ini
[2008/01/27 22:03:11 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/12/23 22:20:48 | 00,000,001 | ---- | C] () -- C:\WINDOWS\hlp-fastvid.dll
[2007/09/26 13:17:53 | 00,002,092 | ---- | C] () -- C:\WINDOWS\System32\P16X.ini
[2007/09/26 13:17:53 | 00,000,026 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2007/09/11 15:07:10 | 00,495,616 | ---- | C] () -- C:\WINDOWS\System32\sblfx.dll
[2007/09/11 15:07:10 | 00,283,904 | ---- | C] () -- C:\WINDOWS\System32\drivers\emu10k1m.sys
[2007/09/11 15:07:10 | 00,256,512 | ---- | C] () -- C:\WINDOWS\System32\devcon32.dll
[2007/09/11 15:07:10 | 00,051,200 | ---- | C] () -- C:\WINDOWS\System32\sfman32.dll
[2007/09/11 15:07:10 | 00,036,480 | ---- | C] () -- C:\WINDOWS\System32\drivers\sfmanm.sys
[2007/09/11 15:07:10 | 00,006,912 | ---- | C] () -- C:\WINDOWS\System32\drivers\ctlfacem.sys
[2007/09/11 14:44:22 | 00,000,011 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2007/08/23 18:56:22 | 00,049,152 | R--- | C] () -- C:\WINDOWS\System32\CoPrism.dll
[2007/08/23 16:19:03 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\IsUser11b.dll
[2007/08/23 15:01:32 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2003/03/31 07:00:00 | 00,000,679 | ---- | C] () -- C:\WINDOWS\win.ini
[2003/03/31 07:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2002/05/10 01:25:00 | 00,039,936 | ---- | C] () -- C:\WINDOWS\System32\P16X.dll
[2002/04/21 21:24:50 | 00,005,917 | ---- | C] () -- C:\WINDOWS\SBMIXDEF.INI
[2002/04/10 20:41:00 | 00,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll
[2002/04/03 04:28:54 | 00,006,175 | ---- | C] () -- C:\WINDOWS\MIXDEF.INI

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2009/12/23 13:15:44 | 00,012,305 | ---- | M] () -- C:\Documents and Settings\Other\Desktop\pink.jpg
[2009/12/22 23:16:27 | 00,008,192 | ---- | M] () -- C:\Documents and Settings\Other\My Documents\Tony Hawk's Pro Skater 4 # GBA.sav
[2009/04/19 14:13:05 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Other\Desktop\OTListIt2.exe
[2009/04/19 14:10:39 | 00,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1060284298-682003330-1003.job
[2009/04/19 09:03:37 | 00,000,476 | ---- | M] () -- C:\WINDOWS\tasks\SDMsgUpdate (TE).job
[2009/04/19 09:03:17 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/19 09:03:10 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/19 09:03:06 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/19 09:03:04 | 16,096,17408 | -HS- | M] () -- C:\hiberfil.sys
[2009/04/18 21:22:39 | 00,001,908 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SimCity™ Societies.lnk
[2009/04/18 18:23:41 | 00,107,888 | ---- | M] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[2009/04/18 15:29:24 | 02,108,300 | -H-- | M] () -- C:\Documents and Settings\Other\Local Settings\Application Data\IconCache.db
[2009/04/18 14:12:30 | 00,464,860 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/18 14:12:30 | 00,397,560 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/18 14:12:30 | 00,059,780 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/16 17:39:16 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/12 19:32:46 | 00,000,281 | ---- | M] () -- C:\WINDOWS\EReg072.dat
[2009/04/12 19:32:35 | 00,000,864 | ---- | M] () -- C:\Documents and Settings\Other\Desktop\SimCity 3000.lnk
[2009/04/12 18:16:53 | 00,001,478 | ---- | M] () -- C:\Documents and Settings\Other\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
[2009/04/12 18:14:03 | 00,000,861 | ---- | M] () -- C:\Documents and Settings\Other\Desktop\RollerCoaster Tycoon® 3.lnk
[2009/04/06 09:57:24 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/03/27 01:58:38 | 01,203,922 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/03/21 09:06:58 | 00,989,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\kernel32.dll
[2009/03/21 09:06:58 | 00,989,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kernel32.dll
< End of report >

Extras.Txt:

OTListIt Extras logfile created on: 4/19/2009 2:13:45 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\Other\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18372)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 0.94 Gb Available Physical Memory | 62.99% Memory free
2.11 Gb Paging File | 1.72 Gb Available in Paging File | 81.44% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 72.54 Gb Total Space | 11.87 Gb Free Space | 16.37% Space Free | Partition Type: NTFS
Drive D: | 1.95 Gb Total Space | 1.24 Gb Free Space | 63.29% Space Free | Partition Type: NTFS
Drive E: | 2.77 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: COOPER
Current User Name: Other
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2025429265-1060284298-682003330-1004\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
"16381:TCP" = 16381:TCP:*:Enabled:BitComet 16381 TCP
"16381:UDP" = 16381:UDP:*:Enabled:BitComet 16381 UDP

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 13:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/13 13:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007/08/23 22:18:23 | 00,438,272 | ---- | M] (GRISOFT, s.r.o.) -- C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe
[2007/08/23 22:18:19 | 00,353,280 | ---- | M] (GRISOFT, s.r.o.) -- C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe
[2007/08/24 12:07:43 | 00,416,256 | ---- | M] (GRISOFT, s.r.o.) -- C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe
[2008/09/19 17:34:18 | 04,347,120 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
[2008/07/07 13:14:40 | 00,282,624 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare
[2008/08/18 18:03:45 | 01,320,961 | ---- | M] (Sony Pictures Digital Networks Inc.) -- C:\Program Files\Sony Pictures Games\Rock and Roll JEOPARDY!\Rock & Roll JEOPARDY!.exe:*:Enabled:Rock & Roll JEOPARDY!
[2008/05/23 22:43:24 | 01,357,825 | ---- | M] (Sony Pictures Digital Networks Inc.) -- C:\Program Files\Sony Pictures Games\JEOPARDY!\JEOPARDY!.exe:*:Enabled:JEOPARDY!
[2008/06/11 19:19:47 | 00,086,016 | ---- | M] (AndNow LCC) -- C:\My Games\SmallBall Baseball\smallball.exe:*:Enabled:SmallBall BaseBall
[2009/02/06 13:17:38 | 03,325,952 | ---- | M] (Electronic Arts) -- C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager
[2008/04/13 19:12:15 | 01,032,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting®
[2007/11/12 16:48:02 | 21,760,296 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{001E7FB6-BB6B-4ED0-BEDC-B5404ED96D4E}" = DocProc
"{03EDED24-8375-407D-A721-4643D9768BE1}" = kgchlwn
"{073F22CE-9A5B-4A40-A604-C7270AC6BF34}" = ESSSONIC
"{0B5154C0-8F00-4616-B0AB-6240AE80D9CE}" = SimCity™ Societies
"{10E1E87C-656C-4D08-86D6-5443D28583BE}" = TrayApp
"{11F3F858-4131-4FFA-A560-3FE282933B6E}" = kgchday
"{13F00518-807A-4B3A-83B0-A7CD90F3A398}" = MarketResearch
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{1753255A-0AEB-4220-8C75-607B73F0C133}" = Copy
"{1E04F83B-2AB9-4301-9EF7-E86307F79C72}" = Google Earth
"{22466889-7642-488d-AA0E-F619704CF7AB}" = DeviceDiscovery
"{29FA38B4-0AE4-4D0D-8A51-6165BB990BB0}" = WebReg
"{2B59AB31-EBD0-45E4-A725-7112904DA605}" = Family Tree Maker Version 16
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}" = Scan
"{2F29D6D2-824E-4FEF-8AED-7013F39F642A}" = OpenOffice.org 2.3
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{398AB469-77FC-4935-820B-D419388C0A6A}" = LEGO® Batman™
"{40C03514-89C3-41BA-0090-3B440256DB87}" = The Sims 2
"{415CDA53-9100-476F-A7B2-476691E117C7}" = HP Smart Web Printing
"{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
"{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
"{4817189D-1785-4627-A33C-39FD90919300}" = The Sims 2 Pets
"{487B0B9B-DCD4-440D-89A0-A6EDE1A545A3}" = HPSSupply
"{49FC50FC-F965-40D9-89B4-CBFF80941033}" = Windows Movie Maker 2.0
"{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
"{543E938C-BDC4-4933-A612-01293996845F}" = UnloadSupport
"{5C648FDB-0138-4619-B66E-230EF53E8E2C}" = The Sims™ 2 Teen Style Stuff
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.6
"{5E06C076-E4E7-4239-A886-B3D8AC84C166}" = HP Print Diagnostic Utility
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}" = fflink
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{64963F0E-03F2-4B59-8D1B-1806545E7092}" = NVIDIA DDS Utilities
"{6522C636-B04C-4333-9BEB-9E0C0B6350D6}" = The Sims™ 2 Kitchen & Bath Interior Design Stuff
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{67E158AF-8856-4337-B483-EA21930786AF}" = GameTap
"{693C08A7-9E76-43FF-B11E-9A58175474C4}" = kgckids
"{6BDD9CE6-D0A6-478A-BAD3-BA6945E89EB0}" = The Sims 2 Family Fun Stuff
"{6E17F9751-F056-4335-B718-8AF1B1092AFB}" = The Sims™ 2 IKEA® Home Stuff
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{7059BDA7-E1DB-442C-B7A1-6144596720A4}" = HP Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7B3577F5-1D82-4C9B-008B-69D026FD8BCA}" = The Sims 2 Open For Business
"{824D3839-DAA1-4315-A822-7AE3E620E528}" = VideoToolkit01
"{8389382B-53BA-4A87-8854-91E3D80A5AC7}" = HP Photosmart Essential2.01
"{84DDE556-43EF-43ed-B2DF-37AF9E5DDD75}" = The Sims™ 2 H&M® Fashion Stuff
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{87F6C83D-F949-4d14-B5CB-DC8C75F8932D}" = The Sims™ 2 FreeTime
"{8912A802-1DD4-41F3-8450-B3209081BDB9}" = Sprint media manager
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8A8664E1-84C8-4936-891C-BC1F07797549}" = kgcvday
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{8FD3F4BA-A4A6-4380-00A6-CC6853AB2DC2}" = The Sims 2 University
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{907B4640-266B-4A21-92FB-CD1A86CD0F63}" = RollerCoaster Tycoon® 3
"{91120000-0014-0000-0000-0000000FF1CE}" = Microsoft Office Professional 2007
"{911A0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Outlook 2002
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{95774351-6087-3A3B-8CA8-70BEE49D2BD5}" = Google Gears
"{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}" = QuickTime
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9B0F9788-3141-4009-846E-52E59843E963}" = SimCity™ Societies
"{9BD54685-1496-46A5-AB62-357CD140ED8B}" = kgcinvt
"{9CDBC303-3EED-40b0-8E41-A7C65AA96C26}" = The Sims 2 Glamour Life Stuff
"{9DF0196F-B6B8-4C3A-8790-DE42AA530101}" = SPORE™
"{A1588373-1D86-4D44-86C9-78ABD190F9CC}" = kgcmove
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{ACA85783-8EEA-4f0a-B2A3-A8173F30209F}" = C4200_doccd
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{AEA07F97-9088-497c-8821-0F36BD5DC251}" = HPProductAssistant
"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
"{B09BCBF6-87EE-4403-A336-3A9510856535}" = HP Photosmart All-In-One Software 9.0
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B6F5B704-06D3-4687-90F3-6195304AD755}" = The Sims™ 2 Apartment Life
"{B78823CD-488F-43B4-80D6-FAEADAE40EC4}" = Instant Wireless USB Adapter
"{BCD6CD1A-0DBE-412E-9F25-3B500D1E6BA1}" = SolutionCenter
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{BFDE4176-5DFE-4db9-AA00-8F30CB001BDA}" = c4200_Help
"{C39E671D-0528-4c5e-A034-8470C5BC393A}" = C4200
"{D0E39A1D-0CEE-4D85-B4A2-E3BE990D075E}" = Destination Component
"{D1C7BB12-BE01-11DC-AAC9-EEBA55D89593}" = SimCity™ Societies Destinations
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{D593C72C-435B-4171-8106-9CA8AA34D716}" = Belkin Wireless G USB Adapter Software
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{D8B7A682-20DA-4797-8415-B1FB14D4D32B}" = PS_AIO_Software
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{DF507C99-7DE1-4fa8-8632-AB8A205F1258}" = The Sims™ 2 Store Edition
"{DF6DA606-904D-4C18-823F-A4CFC3035E53}" = eFax Messenger
"{DFEF49D9-FC95-4301-99B9-2FB91C6ABA06}" = The Sims™ 2 Seasons
"{E18B549C-5D15-45DA-8D8F-8FD2BD946344}" = kgcbaby
"{E2662C24-B31E-4349-A084-32EB76E8B760}" = BufferChm
"{E28750A2-45F2-4b63-99F7-9F81A94B1E2D}" = PS_AIO_Software_min
"{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}" = tooltips
"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
"{E9ED0801-253D-4FE9-AB20-F63DEFE72547}" = SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6
"{EAA38532-7AD0-4f78-918A-4F4F02096ECE}" = The Sims™ 2 Celebration! Stuff
"{EF7E931D-DC84-471B-8DB6-A83358095474}" = EA Download Manager
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}" = kgcbase
"{F248ADFA-64E0-4b03-8A83-059078BED6A0}" = The Sims™ 2 Bon Voyage
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F72E2DDC-3DB8-4190-A21D-63883D955FE7}" = PSSWCORE
"{F7529650-B9DB-481B-0089-A2AC3C2821C1}" = The Sims 2 Nightlife
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"{FD7F242B-9AA0-40c3-941E-3A9821D19C09}" = PS_AIO_ProductContext
"{FD8D8B04-BEAD-4A55-AA1D-62D2373E7DEA}" = Status
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.3
"Astraware Bejeweled 2 for Pocket PC" = Bejeweled 2 for Pocket PC
"Astraware Chuzzle for Pocket PC" = Chuzzle for Pocket PC
"Audacity_is1" = Audacity 1.2.6
"AVG7Uninstall" = AVG 7.5
"bejeweledtwisttm" = Bejeweled Twist™
"CamStudio" = CamStudio
"CEP - Colour Enable Packages_is1" = CEP - Color Enable Package
"EADM" = EA Download Manager
"ExpressBurn" = Express Burn
"ExpressRip" = Express Rip
"Fish Tycoon" = Fish Tycoon
"HijackThis" = HijackThis 2.0.2
"HP Imaging Device Functions" = HP Imaging Device Functions 9.0
"HP Photosmart Essential" = HP Photosmart Essential 2.01
"HP Solution Center & Imaging Support Tools" = HP Solution Center 9.0
"HPExtendedCapabilities" = HP Customer Participation Program 9.0
"HPOCR" = HP OCR Software 9.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8 Release Candidate 1
"InstallShield_{398AB469-77FC-4935-820B-D419388C0A6A}" = LEGO® Batman™
"InstallShield_{E9ED0801-253D-4FE9-AB20-F63DEFE72547}" = SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6
"InterActual Player" = InterActual Player
"JEOPARDY!" = JEOPARDY! (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (2.0.0.15)" = Mozilla Firefox (2.0.0.15)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"Plant Tycoon" = Plant Tycoon
"PROR" = Microsoft Office Professional 2007 Trial
"PROSet" = Intel® PRO Network Adapters and Drivers
"RealArcade" = RealArcade
"Rock and Roll JEOPARDY!" = Rock and Roll JEOPARDY! (remove only)
"SimCity 3000" = SimCity 3000
"SimPE_is1" = SimPE 0.62 (alpha)
"Simple Sudoku_is1" = Simple Sudoku 4.2
"VLC media player" = VideoLAN VLC media player 0.8.6i
"WavePad" = WavePad Uninstall
"WIC" = Windows Imaging Component
"Windows Essentials Media Codec Pack" = Windows Essentials Media Codec Pack 1.0
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WinXMedia AVI/WMV MP4 Converter" = WinXMedia AVI/WMV MP4 Converter 3.15
"WinXMedia DVD MP4 Video Converter" = WinXMedia DVD MP4 Video Converter 3.25
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Messenger" = Yahoo! Messenger
"YInstHelper" = Yahoo! Install Manager

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"SmartDraw 2009" = SmartDraw 2009

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2025429265-1060284298-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"SmartDraw 2009" = SmartDraw 2009

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/18/2009 3:11:54 PM | Computer Name = COOPER | Source = Application Error | ID = 1004
Description = Faulting application wmiprvse.exe, version 5.1.2600.5755, faulting
module unknown, version 0.0.0.0, fault address 0x01419bbf.

Error - 4/18/2009 3:11:56 PM | Computer Name = COOPER | Source = Application Error | ID = 1004
Description = Faulting application wmiprvse.exe, version 5.1.2600.5755, faulting
module unknown, version 0.0.0.0, fault address 0x01419bbf.

Error - 4/18/2009 4:14:52 PM | Computer Name = COOPER | Source = Application Error | ID = 1000
Description = Faulting application belkinwcui.exe, version 1.0.0.20, faulting module
belkinrtl87b.dll, version 402.1130.528.2007, fault address 0x0000ed21.

Error - 4/18/2009 8:00:32 PM | Computer Name = COOPER | Source = Application Hang | ID = 1002
Description = Hanging application SporeApp.exe, version 1.1.0.338, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 4/18/2009 9:57:19 PM | Computer Name = COOPER | Source = Application Error | ID = 1000
Description = Faulting application simcitysocieties.exe, version 1.0.4.270, faulting
module msvcr80.dll, version 8.0.50727.1433, fault address 0x000046b4.

Error - 4/18/2009 10:25:16 PM | Computer Name = COOPER | Source = Application Error | ID = 1000
Description = Faulting application wmiprvse.exe, version 5.1.2600.5755, faulting
module unknown, version 0.0.0.0, fault address 0x00ec9bbf.

Error - 4/19/2009 10:01:06 AM | Computer Name = COOPER | Source = Application Error | ID = 1000
Description = Faulting application wmiprvse.exe, version 5.1.2600.5755, faulting
module unknown, version 0.0.0.0, fault address 0x01419bbf.

Error - 4/19/2009 10:01:10 AM | Computer Name = COOPER | Source = Application Error | ID = 1000
Description = Faulting application wmiprvse.exe, version 5.1.2600.5755, faulting
module unknown, version 0.0.0.0, fault address 0x01419bbf.

Error - 4/19/2009 10:03:24 AM | Computer Name = COOPER | Source = Application Error | ID = 1004
Description = Faulting application wmiprvse.exe, version 5.1.2600.5755, faulting
module unknown, version 0.0.0.0, fault address 0x01419bbf.

Error - 4/19/2009 10:03:33 AM | Computer Name = COOPER | Source = Application Error | ID = 1004
Description = Faulting application wmiprvse.exe, version 5.1.2600.5755, faulting
module unknown, version 0.0.0.0, fault address 0x01419bbf.

[ System Events ]
Error - 3/1/2009 6:44:08 PM | Computer Name = COOPER | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD Networking Support
Environment service which failed to start because of the following error: %%31

Error - 3/1/2009 6:44:08 PM | Computer Name = COOPER | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 3/1/2009 6:44:08 PM | Computer Name = COOPER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Avg7RsW Fips intelppm IPSec MRxSmb NetBIOS NetBT OMCI RasAcd Rdbss Tcpip

Error - 4/6/2009 7:51:09 PM | Computer Name = COOPER | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 4/6/2009 7:51:09 PM | Computer Name = COOPER | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 4/7/2009 3:30:18 PM | Computer Name = COOPER | Source = Service Control Manager | ID = 7034
Description = The Windows Image Acquisition (WIA) service terminated unexpectedly.
It has done this 1 time(s).

Error - 4/7/2009 3:30:21 PM | Computer Name = COOPER | Source = Service Control Manager | ID = 7031
Description = The DCOM Server Process Launcher service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Reboot the machine.

Error - 4/7/2009 3:30:21 PM | Computer Name = COOPER | Source = Service Control Manager | ID = 7034
Description = The Terminal Services service terminated unexpectedly. It has done
this 1 time(s).

Error - 4/11/2009 4:10:19 PM | Computer Name = COOPER | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 4/19/2009 10:02:09 AM | Computer Name = COOPER | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0xd0000005: Security Update for Windows XP (KB959426).


< End of report >

GMER popped up a window saying "WARNING!!! GMER has found system modification caused by ROOTKIT activity."

GMER output:

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-19 14:21:48
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 8A0AAF38 ZwEnumerateKey
Code 8A0ABC60 ZwFlushInstructionCache
Code 89CD60D6 IofCallDriver
Code 8A01BA2E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 89CD60DB
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 8A01BA33
PAGE ntoskrnl.exe!ZwEnumerateKey 80578E14 5 Bytes JMP 8A0AAF3C
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80587BFB 5 Bytes JMP 8A0ABC64

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[128] kernel32.dll!CreateProcessW 7C802336 13 Bytes [58, 68, 36, 23, 01, 01, 50, ...] {POP EAX; PUSH 0x1012336; PUSH EAX; PUSH 0x875e10; RET }
.text C:\WINDOWS\System32\svchost.exe[128] kernel32.dll!ExitProcess 7C81CB12 7 Bytes [58, 68, 12, CB, 02, 01, 50] {POP EAX; PUSH 0x102cb12; PUSH EAX}
.text C:\WINDOWS\System32\svchost.exe[128] kernel32.dll!ExitProcess + 8 7C81CB1A 5 Bytes [30, 5D, 87, 00, C3] {XOR [EBP-0x79], BL; ADD BL, AL}
.text C:\WINDOWS\System32\svchost.exe[128] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 13 Bytes [58, 68, FD, 9F, 21, 01, 50, ...] {POP EAX; PUSH 0x1219ffd; PUSH EAX; PUSH 0x875de0; RET }
.text C:\WINDOWS\System32\svchost.exe[128] ADVAPI32.dll!CryptImportKey 77DEA1F1 13 Bytes [58, 68, F1, A1, 21, 01, 50, ...] {POP EAX; PUSH 0x121a1f1; PUSH EAX; PUSH 0x875d80; RET }
.text C:\WINDOWS\System32\svchost.exe[128] ADVAPI32.dll!CryptGenKey 77E11849 13 Bytes [58, 68, 49, 18, 24, 01, 50, ...] {POP EAX; PUSH 0x1241849; PUSH EAX; PUSH 0x875db0; RET }
.text C:\WINDOWS\System32\svchost.exe[128] WS2_32.dll!send 71AB4C27 13 Bytes [58, 68, 27, 4C, EF, 00, 50, ...] {POP EAX; PUSH 0xef4c27; PUSH EAX; PUSH 0x875610; RET }
.text C:\WINDOWS\System32\svchost.exe[128] WININET.dll!CommitUrlCacheEntryA 63010E7F 13 Bytes [58, 68, 7F, 0E, 12, 01, 50, ...] {POP EAX; PUSH 0x1120e7f; PUSH EAX; PUSH 0x875c70; RET }
.text C:\WINDOWS\System32\svchost.exe[128] WININET.dll!HttpOpenRequestA 6301782B 13 Bytes [58, 68, 2B, 78, 12, 01, 50, ...] {POP EAX; PUSH 0x112782b; PUSH EAX; PUSH 0x875bd0; RET }
.text C:\WINDOWS\System32\svchost.exe[128] WININET.dll!InternetConnectA 6301846A 13 Bytes [58, 68, 6A, 84, 12, 01, 50, ...] {POP EAX; PUSH 0x112846a; PUSH EAX; PUSH 0x875710; RET }
.text C:\WINDOWS\System32\svchost.exe[128] WININET.dll!InternetReadFile 6301DF1F 13 Bytes [58, 68, 1F, DF, 12, 01, 50, ...] {POP EAX; PUSH 0x112df1f; PUSH EAX; PUSH 0x875920; RET }
.text C:\WINDOWS\System32\svchost.exe[128] WININET.dll!HttpSendRequestW 6301E393 13 Bytes [58, 68, 93, E3, 12, 01, 50, ...] {POP EAX; PUSH 0x112e393; PUSH EAX; PUSH 0x875ba0; RET }
.text C:\WINDOWS\System32\svchost.exe[128] WININET.dll!HttpOpenRequestW 6301E4D0 13 Bytes [58, 68, D0, E4, 12, 01, 50, ...] {POP EAX; PUSH 0x112e4d0; PUSH EAX; PUSH 0x875c10; RET }
.text C:\WINDOWS\System32\svchost.exe[128] WININET.dll!InternetQueryDataAvailable 6301F165 13 Bytes [58, 68, 65, F1, 12, 01, 50, ...] {POP EAX; PUSH 0x112f165; PUSH EAX; PUSH 0x875a50; RET }
.text C:\WINDOWS\System32\svchost.exe[128] WININET.dll!HttpSendRequestA 63029522 13 Bytes [58, 68, 22, 95, 13, 01, 50, ...] {POP EAX; PUSH 0x1139522; PUSH EAX; PUSH 0x875af0; RET }
.text C:\WINDOWS\System32\svchost.exe[128] WININET.dll!CommitUrlCacheEntryW 630333BE 13 Bytes [58, 68, BE, 33, 14, 01, 50, ...] {POP EAX; PUSH 0x11433be; PUSH EAX; PUSH 0x875cd0; RET }
.text C:\WINDOWS\System32\svchost.exe[128] WININET.dll!InternetReadFileExW 63038D5B 13 Bytes [58, 68, 5B, 8D, 14, 01, 50, ...] {POP EAX; PUSH 0x1148d5b; PUSH EAX; PUSH 0x8758f0; RET }
.text C:\WINDOWS\System32\svchost.exe[128] WININET.dll!InternetReadFileExA 63038D93 13 Bytes [58, 68, 93, 8D, 14, 01, 50, ...] {POP EAX; PUSH 0x1148d93; PUSH EAX; PUSH 0x875790; RET }
.text C:\WINDOWS\System32\svchost.exe[128] WININET.dll!InternetWriteFile 630751E6 13 Bytes [58, 68, E6, 51, 18, 01, 50, ...] {POP EAX; PUSH 0x11851e6; PUSH EAX; PUSH 0x875740; RET }
.text C:\WINDOWS\System32\svchost.exe[128] WININET.dll!InternetErrorDlg 63099739 13 Bytes [58, 68, 39, 97, 1A, 01, 50, ...] {POP EAX; PUSH 0x11a9739; PUSH EAX; PUSH 0x875ad0; RET }
.text C:\WINDOWS\system32\ctfmon.exe[244] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B0000A
.text C:\WINDOWS\system32\ctfmon.exe[244] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00B1000A
.text C:\WINDOWS\system32\ctfmon.exe[244] kernel32.dll!CreateProcessW 7C802336 13 Bytes [58, 68, 36, 23, 18, 01, 50, ...] {POP EAX; PUSH 0x1182336; PUSH EAX; PUSH 0xa05e10; RET }
.text C:\WINDOWS\system32\ctfmon.exe[244] kernel32.dll!ExitProcess 7C81CB12 7 Bytes [58, 68, 12, CB, 19, 01, 50] {POP EAX; PUSH 0x119cb12; PUSH EAX}
.text C:\WINDOWS\system32\ctfmon.exe[244] kernel32.dll!ExitProcess + 8 7C81CB1A 5 Bytes [30, 5D, A0, 00, C3] {XOR [EBP-0x60], BL; ADD BL, AL}
.text C:\WINDOWS\system32\ctfmon.exe[244] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 13 Bytes [58, 68, FD, 9F, 38, 01, 50, ...] {POP EAX; PUSH 0x1389ffd; PUSH EAX; PUSH 0xa05de0; RET }
.text C:\WINDOWS\system32\ctfmon.exe[244] ADVAPI32.dll!CryptImportKey 77DEA1F1 13 Bytes [58, 68, F1, A1, 38, 01, 50, ...] {POP EAX; PUSH 0x138a1f1; PUSH EAX; PUSH 0xa05d80; RET }
.text C:\WINDOWS\system32\ctfmon.exe[244] ADVAPI32.dll!CryptGenKey 77E11849 13 Bytes [58, 68, 49, 18, 3B, 01, 50, ...] {POP EAX; PUSH 0x13b1849; PUSH EAX; PUSH 0xa05db0; RET }
.text C:\WINDOWS\system32\ctfmon.exe[244] WS2_32.dll!send 71AB4C27 13 Bytes [58, 68, 27, 4C, 0A, 01, 50, ...] {POP EAX; PUSH 0x10a4c27; PUSH EAX; PUSH 0xa05610; RET }
.text C:\WINDOWS\system32\ctfmon.exe[244] WININET.dll!CommitUrlCacheEntryA 63010E7F 13 Bytes [58, 68, 7F, 0E, 29, 01, 50, ...] {POP EAX; PUSH 0x1290e7f; PUSH EAX; PUSH 0xa05c70; RET }
.text C:\WINDOWS\system32\ctfmon.exe[244] WININET.dll!HttpOpenRequestA 6301782B 13 Bytes [58, 68, 2B, 78, 29, 01, 50, ...] {POP EAX; PUSH 0x129782b; PUSH EAX; PUSH 0xa05bd0; RET }
.text C:\WINDOWS\system32\ctfmon.exe[244] WININET.dll!InternetConnectA 6301846A 13 Bytes [58, 68, 6A, 84, 29, 01, 50, ...] {POP EAX; PUSH 0x129846a; PUSH EAX; PUSH 0xa05710; RET }
.text C:\WINDOWS\system32\ctfmon.exe[244] WININET.dll!InternetReadFile 6301DF1F 13 Bytes [58, 68, 1F, DF, 29, 01, 50, ...] {POP EAX; PUSH 0x129df1f; PUSH EAX; PUSH 0xa05920; RET }
.text C:\WINDOWS\system32\ctfmon.exe[244] WININET.dll!HttpSendRequestW 6301E393 13 Bytes [58, 68, 93, E3, 29, 01, 50, ...] {POP EAX; PUSH 0x129e393; PUSH EAX; PUSH 0xa05ba0; RET }
.text C:\WINDOWS\system32\ctfmon.exe[244] WININET.dll!HttpOpenRequestW 6301E4D0 13 Bytes [58, 68, D0, E4, 29, 01, 50, ...] {POP EAX; PUSH 0x129e4d0; PUSH EAX; PUSH 0xa05c10; RET }
.text C:\WINDOWS\system32\ctfmon.exe[244] WININET.dll!InternetQueryDataAvailable 6301F165 13 Bytes [58, 68, 65, F1, 29, 01, 50, ...] {POP EAX; PUSH 0x129f165; PUSH EAX; PUSH 0xa05a50; RET }
.text C:\WINDOWS\system32\ctfmon.exe[244] WININET.dll!HttpSendRequestA 63029522 13 Bytes [58, 68, 22, 95, 2A, 01, 50, ...] {POP EAX; PUSH 0x12a9522; PUSH EAX; PUSH 0xa05af0; RET }
.text C:\WINDOWS\system32\ctfmon.exe[244] WININET.dll!CommitUrlCacheEntryW 630333BE 13 Bytes [58, 68, BE, 33, 2B, 01, 50, ...] {POP EAX; PUSH 0x12b33be; PUSH EAX; PUSH 0xa05cd0; RET }
.text C:\WINDOWS\system32\ctfmon.exe[244] WININET.dll!InternetReadFileExW 63038D5B 13 Bytes [58, 68, 5B, 8D, 2B, 01, 50, ...] {POP EAX; PUSH 0x12b8d5b; PUSH EAX; PUSH 0xa058f0; RET }
.text C:\WINDOWS\system32\ctfmon.exe[244] WININET.dll!InternetReadFileExA 63038D93 13 Bytes [58, 68, 93, 8D, 2B, 01, 50, ...] {POP EAX; PUSH 0x12b8d93; PUSH EAX; PUSH 0xa05790; RET }
.text C:\WINDOWS\system32\ctfmon.exe[244] WININET.dll!InternetWriteFile 630751E6 13 Bytes [58, 68, E6, 51, 2F, 01, 50, ...] {POP EAX; PUSH 0x12f51e6; PUSH EAX; PUSH 0xa05740; RET }
.text C:\WINDOWS\system32\ctfmon.exe[244] WININET.dll!InternetErrorDlg 63099739 13 Bytes [58, 68, 39, 97, 31, 01, 50, ...] {POP EAX; PUSH 0x1319739; PUSH EAX; PUSH 0xa05ad0; RET }
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!CreateProcessW 7C802336 13 Bytes [58, 68, 36, 23, 01, 01, 50, ...] {POP EAX; PUSH 0x1012336; PUSH EAX; PUSH 0x875e10; RET }
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!ExitProcess 7C81CB12 7 Bytes [58, 68, 12, CB, 02, 01, 50] {POP EAX; PUSH 0x102cb12; PUSH EAX}
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!ExitProcess + 8 7C81CB1A 5 Bytes [30, 5D, 87, 00, C3] {XOR [EBP-0x79], BL; ADD BL, AL}
.text C:\WINDOWS\System32\svchost.exe[316] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 13 Bytes [58, 68, FD, 9F, 5C, 01, 50, ...] {POP EAX; PUSH 0x15c9ffd; PUSH EAX; PUSH 0x875de0; RET }
.text C:\WINDOWS\System32\svchost.exe[316] ADVAPI32.dll!CryptImportKey 77DEA1F1 13 Bytes [58, 68, F1, A1, 5C, 01, 50, ...] {POP EAX; PUSH 0x15ca1f1; PUSH EAX; PUSH 0x875d80; RET }
.text C:\WINDOWS\System32\svchost.exe[316] ADVAPI32.dll!CryptGenKey 77E11849 13 Bytes [58, 68, 49, 18, 5F, 01, 50, ...] {POP EAX; PUSH 0x15f1849; PUSH EAX; PUSH 0x875db0; RET }
.text C:\WINDOWS\System32\svchost.exe[316] WS2_32.dll!send 71AB4C27 13 Bytes [58, 68, 27, 4C, FC, 00, 50, ...] {POP EAX; PUSH 0xfc4c27; PUSH EAX; PUSH 0x875610; RET }
.text C:\WINDOWS\System32\svchost.exe[316] WININET.dll!CommitUrlCacheEntryA 63010E7F 13 Bytes [58, 68, 7F, 0E, 4D, 01, 50, ...] {POP EAX; PUSH 0x14d0e7f; PUSH EAX; PUSH 0x875c70; RET }
.text C:\WINDOWS\System32\svchost.exe[316] WININET.dll!HttpOpenRequestA 6301782B 13 Bytes [58, 68, 2B, 78, 4D, 01, 50, ...] {POP EAX; PUSH 0x14d782b; PUSH EAX; PUSH 0x875bd0; RET }
.text C:\WINDOWS\System32\svchost.exe[316] WININET.dll!InternetConnectA 6301846A 13 Bytes [58, 68, 6A, 84, 4D, 01, 50, ...] {POP EAX; PUSH 0x14d846a; PUSH EAX; PUSH 0x875710; RET }
.text C:\WINDOWS\System32\svchost.exe[316] WININET.dll!InternetReadFile 6301DF1F 13 Bytes [58, 68, 1F, DF, 4D, 01, 50, ...] {POP EAX; PUSH 0x14ddf1f; PUSH EAX; PUSH 0x875920; RET }
.text C:\WINDOWS\System32\svchost.exe[316] WININET.dll!HttpSendRequestW 6301E393 13 Bytes [58, 68, 93, E3, 4D, 01, 50, ...] {POP EAX; PUSH 0x14de393; PUSH EAX; PUSH 0x875ba0; RET }
.text C:\WINDOWS\System32\svchost.exe[316] WININET.dll!HttpOpenRequestW 6301E4D0 13 Bytes [58, 68, D0, E4, 4D, 01, 50, ...] {POP EAX; PUSH 0x14de4d0; PUSH EAX; PUSH 0x875c10; RET }
.text C:\WINDOWS\System32\svchost.exe[316] WININET.dll!InternetQueryDataAvailable 6301F165 13 Bytes [58, 68, 65, F1, 4D, 01, 50, ...] {POP EAX; PUSH 0x14df165; PUSH EAX; PUSH 0x875a50; RET }
.text C:\WINDOWS\System32\svchost.exe[316] WININET.dll!HttpSendRequestA 63029522 13 Bytes [58, 68, 22, 95, 4E, 01, 50, ...] {POP EAX; PUSH 0x14e9522; PUSH EAX; PUSH 0x875af0; RET }
.text C:\WINDOWS\System32\svchost.exe[316] WININET.dll!CommitUrlCacheEntryW 630333BE 13 Bytes [58, 68, BE, 33, 4F, 01, 50, ...] {POP EAX; PUSH 0x14f33be; PUSH EAX; PUSH 0x875cd0; RET }
.text C:\WINDOWS\System32\svchost.exe[316] WININET.dll!InternetReadFileExW 63038D5B 13 Bytes [58, 68, 5B, 8D, 4F, 01, 50, ...] {POP EAX; PUSH 0x14f8d5b; PUSH EAX; PUSH 0x8758f0; RET }
.text C:\WINDOWS\System32\svchost.exe[316] WININET.dll!InternetReadFileExA 63038D93 13 Bytes [58, 68, 93, 8D, 4F, 01, 50, ...] {POP EAX; PUSH 0x14f8d93; PUSH EAX; PUSH 0x875790; RET }
.text C:\WINDOWS\System32\svchost.exe[316] WININET.dll!InternetWriteFile 630751E6 13 Bytes [58, 68, E6, 51, 53, 01, 50, ...] {POP EAX; PUSH 0x15351e6; PUSH EAX; PUSH 0x875740; RET }
.text C:\WINDOWS\System32\svchost.exe[316] WININET.dll!InternetErrorDlg 63099739 13 Bytes [58, 68, 39, 97, 55, 01, 50, ...] {POP EAX; PUSH 0x1559739; PUSH EAX; PUSH 0x875ad0; RET }
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[736] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0096000A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[736] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0097000A
.text C:\WINDOWS\system32\winlogon.exe[820] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0068000A
.text C:\WINDOWS\system32\winlogon.exe[820] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0069000A
.text C:\WINDOWS\system32\winlogon.exe[820] kernel32.dll!CreateProcessW 7C802336 13 Bytes [58, 68, 36, 23, 67, 02, 50, ...] {POP EAX; PUSH 0x2672336; PUSH EAX; PUSH 0x21c5e10; RET }
.text C:\WINDOWS\system32\winlogon.exe[820] kernel32.dll!ExitProcess 7C81CB12 7 Bytes [58, 68, 12, CB, 68, 02, 50] {POP EAX; PUSH 0x268cb12; PUSH EAX}
.text C:\WINDOWS\system32\winlogon.exe[820] kernel32.dll!ExitProcess + 8 7C81CB1A 5 Bytes [30, 5D, 1C, 02, C3] {XOR [EBP+0x1c], BL; ADD AL, BL}
.text C:\WINDOWS\system32\winlogon.exe[820] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 13 Bytes [58, 68, FD, 9F, 8C, 02, 50, ...] {POP EAX; PUSH 0x28c9ffd; PUSH EAX; PUSH 0x21c5de0; RET }
.text C:\WINDOWS\system32\winlogon.exe[820] ADVAPI32.dll!CryptImportKey 77DEA1F1 13 Bytes [58, 68, F1, A1, 8C, 02, 50, ...] {POP EAX; PUSH 0x28ca1f1; PUSH EAX; PUSH 0x21c5d80; RET }
.text C:\WINDOWS\system32\winlogon.exe[820] ADVAPI32.dll!CryptGenKey 77E11849 13 Bytes [58, 68, 49, 18, 8F, 02, 50, ...] {POP EAX; PUSH 0x28f1849; PUSH EAX; PUSH 0x21c5db0; RET }
.text C:\WINDOWS\system32\winlogon.exe[820] WS2_32.dll!send 71AB4C27 13 Bytes [58, 68, 27, 4C, 43, 02, 50, ...] {POP EAX; PUSH 0x2434c27; PUSH EAX; PUSH 0x21c5610; RET }
.text C:\WINDOWS\system32\winlogon.exe[820] WININET.dll!CommitUrlCacheEntryA 63010E7F 13 Bytes [58, 68, 7F, 0E, 33, 02, 50, ...] {POP EAX; PUSH 0x2330e7f; PUSH EAX; PUSH 0x21c5c70; RET }
.text C:\WINDOWS\system32\winlogon.exe[820] WININET.dll!HttpOpenRequestA 6301782B 13 Bytes [58, 68, 2B, 78, 33, 02, 50, ...] {POP EAX; PUSH 0x233782b; PUSH EAX; PUSH 0x21c5bd0; RET }
.text C:\WINDOWS\system32\winlogon.exe[820] WININET.dll!InternetConnectA 6301846A 13 Bytes [58, 68, 6A, 84, 33, 02, 50, ...] {POP EAX; PUSH 0x233846a; PUSH EAX; PUSH 0x21c5710; RET }
.text C:\WINDOWS\system32\winlogon.exe[820] WININET.dll!InternetReadFile 6301DF1F 13 Bytes [58, 68, 1F, DF, 33, 02, 50, ...] {POP EAX; PUSH 0x233df1f; PUSH EAX; PUSH 0x21c5920; RET }
.text C:\WINDOWS\system32\winlogon.exe[820] WININET.dll!HttpSendRequestW 6301E393 13 Bytes [58, 68, 93, E3, 33, 02, 50, ...] {POP EAX; PUSH 0x233e393; PUSH EAX; PUSH 0x21c5ba0; RET }
.text C:\WINDOWS\system32\winlogon.exe[820] WININET.dll!HttpOpenRequestW 6301E4D0 13 Bytes [58, 68, D0, E4, 33, 02, 50, ...] {POP EAX; PUSH 0x233e4d0; PUSH EAX; PUSH 0x21c5c10; RET }
.text C:\WINDOWS\system32\winlogon.exe[820] WININET.dll!InternetQueryDataAvailable 6301F165 13 Bytes [58, 68, 65, F1, 33, 02, 50, ...] {POP EAX; PUSH 0x233f165; PUSH EAX; PUSH 0x21c5a50; RET }
.text C:\WINDOWS\system32\winlogon.exe[820] WININET.dll!HttpSendRequestA 63029522 13 Bytes [58, 68, 22, 95, 34, 02, 50, ...] {POP EAX; PUSH 0x2349522; PUSH EAX; PUSH 0x21c5af0; RET }
.text C:\WINDOWS\system32\winlogon.exe[820] WININET.dll!CommitUrlCacheEntryW 630333BE 13 Bytes [58, 68, BE, 33, 35, 02, 50, ...] {POP EAX; PUSH 0x23533be; PUSH EAX; PUSH 0x21c5cd0; RET }
.text C:\WINDOWS\system32\winlogon.exe[820] WININET.dll!InternetReadFileExW 63038D5B 13 Bytes [58, 68, 5B, 8D, 35, 02, 50, ...] {POP EAX; PUSH 0x2358d5b; PUSH EAX; PUSH 0x21c58f0; RET }
.text C:\WINDOWS\system32\winlogon.exe[820] WININET.dll!InternetReadFileExA 63038D93 13 Bytes [58, 68, 93, 8D, 35, 02, 50, ...] {POP EAX; PUSH 0x2358d93; PUSH EAX; PUSH 0x21c5790; RET }
.text C:\WINDOWS\system32\winlogon.exe[820] WININET.dll!InternetWriteFile 630751E6 13 Bytes [58, 68, E6, 51, 39, 02, 50, ...] {POP EAX; PUSH 0x23951e6; PUSH EAX; PUSH 0x21c5740; RET }
.text C:\WINDOWS\system32\winlogon.exe[820] WININET.dll!InternetErrorDlg 63099739 13 Bytes [58, 68, 39, 97, 3B, 02, 50, ...] {POP EAX; PUSH 0x23b9739; PUSH EAX; PUSH 0x21c5ad0; RET }
.text C:\WINDOWS\system32\services.exe[868] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0064000A
.text C:\WINDOWS\system32\services.exe[868] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0065000A
.text C:\WINDOWS\system32\lsass.exe[880] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0074000A
.text C:\WINDOWS\system32\lsass.exe[880] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0077000A
.text C:\WINDOWS\system32\lsass.exe[880] kernel32.dll!CreateProcessW 7C802336 13 Bytes [58, 68, 36, 23, E0, 00, 50, ...] {POP EAX; PUSH 0xe02336; PUSH EAX; PUSH 0x795e10; RET }
.text C:\WINDOWS\system32\lsass.exe[880] kernel32.dll!ExitProcess 7C81CB12 7 Bytes [58, 68, 12, CB, E1, 00, 50] {POP EAX; PUSH 0xe1cb12; PUSH EAX}
.text C:\WINDOWS\system32\lsass.exe[880] kernel32.dll!ExitProcess + 8 7C81CB1A 5 Bytes [30, 5D, 79, 00, C3] {XOR [EBP+0x79], BL; ADD BL, AL}
.text C:\WINDOWS\system32\lsass.exe[880] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 13 Bytes [58, 68, FD, 9F, 0C, 01, 50, ...] {POP EAX; PUSH 0x10c9ffd; PUSH EAX; PUSH 0x795de0; RET }
.text C:\WINDOWS\system32\lsass.exe[880] ADVAPI32.dll!CryptImportKey 77DEA1F1 13 Bytes [58, 68, F1, A1, 0C, 01, 50, ...] {POP EAX; PUSH 0x10ca1f1; PUSH EAX; PUSH 0x795d80; RET }
.text C:\WINDOWS\system32\lsass.exe[880] ADVAPI32.dll!CryptGenKey 77E11849 13 Bytes [58, 68, 49, 18, 0F, 01, 50, ...] {POP EAX; PUSH 0x10f1849; PUSH EAX; PUSH 0x795db0; RET }
.text C:\WINDOWS\system32\lsass.exe[880] WS2_32.dll!send 71AB4C27 13 Bytes [58, 68, 27, 4C, D3, 00, 50, ...] {POP EAX; PUSH 0xd34c27; PUSH EAX; PUSH 0x795610; RET }
.text C:\WINDOWS\system32\lsass.exe[880] WININET.dll!CommitUrlCacheEntryA 63010E7F 13 Bytes [58, 68, 7F, 0E, F1, 00, 50, ...] {POP EAX; PUSH 0xf10e7f; PUSH EAX; PUSH 0x795c70; RET }
.text C:\WINDOWS\system32\lsass.exe[880] WININET.dll!HttpOpenRequestA 6301782B 13 Bytes [58, 68, 2B, 78, F1, 00, 50, ...] {POP EAX; PUSH 0xf1782b; PUSH EAX; PUSH 0x795bd0; RET }
.text C:\WINDOWS\system32\lsass.exe[880] WININET.dll!InternetConnectA 6301846A 13 Bytes [58, 68, 6A, 84, F1, 00, 50, ...] {POP EAX; PUSH 0xf1846a; PUSH EAX; PUSH 0x795710; RET }
.text C:\WINDOWS\system32\lsass.exe[880] WININET.dll!InternetReadFile 6301DF1F 13 Bytes [58, 68, 1F, DF, F1, 00, 50, ...] {POP EAX; PUSH 0xf1df1f; PUSH EAX; PUSH 0x795920; RET }
.text C:\WINDOWS\system32\lsass.exe[880] WININET.dll!HttpSendRequestW 6301E393 13 Bytes [58, 68, 93, E3, F1, 00, 50, ...] {POP EAX; PUSH 0xf1e393; PUSH EAX; PUSH 0x795ba0; RET }
.text C:\WINDOWS\system32\lsass.exe[880] WININET.dll!HttpOpenRequestW 6301E4D0 13 Bytes [58, 68, D0, E4, F1, 00, 50, ...] {POP EAX; PUSH 0xf1e4d0; PUSH EAX; PUSH 0x795c10; RET }
.text C:\WINDOWS\system32\lsass.exe[880] WININET.dll!InternetQueryDataAvailable 6301F165 13 Bytes [58, 68, 65, F1, F1, 00, 50, ...] {POP EAX; PUSH 0xf1f165; PUSH EAX; PUSH 0x795a50; RET }
.text C:\WINDOWS\system32\lsass.exe[880] WININET.dll!HttpSendRequestA 63029522 13 Bytes [58, 68, 22, 95, F2, 00, 50, ...] {POP EAX; PUSH 0xf29522; PUSH EAX; PUSH 0x795af0; RET }
.text C:\WINDOWS\system32\lsass.exe[880] WININET.dll!CommitUrlCacheEntryW 630333BE 13 Bytes [58, 68, BE, 33, F3, 00, 50, ...] {POP EAX; PUSH 0xf333be; PUSH EAX; PUSH 0x795cd0; RET }
.text C:\WINDOWS\system32\lsass.exe[880] WININET.dll!InternetReadFileExW 63038D5B 13 Bytes [58, 68, 5B, 8D, F3, 00, 50, ...] {POP EAX; PUSH 0xf38d5b; PUSH EAX; PUSH 0x7958f0; RET }
.text C:\WINDOWS\system32\lsass.exe[880] WININET.dll!InternetReadFileExA 63038D93 13 Bytes [58, 68, 93, 8D, F3, 00, 50, ...] {POP EAX; PUSH 0xf38d93; PUSH EAX; PUSH 0x795790; RET }
.text C:\WINDOWS\system32\lsass.exe[880] WININET.dll!InternetWriteFile 630751E6 13 Bytes [58, 68, E6, 51, F7, 00, 50, ...] {POP EAX; PUSH 0xf751e6; PUSH EAX; PUSH 0x795740; RET }
.text C:\WINDOWS\system32\lsass.exe[880] WININET.dll!InternetErrorDlg 63099739 13 Bytes [58, 68, 39, 97, F9, 00, 50, ...] {POP EAX; PUSH 0xf99739; PUSH EAX; PUSH 0x795ad0; RET }
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!CreateProcessW 7C802336 13 Bytes [58, 68, 36, 23, 2E, 01, 50, ...] {POP EAX; PUSH 0x12e2336; PUSH EAX; PUSH 0x875e10; RET }
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!ExitProcess 7C81CB12 7 Bytes [58, 68, 12, CB, 2F, 01, 50] {POP EAX; PUSH 0x12fcb12; PUSH EAX}
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!ExitProcess + 8 7C81CB1A 5 Bytes [30, 5D, 87, 00, C3] {XOR [EBP-0x79], BL; ADD BL, AL}
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 13 Bytes [58, 68, FD, 9F, 5C, 01, 50, ...] {POP EAX; PUSH 0x15c9ffd; PUSH EAX; PUSH 0x875de0; RET }
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!CryptImportKey 77DEA1F1 13 Bytes [58, 68, F1, A1, 5C, 01, 50, ...] {POP EAX; PUSH 0x15ca1f1; PUSH EAX; PUSH 0x875d80; RET }
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!CryptGenKey 77E11849 13 Bytes [58, 68, 49, 18, 5F, 01, 50, ...] {POP EAX; PUSH 0x15f1849; PUSH EAX; PUSH 0x875db0; RET }
.text C:\WINDOWS\system32\svchost.exe[1056] WS2_32.dll!send 71AB4C27 13 Bytes JMP 82139C2C
.text C:\WINDOWS\system32\svchost.exe[1056] WININET.dll!CommitUrlCacheEntryA 63010E7F 13 Bytes [58, 68, 7F, 0E, 4D, 01, 50, ...] {POP EAX; PUSH 0x14d0e7f; PUSH EAX; PUSH 0x875c70; RET }
.text C:\WINDOWS\system32\svchost.exe[1056] WININET.dll!HttpOpenRequestA 6301782B 13 Bytes [58, 68, 2B, 78, 4D, 01, 50, ...] {POP EAX; PUSH 0x14d782b; PUSH EAX; PUSH 0x875bd0; RET }
.text C:\WINDOWS\system32\svchost.exe[1056] WININET.dll!InternetConnectA 6301846A 13 Bytes [58, 68, 6A, 84, 4D, 01, 50, ...] {POP EAX; PUSH 0x14d846a; PUSH EAX; PUSH 0x875710; RET }
.text C:\WINDOWS\system32\svchost.exe[1056] WININET.dll!InternetReadFile 6301DF1F 13 Bytes [58, 68, 1F, DF, 4D, 01, 50, ...] {POP EAX; PUSH 0x14ddf1f; PUSH EAX; PUSH 0x875920; RET }
.text C:\WINDOWS\system32\svchost.exe[1056] WININET.dll!HttpSendRequestW 6301E393 13 Bytes [58, 68, 93, E3, 4D, 01, 50, ...] {POP EAX; PUSH 0x14de393; PUSH EAX; PUSH 0x875ba0; RET }
.text C:\WINDOWS\system32\svchost.exe[1056] WININET.dll!HttpOpenRequestW 6301E4D0 13 Bytes [58, 68, D0, E4, 4D, 01, 50, ...] {POP EAX; PUSH 0x14de4d0; PUSH EAX; PUSH 0x875c10; RET }
.text C:\WINDOWS\system32\svchost.exe[1056] WININET.dll!InternetQueryDataAvailable 6301F165 13 Bytes [58, 68, 65, F1, 4D, 01, 50, ...] {POP EAX; PUSH 0x14df165; PUSH EAX; PUSH 0x875a50; RET }
.text C:\WINDOWS\system32\svchost.exe[1056] WININET.dll!HttpSendRequestA 63029522 13 Bytes [58, 68, 22, 95, 4E, 01, 50, ...] {POP EAX; PUSH 0x14e9522; PUSH EAX; PUSH 0x875af0; RET }
.text C:\WINDOWS\system32\svchost.exe[1056] WININET.dll!CommitUrlCacheEntryW 630333BE 13 Bytes [58, 68, BE, 33, 4F, 01, 50, ...] {POP EAX; PUSH 0x14f33be; PUSH EAX; PUSH 0x875cd0; RET }
.text C:\WINDOWS\system32\svchost.exe[1056] WININET.dll!InternetReadFileExW 63038D5B 13 Bytes [58, 68, 5B, 8D, 4F, 01, 50, ...] {POP EAX; PUSH 0x14f8d5b; PUSH EAX; PUSH 0x8758f0; RET }
.text C:\WINDOWS\system32\svchost.exe[1056] WININET.dll!InternetReadFileExA 63038D93 13 Bytes [58, 68, 93, 8D, 4F, 01, 50, ...] {POP EAX; PUSH 0x14f8d93; PUSH EAX; PUSH 0x875790; RET }
.text C:\WINDOWS\system32\svchost.exe[1056] WININET.dll!InternetWriteFile 630751E6 13 Bytes [58, 68, E6, 51, 53, 01, 50, ...] {POP EAX; PUSH 0x15351e6; PUSH EAX; PUSH 0x875740; RET }
.text C:\WINDOWS\system32\svchost.exe[1056] WININET.dll!InternetErrorDlg 63099739 13 Bytes [58, 68, 39, 97, 55, 01, 50, ...] {POP EAX; PUSH 0x1559739; PUSH EAX; PUSH 0x875ad0; RET }
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateProcessW 7C802336 13 Bytes [58, 68, 36, 23, 2E, 01, 50, ...] {POP EAX; PUSH 0x12e2336; PUSH EAX; PUSH 0x875e10; RET }
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!ExitProcess 7C81CB12 7 Bytes [58, 68, 12, CB, 2F, 01, 50] {POP EAX; PUSH 0x12fcb12; PUSH EAX}
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!ExitProcess + 8 7C81CB1A 5 Bytes [30, 5D, 87, 00, C3] {XOR [EBP-0x79], BL; ADD BL, AL}
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 13 Bytes [58, 68, FD, 9F, 72, 01, 50, ...] {POP EAX; PUSH 0x1729ffd; PUSH EAX; PUSH 0x875de0; RET }
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!CryptImportKey 77DEA1F1 13 Bytes [58, 68, F1, A1, 72, 01, 50, ...] {POP EAX; PUSH 0x172a1f1; PUSH EAX; PUSH 0x875d80; RET }
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!CryptGenKey 77E11849 13 Bytes [58, 68, 49, 18, 75, 01, 50, ...] {POP EAX; PUSH 0x1751849; PUSH EAX; PUSH 0x875db0; RET }
.text C:\WINDOWS\system32\svchost.exe[1116] WS2_32.dll!send 71AB4C27 13 Bytes [58, 68, 27, 4C, 4A, 01, 50, ...] {POP EAX; PUSH 0x14a4c27; PUSH EAX; PUSH 0x875610; RET }
.text C:\WINDOWS\system32\svchost.exe[1116] WININET.dll!CommitUrlCacheEntryA 63010E7F 13 Bytes [58, 68, 7F, 0E, 59, 01, 50, ...] {POP EAX; PUSH 0x1590e7f; PUSH EAX; PUSH 0x875c70; RET }
.text C:\WINDOWS\system32\svchost.exe[1116] WININET.dll!HttpOpenRequestA 6301782B 13 Bytes [58, 68, 2B, 78, 59, 01, 50, ...] {POP EAX; PUSH 0x159782b; PUSH EAX; PUSH 0x875bd0; RET }
.text C:\WINDOWS\system32\svchost.exe[1116] WININET.dll!InternetConnectA 6301846A 13 Bytes [58, 68, 6A, 84, 59, 01, 50, ...] {POP EAX; PUSH 0x159846a; PUSH EAX; PUSH 0x875710; RET }
.text C:\WINDOWS\system32\svchost.exe[1116] WININET.dll!InternetReadFile 6301DF1F 13 Bytes [58, 68, 1F, DF, 59, 01, 50, ...] {POP EAX; PUSH 0x159df1f; PUSH EAX; PUSH 0x875920; RET }
.text C:\WINDOWS\system32\svchost.exe[1116] WININET.dll!HttpSendRequestW 6301E393 13 Bytes [58, 68, 93, E3, 59, 01, 50, ...] {POP EAX; PUSH 0x159e393; PUSH EAX; PUSH 0x875ba0; RET }
.text C:\WINDOWS\system32\svchost.exe[1116] WININET.dll!HttpOpenRequestW 6301E4D0 13 Bytes [58, 68, D0, E4, 59, 01, 50, ...] {POP EAX; PUSH 0x159e4d0; PUSH EAX; PUSH 0x875c10; RET }
.text C:\WINDOWS\system32\svchost.exe[1116] WININET.dll!InternetQueryDataAvailable 6301F165 13 Bytes [58, 68, 65, F1, 59, 01, 50, ...] {POP EAX; PUSH 0x159f165; PUSH EAX; PUSH 0x875a50; RET }
.text C:\WINDOWS\system32\svchost.exe[1116] WININET.dll!HttpSendRequestA 63029522 13 Bytes [58, 68, 22, 95, 5A, 01, 50, ...] {POP EAX; PUSH 0x15a9522; PUSH EAX; PUSH 0x875af0; RET }
.text C:\WINDOWS\system32\svchost.exe[1116] WININET.dll!CommitUrlCacheEntryW 630333BE 13 Bytes [58, 68, BE, 33, 5B, 01, 50, ...] {POP EAX; PUSH 0x15b33be; PUSH EAX; PUSH 0x875cd0; RET }
.text C:\WINDOWS\system32\svchost.exe[1116] WININET.dll!InternetReadFileExW 63038D5B 13 Bytes [58, 68, 5B, 8D, 5B, 01, 50, ...] {POP EAX; PUSH 0x15b8d5b; PUSH EAX; PUSH 0x8758f0; RET }
.text C:\WINDOWS\system32\svchost.exe[1116] WININET.dll!InternetReadFileExA 63038D93 13 Bytes [58, 68, 93, 8D, 5B, 01, 50, ...] {POP EAX; PUSH 0x15b8d93; PUSH EAX; PUSH 0x875790; RET }
.text C:\WINDOWS\system32\svchost.exe[1116] WININET.dll!InternetWriteFile 630751E6 13 Bytes [58, 68, E6, 51, 5F, 01, 50, ...] {POP EAX; PUSH 0x15f51e6; PUSH EAX; PUSH 0x875740; RET }
.text C:\WINDOWS\system32\svchost.exe[1116] WININET.dll!InternetErrorDlg 63099739 13 Bytes [58, 68, 39, 97, 61, 01, 50, ...] {POP EAX; PUSH 0x1619739; PUSH EAX; PUSH 0x875ad0; RET }
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateProcessW 7C802336 13 Bytes [58, 68, 36, 23, 46, 01, 50, ...] {POP EAX; PUSH 0x1462336; PUSH EAX; PUSH 0x875e10; RET }
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!ExitProcess 7C81CB12 7 Bytes [58, 68, 12, CB, 47, 01, 50] {POP EAX; PUSH 0x147cb12; PUSH EAX}
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!ExitProcess + 8 7C81CB1A 5 Bytes [30, 5D, 87, 00, C3] {XOR [EBP-0x79], BL; ADD BL, AL}
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 13 Bytes [58, 68, FD, 9F, 66, 01, 50, ...] {POP EAX; PUSH 0x1669ffd; PUSH EAX; PUSH 0x875de0; RET }
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!CryptImportKey 77DEA1F1 13 Bytes [58, 68, F1, A1, 66, 01, 50, ...] {POP EAX; PUSH 0x166a1f1; PUSH EAX; PUSH 0x875d80; RET }
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!CryptGenKey 77E11849 13 Bytes [58, 68, 49, 18, 69, 01, 50, ...] {POP EAX; PUSH 0x1691849; PUSH EAX; PUSH 0x875db0; RET }
.text C:\WINDOWS\System32\svchost.exe[1168] WS2_32.dll!send 71AB4C27 13 Bytes [58, 68, 27, 4C, 36, 01, 50, ...] {POP EAX; PUSH 0x1364c27; PUSH EAX; PUSH 0x875610; RET }
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!CommitUrlCacheEntryA 63010E7F 13 Bytes [58, 68, 7F, 0E, 57, 01, 50, ...] {POP EAX; PUSH 0x1570e7f; PUSH EAX; PUSH 0x875c70; RET }
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!HttpOpenRequestA 6301782B 13 Bytes [58, 68, 2B, 78, 57, 01, 50, ...] {POP EAX; PUSH 0x157782b; PUSH EAX; PUSH 0x875bd0; RET }
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!InternetConnectA 6301846A 13 Bytes [58, 68, 6A, 84, 57, 01, 50, ...] {POP EAX; PUSH 0x157846a; PUSH EAX; PUSH 0x875710; RET }
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!InternetReadFile 6301DF1F 13 Bytes [58, 68, 1F, DF, 57, 01, 50, ...] {POP EAX; PUSH 0x157df1f; PUSH EAX; PUSH 0x875920; RET }
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!HttpSendRequestW 6301E393 13 Bytes [58, 68, 93, E3, 57, 01, 50, ...] {POP EAX; PUSH 0x157e393; PUSH EAX; PUSH 0x875ba0; RET }
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!HttpOpenRequestW 6301E4D0 13 Bytes [58, 68, D0, E4, 57, 01, 50, ...] {POP EAX; PUSH 0x157e4d0; PUSH EAX; PUSH 0x875c10; RET }
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!InternetQueryDataAvailable 6301F165 13 Bytes [58, 68, 65, F1, 57, 01, 50, ...] {POP EAX; PUSH 0x157f165; PUSH EAX; PUSH 0x875a50; RET }
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!HttpSendRequestA 63029522 13 Bytes [58, 68, 22, 95, 58, 01, 50, ...] {POP EAX; PUSH 0x1589522; PUSH EAX; PUSH 0x875af0; RET }
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!CommitUrlCacheEntryW 630333BE 13 Bytes [58, 68, BE, 33, 59, 01, 50, ...] {POP EAX; PUSH 0x15933be; PUSH EAX; PUSH 0x875cd0; RET }
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!InternetReadFileExW 63038D5B 13 Bytes [58, 68, 5B, 8D, 59, 01, 50, ...] {POP EAX; PUSH 0x1598d5b; PUSH EAX; PUSH 0x8758f0; RET }
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!InternetReadFileExA 63038D93 13 Bytes [58, 68, 93, 8D, 59, 01, 50, ...] {POP EAX; PUSH 0x1598d93; PUSH EAX; PUSH 0x875790; RET }
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!InternetWriteFile 630751E6 13 Bytes [58, 68, E6, 51, 5D, 01, 50, ...] {POP EAX; PUSH 0x15d51e6; PUSH EAX; PUSH 0x875740; RET }
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!InternetErrorDlg 63099739 13 Bytes [58, 68, 39, 97, 5F, 01, 50, ...] {POP EAX; PUSH 0x15f9739; PUSH EAX; PUSH 0x875ad0; RET }
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1268] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0099000A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1268] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 009A000A
.text C:\WINDOWS\notepad.exe[2404] WININET.dll!InternetReadFile 6301DF1F 13 Bytes [58, 68, 1F, DF, 23, 01, 50, ...] {POP EAX; PUSH 0x123df1f; PUSH EAX; PUSH 0xa15920; RET }
.text C:\WINDOWS\notepad.exe[2404] WININET.dll!HttpSendRequestW 6301E393 13 Bytes [58, 68, 93, E3, 23, 01, 50, ...] {POP EAX; PUSH 0x123e393; PUSH EAX; PUSH 0xa15ba0; RET }
.text C:\WINDOWS\notepad.exe[2404] WININET.dll!HttpOpenRequestW 6301E4D0 13 Bytes [58, 68, D0, E4, 23, 01, 50, ...] {POP EAX; PUSH 0x123e4d0; PUSH EAX; PUSH 0xa15c10; RET }
.text C:\WINDOWS\notepad.exe[2404] WININET.dll!InternetQueryDataAvailable 6301F165 13 Bytes [58, 68, 65, F1, 23, 01, 50, ...] {POP EAX; PUSH 0x123f165; PUSH EAX; PUSH 0xa15a50; RET }
.text C:\WINDOWS\notepad.exe[2404] WININET.dll!HttpSendRequestA 63029522 13 Bytes [58, 68, 22, 95, 24, 01, 50, ...] {POP EAX; PUSH 0x1249522; PUSH EAX; PUSH 0xa15af0; RET }
.text C:\WINDOWS\notepad.exe[2404] WININET.dll!CommitUrlCacheEntryW 630333BE 13 Bytes [58, 68, BE, 33, 25, 01, 50, ...] {POP EAX; PUSH 0x12533be; PUSH EAX; PUSH 0xa15cd0; RET }
.text C:\WINDOWS\notepad.exe[2404] WININET.dll!InternetReadFileExW 63038D5B 13 Bytes [58, 68, 5B, 8D, 25, 01, 50, ...] {POP EAX; PUSH 0x1258d5b; PUSH EAX; PUSH 0xa158f0; RET }
.text C:\WINDOWS\notepad.exe[2404] WININET.dll!InternetReadFileExA 63038D93 13 Bytes [58, 68, 93, 8D, 25, 01, 50, ...] {POP EAX; PUSH 0x1258d93; PUSH EAX; PUSH 0xa15790; RET }
.text C:\WINDOWS\notepad.exe[2404] WININET.dll!InternetWriteFile 630751E6 13 Bytes [58, 68, E6, 51, 29, 01, 50, ...] {POP EAX; PUSH 0x12951e6; PUSH EAX; PUSH 0xa15740; RET }
.text C:\WINDOWS\notepad.exe[2404] WININET.dll!InternetErrorDlg 63099739 13 Bytes [58, 68, 39, 97, 2B, 01, 50, ...] {POP EAX; PUSH 0x12b9739; PUSH EAX; PUSH 0xa15ad0; RET }
.text C:\WINDOWS\System32\svchost.exe[2804] kernel32.dll!CreateProcessW 7C802336 13 Bytes [58, 68, 36, 23, 32, 01, 50, ...] {POP EAX; PUSH 0x1322336; PUSH EAX; PUSH 0x875e10; RET }
.text C:\WINDOWS\System32\svchost.exe[2804] kernel32.dll!ExitProcess 7C81CB12 7 Bytes [58, 68, 12, CB, 33, 01, 50] {POP EAX; PUSH 0x133cb12; PUSH EAX}
.text C:\WINDOWS\System32\svchost.exe[2804] kernel32.dll!ExitProcess + 8 7C81CB1A 5 Bytes [30, 5D, 87, 00, C3] {XOR [EBP-0x79], BL; ADD BL, AL}
.text C:\WINDOWS\System32\svchost.exe[2804] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 13 Bytes [58, 68, FD, 9F, 94, 01, 50, ...] {POP EAX; PUSH 0x1949ffd; PUSH EAX; PUSH 0x875de0; RET }
.text C:\WINDOWS\System32\svchost.exe[2804] ADVAPI32.dll!CryptImportKey 77DEA1F1 13 Bytes [58, 68, F1, A1, 94, 01, 50, ...] {POP EAX; PUSH 0x194a1f1; PUSH EAX; PUSH 0x875d80; RET }
.text C:\WINDOWS\System32\svchost.exe[2804] ADVAPI32.dll!CryptGenKey 77E11849 13 Bytes [58, 68, 49, 18, 97, 01, 50, ...] {POP EAX; PUSH 0x1971849; PUSH EAX; PUSH 0x875db0; RET }
.text C:\WINDOWS\System32\svchost.exe[2804] WS2_32.dll!send 71AB4C27 13 Bytes [58, 68, 27, 4C, FD, 00, 50, ...] {POP EAX; PUSH 0xfd4c27; PUSH EAX; PUSH 0x875610; RET }
.text C:\WINDOWS\System32\svchost.exe[2804] WININET.dll!CommitUrlCacheEntryA 63010E7F 13 Bytes [58, 68, 7F, 0E, 85, 01, 50, ...] {POP EAX; PUSH 0x1850e7f; PUSH EAX; PUSH 0x875c70; RET }
.text C:\WINDOWS\System32\svchost.exe[2804] WININET.dll!HttpOpenRequestA 6301782B 13 Bytes [58, 68, 2B, 78, 85, 01, 50, ...] {POP EAX; PUSH 0x185782b; PUSH EAX; PUSH 0x875bd0; RET }
.text C:\WINDOWS\System32\svchost.exe[2804] WININET.dll!InternetConnectA 6301846A 13 Bytes [58, 68, 6A, 84, 85, 01, 50, ...] {POP EAX; PUSH 0x185846a; PUSH EAX; PUSH 0x875710; RET }
.text C:\WINDOWS\System32\svchost.exe[2804] WININET.dll!InternetReadFile 6301DF1F 13 Bytes [58, 68, 1F, DF, 85, 01, 50, ...] {POP EAX; PUSH 0x185df1f; PUSH EAX; PUSH 0x875920; RET }
.text C:\WINDOWS\System32\svchost.exe[2804] WININET.dll!HttpSendRequestW 6301E393 13 Bytes [58, 68, 93, E3, 85, 01, 50, ...] {POP EAX; PUSH 0x185e393; PUSH EAX; PUSH 0x875ba0; RET }
.text C:\WINDOWS\System32\svchost.exe[2804] WININET.dll!HttpOpenRequestW 6301E4D0 13 Bytes [58, 68, D0, E4, 85, 01, 50, ...] {POP EAX; PUSH 0x185e4d0; PUSH EAX; PUSH 0x875c10; RET }
.text C:\WINDOWS\System32\svchost.exe[2804] WININET.dll!InternetQueryDataAvailable 6301F165 13 Bytes [58, 68, 65, F1, 85, 01, 50, ...] {POP EAX; PUSH 0x185f165; PUSH EAX; PUSH 0x875a50; RET }
.text C:\WINDOWS\System32\svchost.exe[2804] WININET.dll!HttpSendRequestA 63029522 13 Bytes [58, 68, 22, 95, 86, 01, 50, ...] {POP EAX; PUSH 0x1869522; PUSH EAX; PUSH 0x875af0; RET }
.text C:\WINDOWS\System32\svchost.exe[2804] WININET.dll!CommitUrlCacheEntryW 630333BE 13 Bytes [58, 68, BE, 33, 87, 01, 50, ...] {POP EAX; PUSH 0x18733be; PUSH EAX; PUSH 0x875cd0; RET }
.text C:\WINDOWS\System32\svchost.exe[2804] WININET.dll!InternetReadFileExW 63038D5B 13 Bytes [58, 68, 5B, 8D, 87, 01, 50, ...] {POP EAX; PUSH 0x1878d5b; PUSH EAX; PUSH 0x8758f0; RET }
.text C:\WINDOWS\System32\svchost.exe[2804] WININET.dll!InternetReadFileExA 63038D93 13 Bytes [58, 68, 93, 8D, 87, 01, 50, ...] {POP EAX; PUSH 0x1878d93; PUSH EAX; PUSH 0x875790; RET }
.text C:\WINDOWS\System32\svchost.exe[2804] WININET.dll!InternetWriteFile 630751E6 13 Bytes [58, 68, E6, 51, 8B, 01, 50, ...] {POP EAX; PUSH 0x18b51e6; PUSH EAX; PUSH 0x875740; RET }
.text C:\WINDOWS\System32\svchost.exe[2804] WININET.dll!InternetErrorDlg 63099739 13 Bytes [58, 68, 39, 97, 8D, 01, 50, ...] {POP EAX; PUSH 0x18d9739; PUSH EAX; PUSH 0x875ad0; RET }
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 010D000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 010E000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] kernel32.dll!CreateProcessW 7C802336 13 Bytes [58, 68, 36, 23, B2, 01, 50, ...] {POP EAX; PUSH 0x1b22336; PUSH EAX; PUSH 0x1135e10; RET }
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] kernel32.dll!ExitProcess 7C81CB12 7 Bytes [58, 68, 12, CB, B3, 01, 50] {POP EAX; PUSH 0x1b3cb12; PUSH EAX}
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] kernel32.dll!ExitProcess + 8 7C81CB1A 5 Bytes [30, 5D, 13, 01, C3] {XOR [EBP+0x13], BL; ADD EBX, EAX}
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 13 Bytes [58, 68, FD, 9F, ED, 01, 50, ...] {POP EAX; PUSH 0x1ed9ffd; PUSH EAX; PUSH 0x1135de0; RET }
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] ADVAPI32.dll!CryptImportKey 77DEA1F1 13 Bytes [58, 68, F1, A1, ED, 01, 50, ...] {POP EAX; PUSH 0x1eda1f1; PUSH EAX; PUSH 0x1135d80; RET }
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] ADVAPI32.dll!CryptGenKey 77E11849 13 Bytes [58, 68, 49, 18, F0, 01, 50, ...] {POP EAX; PUSH 0x1f01849; PUSH EAX; PUSH 0x1135db0; RET }
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] WS2_32.dll!getaddrinfo 71AB2A6F 3 Bytes JMP 0136F9F0
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] WS2_32.dll!getaddrinfo + 4 71AB2A73 1 Byte [8F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] WS2_32.dll!closesocket 71AB3E2B 3 Bytes JMP 01370A60
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] WS2_32.dll!closesocket + 4 71AB3E2F 1 Byte [8F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] WS2_32.dll!connect 71AB4A07 3 Bytes JMP 013708A0
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] WS2_32.dll!connect + 4 71AB4A0B 1 Byte [8F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] WS2_32.dll!send 71AB4C27 13 Bytes [58, 68, 27, 4C, 46, 01, 50, ...] {POP EAX; PUSH 0x1464c27; PUSH EAX; PUSH 0x1135610; RET }
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] WS2_32.dll!gethostbyname 71AB5355 3 Bytes JMP 0136FDA0
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] WS2_32.dll!gethostbyname + 4 71AB5359 1 Byte [8F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] WININET.dll!CommitUrlCacheEntryA 63010E7F 13 Bytes [58, 68, 7F, 0E, A2, 01, 50, ...] {POP EAX; PUSH 0x1a20e7f; PUSH EAX; PUSH 0x1135c70; RET }
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] WININET.dll!HttpOpenRequestA 6301782B 13 Bytes [58, 68, 2B, 78, A2, 01, 50, ...] {POP EAX; PUSH 0x1a2782b; PUSH EAX; PUSH 0x1135bd0; RET }
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] WININET.dll!InternetConnectA 6301846A 13 Bytes [58, 68, 6A, 84, A2, 01, 50, ...] {POP EAX; PUSH 0x1a2846a; PUSH EAX; PUSH 0x1135710; RET }
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] WININET.dll!InternetReadFile 6301DF1F 13 Bytes [58, 68, 1F, DF, A2, 01, 50, ...] {POP EAX; PUSH 0x1a2df1f; PUSH EAX; PUSH 0x1135920; RET }
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] WININET.dll!HttpSendRequestW 6301E393 13 Bytes [58, 68, 93, E3, A2, 01, 50, ...] {POP EAX; PUSH 0x1a2e393; PUSH EAX; PUSH 0x1135ba0; RET }
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] WININET.dll!HttpOpenRequestW 6301E4D0 13 Bytes [58, 68, D0, E4, A2, 01, 50, ...] {POP EAX; PUSH 0x1a2e4d0; PUSH EAX; PUSH 0x1135c10; RET }
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] WININET.dll!InternetQueryDataAvailable 6301F165 13 Bytes [58, 68, 65, F1, A2, 01, 50, ...] {POP EAX; PUSH 0x1a2f165; PUSH EAX; PUSH 0x1135a50; RET }
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] WININET.dll!HttpSendRequestA 63029522 13 Bytes [58, 68, 22, 95, A3, 01, 50, ...] {POP EAX; PUSH 0x1a39522; PUSH EAX; PUSH 0x1135af0; RET }
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] WININET.dll!CommitUrlCacheEntryW 630333BE 13 Bytes [58, 68, BE, 33, A4, 01, 50, ...] {POP EAX; PUSH 0x1a433be; PUSH EAX; PUSH 0x1135cd0; RET }
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] WININET.dll!InternetReadFileExW 63038D5B 13 Bytes [58, 68, 5B, 8D, A4, 01, 50, ...] {POP EAX; PUSH 0x1a48d5b; PUSH EAX; PUSH 0x11358f0; RET }
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] WININET.dll!InternetReadFileExA 63038D93 13 Bytes [58, 68, 93, 8D, A4, 01, 50, ...] {POP EAX; PUSH 0x1a48d93; PUSH EAX; PUSH 0x1135790; RET }
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] WININET.dll!InternetWriteFile 630751E6 13 Bytes [58, 68, E6, 51, A8, 01, 50, ...] {POP EAX; PUSH 0x1a851e6; PUSH EAX; PUSH 0x1135740; RET }
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] WININET.dll!InternetErrorDlg 63099739 13 Bytes [58, 68, 39, 97, AA, 01, 50, ...] {POP EAX; PUSH 0x1aa9739; PUSH EAX; PUSH 0x1135ad0; RET }
.text C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00DB000A
.text C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00DC000A
.text C:\WINDOWS\system32\wuauclt.exe[3172] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00AF000A
.text C:\WINDOWS\system32\wuauclt.exe[3172] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00B0000A
.text C:\WINDOWS\system32\wuauclt.exe[3172] kernel32.dll!CreateProcessW 7C802336 13 Bytes [58, 68, 36, 23, 49, 01, 50, ...] {POP EAX; PUSH 0x1492336; PUSH EAX; PUSH 0xa05e10; RET }
.text C:\WINDOWS\system32\wuauclt.exe[3172] kernel32.dll!ExitProcess 7C81CB12 7 Bytes [58, 68, 12, CB, 4A, 01, 50] {POP EAX; PUSH 0x14acb12; PUSH EAX}
.text C:\WINDOWS\system32\wuauclt.exe[3172] kernel32.dll!ExitProcess + 8 7C81CB1A 5 Bytes [30, 5D, A0, 00, C3] {XOR [EBP-0x60], BL; ADD BL, AL}
.text C:\WINDOWS\system32\wuauclt.exe[3172] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 13 Bytes [58, 68, FD, 9F, 69, 01, 50, ...] {POP EAX; PUSH 0x1699ffd; PUSH EAX; PUSH 0xa05de0; RET }
.text C:\WINDOWS\system32\wuauclt.exe[3172] ADVAPI32.dll!CryptImportKey 77DEA1F1 13 Bytes [58, 68, F1, A1, 69, 01, 50, ...] {POP EAX; PUSH 0x169a1f1; PUSH EAX; PUSH 0xa05d80; RET }
.text C:\WINDOWS\system32\wuauclt.exe[3172] ADVAPI32.dll!CryptGenKey 77E11849 13 Bytes [58, 68, 49, 18, 6C, 01, 50, ...] {POP EAX; PUSH 0x16c1849; PUSH EAX; PUSH 0xa05db0; RET }
.text C:\WINDOWS\system32\wuauclt.exe[3172] WS2_32.dll!send 71AB4C27 13 Bytes [58, 68, 27, 4C, 36, 01, 50, ...] {POP EAX; PUSH 0x1364c27; PUSH EAX; PUSH 0xa05610; RET }
.text C:\WINDOWS\system32\wuauclt.exe[3172] WININET.dll!CommitUrlCacheEntryA 63010E7F 13 Bytes [58, 68, 7F, 0E, 5A, 01, 50, ...] {POP EAX; PUSH 0x15a0e7f; PUSH EAX; PUSH 0xa05c70; RET }
.text C:\WINDOWS\system32\wuauclt.exe[3172] WININET.dll!HttpOpenRequestA 6301782B 13 Bytes [58, 68, 2B, 78, 5A, 01, 50, ...] {POP EAX; PUSH 0x15a782b; PUSH EAX; PUSH 0xa05bd0; RET }
.text C:\WINDOWS\system32\wuauclt.exe[3172] WININET.dll!InternetConnectA 6301846A 13 Bytes [58, 68, 6A, 84, 5A, 01, 50, ...] {POP EAX; PUSH 0x15a846a; PUSH EAX; PUSH 0xa05710; RET }
.text C:\WINDOWS\system32\wuauclt.exe[3172] WININET.dll!InternetReadFile 6301DF1F 13 Bytes [58, 68, 1F, DF, 5A, 01, 50, ...] {POP EAX; PUSH 0x15adf1f; PUSH EAX; PUSH 0xa05920; RET }
.text C:\WINDOWS\system32\wuauclt.exe[3172] WININET.dll!HttpSendRequestW 6301E393 13 Bytes [58, 68, 93, E3, 5A, 01, 50, ...] {POP EAX; PUSH 0x15ae393; PUSH EAX; PUSH 0xa05ba0; RET }
.text C:\WINDOWS\system32\wuauclt.exe[3172] WININET.dll!HttpOpenRequestW 6301E4D0 13 Bytes [58, 68, D0, E4, 5A, 01, 50, ...] {POP EAX; PUSH 0x15ae4d0; PUSH EAX; PUSH 0xa05c10; RET }
.text C:\WINDOWS\system32\wuauclt.exe[3172] WININET.dll!InternetQueryDataAvailable 6301F165 13 Bytes [58, 68, 65, F1, 5A, 01, 50, ...] {POP EAX; PUSH 0x15af165; PUSH EAX; PUSH 0xa05a50; RET }
.text C:\WINDOWS\system32\wuauclt.exe[3172] WININET.dll!HttpSendRequestA 63029522 13 Bytes [58, 68, 22, 95, 5B, 01, 50, ...] {POP EAX; PUSH 0x15b9522; PUSH EAX; PUSH 0xa05af0; RET }
.text C:\WINDOWS\system32\wuauclt.exe[3172] WININET.dll!CommitUrlCacheEntryW 630333BE 13 Bytes [58, 68, BE, 33, 5C, 01, 50, ...] {POP EAX; PUSH 0x15c33be; PUSH EAX; PUSH 0xa05cd0; RET }
.text C:\WINDOWS\system32\wuauclt.exe[3172] WININET.dll!InternetReadFileExW 63038D5B 13 Bytes [58, 68, 5B, 8D, 5C, 01, 50, ...] {POP EAX; PUSH 0x15c8d5b; PUSH EAX; PUSH 0xa058f0; RET }
.text C:\WINDOWS\system32\wuauclt.exe[3172] WININET.dll!InternetReadFileExA 63038D93 13 Bytes [58, 68, 93, 8D, 5C, 01, 50, ...] {POP EAX; PUSH 0x15c8d93; PUSH EAX; PUSH 0xa05790; RET }
.text C:\WINDOWS\system32\wuauclt.exe[3172] WININET.dll!InternetWriteFile 630751E6 13 Bytes [58, 68, E6, 51, 60, 01, 50, ...] {POP EAX; PUSH 0x16051e6; PUSH EAX; PUSH 0xa05740; RET }
.text C:\WINDOWS\system32\wuauclt.exe[3172] WININET.dll!InternetErrorDlg 63099739 13 Bytes [58, 68, 39, 97, 62, 01, 50, ...] {POP EAX; PUSH 0x1629739; PUSH EAX; PUSH 0xa05ad0; RET }
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3208] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0096000A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3208] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0097000A
.text C:\Documents and Settings\Other\Desktop\zi7it6qq.exe[3564] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 009E000A
.text C:\Documents and Settings\Other\Desktop\zi7it6qq.exe[3564] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 009F000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [61119D11] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [61119C43] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [61119601] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [61119C83] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [61118BE9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [61119D11] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [61119C43] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [61119601] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [61119C83] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [61118BE9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [61119CC3] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [61119D11] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [61119C83] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [61119C43] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [61119601] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [61119218] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [61119218] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61118B2C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61118AB0] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61118AEE] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [61118BE9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [61119C43] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [61119C83] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [61119601] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [61119D11] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [61119CC3] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [61118C27] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61118AEE] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [61119218] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [61118B2C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [61119218] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [61118BEF] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3016] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61118AB0] C:\Program Files\Yahoo!\Messenger\yui.dll

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACbppbfdxv.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [128] 0x00AC0000
Library \\?\globalroot\systemroot\system32\UACbppbfdxv.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [316] 0x009B0000
Library \\?\globalroot\systemroot\system32\UACbppbfdxv.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1056] 0x00AC0000
Library \\?\globalroot\systemroot\system32\UACbppbfdxv.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1116] 0x00AC0000
Library \\?\globalroot\systemroot\system32\UACbppbfdxv.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1168] 0x009A0000
Library \\?\globalroot\systemroot\system32\UACbppbfdxv.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1344] 0x009A0000
Library \\?\globalroot\systemroot\system32\UACbppbfdxv.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1508] 0x00830000
Library \\?\globalroot\systemroot\system32\UACbppbfdxv.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1796] 0x00AC0000
Library \\?\globalroot\systemroot\system32\UACbppbfdxv.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1856] 0x00AC0000
Library \\?\globalroot\systemroot\system32\UACbppbfdxv.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1896] 0x00AB0000
Library \\?\globalroot\systemroot\system32\UACbppbfdxv.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [2804] 0x00AC0000
Library \\?\globalroot\systemroot\system32\UACbppbfdxv.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [2988] 0x01520000

---- EOF - GMER 1.0.15 ----
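
The hook table above is easier to read mechanically than by eye: the same 13-byte patch (`POP EAX; PUSH imm32; PUSH EAX; PUSH imm32; RET`) sits on WS2_32!send, the WININET request/read functions and the ADVAPI32 Crypt* functions in notepad, svchost, wuauclt and firefox alike, and the Processes section shows a hidden DLL (`UACbppbfdxv.dll`) loaded into several of those processes. The script below is an added example written for this page; it is not part of the thread, of GMER or of ComboFix. It parses GMER's `.text` hook lines and `Library ... (*** hidden ***)` lines, recognises that trampoline by its first bytes, decodes the two pushed addresses, and reports which APIs are hooked the same way in more than one process, which is the signature of one injected module rather than per-application software. The sample input is a handful of lines copied from the log above; reading the first pushed value as a relocated copy of the original function is an assumption noted in the code.

```python
"""Triage GMER user-mode hook output (added example, not GMER's own code)."""
import re
from collections import defaultdict

# Constructed input: a subset of lines copied from the GMER log in this thread.
SAMPLE_LOG = r"""
.text C:\WINDOWS\notepad.exe[2404] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B0000A
.text C:\WINDOWS\notepad.exe[2404] kernel32.dll!CreateProcessW 7C802336 13 Bytes [58, 68, 36, 23, 12, 01, 50, ...] {POP EAX; PUSH 0x1122336; PUSH EAX; PUSH 0xa15e10; RET }
.text C:\WINDOWS\notepad.exe[2404] kernel32.dll!ExitProcess 7C81CB12 7 Bytes [58, 68, 12, CB, 13, 01, 50] {POP EAX; PUSH 0x113cb12; PUSH EAX}
.text C:\WINDOWS\notepad.exe[2404] kernel32.dll!ExitProcess + 8 7C81CB1A 5 Bytes [30, 5D, A1, 00, C3] {XOR [EBP-0x5f], BL; ADD BL, AL}
.text C:\WINDOWS\notepad.exe[2404] ADVAPI32.dll!CryptGenKey 77E11849 13 Bytes [58, 68, 49, 18, 35, 01, 50, ...] {POP EAX; PUSH 0x1351849; PUSH EAX; PUSH 0xa15db0; RET }
.text C:\WINDOWS\notepad.exe[2404] WS2_32.dll!send 71AB4C27 13 Bytes [58, 68, 27, 4C, 02, 01, 50, ...] {POP EAX; PUSH 0x1024c27; PUSH EAX; PUSH 0xa15610; RET }
.text C:\WINDOWS\System32\svchost.exe[2804] WS2_32.dll!send 71AB4C27 13 Bytes [58, 68, 27, 4C, FD, 00, 50, ...] {POP EAX; PUSH 0xfd4c27; PUSH EAX; PUSH 0x875610; RET }
.text C:\WINDOWS\System32\svchost.exe[2804] WININET.dll!HttpSendRequestA 63029522 13 Bytes [58, 68, 22, 95, 86, 01, 50, ...] {POP EAX; PUSH 0x1869522; PUSH EAX; PUSH 0x875af0; RET }
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] WS2_32.dll!connect 71AB4A07 3 Bytes JMP 013708A0
.text C:\Program Files\Mozilla Firefox\firefox.exe[2988] WS2_32.dll!send 71AB4C27 13 Bytes [58, 68, 27, 4C, 46, 01, 50, ...] {POP EAX; PUSH 0x1464c27; PUSH EAX; PUSH 0x1135610; RET }
Library \\?\globalroot\systemroot\system32\UACbppbfdxv.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [2804] 0x00AC0000
Library \\?\globalroot\systemroot\system32\UACbppbfdxv.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [2988] 0x01520000
"""

# ".text <process>[pid] <module>!<function> <addr> <n> Bytes <bytes/disasm>"
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<mod>[^!\s]+)!(?P<func>\S+(?: \+ \d+)?) "
    r"(?P<addr>[0-9A-Fa-f]+) (?P<size>\d+) Bytes? (?P<rest>.*)$")
# "Library <path> (*** hidden *** ) @ <process> [pid] 0x<base>"
LIB_RE = re.compile(
    r"^Library (?P<path>\S+) \(\*\*\* hidden \*\*\* \) @ (?P<proc>.+?) \[(?P<pid>\d+)\] 0x(?P<base>[0-9A-Fa-f]+)$")


def _bytes_from(rest):
    """Patch bytes from the [..] dump; GMER truncates long dumps with '...'."""
    m = re.search(r"\[([^\]]*)\]", rest)
    if not m:
        return []
    return [int(b, 16) for b in m.group(1).split(",") if b.strip() and b.strip() != "..."]


def _pushes_from(rest):
    """PUSH immediates from GMER's {..} disassembly, in order of appearance."""
    m = re.search(r"\{(.*)\}", rest)
    return [int(x, 16) for x in re.findall(r"PUSH 0x([0-9a-fA-F]+)", m.group(1))] if m else []


def parse_gmer(text):
    hooks, hidden = [], []
    for line in text.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"], d["addr"], d["size"] = int(d["pid"]), int(d["addr"], 16), int(d["size"])
            d["bytes"], d["pushes"] = _bytes_from(d["rest"]), _pushes_from(d["rest"])
            d["api"] = f"{d['mod']}!{d['func']}"
            hooks.append(d)
            continue
        m = LIB_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"], d["base"] = int(d["pid"]), int(d["base"], 16)
            hidden.append(d)
    return hooks, hidden


def is_trampoline(h):
    """58 68 xx xx xx xx 50 = POP EAX; PUSH imm32; PUSH EAX (the sequence in this log)."""
    b = h["bytes"]
    return len(b) >= 7 and b[0] == 0x58 and b[1] == 0x68 and b[6] == 0x50


def decode_trampoline(h):
    """Return (first pushed address, address the final PUSH/RET lands in).

    The first immediate is inline in the byte dump (little-endian). Its low 16
    bits match the hooked function's, so it is assumed to be a relocated copy of
    the original code. The final PUSH target survives only in the disassembly
    text because the dump is truncated; it is None when the line is cut short.
    """
    first = int.from_bytes(bytes(h["bytes"][2:6]), "little")
    handler = h["pushes"][1] if len(h["pushes"]) > 1 else None
    return first, handler


def systemic_hooks(hooks, min_procs=2):
    """APIs carrying the trampoline in at least min_procs distinct processes."""
    by_api = defaultdict(set)
    for h in hooks:
        if is_trampoline(h):
            by_api[h["api"]].add(h["pid"])
    return {api: pids for api, pids in by_api.items() if len(pids) >= min_procs}


def triage(text, min_procs=2):
    hooks, hidden = parse_gmer(text)
    tramp = [h for h in hooks if is_trampoline(h)]
    return {
        "hooks": len(hooks),
        "trampolines": len(tramp),
        "systemic": systemic_hooks(hooks, min_procs),
        "hidden_modules": sorted({d["path"] for d in hidden}),
        # processes that show both the trampoline and a hidden module
        "hooked_and_hidden": sorted({h["pid"] for h in tramp} & {d["pid"] for d in hidden}),
    }


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"{r['hooks']} hooks parsed, {r['trampolines']} use the POP/PUSH/RET trampoline")
    for api, pids in sorted(r["systemic"].items()):
        print(f"  {api:<28} hooked identically in PIDs {sorted(pids)}")
    for path in r["hidden_modules"]:
        print(f"hidden module: {path}")
    print("trampoline hooks + hidden module in PIDs:", r["hooked_and_hidden"])
```

To run it on a real scan, read GMER's saved log into a string and pass it to `triage()`. The short `JMP` hooks on `LdrLoadDll` and the 3-byte `JMP`s in firefox are deliberately not counted as trampolines; they are a different patch style and the log alone does not say what installed them, so the report keeps them apart from the 13-byte sequence that recurs across unrelated processes.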

#5 Buckeye_Sam


    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 19 April 2009 - 06:08 PM

We need to run Combofix.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#6 cheezfri

  • Topic Starter

  • Members
  • 12 posts

Posted 19 April 2009 - 06:59 PM

Hi Sam, I downloaded ComboFix and was not able to run it. It would show up in the processes tab of Task Mgr but nothing happened. So I killed those processes and renamed the file CF.exe and it ran part way. It told me to disable AVG 7.5 but it isn't in my systray or in the processes, and I have never been able to uninstall it. So any advice on how to kill and remove it completely would be appreciated. Anyway, it got stuck when downloading Recovery Console. After about a 1/2 hr I killed it and had to reboot. I ran CF again and Recovery Console had actually installed last time, so it kept going until an error window that said "bleep" popped up. Twice. So it finished and here is the log file (does this mean we're done now?):

ComboFix 09-04-20.02 - Other 04/19/2009 18:47.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1240 [GMT -5:00]
Running from: c:\documents and settings\Other\Desktop\cf.exe.exe
AV: AVG 7.5.485 *On-access scanning enabled* (Updated)
.
/wow section not completed

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C9C42510-9B21-41c1-9DCD-8382A2D07C61}]
2009-03-01 05:47 9728 ----a-w c:\windows\system32\iehelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-02-06 3325952]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-07-28 323584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G USB Adapter Client Utility.lnk - c:\program files\Belkin\F5D7050v5\Belkinwcui.exe [2008-11-3 1564672]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKLM\~\startupfolder\C:^Documents and Settings^Sherry^Start Menu^Programs^Startup^Sprint media monitor.lnk]
path=c:\documents and settings\Sherry\Start Menu\Programs\Startup\Sprint media monitor.lnk
backup=c:\windows\pss\Sprint media monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"IDriverT"=3 (0x3)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Sony Pictures Games\\Rock and Roll JEOPARDY!\\Rock & Roll JEOPARDY!.exe"=
"c:\\Program Files\\Sony Pictures Games\\JEOPARDY!\\JEOPARDY!.exe"=
"c:\\My Games\\SmallBall Baseball\\smallball.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16381:TCP"= 16381:TCP:BitComet 16381 TCP
"16381:UDP"= 16381:UDP:BitComet 16381 UDP

R3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\DRIVERS\m4301A.sys [2003-08-05 83552]
R3 oUltraf;oUltraf;c:\docume~1\Other\LOCALS~1\Temp\oUltraf.sys [2003-07-09 31744]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\DRIVERS\EAPPkt.sys [2006-11-15 38144]
S3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\DRIVERS\BLKWGU.sys [2007-06-01 238848]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-19 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SmartDraw 2009\Messages\SDNotify.exe [2008-12-11 12:29]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-rundll32.exe - c:\documents and settings\Other\Application Data\Macromedia\Common\459ce0261.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://ad.doubleclick.net/click;h=v8/3657/0/0/%2a/q;5284490;4-0;0;5896463;4307-300/250;10609948/10627844/1;;~aopt=2/1/ff/0;~sscs=%3fhttp://switchboard.real.com/arcade/download.html?file=games/demorgses/rgp/magicball2newworlds_free.rgp&src=infowindows
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.gamehouse.com/realarcade-webgames/bejeweled2/popcaploader.cab
FF - ProfilePath - c:\documents and settings\Other\Application Data\Mozilla\Firefox\Profiles\pk6na3lk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - plugin: c:\program files\GameTap\bin\Release\npgametaptool.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npImgCtl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 18:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2025429265-1060284298-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:17,f0,75,2f,17,1e,07,40,5f,87,5a,07,93,27,39,eb,66,5b,af,67,b5,d6,b7,
17,a7,02,e6,48,ad,85,84,c6,1e,a6,65,9d,0d,00,a3,da,81,84,18,45,61,66,96,d6,\
"??"=hex:50,33,48,fd,71,0d,43,b1,a3,c9,59,d2,5a,99,42,47

[HKEY_USERS\S-1-5-21-2025429265-1060284298-682003330-1004\Software\SecuROM\License information*]
"datasecu"=hex:2d,84,e3,c8,39,f2,dd,4e,a3,e0,7f,dd,96,e5,a9,aa,fb,33,9d,71,22,
b8,7f,b2,29,63,9e,10,a6,c6,a1,1a,f4,4e,57,7a,ca,b5,0d,5c,3a,6c,45,37,73,e2,\
"rkeysecu"=hex:a7,cd,ef,bf,dc,4c,51,32,f5,e9,02,c9,70,fa,8c,38
.
Completion time: 2009-04-19 18:50
ComboFix-quarantined-files.txt 2009-04-19 23:50
ComboFix2.txt 2009-01-17 16:54

Pre-Run: 12,761,780,224 bytes free
Post-Run: 12,749,041,664 bytes free

120 --- E O F --- 2009-04-19 14:02

#7 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:38 AM

Posted 20 April 2009 - 11:32 AM

It still looks like Combofix didn't run completely. Let's try this.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 cheezfri
  • Topic Starter

  • Members
  • 12 posts
  • Local time:10:38 AM

Posted 20 April 2009 - 05:01 PM

Here is the 2nd log file:

ComboFix 09-04-21.06 - Other 04/20/2009 16:48.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1055 [GMT -5:00]
Running from: c:\documents and settings\Other\Desktop\Combo-Fix.exe
AV: AVG 7.5.485 *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\syssvc.exe
c:\windows\system32\config\systemprofile\Application Data\Macromedia\Common
c:\windows\system32\config\systemprofile\Application Data\Macromedia\Common\459ce0261.dll
c:\windows\system32\iehelper.dll
c:\windows\system32\uacinit.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OULTRAF
-------\Service_oUltraf


((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
.

2009-12-23 17:59 . 2009-03-01 16:32 -------- d-----w c:\windows\ie8updates
2009-04-19 23:42 . 2009-04-19 23:51 -------- d-----w C:\cf.exe
2009-04-19 02:24 . 2009-04-19 02:31 -------- d-----w c:\documents and settings\All Users\Application Data\SimCity Societies
2009-04-19 01:30 . 2009-04-19 01:30 -------- d-----w c:\documents and settings\Other\Local Settings\Application Data\Warner Bros. Interactive Entertainment
2009-04-18 19:41 . 2009-04-18 19:41 -------- d-sh--w c:\documents and settings\Other\IECompatCache
2009-04-18 19:13 . 2009-04-18 19:13 -------- d-----w c:\documents and settings\Other\Local Settings\Application Data\Lemonade Productions
2009-04-18 15:51 . 2009-04-18 15:51 72456 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-16 22:39 . 2009-04-16 22:39 -------- d-----w C:\dc90c5daeb50094db187b95706
2009-04-16 01:59 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 01:59 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 01:59 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 01:59 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 01:59 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 01:59 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 01:59 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 01:59 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 01:59 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 01:56 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 01:56 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 01:56 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 00:32 . 2009-04-13 00:32 281 ----a-w c:\windows\EReg072.dat
2009-04-13 00:31 . 2009-04-13 00:31 -------- d-----w c:\documents and settings\Other\WINDOWS
2009-04-12 23:20 . 2009-04-12 23:20 -------- d-----w c:\documents and settings\Other\Application Data\Atari
2009-04-12 23:16 . 2009-04-12 23:16 -------- d-----w c:\documents and settings\Other\Application Data\Leadertech
2009-04-12 23:16 . 2002-02-27 23:50 197120 ----a-w c:\windows\patchw32.dll
2009-03-30 14:09 . 2009-03-30 14:09 -------- d-sh--w c:\documents and settings\Other\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 02:11 . 2008-06-19 11:16 -------- d-----w c:\program files\Electronic Arts
2009-04-19 01:23 . 2009-04-19 01:23 -------- d-----w c:\program files\Warner Bros. Interactive Entertainment
2009-04-18 23:23 . 2007-09-13 02:28 107888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-04-13 00:31 . 2009-04-13 00:31 -------- d-----w c:\program files\Maxis
2009-04-12 23:16 . 2009-04-12 23:16 -------- d-----w c:\program files\Common Files\PocketSoft
2009-04-12 23:14 . 2007-08-23 21:19 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-12 23:13 . 2009-04-12 23:13 -------- d-----w c:\program files\Atari
2009-03-06 14:22 . 2003-03-31 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-01 19:32 . 2009-03-01 19:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-01 19:10 . 2009-03-01 19:10 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-01 19:06 . 2009-03-01 19:06 -------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2009-02-20 19:30 . 2008-12-05 17:54 -------- d-----w c:\documents and settings\Other\Application Data\eFax Messenger
2009-02-13 19:12 . 2008-07-13 20:36 139772 ----a-w c:\windows\hpoins15.dat
2009-02-09 12:10 . 2003-03-31 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-07-26 04:31 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2003-03-31 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2003-03-31 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2003-03-31 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2003-03-31 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2003-03-31 12:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2003-03-31 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2002-08-29 01:04 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2003-03-31 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-12-11 21:36 . 2008-01-29 21:49 72456 ----a-w c:\documents and settings\Other\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-01-27 19:32 . 2008-01-27 19:32 774144 ----a-w c:\program files\RngInterstitial.dll
2007-12-10 23:47 . 2007-12-10 23:47 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-09-17 01:12 . 2007-09-17 01:12 237568 ----a-w c:\windows\system32\config\systemprofile\NTUSER(4).DAT
2007-09-17 01:12 . 2007-09-17 01:12 237568 ----a-w c:\windows\system32\config\systemprofile\NTUSER(2).DAT
2007-09-12 02:27 . 2007-09-12 02:27 237568 ----a-w c:\windows\system32\config\systemprofile\NTUSER(3).DAT
2007-09-02 15:46 . 2007-09-02 15:46 237568 ----a-w c:\windows\system32\config\systemprofile\NTUSER(5).DAT
2009-01-17 15:2009-01-17 15:48 48:09 . c:\program files\mozilla firefox\components\jar50.dll
2009-01-17 15:2009-01-17 15:48 48:09 . c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-17 15:2009-01-17 15:48 48:09 . c:\program files\mozilla firefox\components\myspell.dll
2009-01-17 15:2009-01-17 15:48 48:10 . c:\program files\mozilla firefox\components\spellchk.dll
2009-01-17 15:2009-01-17 15:48 48:10 . c:\program files\mozilla firefox\components\xpinstal.dll
2008-10-30 03:17 . 2008-10-30 03:17 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102920081030\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-19_23.48.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-20 21:53 . 2009-04-20 21:53 16384 c:\windows\temp\Perflib_Perfdata_608.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-02-06 3325952]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-07-28 323584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G USB Adapter Client Utility.lnk - c:\program files\Belkin\F5D7050v5\Belkinwcui.exe [2008-11-3 1564672]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKLM\~\startupfolder\C:^Documents and Settings^Sherry^Start Menu^Programs^Startup^Sprint media monitor.lnk]
path=c:\documents and settings\Sherry\Start Menu\Programs\Startup\Sprint media monitor.lnk
backup=c:\windows\pss\Sprint media monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"IDriverT"=3 (0x3)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Sony Pictures Games\\Rock and Roll JEOPARDY!\\Rock & Roll JEOPARDY!.exe"=
"c:\\Program Files\\Sony Pictures Games\\JEOPARDY!\\JEOPARDY!.exe"=
"c:\\My Games\\SmallBall Baseball\\smallball.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16381:TCP"= 16381:TCP:BitComet 16381 TCP
"16381:UDP"= 16381:UDP:BitComet 16381 UDP

R3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\DRIVERS\m4301A.sys [2003-08-05 83552]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\DRIVERS\EAPPkt.sys [2006-11-15 38144]
S3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\DRIVERS\BLKWGU.sys [2007-06-01 238848]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-20 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SmartDraw 2009\Messages\SDNotify.exe [2008-12-11 12:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://ad.doubleclick.net/click;h=v8/3657/0/0/%2a/q;5284490;4-0;0;5896463;4307-300/250;10609948/10627844/1;;~aopt=2/1/ff/0;~sscs=%3fhttp://switchboard.real.com/arcade/download.html?file=games/demorgses/rgp/magicball2newworlds_free.rgp&src=infowindows
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Other\Application Data\Mozilla\Firefox\Profiles\pk6na3lk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - plugin: c:\program files\GameTap\bin\Release\npgametaptool.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npImgCtl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 16:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2025429265-1060284298-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:17,f0,75,2f,17,1e,07,40,5f,87,5a,07,93,27,39,eb,66,5b,af,67,b5,d6,b7,
17,a7,02,e6,48,ad,85,84,c6,1e,a6,65,9d,0d,00,a3,da,81,84,18,45,61,66,96,d6,\
"??"=hex:50,33,48,fd,71,0d,43,b1,a3,c9,59,d2,5a,99,42,47

[HKEY_USERS\S-1-5-21-2025429265-1060284298-682003330-1004\Software\SecuROM\License information*]
"datasecu"=hex:11,59,a0,59,4e,31,77,27,8a,12,9f,f0,55,e0,f4,c2,72,1e,25,e8,e8,
4b,e6,87,b8,48,93,05,5b,52,82,b4,92,e4,6f,8b,1d,47,60,d6,39,b7,61,77,be,b9,\
"rkeysecu"=hex:a7,cd,ef,bf,dc,4c,51,32,f5,e9,02,c9,70,fa,8c,38
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(728)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-20 16:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-20 21:58
ComboFix2.txt 2009-04-19 23:50
ComboFix3.txt 2009-01-17 16:54

Pre-Run: 12,848,607,232 bytes free
Post-Run: 12,760,313,856 bytes free

212 --- E O F --- 2009-04-19 14:02

#9 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:38 AM

Posted 20 April 2009 - 05:03 PM

Much better!
How is your computer behaving now? What issues are you still having?


========================================================

#10 cheezfri
  • Topic Starter

  • Members
  • 12 posts
  • Local time:10:38 AM

Posted 20 April 2009 - 10:25 PM

Yeek, not sure what the problem is. I just opened IE8.0 and 52 windows opened up at once. All going to strange websites like search or ad sites. I closed them, and several more popped up.

#11 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:38 AM

Posted 21 April 2009 - 04:01 PM

That can't be good.

Please post a new log from Gmer.


========================================================

#12 cheezfri
  • Topic Starter

  • Members
  • 12 posts
  • Local time:10:38 AM

Posted 21 April 2009 - 05:34 PM

New Gmer output:

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-21 17:33:44
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\Other\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\DOCUME~1\Other\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- EOF - GMER 1.0.15 ----

#13 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:38 AM

Posted 21 April 2009 - 05:37 PM

Please post a new log from Combofix.


========================================================

#14 cheezfri
  • Topic Starter

  • Members
  • 12 posts
  • Local time:10:38 AM

Posted 21 April 2009 - 06:01 PM

Combofix:

ComboFix 09-04-21.06 - Other 04/21/2009 17:53.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.974 [GMT -5:00]
Running from: c:\documents and settings\Other\Desktop\Combo-Fix.exe
AV: AVG 7.5.485 *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-03-21 to 2009-04-21 )))))))))))))))))))))))))))))))
.

2009-12-23 17:59 . 2009-03-01 16:32 -------- d-----w c:\windows\ie8updates
2009-04-19 23:42 . 2009-04-19 23:51 -------- d-----w C:\cf.exe
2009-04-19 02:24 . 2009-04-19 02:31 -------- d-----w c:\documents and settings\All Users\Application Data\SimCity Societies
2009-04-19 01:30 . 2009-04-19 01:30 -------- d-----w c:\documents and settings\Other\Local Settings\Application Data\Warner Bros. Interactive Entertainment
2009-04-18 19:41 . 2009-04-18 19:41 -------- d-sh--w c:\documents and settings\Other\IECompatCache
2009-04-18 19:13 . 2009-04-18 19:13 -------- d-----w c:\documents and settings\Other\Local Settings\Application Data\Lemonade Productions
2009-04-18 15:51 . 2009-04-18 15:51 72456 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-16 22:39 . 2009-04-16 22:39 -------- d-----w C:\dc90c5daeb50094db187b95706
2009-04-16 01:59 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 01:59 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 01:59 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 01:59 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 01:59 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 01:59 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 01:59 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 01:59 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 01:59 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 01:56 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 01:56 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 01:56 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 00:32 . 2009-04-13 00:32 281 ----a-w c:\windows\EReg072.dat
2009-04-13 00:31 . 2009-04-13 00:31 -------- d-----w c:\documents and settings\Other\WINDOWS
2009-04-12 23:20 . 2009-04-12 23:20 -------- d-----w c:\documents and settings\Other\Application Data\Atari
2009-04-12 23:16 . 2009-04-12 23:16 -------- d-----w c:\documents and settings\Other\Application Data\Leadertech
2009-04-12 23:16 . 2002-02-27 23:50 197120 ----a-w c:\windows\patchw32.dll
2009-03-30 14:09 . 2009-03-30 14:09 -------- d-sh--w c:\documents and settings\Other\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 02:11 . 2008-06-19 11:16 -------- d-----w c:\program files\Electronic Arts
2009-04-19 01:23 . 2009-04-19 01:23 -------- d-----w c:\program files\Warner Bros. Interactive Entertainment
2009-04-18 23:23 . 2007-09-13 02:28 107888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-04-13 00:31 . 2009-04-13 00:31 -------- d-----w c:\program files\Maxis
2009-04-12 23:16 . 2009-04-12 23:16 -------- d-----w c:\program files\Common Files\PocketSoft
2009-04-12 23:14 . 2007-08-23 21:19 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-12 23:13 . 2009-04-12 23:13 -------- d-----w c:\program files\Atari
2009-03-06 14:22 . 2003-03-31 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-01 19:32 . 2009-03-01 19:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-01 19:10 . 2009-03-01 19:10 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-01 19:06 . 2009-03-01 19:06 -------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2009-02-13 19:12 . 2008-07-13 20:36 139772 ----a-w c:\windows\hpoins15.dat
2009-02-09 12:10 . 2003-03-31 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-07-26 04:31 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2003-03-31 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2003-03-31 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2003-03-31 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2003-03-31 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2003-03-31 12:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2003-03-31 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2002-08-29 01:04 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2003-03-31 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-12-11 21:36 . 2008-01-29 21:49 72456 ----a-w c:\documents and settings\Other\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-01-27 19:32 . 2008-01-27 19:32 774144 ----a-w c:\program files\RngInterstitial.dll
2007-12-10 23:47 . 2007-12-10 23:47 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-09-17 01:12 . 2007-09-17 01:12 237568 ----a-w c:\windows\system32\config\systemprofile\NTUSER(4).DAT
2007-09-17 01:12 . 2007-09-17 01:12 237568 ----a-w c:\windows\system32\config\systemprofile\NTUSER(2).DAT
2007-09-12 02:27 . 2007-09-12 02:27 237568 ----a-w c:\windows\system32\config\systemprofile\NTUSER(3).DAT
2007-09-02 15:46 . 2007-09-02 15:46 237568 ----a-w c:\windows\system32\config\systemprofile\NTUSER(5).DAT
2009-01-17 15:2009-01-17 15:48 48:09 . c:\program files\mozilla firefox\components\jar50.dll
2009-01-17 15:2009-01-17 15:48 48:09 . c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-17 15:2009-01-17 15:48 48:09 . c:\program files\mozilla firefox\components\myspell.dll
2009-01-17 15:2009-01-17 15:48 48:10 . c:\program files\mozilla firefox\components\spellchk.dll
2009-01-17 15:2009-01-17 15:48 48:10 . c:\program files\mozilla firefox\components\xpinstal.dll
2008-10-30 03:17 . 2008-10-30 03:17 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102920081030\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-02-06 3325952]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-07-28 323584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G USB Adapter Client Utility.lnk - c:\program files\Belkin\F5D7050v5\Belkinwcui.exe [2008-11-3 1564672]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKLM\~\startupfolder\C:^Documents and Settings^Sherry^Start Menu^Programs^Startup^Sprint media monitor.lnk]
path=c:\documents and settings\Sherry\Start Menu\Programs\Startup\Sprint media monitor.lnk
backup=c:\windows\pss\Sprint media monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"IDriverT"=3 (0x3)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Sony Pictures Games\\Rock and Roll JEOPARDY!\\Rock & Roll JEOPARDY!.exe"=
"c:\\Program Files\\Sony Pictures Games\\JEOPARDY!\\JEOPARDY!.exe"=
"c:\\My Games\\SmallBall Baseball\\smallball.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16381:TCP"= 16381:TCP:BitComet 16381 TCP
"16381:UDP"= 16381:UDP:BitComet 16381 UDP

R3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\DRIVERS\m4301A.sys [2003-08-05 83552]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\DRIVERS\EAPPkt.sys [2006-11-15 38144]
S3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\DRIVERS\BLKWGU.sys [2007-06-01 238848]


--- Other Services/Drivers In Memory ---

*Deregistered* - aujasnkj

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-20 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SmartDraw 2009\Messages\SDNotify.exe [2008-12-11 12:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://ad.doubleclick.net/click;h=v8/3657/0/0/%2a/q;5284490;4-0;0;5896463;4307-300/250;10609948/10627844/1;;~aopt=2/1/ff/0;~sscs=%3fhttp://switchboard.real.com/arcade/download.html?file=games/demorgses/rgp/magicball2newworlds_free.rgp&src=infowindows
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Other\Application Data\Mozilla\Firefox\Profiles\pk6na3lk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - plugin: c:\program files\GameTap\bin\Release\npgametaptool.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npImgCtl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-21 17:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2025429265-1060284298-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:17,f0,75,2f,17,1e,07,40,5f,87,5a,07,93,27,39,eb,66,5b,af,67,b5,d6,b7,
17,a7,02,e6,48,ad,85,84,c6,1e,a6,65,9d,0d,00,a3,da,81,84,18,45,61,66,96,d6,\
"??"=hex:50,33,48,fd,71,0d,43,b1,a3,c9,59,d2,5a,99,42,47

[HKEY_USERS\S-1-5-21-2025429265-1060284298-682003330-1004\Software\SecuROM\License information*]
"datasecu"=hex:2d,9c,d0,99,4a,4c,4a,d1,33,bb,d9,72,ac,ac,71,51,6f,b1,f5,76,50,
2e,0e,b7,fd,5e,f7,f8,7b,17,59,f8,06,4c,d9,e3,a8,c2,94,3c,30,2a,47,5c,1e,2c,\
"rkeysecu"=hex:a7,cd,ef,bf,dc,4c,51,32,f5,e9,02,c9,70,fa,8c,38
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5264)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-21 17:57
ComboFix-quarantined-files.txt 2009-04-21 22:57
ComboFix2.txt 2009-04-20 21:58
ComboFix3.txt 2009-04-19 23:50
ComboFix4.txt 2009-01-17 16:54

Pre-Run: 12,793,323,520 bytes free
Post-Run: 12,786,405,376 bytes free

188 --- E O F --- 2009-04-19 14:02

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:38 AM

Posted 21 April 2009 - 06:59 PM

Are you still having problems with IE?

Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!

