
sqlserv.exe damaged by virus removal


  • This topic is locked
16 replies to this topic

#1 tiaz

tiaz

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:02 PM

Posted 23 May 2009 - 05:02 AM

Moderator edit: Member was previously receiving assistance here: http://forums.spybot.info/showthread.php?t=48694 then posted here without informing helper. Helper discovered topic here and has closed the one at Spybot. ~ OB

Hi,
I had a virus on my PC despite having anti-virus and malware programs, and had someone advise and help me remove it. As far as I know the virus should be gone now; however, it's left me with a problem. When I afterwards rebooted my PC, I got an error message that said sqlserv.exe has been damaged or corrupted. I wasn't sure what this would mean for the workings of my PC, but it seems to now have caused an issue that stops me downloading programs in zip form, opening them and getting them running. I've tried with two programs that I need, that I know are safe and have no issues, and they won't work.
I have googled sqlserv.exe and it does seem to be a legitimate program that I need to have to run many programs that I use, and it seems to have been removed or damaged by fixing the virus. I use Firefox mostly, but have also noticed that IE won't load either.
The person helping remove the virus says this issue is now beyond them, so can anyone here please advise? I would be most grateful if you could.

In the process of removing the virus the following have been installed and used:
HijackThis
erunt
gooredfix
ccleaner (I already had this on pc)
malwarebytes
combofix
all used as per instructions

I have windows xp.

Including a HijackThis log, just in case it's of use with this issue. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:31, on 23/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Dee\Desktop\SYSTEMTOOLS\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?d4a8adb91c0f4702972ae83164765d84
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?d4a8adb91c0f4702972ae83164765d84
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_13.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_13.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 13072 bytes

Thank You

PPS. I have so much not working now on my PC; I'm going to restore it to before the virus fix, as I can't work without doing so.
Everything is now working on the PC after the restore, and here is a fresh HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:58, on 23/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Affiliate Organizer\Affiliate Organizer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Dee\Desktop\SYSTEMTOOLS\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?d4a8adb91c0f4702972ae83164765d84
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?d4a8adb91c0f4702972ae83164765d84
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.6.0_10) -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 12968 bytes
thanks

Edited by Orange Blossom, 23 May 2009 - 09:06 PM.
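A small check of the kind the helpers here do by hand, added as an example (it is not code from the post, from BleepingComputer or from HijackThis): it parses two HijackThis logs, reports which running processes and which R/O entries changed between them (the post-restore log above, for instance, lists the SQL Server engine `sqlservr.exe` under `MSSQL\Binn`, which the first log does not), and flags the `(no file)` entries that a removal or uninstall tends to leave behind. The two embedded logs are abridged excerpts of the ones posted above, constructed for this example; the `HjtLog`, `parse_hjt`, `diff_logs` and `orphaned_entries` names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Abridged excerpts of the two HijackThis logs in the post above (constructed
# for this example: only the lines needed to show the comparison are kept).
LOG_BEFORE_RESTORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
"""

LOG_AFTER_RESTORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")  # e.g. "O23 - Service: ..."
PATH_RE = re.compile(r"^[A-Za-z]:\\")  # process lines are drive-letter paths

@dataclass
class HjtLog:
    processes: List[str]
    entries: List[Tuple[str, str]]  # (section code such as "O23", rest of the line)

def parse_hjt(text: str) -> HjtLog:
    """Split a HijackThis log into its running-process list and its R/F/N/O entries."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False  # the entry section follows the process list
            entries.append((m.group("code"), m.group("body")))
        elif in_processes and PATH_RE.match(line):
            processes.append(line)
    return HjtLog(processes, entries)

def _norm(s: str) -> str:
    # Windows paths are case-insensitive and the log mixes System32/system32.
    return s.lower()

def diff_logs(before: HjtLog, after: HjtLog) -> Dict[str, List[str]]:
    """What disappeared from, or appeared in, the second log relative to the first."""
    b_proc = {_norm(p): p for p in before.processes}
    a_proc = {_norm(p): p for p in after.processes}
    b_ent = {_norm(f"{c} - {b}"): f"{c} - {b}" for c, b in before.entries}
    a_ent = {_norm(f"{c} - {b}"): f"{c} - {b}" for c, b in after.entries}
    return {
        "processes_gone": [b_proc[k] for k in b_proc if k not in a_proc],
        "processes_new": [a_proc[k] for k in a_proc if k not in b_proc],
        "entries_gone": [b_ent[k] for k in b_ent if k not in a_ent],
        "entries_new": [a_ent[k] for k in a_ent if k not in b_ent],
    }

def orphaned_entries(log: HjtLog) -> List[Tuple[str, str]]:
    """Registry entries whose target file is gone: HijackThis marks them "(no file)".

    They are the usual leftovers of an uninstall or a malware removal and the
    first cleanup candidates a helper looks at in a post-cleanup log."""
    return [(c, b) for c, b in log.entries if "(no file)" in b]

if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE_RESTORE), parse_hjt(LOG_AFTER_RESTORE)
    for name, items in diff_logs(before, after).items():
        print(f"{name}: {items}")
    print("orphaned after restore:", orphaned_entries(after))
```

Feed it the two full logs from the post and the diff also surfaces the `O4 - Startup: ERUNT AutoBackup.lnk` entry that is present in the first log and absent after the restore.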


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:02 PM

Posted 04 June 2009 - 08:07 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 tiaz

tiaz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:02 PM

Posted 05 June 2009 - 07:30 AM

Hi,
I have a website and, after making a couple of changes to it, it got infected with code and I was told I may have the Gumblar virus on the PC. I have run and tried various things like UnHackMe, Avast etc., but I have no real idea if it's cleared. Here's the file you asked for below. I've updated Windows (I do so weekly) and all Adobe products also. I always have a firewall up and AVG paid running at all times.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Dee at 13:22:11.51 on 05/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.313 [GMT 1:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Affiliate Organizer\Affiliate Organizer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Documents and Settings\Dee\Desktop\dds.pif

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Credential Manager for ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hpq\iam\bin\ItIeAddIN.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
uRun: [ICQ] "c:\program files\icq6.5\ICQ.exe" silent
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
uPolicies-explorer: NoSMBalloonTip = 0 (0x0)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
IE: &Windows Live Search
IE: Customize Menu
IE: Download FLV video content with IDM
IE: Fill Forms
IE: Open in new background tab
IE: Open in new foreground tab
IE: RoboForm Toolbar
IE: Save Forms
IE: Send to &Bluetooth Device...
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {B863453A-26C3-4e1f-A54D-A2CD196348E9}
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6.5\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: IfxWlxEN - IfxWlxEN.dll
Notify: OneCard - c:\program files\hpq\iam\bin\AsWlnPkg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
LSA: Authentication Packages = msv1_0 nwprovau
LSA: Notification Packages = scecli AsWlnPkg

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dee\applic~1\mozilla\firefox\profiles\lvnyvz54.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - BoardTracker
FF - prefs.js: browser.startup.homepage - hxxp://www.future-forcast.co.uk
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\program files\mozilla firefox\plugins\npRLCT4Player.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-3 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-12-8 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-3 108552]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-5-16 178376]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-5-16 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-5-16 28872]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2005-11-29 36768]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-15 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-15 298776]
R2 CachemanXPService;CachemanXP;c:\progra~1\cachem~1\CachemanXP.exe [2008-3-6 355840]
R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-5-16 1402568]
R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [2005-7-27 14080]
R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [2005-7-27 36352]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-10-21 36352]
R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [2005-7-27 77056]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-5-29 34760]
S2 Machnm32;Machnm32 Driver;\??\c:\windows\system32\machnm32.sys --> c:\windows\system32\Machnm32.sys [?]
S3 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-5-16 3321032]
S3 tap0801;Smarthide TAP driver;c:\windows\system32\drivers\tap0801.sys [2007-10-12 55808]

=============== Created Last 30 ================

2009-06-02 19:22 26 a------- c:\windows\Zone.Identifier
2009-06-01 23:03 <DIR> --dsh--- c:\documents and settings\dee\IETldCache
2009-06-01 21:52 <DIR> --d----- c:\program files\ICQ6.5
2009-05-31 20:19 <DIR> --d----- c:\windows\ie8updates
2009-05-31 20:02 <DIR> -cd-h--- c:\windows\ie8
2009-05-31 19:56 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-05-29 16:35 134 a------- c:\windows\rootkitno.ini
2009-05-29 16:35 <DIR> --d----- C:\RootkitNO
2009-05-29 15:45 34,760 a------- c:\windows\system32\drivers\Partizan.sys
2009-05-29 15:45 32,480 a------- c:\windows\system32\Partizan.exe
2009-05-29 15:44 2 a--shrot c:\windows\winstart.bat
2009-05-29 15:43 12,752 a------- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-05-29 15:43 <DIR> --d----- c:\program files\UnHackMe
2009-05-23 11:48 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-05-23 11:43 <DIR> --d----- c:\program files\IEToolbar
2009-05-23 11:35 <DIR> --d----- c:\program files\Affiliate Organizer
2009-05-23 01:20 <DIR> --d----- c:\program files\Affiliate Organizer(2)
2009-05-23 01:04 <DIR> --d----- c:\windows\system32\Adobe
2009-05-23 00:24 <DIR> --d----- c:\program files\Affiliate Organizer(3)
2009-05-23 00:18 <DIR> --dsh--- C:\RECYCLER(3)
2009-05-23 00:04 <DIR> --d----- C:\cmdcons(2)
2009-05-21 15:29 <DIR> --dsh--- C:\RECYCLER(2)
2009-05-20 01:00 <DIR> --d----- c:\docume~1\dee\applic~1\Malwarebytes
2009-05-20 01:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-20 01:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-17 00:04 <DIR> --d----- c:\program files\Defraggler
2009-05-16 22:38 389,120 a------- c:\windows\system32\CF16633.exe
2009-05-16 20:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-16 20:27 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-16 20:27 <DIR> --d----- c:\docume~1\dee\applic~1\SUPERAntiSpyware.com
2009-05-16 19:46 <DIR> --d----- c:\program files\CONEXANT
2009-05-16 17:36 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-16 15:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\OnlineArmor
2009-05-16 15:03 <DIR> --d----- c:\docume~1\dee\applic~1\OnlineArmor
2009-05-16 15:02 178,376 a------- c:\windows\system32\drivers\OADriver.sys
2009-05-16 15:02 30,920 a------- c:\windows\system32\drivers\OAmon.sys
2009-05-16 15:02 28,872 a------- c:\windows\system32\drivers\OAnet.sys
2009-05-16 15:02 <DIR> --d----- c:\program files\Tall Emu
2009-05-13 23:59 <DIR> --d----- c:\program files\GC Keyword Analyzer
2009-05-12 12:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Ultimate Keyword Theme Extractor
2009-05-12 12:42 <DIR> --d----- c:\program files\Ultimate Keyword Theme Extractor

==================== Find3M ====================

2009-04-30 18:12 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-30 18:12 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-30 18:12 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-21 15:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-10 22:18 934,792 -------- c:\windows\system32\dllcache\WgaTray.exe
2009-03-10 22:18 239,496 -------- c:\windows\system32\dllcache\wgaLogon.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-08 14:22 1,241,088 a------- c:\windows\system32\SET386.tmp
2009-03-08 14:22 1,241,088 -------- c:\windows\system32\dllcache\SET30F.tmp
2009-03-08 14:21 10,240 -------- c:\windows\system32\SET375.tmp
2009-03-08 14:09 638,816 a------- c:\windows\system32\dllcache\SET324.tmp
2009-03-08 14:09 638,816 a------- c:\windows\system32\dllcache\iexplore.exe
2009-03-08 14:09 391,536 a------- c:\windows\system32\dllcache\SET31D.tmp
2009-03-08 14:09 391,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 14:09 391,536 -------- c:\windows\system32\SET383.tmp
2009-03-08 04:41 5,937,152 a------- c:\windows\system32\SET398.tmp
2009-03-08 04:41 5,937,152 a------- c:\windows\system32\dllcache\SET32F.tmp
2009-03-08 04:41 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-03-08 04:39 11,063,808 a------- c:\windows\system32\SET385.tmp
2009-03-08 04:39 11,063,808 a------- c:\windows\system32\dllcache\ieframe.dll
2009-03-08 04:39 11,063,808 -------- c:\windows\system32\dllcache\SET30E.tmp
2009-03-08 04:35 385,024 a------- c:\windows\system32\SET379.tmp
2009-03-08 04:33 759,296 a------- c:\windows\system32\dllcache\VGX.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\SET373.tmp
2009-03-08 04:31 183,808 a------- c:\windows\system32\SET387.tmp
2009-03-08 04:30 66,560 a------- c:\windows\system32\SET3A2.tmp
2009-03-08 04:30 66,560 a------- c:\windows\system32\dllcache\SET33A.tmp
2009-03-08 04:24 68,608 a------- c:\windows\system32\dllcache\SET318.tmp
2009-03-08 04:24 68,608 a------- c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 04:22 164,352 -------- c:\windows\system32\SET38B.tmp
2009-03-08 04:22 156,160 a------- c:\windows\system32\SET39C.tmp
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\dllcache\SET333.tmp
2009-03-08 04:22 156,160 a------- c:\windows\system32\dllcache\msls31.dll
2009-03-08 04:15 57,667 a------- c:\windows\system32\SET38C.tmp
2009-03-08 04:11 445,952 a------- c:\windows\system32\SET382.tmp
2009-03-08 04:11 445,952 a------- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-08 04:11 445,952 -------- c:\windows\system32\dllcache\SET30D.tmp
2009-01-25 17:01 60,744 a------- c:\documents and settings\dee\g2mdlhlpx.exe
2008-02-22 04:30 80 -c-shr-- c:\windows\CT5PRET.BIN
2002-07-31 20:55 106 -c-sh--- c:\windows\WSYS049.SYS
2008-09-10 18:47 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091020080911\index.dat

============= FINISH: 13:23:16.68 ===============

Thank you

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:02 AM

Posted 06 June 2009 - 07:57 PM

Hi tiaz,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please give me a little time to go through your log and I will get back to you with your first instructions. Don't worry, I won't abandon you.
  • Please subscribe to this topic, if you haven't already, and wait for me to get back to you.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Thanks :thumbup2:
m0le is a proud member of UNITE

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:02 AM

Posted 06 June 2009 - 09:06 PM

Hi Tiaz,

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Then

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
Thanks :thumbup2:
m0le is a proud member of UNITE

#6 tiaz

tiaz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:02 PM

Posted 07 June 2009 - 08:03 AM

Have already subscribed. OK, will do the above and reply back shortly.
Thanks

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:02 AM

Posted 13 June 2009 - 04:33 AM

Hi tiaz,

I have not had a reply from you for 5 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#8 tiaz

tiaz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:02 PM

Posted 13 June 2009 - 06:54 AM

Hi, sorry,
My ISP has been down (on and off, partially to certain places). I'll just delete spam etc. and get sorted and post the logs.
Thanks

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:02 AM

Posted 13 June 2009 - 07:05 AM

Okay, tiaz.

Thanks for letting me know :thumbup2:
m0le is a proud member of UNITE

#10 tiaz

tiaz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:02 PM

Posted 13 June 2009 - 09:03 AM

OTL scans

OTL logfile created on: 13/06/2009 14:33:05 - Run 1
OTL by OldTimer - Version 2.1.1.0 Folder = C:\Documents and Settings\Dee\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

895.36 Mb Total Physical Memory | 390.44 Mb Available Physical Memory | 43.61% Memory free
2.12 Gb Paging File | 1.46 Gb Available in Paging File | 68.71% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 67.84 Gb Total Space | 14.24 Gb Free Space | 20.99% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 6.68 Gb Total Space | 6.52 Gb Free Space | 97.50% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DEESLAPTOP
Current User Name: Dee
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2006/04/27 10:39:50 | 00,405,504 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\Ati2evxx.exe
PRC - [2006/04/27 10:39:50 | 00,405,504 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\Ati2evxx.exe
PRC - [2005/06/29 20:06:54 | 00,043,008 | ---- | M] (Cognizance Corporation) -- C:\Program Files\HPQ\IAM\bin\asghost.exe
PRC - [2008/04/14 01:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2006/04/12 10:29:30 | 00,266,295 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
PRC - [2008/12/18 16:28:24 | 00,355,840 | ---- | M] (Outertech) -- C:\Program Files\CachemanXP\CachemanXP.exe
PRC - [2007/05/09 16:23:47 | 00,138,680 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
PRC - [2006/03/03 16:29:04 | 00,507,904 | ---- | M] (Infineon Technologies AG) -- C:\WINDOWS\system32\IFXSPMGT.exe
PRC - [2006/03/03 16:07:40 | 00,741,376 | ---- | M] (Infineon Technologies AG) -- C:\WINDOWS\system32\IFXTCS.exe
PRC - [2009/03/09 05:19:15 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2006/03/24 02:48:44 | 00,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2008/11/24 23:31:10 | 29,263,712 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2002/12/17 18:26:22 | 07,520,337 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
PRC - [2009/03/07 00:40:14 | 01,402,568 | ---- | M] (Tall Emu) -- C:\Program Files\Tall Emu\Online Armor\oacat.exe
PRC - [2005/11/29 17:56:36 | 00,099,872 | ---- | M] (Infineon Technologies AG) -- C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
PRC - [2008/11/24 23:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/11/24 23:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2006/03/15 23:28:32 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
PRC - [2008/04/14 01:12:27 | 00,004,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mqsvc.exe
PRC - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe
PRC - [2008/04/14 01:12:27 | 00,117,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mqtgsvc.exe
PRC - [2006/03/03 16:28:18 | 00,136,736 | ---- | M] (Infineon Technologies AG) -- C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
PRC - [2009/03/09 05:19:17 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2006/04/12 10:37:48 | 00,643,133 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2008/04/14 01:12:28 | 00,060,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Outlook Express\msimn.exe
PRC - [2007/09/28 09:01:36 | 01,998,848 | ---- | M] () -- C:\Program Files\Affiliate Organizer\Affiliate Organizer.exe
PRC - [2009/04/30 18:12:00 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/05/24 00:46:31 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/04/30 18:12:02 | 00,594,712 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/04/30 18:12:02 | 00,908,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/04/30 18:12:25 | 00,692,504 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2007/05/20 23:52:24 | 00,185,784 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/06/07 14:02:05 | 00,286,208 | ---- | M] () -- C:\Documents and Settings\Dee\Desktop\13wxgxou.exe
PRC - [2009/06/07 14:02:20 | 00,501,760 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dee\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2005/06/01 06:59:00 | 00,117,248 | ---- | M] (Cognizance Corporation) -- C:\Program Files\HPQ\IAM\Bin\ASChnl.dll -- (ASChannel [Auto | Running])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2006/04/27 10:39:50 | 00,405,504 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
SRV - [2009/04/30 18:12:02 | 00,908,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Running])
SRV - [2009/04/30 18:12:00 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2006/04/12 10:29:30 | 00,266,295 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe -- (btwdins [Auto | Running])
SRV - [2008/12/18 16:28:24 | 00,355,840 | ---- | M] (Outertech) -- C:\Program Files\CachemanXP\CachemanXP.exe -- (CachemanXPService [Auto | Running])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2007/05/09 16:23:47 | 00,138,680 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Auto | Running])
SRV - [2008/04/14 01:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2006/03/15 23:28:32 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe -- (hpqwmiex [Auto | Running])
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2006/03/03 16:29:04 | 00,507,904 | ---- | M] (Infineon Technologies AG) -- C:\WINDOWS\system32\IFXSPMGT.exe -- (IFXSpMgtSrv [Auto | Running])
SRV - [2006/03/03 16:07:40 | 00,741,376 | ---- | M] (Infineon Technologies AG) -- C:\WINDOWS\system32\IFXTCS.exe -- (IFXTCS [Auto | Running])
SRV - [2009/03/09 05:19:15 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2006/03/24 02:48:44 | 00,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Running])
SRV - [2008/04/14 01:12:27 | 00,004,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mqsvc.exe -- (MSMQ [Auto | Running])
SRV - [2008/04/14 01:12:27 | 00,117,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mqtgsvc.exe -- (MSMQTriggers [Auto | Running])
SRV - [2008/11/24 23:31:10 | 29,263,712 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS [Auto | Running])
SRV - [2002/12/17 18:26:22 | 07,520,337 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe -- (MSSQLSERVER [Auto | Running])
SRV - [2008/11/24 23:31:08 | 00,045,408 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper [Disabled | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/04/14 01:12:02 | 00,065,536 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\nwwks.dll -- (NWCWorkstation [Auto | Running])
SRV - [2009/03/07 00:40:14 | 01,402,568 | ---- | M] (Tall Emu) -- C:\Program Files\Tall Emu\Online Armor\oacat.exe -- (OAcat [Auto | Running])
SRV - [2006/01/12 21:22:38 | 00,294,912 | ---- | M] (SoftThinks) -- C:\WINDOWS\SMINST\PCAngel.exe -- (PCA [Auto | Stopped])
SRV - [2005/11/29 17:56:36 | 00,099,872 | ---- | M] (Infineon Technologies AG) -- C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE -- (PersonalSecureDriveService [Auto | Running])
SRV - [2008/11/24 23:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser [Auto | Running])
SRV - [2002/12/17 18:23:30 | 00,311,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE -- (SQLSERVERAGENT [On_Demand | Stopped])
SRV - [2008/11/24 23:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter [Auto | Running])
SRV - [2009/03/07 00:40:14 | 03,321,032 | ---- | M] (Tall Emu) -- C:\Program Files\Tall Emu\Online Armor\oasrv.exe -- (SvcOnlineArmor [On_Demand | Stopped])
SRV - [2007/01/19 12:54:14 | 00,097,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
SRV - [2007/10/25 16:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2006/05/03 13:18:06 | 00,178,176 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService [On_Demand | Running])
DRV - [2005/06/07 15:53:46 | 00,152,960 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\drivers\AEAudio.sys -- (AEAudioService [On_Demand | Running])
DRV - [2001/08/17 16:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde [Boot | Running])
DRV - [2006/05/10 19:27:00 | 00,036,864 | ---- | M] (Advanced Micro Devices) -- C:\WINDOWS\system32\DRIVERS\AmdK8.sys -- (AmdK8 [System | Running])
DRV - [2006/04/27 10:46:50 | 01,540,096 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\DRIVERS\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
DRV - [2006/03/30 22:39:48 | 00,130,432 | ---- | M] (AuthenTec, Inc.) -- C:\WINDOWS\system32\DRIVERS\ATSwpDrv.sys -- (ATSWPDRV [On_Demand | Running])
DRV - [2009/06/11 08:53:10 | 00,327,688 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
DRV - [2009/04/30 18:12:26 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
DRV - [2009/04/30 18:12:14 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX [System | Running])
DRV - [2006/02/09 02:00:04 | 00,142,720 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\system32\DRIVERS\b57xp32.sys -- (b57w2k [On_Demand | Running])
DRV - [2006/10/13 00:26:56 | 00,604,928 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\system32\DRIVERS\bcmwl5.sys -- (BCM43XX [On_Demand | Running])
DRV - [2006/04/12 10:09:32 | 00,854,538 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\DRIVERS\btkrnl.sys -- (BTKRNL [On_Demand | Running])
DRV - [2006/04/12 10:11:36 | 00,023,271 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\drivers\btserial.sys -- (BTSERIAL [Auto | Running])
DRV - [2006/04/12 10:00:46 | 00,047,811 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\DRIVERS\btwhid.sys -- (btwhid [On_Demand | Stopped])
DRV - [2006/04/12 10:04:46 | 00,065,784 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\System32\Drivers\btwusb.sys -- (BTWUSB [On_Demand | Running])
DRV - [2005/09/19 22:23:52 | 00,007,808 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\system32\DRIVERS\eabfiltr.sys -- (eabfiltr [System | Running])
DRV - [2005/09/19 22:24:20 | 00,005,760 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\system32\DRIVERS\eabusb.sys -- (eabusb [On_Demand | Stopped])
DRV - [2005/09/19 22:24:10 | 00,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\system32\DRIVERS\cpqbttn.sys -- (HBtnKey [On_Demand | Running])
DRV - [2008/04/13 17:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2005/10/21 12:19:34 | 00,036,352 | ---- | M] (Infineon Technologies AG) -- C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS -- (IFXTPM [On_Demand | Running])
DRV - [2008/04/13 19:39:44 | 00,092,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mqac.sys -- (MQAC [On_Demand | Running])
DRV - [2008/04/13 19:56:06 | 00,088,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys -- (NwlnkIpx [Auto | Running])
DRV - [2004/08/04 09:00:00 | 00,063,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\nwlnknb.sys -- (NwlnkNb [Auto | Running])
DRV - [2004/08/04 09:00:00 | 00,055,936 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys -- (NwlnkSpx [Auto | Running])
DRV - [2008/04/13 19:34:12 | 00,163,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\nwrdr.sys -- (NWRDR [On_Demand | Running])
DRV - [2009/03/07 00:40:22 | 00,178,376 | ---- | M] (Tall Emu Pty Ltd) -- C:\WINDOWS\system32\drivers\OADriver.sys -- (OADevice [System | Running])
DRV - [2009/03/07 00:40:22 | 00,030,920 | ---- | M] (Tall Emu Pty Ltd) -- C:\WINDOWS\system32\drivers\OAmon.sys -- (OAmon [System | Running])
DRV - [2009/03/07 00:40:22 | 00,028,872 | ---- | M] (Tall Emu Pty Ltd) -- C:\WINDOWS\system32\drivers\OAnet.sys -- (OAnet [System | Running])
DRV - [2009/05/29 15:45:08 | 00,034,760 | ---- | M] (Greatis Software) -- C:\WINDOWS\system32\drivers\Partizan.sys -- (Partizan [Boot | Stopped])
DRV - [2005/11/29 17:56:28 | 00,036,768 | ---- | M] (Infineon Technologies AG) -- C:\WINDOWS\System32\drivers\psd.sys -- (PersonalSecureDrive [System | Running])
DRV - [2004/08/04 09:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2008/05/08 15:02:52 | 00,203,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\RMCast.sys -- (RMCAST [On_Demand | Running])
DRV - [2007/11/13 11:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2001/08/17 20:10:28 | 00,035,913 | ---- | M] (SMC) -- C:\WINDOWS\system32\DRIVERS\smcirda.sys -- (SMCIRDA [On_Demand | Stopped])
DRV - [2006/03/31 16:41:40 | 00,193,056 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\DRIVERS\SynTP.sys -- (SynTP [On_Demand | Running])
DRV - [2007/10/12 14:07:10 | 00,055,808 | ---- | M] (The SHVPN Project) -- C:\WINDOWS\system32\DRIVERS\tap0801.sys -- (tap0801 [On_Demand | Stopped])
DRV - [2005/11/30 11:12:36 | 00,162,560 | ---- | M] (Texas Instruments) -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21 [On_Demand | Running])
DRV - [2007/04/26 08:34:06 | 00,076,560 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm [Auto | Running])
DRV - [2005/07/27 17:25:28 | 00,077,056 | ---- | M] (Unibrain S.A.) -- C:\WINDOWS\system32\DRIVERS\ubohci.sys -- (ubohci [On_Demand | Running])
DRV - [2005/07/27 17:25:28 | 00,014,080 | ---- | M] (Unibrain S.A.) -- C:\WINDOWS\system32\DRIVERS\ubsbm.sys -- (ubsbm [Auto | Running])
DRV - [2005/07/27 17:25:28 | 00,036,352 | ---- | M] (Unibrain S.A.) -- C:\WINDOWS\system32\DRIVERS\ubumapi.sys -- (ubumapi [Auto | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "ICQ Search"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "BoardTracker"
FF - prefs.js..browser.startup.homepage: "http://www.future-forcast.co.uk"
FF - prefs.js..extensions.enabledItems: {63b70e6a-ea9d-4de2-8166-d6c4308099ee}:1.0.11
FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:6.9.90
FF - prefs.js..extensions.enabledItems: {e1170235-2845-420c-acc3-42261a29dd46}:3.5.1
FF - prefs.js..extensions.enabledItems: {671c8440-f787-11dc-95ff-0800200c9a66}:1.0.4
FF - prefs.js..extensions.enabledItems: {3112ca9c-de6d-4884-a869-9855de68056c}:3.1.20081127W
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}:6.0.10
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}:6.0.12
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.0
FF - prefs.js..extensions.enabledItems: {289F3A4A-F3FF-4173-B994-DBC887E9C468}:0.3.3
FF - prefs.js..extensions.enabledItems: {ec9CEB59-8266-438b-91D9-82F56D595E15}:1.0
FF - prefs.js..extensions.enabledItems: {455D905A-D37C-4643-A9E2-F6FEFAA0424A}:0.8.11
FF - prefs.js..extensions.enabledItems: {888d99e7-e8b5-46a3-851e-1ec45da1e644}:3.0.0
FF - prefs.js..extensions.enabledItems: {317B5128-0B0B-49b2-B2DB-1E7560E16C74}:2.5.6
FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.29
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10
FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q="


FF - HKLM\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\FIREFOX [2008/07/26 16:34:17 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\PROGRAM FILES\AVG\AVG8\FIREFOX [2009/05/02 12:12:41 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\ [2008/10/04 04:44:39 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2008/11/21 23:12:22 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/04/28 14:13:27 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/05/31 20:10:47 | 00,000,000 | ---D | M]

[2008/08/27 01:53:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dee\Application Data\mozilla\Extensions
[2008/08/27 01:53:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dee\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/06/06 15:02:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dee\Application Data\mozilla\Firefox\Profiles\lvnyvz54.default\extensions
[2008/06/17 07:44:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dee\Application Data\mozilla\Firefox\Profiles\lvnyvz54.default\extensions\{27ACE843-F2CF-4284-8501-C9306CE44D4A}
[2008/05/21 10:39:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dee\Application Data\mozilla\Firefox\Profiles\lvnyvz54.default\extensions\{289F3A4A-F3FF-4173-B994-DBC887E9C468}
[2009/05/23 11:48:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dee\Application Data\mozilla\Firefox\Profiles\lvnyvz54.default\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}
[2009/01/11 01:09:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dee\Application Data\mozilla\Firefox\Profiles\lvnyvz54.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/04/30 01:40:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dee\Application Data\mozilla\Firefox\Profiles\lvnyvz54.default\extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}
[2008/10/09 16:30:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dee\Application Data\mozilla\Firefox\Profiles\lvnyvz54.default\extensions\{455D905A-D37C-4643-A9E2-F6FEFAA0424A}
[2009/05/23 11:48:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dee\Application Data\mozilla\Firefox\Profiles\lvnyvz54.default\extensions\{5a2b4e34-ce62-42e9-a658-06ba4490adf8}
[2009/05/17 10:38:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dee\Application Data\mozilla\Firefox\Profiles\lvnyvz54.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/05/16 13:30:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dee\Application Data\mozilla\Firefox\Profiles\lvnyvz54.default\extensions\{63b70e6a-ea9d-4de2-8166-d6c4308099ee}
[2009/04/10 02:48:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dee\Application Data\mozilla\Firefox\Profiles\lvnyvz54.default\extensions\{671c8440-f787-11dc-95ff-0800200c9a66}
[2008/05/07 20:11:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dee\Application Data\mozilla\Firefox\Profiles\lvnyvz54.default\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
[2009/04/30 01:40:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dee\Application Data\mozilla\Firefox\Profiles\lvnyvz54.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2009/01/11 01:09:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dee\Application Data\mozilla\Firefox\Profiles\lvnyvz54.default\extensions\{e1170235-2845-420c-acc3-42261a29dd46}
[2009/01/13 16:55:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dee\Application Data\mozilla\Firefox\Profiles\lvnyvz54.default\extensions\{ec9CEB59-8266-438b-91D9-82F56D595E15}
[2009/05/23 11:48:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dee\Application Data\mozilla\Firefox\Profiles\lvnyvz54.default\extensions\{F7EACC19-0FF2-4b10-8651-1B3E6B192AFE}
[2009/05/23 11:48:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dee\Application Data\mozilla\Firefox\Profiles\lvnyvz54.default\extensions\{fc2b8f80-d9a5-4f51-8076-7c7ce3c67ee3}
[2009/05/16 13:30:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Dee\Application Data\mozilla\Firefox\Profiles\lvnyvz54.default\extensions\staged-xpis
[2009/06/03 01:38:24 | 00,001,312 | ---- | M] () -- C:\Documents and Settings\Dee\Application Data\Mozilla\FireFox\Profiles\lvnyvz54.default\searchplugins\boardtracker.xml
[2008/12/20 15:31:28 | 00,002,463 | ---- | M] () -- C:\Documents and Settings\Dee\Application Data\Mozilla\FireFox\Profiles\lvnyvz54.default\searchplugins\diigo--google.xml
[2008/11/07 18:19:06 | 00,002,479 | ---- | M] () -- C:\Documents and Settings\Dee\Application Data\Mozilla\FireFox\Profiles\lvnyvz54.default\searchplugins\diigo-customize-search.xml
[2009/06/03 01:38:24 | 00,000,950 | ---- | M] () -- C:\Documents and Settings\Dee\Application Data\Mozilla\FireFox\Profiles\lvnyvz54.default\searchplugins\icqplugin-1.xml
[2008/02/09 22:38:47 | 00,000,949 | ---- | M] () -- C:\Documents and Settings\Dee\Application Data\Mozilla\FireFox\Profiles\lvnyvz54.default\searchplugins\icqplugin-2.xml
[2008/03/29 05:14:34 | 00,000,949 | ---- | M] () -- C:\Documents and Settings\Dee\Application Data\Mozilla\FireFox\Profiles\lvnyvz54.default\searchplugins\icqplugin-3.xml
[2008/04/18 10:43:11 | 00,000,949 | ---- | M] () -- C:\Documents and Settings\Dee\Application Data\Mozilla\FireFox\Profiles\lvnyvz54.default\searchplugins\icqplugin-4.xml
[2008/07/02 13:37:38 | 00,000,950 | ---- | M] () -- C:\Documents and Settings\Dee\Application Data\Mozilla\FireFox\Profiles\lvnyvz54.default\searchplugins\icqplugin-5.xml
[2008/07/19 19:43:39 | 00,000,950 | ---- | M] () -- C:\Documents and Settings\Dee\Application Data\Mozilla\FireFox\Profiles\lvnyvz54.default\searchplugins\icqplugin-6.xml
[2008/08/27 01:54:50 | 00,000,950 | ---- | M] () -- C:\Documents and Settings\Dee\Application Data\Mozilla\FireFox\Profiles\lvnyvz54.default\searchplugins\icqplugin-7.xml
[2007/07/25 23:04:52 | 00,000,951 | ---- | M] () -- C:\Documents and Settings\Dee\Application Data\Mozilla\FireFox\Profiles\lvnyvz54.default\searchplugins\icqplugin.xml
[2009/06/02 13:14:18 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/04/28 14:13:27 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/05/23 11:46:46 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
[2008/11/21 23:12:40 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
[2009/02/13 21:11:01 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
[2009/05/02 12:28:31 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/04/28 14:13:21 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/04/28 14:13:21 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2008/08/27 01:52:49 | 00,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2008/08/27 01:52:49 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008/08/27 01:52:49 | 00,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2008/08/27 01:52:49 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008/11/15 11:22:57 | 00,000,759 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2008/08/27 01:52:49 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/08/27 01:52:49 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2008/08/27 01:52:50 | 00,000,831 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: (610210 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 ad.a8.net
O1 - Hosts: 127.0.0.1 asy.a8ww.net
O1 - Hosts: 127.0.0.1 a9rhiwa.cn #[Google.Warning]
O1 - Hosts: 127.0.0.1 www.a9rhiwa.cn
O1 - Hosts: 127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
O1 - Hosts: 127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
O1 - Hosts: 127.0.0.1 phpadsnew.abac.com
O1 - Hosts: 127.0.0.1 a.abnad.net
O1 - Hosts: 127.0.0.1 b.abnad.net
O1 - Hosts: 127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]
O1 - Hosts: 127.0.0.1 d.abnad.net
O1 - Hosts: 127.0.0.1 e.abnad.net
O1 - Hosts: 127.0.0.1 t.abnad.net
O1 - Hosts: 127.0.0.1 z.abnad.net
O1 - Hosts: 127.0.0.1 banners.absolpublisher.com
O1 - Hosts: 127.0.0.1 tracking.absolstats.com
O1 - Hosts: 127.0.0.1 adv.abv.bg
O1 - Hosts: 127.0.0.1 bimg.abv.bg
O1 - Hosts: 127.0.0.1 www2.a-counter.kiev.ua
O1 - Hosts: 127.0.0.1 track.acclaimnetwork.com
O1 - Hosts: 127.0.0.1 accuserveadsystem.com
O1 - Hosts: 127.0.0.1 www.accuserveadsystem.com
O1 - Hosts: 127.0.0.1 gtb5.acecounter.com
O1 - Hosts: 127.0.0.1 gtb19.acecounter.com
O1 - Hosts: 16241 more lines...
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - Reg Error: Key error. File not found
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll (Google Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (HP Credential Manager for ProtectTools) - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll (Infineon Technologies AG)
O2 - BHO: (FlashFXP Helper for Internet Explorer) - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Program Files\FlashFXP\IEFlash.dll (IniCom Networks, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
O4 - HKCU..\Run: [AdobeUpdater6] "C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe" (Adobe Systems Incorporated)
O4 - HKCU..\Run: [ICQ] "C:\Program Files\ICQ6.5\ICQ.exe" silent (ICQ, LLC.)
O4 - HKCU..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H (PC Tools)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe (Greatis Software)
O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
O4 - HKLM..\RunOnceEx: [Title] UnHackMe Rootkit Check File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMBalloonTip = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disableregistrytools = 0
O8 - Extra context menu item: &Windows Live Search - Reg Error: Value error. File not found
O8 - Extra context menu item: Customize Menu - Reg Error: Value error. File not found
O8 - Extra context menu item: Download FLV video content with IDM - Reg Error: Value error. File not found
O8 - Extra context menu item: Fill Forms - Reg Error: Value error. File not found
O8 - Extra context menu item: Open in new background tab - Reg Error: Value error. File not found
O8 - Extra context menu item: Open in new foreground tab - Reg Error: Value error. File not found
O8 - Extra context menu item: RoboForm Toolbar - Reg Error: Value error. File not found
O8 - Extra context menu item: Save Forms - Reg Error: Value error. File not found
O8 - Extra context menu item: Send to &Bluetooth Device... - Reg Error: Value error. File not found
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - File not found
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - File not found
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - File not found
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - File not found
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - File not found
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - File not found
O9 - Extra Button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - Reg Error: Value error. File not found
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe (ICQ, LLC.)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [NWLink IPX/SPX/NetBIOS Compatible Transport Protocol] - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - Reg Error: Key error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\IfxWlxEN: DllName - IfxWlxEN.dll - C:\WINDOWS\system32\IfxWlxEN.dll (Infineon Technologies AG)
O20 - Winlogon\Notify\OneCard: DllName - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll (Cognizance Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - Reg Error: Key error. File not found
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2001/07/28 00:07:00 | 00,000,000 | -HS- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/04/30 16:01:00 | 00,000,053 | -HS- | M] () - E:\Autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - * [2009/06/13 14:34:11 | 00,000,000 | ---D | M]
O34 - HKLM BootExecute: (Partizan) - C:\WINDOWS\System32\Partizan.exe (Greatis Software)
O34 - HKLM BootExecute: (ootExecute) - File not found
O34 - HKLM BootExecute: (settings...) - File not found
O34 - HKLM BootExecute: (on\E) - File not found

========== Files/Folders - Created Within 30 Days ==========

[63 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2009/06/12 14:02:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dee\Desktop\Offline.Consultant.Newsletters
[2009/06/12 14:01:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dee\Desktop\dog-training
[2009/06/12 13:23:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dee\Desktop\whmcs_v401
[2009/06/12 00:15:07 | 00,001,026 | ---- | C] () -- C:\Documents and Settings\Dee\Desktop\hosting%40greenprohosting.com%20Email%20Settings.reg
[2009/06/11 08:49:30 | 00,246,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieproxy.dll
[2009/06/11 08:49:30 | 00,012,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpshims.dll
[2009/06/11 08:27:44 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/06/11 00:12:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dee\Desktop\Dog.Training.E-book.Collection
[2009/06/09 14:48:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dee\Desktop\Press_Release
[2009/06/07 23:38:30 | 00,006,233 | ---- | C] () -- C:\Documents and Settings\Dee\My Documents\bg.jpg
[2009/06/07 23:12:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dee\Desktop\EMP1_4Install
[2009/06/07 23:12:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dee\Desktop\easymemberpromanualV1.4.1
[2009/06/07 15:15:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dee\Desktop\AllFlex-v2
[2009/06/07 14:02:18 | 00,501,760 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dee\Desktop\OTL.exe
[2009/06/07 14:02:04 | 00,286,208 | ---- | C] () -- C:\Documents and Settings\Dee\Desktop\13wxgxou.exe
[2009/06/07 13:13:28 | 00,001,017 | ---- | C] () -- C:\Documents and Settings\Dee\Desktop\members%40k9dogbehaviour.com%20Email%20Settings.reg
[2009/06/06 17:58:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dee\Desktop\PLUS
[2009/06/06 17:02:19 | 00,001,071 | ---- | C] () -- C:\Documents and Settings\Dee\Desktop\trainer%40dogtrainingcroydon.co.uk%20Email%20Settings.reg
[2009/06/06 16:53:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dee\Desktop\pups
[2009/06/06 11:16:24 | 00,003,099 | ---- | C] () -- C:\Documents and Settings\Dee\Desktop\script_settings.zip
[2009/06/06 11:06:20 | 11,517,8207 | ---- | C] () -- C:\Documents and Settings\Dee\Desktop\cashinabox.zip
[2009/06/06 11:06:01 | 00,061,231 | ---- | C] () -- C:\Documents and Settings\Dee\Desktop\imrockstar.zip
[2009/06/06 11:05:55 | 00,124,980 | ---- | C] () -- C:\Documents and Settings\Dee\Desktop\googlevideoupload.zip
[2009/06/06 11:05:45 | 00,673,866 | ---- | C] () -- C:\Documents and Settings\Dee\Desktop\pets.zip
[2009/06/06 11:05:33 | 00,195,536 | ---- | C] () -- C:\Documents and Settings\Dee\Desktop\insidersecrets.zip
[2009/06/06 11:04:38 | 01,929,225 | ---- | C] () -- C:\Documents and Settings\Dee\Desktop\EMP1_4Install.zip
[2009/06/06 09:09:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dee\Desktop\Online_Directories_PDF
[2009/06/05 13:21:54 | 00,359,893 | ---- | C] () -- C:\Documents and Settings\Dee\Desktop\dds.pif
[2009/06/02 19:22:03 | 00,000,026 | ---- | C] () -- C:\WINDOWS\Zone.Identifier
[2009/06/01 23:12:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dee\Desktop\futurecomplete
[2009/06/01 21:52:51 | 00,000,000 | ---D | C] -- C:\Program Files\ICQ6.5
[2009/06/01 08:42:24 | 00,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2009/06/01 00:26:44 | 00,100,532 | ---- | C] () -- C:\Documents and Settings\Dee\My Documents\cc_20090601_002636.reg
[2009/05/31 20:19:37 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2009/05/31 20:17:26 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2009/05/31 20:17:25 | 00,000,000 | ---D | C] -- C:\Program Files\Adobe
[2009/05/31 20:09:34 | 00,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009/05/31 20:02:57 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2009/05/31 19:56:48 | 00,102,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iecompat.dll
[2009/05/31 19:41:02 | 00,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2009/05/31 19:39:58 | 00,001,548 | ---- | C] () -- C:\Documents and Settings\Dee\Desktop\CCleaner.lnk
[2009/05/29 16:35:41 | 00,000,134 | ---- | C] () -- C:\WINDOWS\rootkitno.ini
[2009/05/29 16:35:11 | 00,000,000 | ---D | C] -- C:\RootkitNO
[2009/05/29 15:45:08 | 00,034,760 | ---- | C] (Greatis Software) -- C:\WINDOWS\System32\drivers\Partizan.sys
[2009/05/29 15:45:08 | 00,032,480 | ---- | C] (Greatis Software) -- C:\WINDOWS\System32\Partizan.exe
[2009/05/29 15:44:03 | 00,000,002 | RHS- | C] () -- C:\WINDOWS\winstart.bat
[2009/05/29 15:43:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dee\My Documents\RegRun2
[2009/05/29 15:43:44 | 00,000,630 | ---- | C] () -- C:\Documents and Settings\Dee\Desktop\UnHackMe.lnk
[2009/05/29 15:43:34 | 00,012,752 | ---- | C] (Greatis Software, LLC.) -- C:\WINDOWS\System32\drivers\UnHackMeDrv.sys
[2009/05/29 15:43:31 | 00,000,000 | ---D | C] -- C:\Program Files\UnHackMe
[2009/05/24 20:55:47 | 00,572,212 | ---- | C] () -- C:\Documents and Settings\Dee\Desktop\govlinks.pdf
[2009/05/24 20:40:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dee\Desktop\AngelaMay2009
[2009/05/24 18:07:31 | 00,001,457 | ---- | C] () -- C:\Documents and Settings\Dee\My Documents\commentkuhunasaves.html
[2009/05/24 17:52:40 | 00,002,289 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Comment Kahuna.lnk
[2009/05/24 17:52:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dee\Desktop\commentkahuna
[2009/05/24 17:51:32 | 00,593,680 | ---- | C] () -- C:\Documents and Settings\Dee\Desktop\commentkahuna.zip
[2009/05/23 21:51:32 | 00,602,651 | ---- | C] () -- C:\Documents and Settings\Dee\Desktop\The_Negative_Calorie_Diet.zip
[2009/05/23 12:01:08 | 01,187,840 | ---- | C] () -- C:\Documents and Settings\Dee\Desktop\affiliate organizer data.bck
[2009/05/23 11:44:00 | 00,000,000 | -H-D | C] -- C:\WINDOWS\$MSI31Uninstall_KB893803v2$
[2009/05/23 11:43:42 | 00,000,000 | ---D | C] -- C:\32788R22FWJFW
[2009/05/23 11:43:12 | 00,000,000 | ---D | C] -- C:\Program Files\IEToolbar
[2009/05/23 11:43:09 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/05/23 11:35:33 | 00,000,000 | ---D | C] -- C:\Program Files\Affiliate Organizer
[2009/05/23 01:20:23 | 00,000,000 | ---D | C] -- C:\Program Files\Affiliate Organizer(2)
[2009/05/23 01:04:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2009/05/23 00:27:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dee\My Documents\Affiliate Organizer
[2009/05/23 00:24:50 | 00,000,000 | ---D | C] -- C:\Program Files\Affiliate Organizer(3)
[2009/05/23 00:22:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dee\Desktop\Affiliate Organizer
[2009/05/23 00:18:26 | 00,000,000 | -HSD | C] -- C:\RECYCLER(3)
[2009/05/23 00:10:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dee\Local Settings\temp
[2009/05/23 00:04:14 | 00,000,000 | ---D | C] -- C:\cmdcons(2)
[2009/05/22 21:52:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dee\Desktop\HiJackThis(2)
[2009/05/21 15:29:56 | 00,000,000 | -HSD | C] -- C:\RECYCLER(2)
[2009/05/21 15:04:13 | 00,000,223 | ---- | C] () -- C:\Boot.bak
[2009/05/21 15:04:00 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/05/20 01:00:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dee\Application Data\Malwarebytes
[2009/05/20 01:00:23 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/05/20 01:00:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/05/17 23:54:52 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/05/17 23:54:00 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/05/17 12:49:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dee\Desktop\RSSBot.v1.1-BCC
[2009/05/17 11:28:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dee\Desktop\sensationalistcrappackage
[2009/05/17 00:05:02 | 00,001,580 | ---- | C] () -- C:\Documents and Settings\Dee\Desktop\Defraggler.lnk
[2009/05/17 00:04:59 | 00,000,000 | ---D | C] -- C:\Program Files\Defraggler
[2009/05/16 23:36:16 | 00,000,738 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Registry Mechanic.lnk
[2009/05/16 23:36:12 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\STKIT432.DLL
[2009/05/16 23:36:09 | 00,000,000 | ---D | C] -- C:\Program Files\Registry Mechanic
[2009/05/16 22:38:56 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\CF16633.exe
[2009/05/16 22:33:33 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/05/16 20:27:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/05/16 20:27:31 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/05/16 20:27:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dee\Application Data\SUPERAntiSpyware.com
[2009/05/16 19:46:24 | 00,000,000 | ---D | C] -- C:\Program Files\CONEXANT
[2009/05/16 17:36:43 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/05/16 15:03:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\OnlineArmor
[2009/05/16 15:03:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Dee\Application Data\OnlineArmor
[2009/05/16 15:02:43 | 00,178,376 | ---- | C] (Tall Emu Pty Ltd) -- C:\WINDOWS\System32\drivers\OADriver.sys
[2009/05/16 15:02:43 | 00,030,920 | ---- | C] (Tall Emu Pty Ltd) -- C:\WINDOWS\System32\drivers\OAmon.sys
[2009/05/16 15:02:43 | 00,028,872 | ---- | C] (Tall Emu Pty Ltd) -- C:\WINDOWS\System32\drivers\OAnet.sys
[2009/05/16 15:02:41 | 00,000,000 | ---D | C] -- C:\Program Files\Tall Emu
[2009/05/15 18:39:27 | 00,001,487 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\ICQ6.5.lnk
[2009/05/15 00:46:58 | 00,026,196 | ---- | C] () -- C:\Documents and Settings\Dee\My Documents\articlepostarticlesstats.app
[2008/06/24 16:20:57 | 00,000,276 | ---- | C] () -- C:\WINDOWS\ias-signup.ini
[2008/05/23 16:58:53 | 00,000,068 | ---- | C] () -- C:\WINDOWS\System32\fs_di002_2.dll
[2008/02/03 21:03:20 | 00,000,043 | ---- | C] () -- C:\WINDOWS\gswin32.ini
[2008/01/21 01:22:39 | 00,000,043 | ---- | C] () -- C:\WINDOWS\pressequalizer.ini
[2008/01/11 11:10:14 | 00,000,081 | ---- | C] () -- C:\WINDOWS\mapforms.ini
[2008/01/11 11:09:05 | 00,000,083 | ---- | C] () -- C:\WINDOWS\forminfo.ini
[2008/01/06 15:33:47 | 00,000,106 | -HS- | C] () -- C:\WINDOWS\WSYS049.SYS
[2007/12/07 23:00:08 | 00,007,609 | ---- | C] () -- C:\WINDOWS\XMailer.INI
[2007/12/07 17:20:10 | 00,000,023 | ---- | C] () -- C:\WINDOWS\System32\pmac64.dll
[2007/12/06 22:05:57 | 00,000,085 | ---- | C] () -- C:\WINDOWS\aebconfig.ini
[2007/11/20 00:45:36 | 00,270,848 | ---- | C] () -- C:\WINDOWS\System32\EfTidy.dll
[2007/11/20 00:45:36 | 00,196,608 | ---- | C] () -- C:\WINDOWS\System32\swfobjs.dll
[2007/10/05 12:26:08 | 00,000,031 | ---- | C] () -- C:\WINDOWS\IDC.INI
[2007/09/27 11:51:02 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/09/24 12:41:07 | 00,000,070 | ---- | C] () -- C:\WINDOWS\ArticleAnnouncer.ini
[2007/08/30 00:00:16 | 00,000,040 | ---- | C] () -- C:\WINDOWS\submitequalizer.ini
[2007/08/25 10:32:34 | 00,000,296 | ---- | C] () -- C:\WINDOWS\Affiliate Organizer.INI
[2007/07/21 16:02:04 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2007/06/26 10:00:51 | 00,350,711 | ---- | C] () -- C:\WINDOWS\sqlite3.dll
[2007/06/09 20:30:48 | 00,372,736 | ---- | C] () -- C:\WINDOWS\System32\portmon.dll
[2007/05/29 00:36:29 | 00,000,062 | ---- | C] () -- C:\WINDOWS\guestbookequalizer.ini
[2007/04/30 09:58:43 | 00,000,040 | ---- | C] () -- C:\WINDOWS\iltwain.ini
[2007/04/29 18:17:31 | 00,000,065 | ---- | C] () -- C:\WINDOWS\instantaffiliatesubmitter.ini
[2007/04/28 22:05:06 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2007/04/28 20:54:57 | 00,000,095 | ---- | C] () -- C:\WINDOWS\instantarticlesubmitter.ini
[2007/04/28 12:07:43 | 00,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/04/27 01:33:20 | 00,000,716 | ---- | C] () -- C:\WINDOWS\aainst.ini
[2007/04/27 00:57:21 | 00,000,032 | ---- | C] () -- C:\WINDOWS\whwimg.INI
[2007/04/26 08:04:55 | 00,000,044 | ---- | C] () -- C:\WINDOWS\SMWizard.INI
[2007/01/02 16:14:24 | 00,000,859 | ---- | C] () -- C:\WINDOWS\ANS2000.INI
[2007/01/02 16:14:24 | 00,000,020 | -H-- | C] () -- C:\WINDOWS\akebook.ini
[2007/01/02 16:14:24 | 00,000,004 | -H-- | C] () -- C:\WINDOWS\a3kebook.ini
[2006/09/07 01:43:48 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006/09/07 01:43:48 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006/09/07 01:43:48 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006/09/07 01:43:48 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006/09/07 01:43:47 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006/09/07 01:43:47 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006/05/26 10:08:34 | 00,000,175 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/05/26 10:06:41 | 00,028,836 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/04/12 10:23:54 | 00,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2005/02/17 12:41:32 | 00,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005/02/17 12:41:30 | 00,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2005/02/03 20:59:44 | 02,129,920 | ---- | C] () -- C:\WINDOWS\System32\myodbc3S.dll
[2004/08/07 14:19:16 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/07 14:12:40 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/07 14:03:10 | 00,000,792 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/07 06:53:36 | 00,000,304 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/06/01 10:39:56 | 00,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[2001/11/14 13:56:00 | 01,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
[1998/06/13 23:53:26 | 00,044,544 | ---- | C] () -- C:\WINDOWS\System32\Gif89.dll
[1998/05/07 03:10:00 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\ODMA32.dll

========== Files - Modified Within 30 Days ==========

[63 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2009/06/13 14:16:01 | 00,000,250 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2009/06/13 12:30:34 | 00,075,476 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/06/13 12:30:33 | 37,090,396 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/06/12 11:51:18 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/06/12 00:15:09 | 00,001,026 | ---- | M] () -- C:\Documents and Settings\Dee\My Documents\hosting%40greenprohosting.com%20Email%20Settings.reg
[2009/06/11 08:53:10 | 00,327,688 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/06/08 14:43:23 | 00,004,540 | ---- | M] () -- C:\WINDOWS\flash.fpr
[2009/06/08 13:52:38 | 00,006,233 | ---- | M] () -- C:\Documents and Settings\Dee\My Documents\bg.jpg
[2009/06/07 14:02:20 | 00,501,760 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dee\Desktop\OTL.exe
[2009/06/07 14:02:05 | 00,286,208 | ---- | M] () -- C:\Documents and Settings\Dee\Desktop\13wxgxou.exe
[2009/06/07 13:13:31 | 00,001,017 | ---- | M] () -- C:\Documents and Settings\Dee\My Documents\members%40k9dogbehaviour.com%20Email%20Settings.reg
[2009/06/06 17:02:20 | 00,001,071 | ---- | M] () -- C:\Documents and Settings\Dee\My Documents\trainer%40dogtrainingcroydon.co.uk%20Email%20Settings.reg
[2009/06/06 11:23:54 | 11,517,8207 | ---- | M] () -- C:\Documents and Settings\Dee\Desktop\cashinabox.zip
[2009/06/06 11:16:24 | 00,003,099 | ---- | M] () -- C:\Documents and Settings\Dee\Desktop\script_settings.zip
[2009/06/06 11:06:02 | 00,061,231 | ---- | M] () -- C:\Documents and Settings\Dee\Desktop\imrockstar.zip
[2009/06/06 11:05:55 | 00,124,980 | ---- | M] () -- C:\Documents and Settings\Dee\Desktop\googlevideoupload.zip
[2009/06/06 11:05:48 | 00,673,866 | ---- | M] () -- C:\Documents and Settings\Dee\Desktop\pets.zip
[2009/06/06 11:05:34 | 00,195,536 | ---- | M] () -- C:\Documents and Settings\Dee\Desktop\insidersecrets.zip
[2009/06/06 11:04:51 | 01,929,225 | ---- | M] () -- C:\Documents and Settings\Dee\Desktop\EMP1_4Install.zip
[2009/06/06 10:57:45 | 00,610,210 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/06/05 13:21:56 | 00,359,893 | ---- | M] () -- C:\Documents and Settings\Dee\Desktop\dds.pif
[2009/06/04 14:55:45 | 00,000,134 | ---- | M] () -- C:\WINDOWS\rootkitno.ini
[2009/06/04 14:53:16 | 00,000,296 | ---- | M] () -- C:\WINDOWS\Affiliate Organizer.INI
[2009/06/03 11:05:19 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/06/03 11:01:02 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Dee\Local Settings\desktop.ini
[2009/06/03 11:00:57 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/06/03 11:00:55 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/06/03 11:00:52 | 93,892,1984 | -HS- | M] () -- C:\hiberfil.sys
[2009/06/02 19:41:01 | 00,000,026 | ---- | M] () -- C:\WINDOWS\Zone.Identifier
[2009/06/01 23:03:04 | 00,000,074 | -HS- | M] () -- C:\Documents and Settings\Dee\My Documents\desktop.ini
[2009/06/01 22:50:47 | 00,640,112 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/06/01 22:50:47 | 00,539,810 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/06/01 22:50:47 | 00,107,848 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/06/01 22:03:15 | 00,001,487 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ICQ6.5.lnk
[2009/06/01 17:51:12 | 23,635,392 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/06/01 10:33:04 | 00,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/06/01 08:42:25 | 00,001,729 | ---- | M] () -- C:\Documents and Settings\Dee\My Documents\Adobe Reader 9.lnk
[2009/06/01 00:31:23 | 00,001,789 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2009/06/01 00:31:23 | 00,000,304 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/06/01 00:26:50 | 00,100,532 | ---- | M] () -- C:\Documents and Settings\Dee\My Documents\cc_20090601_002636.reg
[2009/05/31 19:39:58 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\Dee\Desktop\CCleaner.lnk
[2009/05/29 15:45:08 | 00,034,760 | ---- | M] (Greatis Software) -- C:\WINDOWS\System32\drivers\Partizan.sys
[2009/05/29 15:45:08 | 00,032,480 | ---- | M] (Greatis Software) -- C:\WINDOWS\System32\Partizan.exe
[2009/05/29 15:44:03 | 00,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat
[2009/05/29 15:43:44 | 00,000,630 | ---- | M] () -- C:\Documents and Settings\Dee\Desktop\UnHackMe.lnk
[2009/05/24 20:55:47 | 00,572,212 | ---- | M] () -- C:\Documents and Settings\Dee\Desktop\govlinks.pdf
[2009/05/24 19:03:18 | 00,002,289 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Comment Kahuna.lnk
[2009/05/24 18:07:31 | 00,001,457 | ---- | M] () -- C:\Documents and Settings\Dee\My Documents\commentkuhunasaves.html
[2009/05/24 17:51:34 | 00,593,680 | ---- | M] () -- C:\Documents and Settings\Dee\Desktop\commentkahuna.zip
[2009/05/23 21:51:34 | 00,602,651 | ---- | M] () -- C:\Documents and Settings\Dee\Desktop\The_Negative_Calorie_Diet.zip
[2009/05/23 12:07:08 | 00,004,328 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2009/05/23 12:06:50 | 00,000,814 | ---- | M] () -- C:\Documents and Settings\Dee\Desktop\Affiliate Organizer.lnk
[2009/05/23 12:01:09 | 01,187,840 | ---- | M] () -- C:\Documents and Settings\Dee\Desktop\affiliate organizer data.bck
[2009/05/17 00:05:02 | 00,001,580 | ---- | M] () -- C:\Documents and Settings\Dee\Desktop\Defraggler.lnk
[2009/05/16 23:36:16 | 00,000,738 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Registry Mechanic.lnk
[2009/05/16 22:33:23 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\CF16633.exe
[2009/05/16 15:03:15 | 00,000,044 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.idx
[2009/05/15 00:46:58 | 00,026,196 | ---- | M] () -- C:\Documents and Settings\Dee\My Documents\articlepostarticlesstats.app

========== Alternate Data Streams ==========

@Alternate Data Stream - 36 bytes -> E:\Autorun.inf:KAVICHS
@Alternate Data Stream - 149 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DA868A70
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BF4C5148
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

Extras.txt

OTL Extras logfile created on: 13/06/2009 14:33:05 - Run 1
OTL by OldTimer - Version 2.1.1.0 Folder = C:\Documents and Settings\Dee\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

895.36 Mb Total Physical Memory | 390.44 Mb Available Physical Memory | 43.61% Memory free
2.12 Gb Paging File | 1.46 Gb Available in Paging File | 68.71% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 67.84 Gb Total Space | 14.24 Gb Free Space | 20.99% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 6.68 Gb Total Space | 6.52 Gb Free Space | 97.50% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DEESLAPTOP
Current User Name: Dee
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.scr [@ = Reg Error: Key error.] -- Reg Error: Key error. File not found

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/14 01:12:27 | 00,004,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mqsvc.exe:*:Enabled:Message Queuing
File not found -- C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)
[2008/02/20 17:55:12 | 03,067,144 | ---- | M] (IniCom Networks, Inc.) -- C:\Program Files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3
[2008/04/13 19:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007/01/19 12:54:56 | 05,664,768 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
[2007/01/04 16:10:02 | 00,290,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/14 01:12:27 | 00,004,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mqsvc.exe:*:Enabled:Message Queuing
[2006/02/15 16:43:16 | 00,892,928 | ---- | M] () -- C:\WINDOWS\SMINST\Scheduler.exe:*:Enabled:Scheduler
File not found -- C:\Program Files\ICQLite\ICQLite.exe:*:Enabled:ICQ Lite
File not found -- C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)
[2008/02/20 17:55:12 | 03,067,144 | ---- | M] (IniCom Networks, Inc.) -- C:\Program Files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3
File not found -- C:\Program Files\IBP 9\IBP.exe:*:Enabled:Internet Business Promoter (IBP)
File not found -- C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe
File not found -- C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe
File not found -- C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe
File not found -- C:\Program Files\ICQ6\ICQ.exe:*:Enabled:ICQ6
[2008/03/07 03:45:29 | 00,219,952 | ---- | M] () -- C:\Documents and Settings\Dee\My Documents\Downloads\Programs\utorrent.exe:*:Enabled:µTorrent
File not found -- C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC
[2008/10/24 15:55:14 | 04,135,792 | ---- | M] ( James J. Jones, LLC.) -- C:\Program Files\Micro Niche Finder\microniche.exe:*:Enabled: Micro Niche Finder
[2008/02/17 19:55:32 | 12,985,301 | ---- | M] () -- C:\Program Files\iWatermark\iWatermark.exe:*:Enabled:Protect Your Images
Beautifully, Quickly and Easily with
the Award Winning iWatermark.
[2008/04/13 19:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2009/04/30 18:12:02 | 00,908,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe
[2009/06/11 08:52:20 | 01,085,208 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe
[2007/01/19 12:54:56 | 05,664,768 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
[2007/01/04 16:10:02 | 00,290,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
File not found -- C:\WINDOWS\system32\drivers\svchost.exe:*:Disabled:svchost
File not found -- C:\Program Files\Proxy Switcher Standard\ProxySwitcher.exe:*:Enabled:Proxy Switcher
[2009/04/30 18:12:02 | 00,594,712 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe
[2009/06/13 14:39:33 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox
File not found -- C:\Program Files\Podmailing\podmailing.exe:*:Enabled:Podmailing Beta
[2009/03/01 11:59:42 | 00,172,792 | ---- | M] (ICQ, LLC.) -- C:\Program Files\ICQ6.5\ICQ.exe:*:Enabled:ICQ6
[2009/04/14 16:57:34 | 00,471,040 | ---- | M] () -- C:\Program Files\CommentKahuna\CommentKahuna.exe:*:Enabled:CommentKahuna

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{04D645A0-18D5-4C33-8D2A-7E93944982DB}" = Simple Search-Replace
"{04DA24E9-3FC6-85F7-D27A-E1F9CCB5D493}" = Market Samurai
"{07873F1A-635B-4C4A-9885-23C8B5F54DB3}" = Bookmark Sumbitter Pro
"{0BB6EA77-FE76-4A45-88C2-BF5F3AAEBF31}" = Hi5Robot
"{115CEF9E-D833-4476-A9A8-7DC8A8E8ED3D}" = CommentKahuna
"{14735B76-8B33-4DB9-A548-9918B7A2C41E}" = Microsoft Windows SDK for Windows Server 2008 Samples (6001.18000.367)
"{152CF1AF-139A-44D0-8AB1-F1721083E4E7}" =
"{15D79A82-E64C-4366-A3AA-6D4854940342}" = Directory-Submitter
"{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}" = Windows Live Sign-in Assistant
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{24C242C0-28C0-43C8-A0A1-FE181F3B3319}" = OpenOffice.org 2.0
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 13
"{26DE0F0B-9CF1-4796-A1B5-01B912E35B46}" =
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{29042B1C-0713-4575-B7CA-5C8E7B0899D4}" = MyODBC
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{2C0CD17D-0B06-4700-83FA-7344B868B0A2}" = Opera 9.63
"{2CCBABCB-6427-4A55-B091-49864623C43F}" =
"{2EB3B0AB-4FEB-4548-B7E7-7A0E73F69125}" = CrazyTalk v5.0 PRO
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{341201D4-4F61-4ADB-987E-9CCE4D83A58D}" = Windows Live Toolbar Extension (Windows Live Toolbar)
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.00 G2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{352F5013-07DC-446D-8DB6-38F339086C60}" = LightScribe 1.4.84.1
"{3BD8F690-F840-4BC1-8C28-D10C95FAA951}" = Ad Word Analyzer
"{3F4EC965-28EF-45C3-B063-04B25D4E9679}" = WIDCOMM Bluetooth Software
"{3F9F7336-6DF8-476F-ABF6-C70A17FAF619}" = HP Backup and Recovery Manager Installer
"{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}" = HP Wireless Assistant 2.00 F1
"{47FBF7F9-FBD3-43EF-823B-7684D56C1962}" = Tabbed Browsing (Windows Live Toolbar)
"{48CF6549-B45D-4313-9927-EFCCC8A3493F}" = TIPCI
"{496910DC-E132-4CAD-8955-BB2A8C612F0D}" = EZ Gumtree Poster 4.1
"{49B8168B-4967-4D14-99A2-EC5D735F344B}" = EZ Gumtree Poster
"{4BA3DDD4-BC91-48B2-8896-7A02C34829D7}" = HP Embedded Security for ProtectTools
"{4F0F80EE-870B-4A36-8B01-FCD81D91B95C}" = SQLite ADO.NET 2.0 Provider
"{51E39AEF-E63B-43CD-A770-4448DEB567C3}" = Default
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{571700F0-DB9D-4B3A-B03D-35A14BB5939F}" = Windows Live Messenger
"{58B43C4D-571D-43B5-85C6-BE08D08ADB52}" = BookMarkingDemon
"{5ABC0041-3B79-4397-AB81-CDED5A896DB9}" = AQLer
"{5D97A4A7-C274-4B63-86D9-07A33435F505}" = InterVideo DVD Check
"{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6.5
"{621C02EA-AAFF-4026-A903-165D59529A16}" = Driver Detective
"{6753B40C-0FBD-3BED-8A9D-0ACAC2DCD85D}" = Microsoft Document Explorer 2008
"{68108E66-D13A-4EE8-A6F4-40E4B90C2A26}" = Windows Live Toolbar Feed Detector (Windows Live Toolbar)
"{69DF574C-8CF5-44DD-8250-049DED3EA920}" = vSearchVooDoo
"{6C518CC0-5CF1-481B-AB35-9BE5024DC106}" = Microsoft Windows SDK MDAC Headers and Libraries (6001.18000.367)
"{6EAF6269-D175-4B8A-AE2C-5DFFA4DF73AC}" = AutoYahoo
"{6ED32BB5-56B6-4317-A2D1-98A8313C3BAF}" = Microsoft Windows SDK for Windows Server 2008 (6001.18000.367)
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{760E91AC-3278-45A8-9A64-36FD1B389CDF}" = Tag Spyder
"{76F78B54-9BC9-4E3A-A091-2FCF255F0517}" = CraigsAgent 1.0.3
"{7841FE97-E075-484A-AC96-BACF99B0AF4A}" = Social Media Inspector
"{7EADB65C-70E8-4C94-AD0A-221462D41A85}" = Camtasia Studio 5
"{7EB5D4F6-B411-4765-80A6-F9B8EB5804CF}" =
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADC27DB-E2C8-446C-A576-166C05C2DD24}" =
"{914E1AB1-DCA0-4A7D-935F-B58C4B887A2B}" = HP ProtectTools Security Manager 2.00 C3
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{96405444-B006-08C8-DB78-FCEE2781CC7F}" = Market Samurai
"{96E3AED5-3D0B-4BB0-84C2-1EDADB204487}" = FlashFXP v3
"{9DF095E1-8EC2-4892-8740-93769DB1E944}" = User Agent String Utility
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A431744A-553F-4FC0-AF91-BCA47C7E0949}" = Microsoft Windows SDK for Windows Server 2008 Headers and Libraries (6001.18000.367)
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{AC7265B3-4340-4910-8163-05BFCD34A05F}" = Badass Rss Poster
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.1
"{AE052EF7-2640-48D7-8915-69B810D975CB}" = HP BIOS Configuration for ProtectTools 2.00 G1
"{B102176D-EB05-4A0E-8F12-98833FDE1D5B}" = DFextractor
"{B2CF4DE3-6E41-4E2B-B472-27638626361D}" = Web 2.0 Submitter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B43357AA-3A6D-4D94-B56E-43C44D09E548}" = Microsoft .NET Framework (English)
"{B46C272F-8B7A-402A-9915-8B0463F035DC}" = Microsoft Windows SDK for Windows Server 2008 Utilities for Win32 Development (6001.18000.367)
"{B7EC89B3-2B8C-44A9-815C-135F391068B0}" = Microsoft Windows SDK for Windows Server 2008 Common Utilities (6001.18000.367)
"{B893FE93-250E-4AD3-A78E-BEB32D8C943D}" = Web2Submitter
"{B8C79C46-F593-49DB-BAB4-C18CF1C5AF0D}" = Directory Submitter Full
"{B9F4C05D-E42F-4E9A-A73F-FDD9355319FB}" = HP Credential Manager for ProtectTools
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}" = HP Update
"{BBCBA2A0-F0E5-4EA8-AAC0-CF1DC592221E}" = Microsoft VC Redist 2008 (6001.18000.367)
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{BF61D7A1-E894-4E3D-9129-B8D44B51FF94}" = Microsoft Windows SDK for Windows Server 2008 Win32 Documentation (6001.18000.367)
"{C003DA1D-855B-469C-BDAB-28BF9E73F446}" = WordPressBlogger
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C6816FDA-0FFC-460F-9BC7-AFE1422F761B}" = Keyword Research Pro
"{C79074A0-A126-4C38-800C-10F643705967}" = GooglePageBacklinkGen
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D5A145FC-D00C-4F1A-9119-EB4D9D659750}" = Windows Live Toolbar
"{DA990A6C-844C-4190-B381-2B2771C70A74}" = SpeedPPC Campaign Builder
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{DBEA1034-5882-4A88-8033-81C4EF0CFA29}" = Google Toolbar for Internet Explorer
"{DC2443FB-E492-4B46-BD25-E0585E05F125}" = NinjaLinkCloaker
"{DF7CFCDF-08ED-4BFA-8980-9F8F3A9596B3}" = All-in-One Submission 8.01
"{E05C9D01-CCED-4328-9EE0-0B6893087C6F}" = HP User Guides 0022
"{E0DBC47C-ED3F-4A1B-A929-9A26DAAA14B3}" = Application Installer 4.00.B6
"{E3455D9D-A333-4B02-9D21-404A7E6FDD78}" = Article Post Robot
"{F084395C-40FB-4DB3-981C-B51E74E1E83D}" = Smart Menus (Windows Live Toolbar)
"{F65FE148-FCF5-42F7-8803-FA0B7DA8B8A4}" = ubCore
"{F7D3DF12-B018-4B54-A8B2-B87B76EEA4A7}" = PDF Printer Free
"{F9ED2BE3-7FEB-4C5E-B5D9-BC129C94B22A}" = ICS
"{FDBD41A1-7C29-404D-9AAB-2C6A2B038014}" = SliQ Submitter
"{FF4D08B0-5098-4C4A-B801-42F3B1F9FE07}" = Microsoft Document Explorer 2008 (6001.18000.367)
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"07D54BE1B4EB400BB798F15FA92BC912_is1" = A1 Keyword Research
"3883.com Advanced Site Submitter_is1" = Advanced Site Submitter 1.0
"9E140F48C9836B9B78539C08FB2B17146BDB3F65" = Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (04/28/2006 1.3.1.0)
"AB Keyword Research Tool_is1" = AB Keyword Research Tool
"ActiveXControlPad" = Microsoft ActiveX Control Pad
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Affiliate Organizer" = Affiliate Organizer 2.0
"AI RoboForm" = AI RoboForm (All Users)
"Allscoop RSS Submit Pro 1.0" = Allscoop RSS Submit Pro 1.0
"Article Architect_is1" = Article Architect v1.2.0
"Article Automator_is1" = Article Automator 5.7.0
"Article Submit Gold2.0" = Article Submit Gold
"Article Submitter Pro_is1" = Article Submitter Pro
"ArticleAgent" = ArticleAgent 1.5
"ATI Display Driver" = ATI Display Driver
"AuctionYen1.0.1.2" = AuctionYen
"AVG8Uninstall" = AVG 8.5
"B1523974-908E-4450-84C0-26B22144EA2F" = Psychics City
"Banner Maker Pro 7_is1" = Banner Maker Pro Version 7
"BK ReplaceEm" = BK ReplaceEm 2.0
"Branding" =
"CachemanXP 1.7.1.1" = CachemanXP 1.7.1.1
"CachemanXP 1.80" = CachemanXP 1.80
"CCleaner" = CCleaner (remove only)
"Comment Hut_is1" = Comment Hut v.0.2.81
"Connection Manager" =
"Content Magnet Article Extractor_is1" = Content Magnet Article Extractor 1.0
"CopyNow.dll" =
"Data Extractor" = Data Extractor
"DataPlugin.dll" =
"Defraggler" = Defraggler (remove only)
"digiXMAS Submitter_is1" = digiXMAS Submitter 3.5.3
"Directory Submitter_is1" = Directory Submitter 1.0.24
"dlatray.exe" =
"EditPlus 3" = EditPlus 3
"FireTune" = FireTune
"FLV Player" = FLV Player 2.0 (build 25)
"Forum Poster Pro_is1" = Forum Poster Pro
"GC Keyword Analyzer_is1" = GC Keyword Analyzer
"Golden Cash Compass1.1.0.0" = Golden Cash Compass
"Google Updater" = Google Updater
"GPL Ghostscript 8.50" = GPL Ghostscript 8.50
"GPL Ghostscript Fonts" = GPL Ghostscript Fonts
"GreenBox_is1" = GreenBox 1.0
"Hot Item Finder2.0.1.6" = Hot Item Finder
"HTML Help Workshop" = HTML Help Workshop
"IAWP" = IAWP
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield Uninstall Information" =
"InstallShield_{48CF6549-B45D-4313-9927-EFCCC8A3493F}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"InstallShield_{621C02EA-AAFF-4026-A903-165D59529A16}" = Driver Detective
"InstallShield_{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" =
"InstallShield_{F65FE148-FCF5-42F7-8803-FA0B7DA8B8A4}" = ubCore
"Instant Article Submitter_is1" = Instant Article Submitter 1.1.6
"intocartoonpro" = intocartoonpro
"Joint Venture Professional" = Joint Venture Professional
"Keyword Expert_is1" = Keyword Expert 3.00.7.824
"Keyword Niche Power_is1" = Keyword Niche Power
"Link dump Submitter1.7" = Link dump Submitter
"Micro Niche Finder_is1" = Micro Niche Finder
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework Full v1.0.3705 (1033)" = Microsoft .NET Framework (English) v1.0.3705
"Microsoft Document Explorer 2008" = Microsoft Document Explorer 2008
"Microsoft Interactive Training" =
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Mozilla Firefox (3.0.11)" = Mozilla Firefox (3.0.11)
"MP3 to SWF Converter" = MP3 to SWF Converter 2.4 build 851
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSI30a-KB884016" =
"MSI30-Beta1" =
"MSI30-Beta2" =
"MSI30-KB884016" =
"MSI30-RC1" =
"MSI30-RC2" =
"MSI31-Beta" =
"MSI31-RC1" =
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NoteTab Pro 5_is1" = NoteTab Pro 5 (Remove only)
"NTREGOPT_is1" = NTREGOPT 1.1j
"OnlineArmor_is1" = Online Armor 3.0
"PCHealth" =
"PPC Keyword Generator (Beta)_is1" = PPC Keyword Generator 1.0 (Beta)
"Press Equalizer_is1" = Press Equalizer 1.0.21
"ProxyFirewall_is1" = ProxyFirewall 1.0.4 Beta
"RealJukebox 1.0" =
"RealPlayer 6.0" = RealPlayer
"Registry Mechanic_is1" = Registry Mechanic 8.0
"Robin Good's RSSTop55 Plug-in for RSS Submit v1.2_is1" = Robin Good's RSSTop55 Plug-in for RSS Submit v1.2
"RSS Announcer 1.4" = RSS Announcer 1.4
"RSS Feed Submitter_is1" = RSS Feed Submitter 1.0
"RSS Submit SEO Expansion Pack v1.0_is1" = RSS Submit RSS Submit SEO Expansion Pack v1.0
"RSS Submit v2.40_is1" = RSS Submit v2.40
"SDKSetup_6.0.6001.18000" = Microsoft Windows SDK for Windows Server 2008 (6001.18000.367)
"SetupStream 2.082" = SetupStream 2.082
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"SocialSpeed v1.2_is1" = SocialSpeed v1.2
"Space Station_is1" = Space Station
"SquidHubSearcher" = SquidHubSearcher 2008
"ST6UNST #1" = CommissionAlert
"Submit Equalizer_is1" = Submit Equalizer 1.0.2
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Three Pillars Desktop Notifier_is1" = Three Pillars Desktop Notifier 1.0
"Ultimate Keyword Theme Extractor_is1" = Ultimate Keyword Theme Extractor v. 1.10.1125
"UnHackMe_is1" = UnHackMe 5.00 release
"vSearch2_is1" = vSearch2
"Web Data Extractor 6.1_is1" = Web Data Extractor 6.1
"WebShot_is1" = WebShot
"WIC" = Windows Imaging Component
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Live Toolbar" = Windows Live Toolbar
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = Gimp 2.6.2 Debug
"WinRAR archiver" = WinRAR archiver
"WMCSetup" =
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"WordFlood" = WordFlood (remove only)
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"www.Resellfire.com My Article Submitter 1.00" = www.Resellfire.com My Article Submitter 1.00
"WYSIWYG_Web_Builder_5" = WYSIWYG Web Builder 5.5
"XAce Plus v2.6" = XAce Plus v2.6
"Xenu_is1" = Xenu's Link Sleuth
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 01/06/2009 17:18:03 | Computer Name = DEESLAPTOP | Source = Windows Search Service | ID = 3083
Description = The protocol handler IEPH.RSSHandler cannot be loaded. Error description:
MAPI: Logon failed. .

Error - 01/06/2009 18:06:01 | Computer Name = DEESLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application teatimer.exe, version 1.6.6.32, faulting module
teatimer.exe, version 1.6.6.32, fault address 0x0006e66e.

Error - 03/06/2009 09:05:11 | Computer Name = DEESLAPTOP | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\DEE\DESKTOP\WORKINGTOOLS\SEEPA_2.05_\SEEPASSWORD
2.05> in the hash map cannot be updated. Context: Application, SystemIndex Catalog

Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 03/06/2009 09:05:11 | Computer Name = DEESLAPTOP | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\DEE\DESKTOP\WORKINGTOOLS\SEEPA_2.05_\SEEPASSWORD
2.05> in the hash map cannot be updated. Context: Application, SystemIndex Catalog

Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 05/06/2009 12:41:50 | Computer Name = DEESLAPTOP | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\DEE\DESKTOP\WORKINGTOOLS\SEEPA_2.05_\SEEPASSWORD
2.05> in the hash map cannot be updated. Context: Application, SystemIndex Catalog

Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 05/06/2009 12:41:50 | Computer Name = DEESLAPTOP | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\DEE\DESKTOP\WORKINGTOOLS\SEEPA_2.05_\SEEPASSWORD
2.05> in the hash map cannot be updated. Context: Application, SystemIndex Catalog

Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 06/06/2009 12:59:16 | Computer Name = DEESLAPTOP | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\DEE\DESKTOP\PLUS\GOOGLE-SITEMAP-GENERATOR.3.1.2>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 06/06/2009 12:59:16 | Computer Name = DEESLAPTOP | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\DEE\DESKTOP\PLUS\GOOGLE-SITEMAP-GENERATOR.3.1.2>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 06/06/2009 12:59:41 | Computer Name = DEESLAPTOP | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\DEE\DESKTOP\PLUS\GLOBAL-TRANSLATOR.1.2.3>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 06/06/2009 12:59:41 | Computer Name = DEESLAPTOP | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\DEE\DESKTOP\PLUS\GLOBAL-TRANSLATOR.1.2.3>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

[ System Events ]
Error - 05/06/2009 07:49:22 | Computer Name = DEESLAPTOP | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 05/06/2009 07:49:22 | Computer Name = DEESLAPTOP | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 09/06/2009 08:55:24 | Computer Name = DEESLAPTOP | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort2, did not respond within the timeout
period.

Error - 10/06/2009 18:40:55 | Computer Name = DEESLAPTOP | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort2, did not respond within the timeout
period.

Error - 11/06/2009 03:26:14 | Computer Name = DEESLAPTOP | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort2, did not respond within the timeout
period.

Error - 11/06/2009 09:48:34 | Computer Name = DEESLAPTOP | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort2, did not respond within the timeout
period.

Error - 11/06/2009 14:06:52 | Computer Name = DEESLAPTOP | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort2, did not respond within the timeout
period.

Error - 11/06/2009 14:06:52 | Computer Name = DEESLAPTOP | Source = atapi | ID = 262155
Description = The driver detected a controller error on \Device\Ide\IdePort2.

Error - 12/06/2009 06:37:42 | Computer Name = DEESLAPTOP | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 13/06/2009 07:26:44 | Computer Name = DEESLAPTOP | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the W32Time service.


< End of report >

The other one is still running. The PC is working fine, so I don't know if Gumblar was removed and all is OK now. Will post the next one once it's finished its run.
Thanks

#11 tiaz (Topic Starter)

Posted 13 June 2009 - 01:25 PM

GMER:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-13 17:48:28
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwAllocateVirtualMemory [0xED4780F0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwAssignProcessToJobObject [0xED4786E0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwConnectPort [0xED477370]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwCreateFile [0xED484E80]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwCreateKey [0xED4831B0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwCreatePort [0xED4771D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwCreateProcess [0xED474A10]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwCreateProcessEx [0xED474DE0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwCreateSection [0xED474520]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwCreateThread [0xED475C80]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwDebugActiveProcess [0xED4767B0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwDeleteFile [0xED4859C0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwDeleteKey [0xED483760]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwDeleteValueKey [0xED4840B0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwEnumerateKey [0xED484E20]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwEnumerateValueKey [0xED484E50]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwLoadDriver [0xED477BC0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwOpenFile [0xED4855D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwOpenKey [0xED4839A0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwOpenProcess [0xED475780]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwOpenSection [0xED4747A0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwOpenThread [0xED476140]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwProtectVirtualMemory [0xED478390]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwQueryKey [0xED484DC0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwQueryValueKey [0xED484DF0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwReplaceKey [0xED4848A0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwRequestWaitReplyPort [0xED477750]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwRestoreKey [0xED484B00]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwResumeThread [0xED476E80]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwSaveKey [0xED484DA0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwSetContextThread [0xED4765D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwSetSystemInformation [0xED476930]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwSetValueKey [0xED4839C0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwShutdownSystem [0xED477AC0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwSuspendProcess [0xED477030]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwSuspendThread [0xED476CB0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwSystemDebugControl [0xED476B10]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwTerminateProcess [0xED475AE0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwTerminateThread [0xED476400]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwUnloadDriver [0xED477DE0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwWriteVirtualMemory [0xED478540]

Code 746BA0B6 IoReportHalResourceUsage

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C7D 80504519 11 Bytes [71, 47, ED, 10, 4A, 47, ED, ...] {JNO 0x49; IN EAX, DX; ADC [EDX+0x47], CL; IN EAX, DX; LOOPNZ 0x56; INC EDI; IN EAX, DX}
.text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504854 12 Bytes [30, 70, 47, ED, B0, 6C, 47, ...] {XOR [EAX+0x47], DH; IN EAX, DX; MOV AL, 0x6c; INC EDI; IN EAX, DX; ADC [EBX+0x47], CH; IN EAX, DX}
.text win32k.sys!HT_ComputeRGBGammaTable + FFE81E15 BF800393 2 Bytes JMP BF80BFE7 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!HT_ComputeRGBGammaTable + FFE81E9B BF800419 1 Byte [2A]
.text win32k.sys!HT_ComputeRGBGammaTable + FFE81EA0 BF80041E 1 Byte [4E]
.text win32k.sys!HT_ComputeRGBGammaTable + FFE81EAF BF80042D 2 Bytes [F0, 36]
.text win32k.sys!HT_ComputeRGBGammaTable + FFE81EB4 BF800432 2 Bytes JMP BF803B15 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text ...
.text win32k.sys!EngAcquireSemaphore + 25 BF806214 55 Bytes CALL 0822D61C
.text win32k.sys!EngAcquireSemaphore + 5D BF80624C 8 Bytes [00, 83, A4, 01, 9C, 00, 10, ...] {ADD [EBX+0x9c01a4], AL; ADC [EAX], AL}
.text win32k.sys!EngAcquireSemaphore + 73 BF806262 82 Bytes CALL BF80C78A \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngAcquireSemaphore + C6 BF8062B5 132 Bytes [46, 04, 5F, 5E, 5D, C2, 08, ...]
.text win32k.sys!EngAcquireSemaphore + 14B BF80633A 16 Bytes [06, 05, 60, 01, 00, 00, 89, ...]
.text ...
.text win32k.sys!EngFreeUserMem + 38 BF8092BE 123 Bytes [FF, 35, FC, C3, 9A, BF, 6A, ...]
.text win32k.sys!EngFreeUserMem + B4 BF80933A 44 Bytes [10, 00, 00, 0F, 86, ED, 00, ...]
.text win32k.sys!EngFreeUserMem + E1 BF809367 68 Bytes [07, 83, F8, 09, 74, 09, 83, ...]
.text win32k.sys!EngFreeUserMem + 127 BF8093AD 14 Bytes [8B, 0D, 50, 01, 9A, BF, 03, ...]
.text win32k.sys!EngFreeUserMem + 136 BF8093BC 21 Bytes [00, 8B, 47, 04, 3D, FF, FF, ...]
.text ...
.text win32k.sys!EngDeleteSurface + 1 BF8138A5 2 Bytes [EC, 57] {IN AL, DX ; PUSH EDI}
.text win32k.sys!EngDeleteSurface + 4 BF8138A8 7 Bytes [7D, 08, F7, C7, 00, 00, 80]
.text win32k.sys!EngDeleteSurface + D BF8138B1 159 Bytes [C2, 56, 8B, F7, C1, EE, 10, ...]
.text win32k.sys!EngDeleteSurface + B0 BF813954 167 Bytes [90, 8B, FF, 55, 8B, EC, 33, ...]
.text win32k.sys!EngDeleteSurface + 158 BF8139FC 25 Bytes [D1, 89, 45, E4, 83, 4D, FC, ...]
.text ...
.text win32k.sys!EngNineGrid + 1 BF817010 145 Bytes [7A, 14, 52, FF, 75, 1C, 89, ...]
.text win32k.sys!EngNineGrid + 93 BF8170A2 16 Bytes [45, E0, 89, 43, 08, 8B, 45, ...] {INC EBP; LOOPNZ 0xffffffffffffff8c; INC EBX; OR [EBX+0x5e5ff045], CL; MOV [EBX+0x18], EAX; POP EBX; LEAVE ; RET }
.text win32k.sys!EngNineGrid + A7 BF8170B6 62 Bytes [90, 8B, FF, 55, 8B, EC, 83, ...]
.text win32k.sys!EngNineGrid + E6 BF8170F5 44 Bytes [75, EC, 8B, 70, 04, 89, 75, ...]
.text win32k.sys!EngNineGrid + 113 BF817122 29 Bytes [03, 8B, 4B, 14, C1, E1, 02, ...]
.text ...
.text win32k.sys!EngTransparentBlt + 77 BF81919D 26 Bytes [48, 10, A5, 8D, 43, F0, 33, ...]
.text win32k.sys!EngTransparentBlt + 92 BF8191B8 17 Bytes [47, 57, 56, 8D, 4D, D4, 51, ...] {INC EDI; PUSH EDI; PUSH ESI; LEA ECX, [EBP-0x2c]; PUSH ECX; LEA ECX, [EBP-0x10]; PUSH ECX; PUSH EAX; CALL 0xfffffffffffffd0a}
.text win32k.sys!EngTransparentBlt + A4 BF8191CA 117 Bytes [C6, 89, 45, 18, 0F, 84, A4, ...]
.text win32k.sys!EngTransparentBlt + 11B BF819241 7 Bytes [39, 75, 20, 89, BD, 54, FF]
.text win32k.sys!EngTransparentBlt + 124 BF81924A 63 Bytes [89, BD, 60, FF, FF, FF, 8B, ...]
.text ...
.text win32k.sys!EngCreateDeviceBitmap + D BF8196B7 3 Bytes [5D, C2, 04]
.text win32k.sys!EngCreateDeviceBitmap + 11 BF8196BB 6 Bytes [90, 90, 90, 90, 90, 8B]
.text win32k.sys!EngCreateDeviceBitmap + 18 BF8196C2 34 Bytes [55, 8B, EC, 56, FF, 35, E8, ...]
.text win32k.sys!EngCreateDeviceBitmap + 3B BF8196E5 32 Bytes [00, EB, F0, 8B, 48, 08, 3B, ...]
.text win32k.sys!EngCreateDeviceBitmap + 5E BF819708 107 Bytes [90, 90, 68, 47, 64, 72, 73, ...]
.text win32k.sys!EngAssociateSurface + 2 BF819774 11 Bytes [FF, FF, 85, C0, 75, 21, E8, ...]
.text win32k.sys!EngAssociateSurface + E BF819780 1 Byte [C0]
.text win32k.sys!EngAssociateSurface + E BF819780 30 Bytes [C0, 74, 41, 8B, 4E, 10, 89, ...]
.text win32k.sys!EngAssociateSurface + 2D BF81979F 16 Bytes [89, 7E, 1C, 8B, 87, 04, 03, ...]
.text win32k.sys!EngAssociateSurface + 3E BF8197B0 4 Bytes [48, 33, FF, 47] {DEC EAX; XOR EDI, EDI; INC EDI}
.text ...
.text win32k.sys!EngQueryPerformanceCounter + 4D BF8198F5 5 Bytes [14, 8B, 46, 48, A9]
.text win32k.sys!EngQueryPerformanceCounter + 53 BF8198FB 94 Bytes [00, 00, 01, 74, 0A, A8, 01, ...]
.text win32k.sys!EngQueryPerformanceCounter + B4 BF81995C 35 Bytes JMP 8052B3D6 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text win32k.sys!EngQueryPerformanceCounter + D8 BF819980 26 Bytes [76, 11, 56, FF, 35, 78, 98, ...]
.text win32k.sys!EngQueryPerformanceCounter + F3 BF81999B 199 Bytes CALL BF8360D3 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text ...
.text win32k.sys!BRUSHOBJ_pvGetRbrush + 1D BF81B447 207 Bytes [EC, 56, 8B, 75, 10, 57, 8B, ...]
.text win32k.sys!BRUSHOBJ_pvGetRbrush + ED BF81B517 11 Bytes [FE, FF, EB, A3, 8B, F0, E9, ...]
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 1 BF81B523 10 Bytes [08, 89, 4D, D8, 8B, 50, 04, ...]
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + C BF81B52E 89 Bytes [00, FF, 15, 74, CE, 98, BF, ...]
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 66 BF81B588 37 Bytes CALL C96BABC0
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 8C BF81B5AE 42 Bytes [83, 65, FC, 00, 8B, 75, 10, ...]
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + B7 BF81B5D9 85 Bytes [8B, 55, 08, 3B, D0, 0F, 83, ...]
.text ...
.text win32k.sys!EngMulDiv + 27 BF81F4D7 66 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...]
.text win32k.sys!EngMulDiv + 6A BF81F51A 72 Bytes [FF, 55, 8B, EC, 83, 7D, 14, ...]
.text win32k.sys!EngMulDiv + B3 BF81F563 1 Byte [47]
.text win32k.sys!EngMulDiv + B3 BF81F563 9 Bytes [47, 08, 89, 46, 08, 8B, 07, ...] {INC EDI; OR [ECX+0x78b0846], CL; MOV [ESI], EAX}
.text win32k.sys!EngMulDiv + BD BF81F56D 1 Byte [47]
.text ...
.text win32k.sys!EngSetLastError + 97 BF8210A9 3 Bytes CALL BF82101A \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngSetLastError + 9B BF8210AD 22 Bytes [85, C0, 74, D0, 8B, 30, E8, ...]
.text win32k.sys!EngSetLastError + B3 BF8210C5 3 Bytes [90, 90, 90] {NOP ; NOP ; NOP }
.text win32k.sys!EngSetLastError + B7 BF8210C9 7 Bytes [FF, 55, 8B, EC, 8B, 45, 08] {CALL [EBP-0x75]; IN AL, DX ; MOV EAX, [EBP+0x8]}
.text win32k.sys!EngSetLastError + C0 BF8210D2 23 Bytes [0C, 29, 08, 01, 48, 08, 8B, ...]
.text ...
.text win32k.sys!CLIPOBJ_cEnumStart BF828C20 24 Bytes [90, 90, 8B, FF, 55, 8B, EC, ...]
.text win32k.sys!CLIPOBJ_cEnumStart + 19 BF828C39 83 Bytes [8B, 75, 08, 8B, C7, 6B, C0, ...]
.text win32k.sys!CLIPOBJ_bEnum + 4B BF828C8D 1 Byte [00]
.text win32k.sys!CLIPOBJ_bEnum + 4B BF828C8D 82 Bytes [00, 00, FF, 49, 48, 0F, 84, ...]
.text win32k.sys!CLIPOBJ_bEnum + 9E BF828CE0 25 Bytes [72, 24, 4E, 89, 71, 48, 33, ...]
.text win32k.sys!CLIPOBJ_bEnum + B8 BF828CFA 154 Bytes [44, C7, 41, 68, 01, 00, 00, ...]
.text win32k.sys!CLIPOBJ_bEnum + 153 BF828D95 8 Bytes [8B, 41, 58, 89, 41, 50, E9, ...]
.text ...
.text win32k.sys!EngLpkInstalled + E BF82A1C3 23 Bytes [00, 00, 8B, 81, C8, 00, 00, ...]
.text win32k.sys!EngLpkInstalled + 27 BF82A1DC 12 Bytes [0F, B6, 55, 10, 56, 8B, 30, ...]
.text win32k.sys!EngLpkInstalled + 34 BF82A1E9 8 Bytes [C1, E2, 18, 0B, D6, 83, 7D, ...]
.text win32k.sys!EngLpkInstalled + 3D BF82A1F2 8 Bytes [89, 10, 8B, 45, 08, 89, 81, ...]
.text win32k.sys!EngLpkInstalled + 47 BF82A1FC 12 Bytes [00, 5E, 75, 14, 8B, 40, 34, ...]
.text ...
.text win32k.sys!EngBitBlt + C BF82BC91 45 Bytes [30, 57, 8D, 7B, F0, 89, 45, ...]
.text win32k.sys!EngBitBlt + 3A BF82BCBF 88 Bytes [47, 38, B9, AA, CC, 00, 00, ...]
.text win32k.sys!EngBitBlt + 93 BF82BD18 35 Bytes [F7, D8, 6A, 00, 1B, C0, 50, ...]
.text win32k.sys!EngBitBlt + B7 BF82BD3C 10 Bytes [EB, C5, 74, 3A, 85, C0, 74, ...]
.text win32k.sys!EngBitBlt + C2 BF82BD47 6 Bytes [00, 00, 0F, 84, C4, FD]
.text ...
.text win32k.sys!EngPaint BF82CB1C 77 Bytes [F0, CC, 99, BF, 8B, C2, 50, ...]
.text win32k.sys!EngPaint + 4F BF82CB6B 1 Byte [04]
.text win32k.sys!EngPaint + 4F BF82CB6B 27 Bytes [04, 00, C7, 45, 08, 08, 00, ...]
.text win32k.sys!EngPaint + 6B BF82CB87 31 Bytes [FF, 35, 18, B2, 9A, BF, E8, ...]
.text win32k.sys!EngPaint + 8B BF82CBA7 52 Bytes [85, C0, 74, 0B, 83, 4E, 08, ...]
.text ...
.text win32k.sys!EngUnlockSurface + 65 BF833AB6 8 Bytes [5D, C2, 04, 00, 21, 08, EB, ...] {POP EBP; RET 0x4; AND [EAX], ECX; JMP 0x0}
.text win32k.sys!EngUnlockSurface + 77 BF833AC8 64 Bytes [51, 83, 65, FC, 00, 56, FF, ...]
.text win32k.sys!EngLockSurface + 26 BF833B09 51 Bytes [55, 14, 53, 8B, 5D, 10, 56, ...]
.text win32k.sys!EngLockSurface + 5A BF833B3D 49 Bytes [52, 53, FF, 70, 08, FF, D1, ...]
.text win32k.sys!EngLockSurface + 8C BF833B6F 12 Bytes [45, 08, EB, E0, F6, 45, 11, ...] {INC EBP; OR BL, CH; LOOPNZ 0xfffffffffffffffb; INC EBP; ADC [EAX+0xcb840f], EAX}
.text win32k.sys!EngLockSurface + 99 BF833B7C 4 Bytes [00, 68, 87, 04]
.text win32k.sys!EngLockSurface + 9E BF833B81 13 Bytes CALL BF8037AA \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text ...
.text win32k.sys!EngCopyBits + A BF8368EB 11 Bytes [8B, 75, 08, 8B, 46, 0C, 33, ...] {MOV ESI, [EBP+0x8]; MOV EAX, [ESI+0xc]; XOR EDI, EDI; PUSH EDI; PUSH EDI; PUSH ESI}
.text win32k.sys!EngCopyBits + 16 BF8368F7 147 Bytes [4D, 0C, 89, 45, 0C, E8, 98, ...]
.text win32k.sys!EngCopyBits + AB BF83698C 118 Bytes [FF, A8, 61, 9A, BF, 74, 06, ...]
.text win32k.sys!EngCopyBits + 122 BF836A03 17 Bytes [8D, 85, 14, FE, FF, FF, 89, ...] {LEA EAX, [EBP-0x1ec]; MOV [EBP+0x14], EAX; MOV EDX, [EBP+0x18]; MOV EAX, [EDX]; MOV ECX, [EBP+0x14]}
.text win32k.sys!EngCopyBits + 134 BF836A15 23 Bytes [41, F4, 89, 45, EC, 0F, 8C, ...]
.text ...
.text win32k.sys!EngMapFontFileFD + 4 BF836EAE 60 Bytes [45, 08, 85, C0, 74, 17, 8D, ...]
.text win32k.sys!EngMapFontFileFD + 41 BF836EEB 116 Bytes [6A, 02, 68, 00, 00, 40, 00, ...]
.text win32k.sys!EngMapFontFileFD + B6 BF836F60 247 Bytes [39, 3B, 0F, 84, 6F, FF, FF, ...]
.text win32k.sys!EngMapFontFileFD + 1AE BF837058 9 Bytes [FF, 89, 7D, 14, EB, D9, 8B, ...] {DEC DWORD [ECX-0x2614eb83]; MOV ECX, [EBP-0x20]}
.text win32k.sys!EngMapFontFileFD + 1B8 BF837062 7 Bytes [15, 3C, CE, 98, BF, EB, 0B] {ADC EAX, 0xbf98ce3c; JMP 0x12}
.text ...
.text win32k.sys!EngUnmapFontFileFD + 7D BF837142 43 Bytes [00, 8B, 45, 10, 8B, 16, 8B, ...]
.text win32k.sys!EngUnmapFontFileFD + A9 BF83716E 27 Bytes [00, 0F, B6, C7, 0F, B6, 88, ...]
.text win32k.sys!EngUnmapFontFileFD + C5 BF83718A 4 Bytes JMP BF83748B \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngUnmapFontFileFD + CA BF83718F 13 Bytes JMP BF83724F \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngUnmapFontFileFD + D8 BF83719D 2 Bytes JMP BF83726B \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text ...
.text win32k.sys!EngCreateBitmap + 11 BF837E9D 52 Bytes [F6, C5, 20, 75, 19, 83, C0, ...]
.text win32k.sys!EngCreateBitmap + 46 BF837ED2 25 Bytes [55, 10, 8B, 4D, 0C, 8B, 45, ...]
.text win32k.sys!EngCreateBitmap + 60 BF837EEC 37 Bytes [EE, 5F, 5E, 5D, C2, 10, 00, ...]
.text win32k.sys!EngCreateBitmap + 86 BF837F12 12 Bytes [50, 83, C3, 28, 53, 8D, 45, ...]
.text win32k.sys!EngCreateBitmap + 93 BF837F1F 49 Bytes [FF, 8D, 47, 20, 50, 8D, 45, ...]
.text ...
.text win32k.sys!PATHOBJ_bEnum + 3D BF84B857 38 Bytes [0F, F6, 42, 08, 08, 75, 09, ...]
.text win32k.sys!PATHOBJ_bEnum + 64 BF84B87E 52 Bytes [F1, 8B, 46, 08, 85, C0, 74, ...]
.text win32k.sys!PATHOBJ_bEnum + 99 BF84B8B3 91 Bytes [49, 04, 89, 48, 30, EB, E1, ...]
.text win32k.sys!PATHOBJ_bEnum + F5 BF84B90F 4 Bytes [4D, 08, 8B, 01]
.text win32k.sys!PATHOBJ_bEnum + FA BF84B914 24 Bytes [40, 38, 83, E0, 43, 33, DB, ...]
.text ...
.text win32k.sys!EngComputeGlyphSet + 19 BF84F7F0 99 Bytes [85, C0, 89, 45, FC, 74, 0E, ...]
.text win32k.sys!EngComputeGlyphSet + 7D BF84F854 13 Bytes [66, 8B, 04, 79, 8A, 1C, 37, ...]
.text win32k.sys!EngMultiByteToWideChar + 8 BF84F862 140 Bytes [85, C0, 7C, 19, 66, 8B, 14, ...]
.text win32k.sys!EngMultiByteToWideChar + 95 BF84F8EF 21 Bytes [FF, 83, 45, FC, 02, 47, 3B, ...]
.text win32k.sys!EngMultiByteToWideChar + AB BF84F905 16 Bytes [74, 6E, 89, 45, F8, E9, 95, ...]
.text win32k.sys!EngMultiByteToWideChar + BC BF84F916 5 Bytes [55, 8B, EC, 51, 51] {PUSH EBP; MOV EBP, ESP; PUSH ECX; PUSH ECX}
.text win32k.sys!EngMultiByteToWideChar + C2 BF84F91C 35 Bytes [4D, 0C, 53, 8B, 5D, 18, 56, ...]
.text ...
.text win32k.sys!EngDeviceIoControl + 23 BF85A1AA 7 Bytes [00, C0, 74, 0C, 3D, 23, 00]
.text win32k.sys!EngDeviceIoControl + 2B BF85A1B2 173 Bytes [C0, 75, DE, 6A, 7A, 58, EB, ...]
.text win32k.sys!EngDeviceIoControl + D9 BF85A260 62 Bytes [7C, D3, 8B, 45, F8, 3B, 05, ...]
.text win32k.sys!EngDeviceIoControl + 118 BF85A29F 46 Bytes [FF, 15, F4, CE, 98, BF, 68, ...]
.text win32k.sys!EngDeviceIoControl + 147 BF85A2CE 10 Bytes [FF, 15, F4, CE, 98, BF, 8D, ...] {CALL [0xbf98cef4]; LEA EAX, [EBP-0x10]; PUSH EAX}
.text ...
.text win32k.sys!EngWaitForSingleObject + 17 BF85A5FB 58 Bytes [25, CC, D1, 98, BF, 90, 90, ...]
.text win32k.sys!EngUnicodeToMultiByteN + 19 BF85A636 21 Bytes JMP BF85ACC6 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngUnicodeToMultiByteN + 30 BF85A64D 22 Bytes [FF, 35, DC, C3, 99, BF, 8D, ...]
.text win32k.sys!EngUnicodeToMultiByteN + 47 BF85A664 71 Bytes [FF, 35, DC, C3, 99, BF, 8D, ...]
.text win32k.sys!EngUnicodeToMultiByteN + 8F BF85A6AC 12 Bytes [83, A4, 01, 00, 00, 89, 47, ...]
.text win32k.sys!EngUnicodeToMultiByteN + 9D BF85A6BA 17 Bytes [89, 47, 1C, 33, C0, 89, 47, ...] {MOV [EDI+0x1c], EAX; XOR EAX, EAX; MOV [EDI+0x8], EAX; MOV [EDI+0xc], EAX; MOV [EDI+0x10], EAX; MOV [EDI+0x14], EAX}
.text ...
.text win32k.sys!EngAllocMem + 34 BF85B657 30 Bytes [45, 08, 85, C0, 74, 11, 56, ...]
.text win32k.sys!EngAllocMem + 54 BF85B677 3 Bytes [8B, FF, 55] {MOV EDI, EDI; PUSH EBP}
.text win32k.sys!EngFreeMem + 1 BF85B67B 7 Bytes [EC, 8B, 0D, 74, 6D, 9A, BF] {IN AL, DX ; MOV ECX, [0xbf9a6d74]}
.text win32k.sys!EngFreeMem + 9 BF85B683 1 Byte [C9]
.text win32k.sys!EngFreeMem + 9 BF85B683 54 Bytes CALL BF801935 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngFreeMem + 40 BF85B6BA 50 Bytes [B0, 08, 06, 00, 00, 57, 83, ...]
.text win32k.sys!EngFreeMem + 73 BF85B6ED 62 Bytes [7D, FC, 00, 8B, F8, 74, 06, ...]
.text ...
.text win32k.sys!XFORMOBJ_iGetXform + 1 BF8696B9 21 Bytes [55, 38, 8D, 86, 00, 80, 00, ...]
.text win32k.sys!XFORMOBJ_iGetXform + 17 BF8696CF 1 Byte [CF]
.text win32k.sys!XFORMOBJ_iGetXform + 17 BF8696CF 4 Bytes CALL BF86856D \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!XFORMOBJ_iGetXform + 1E BF8696D6 25 Bytes [75, 10, 8B, 7D, 08, 88, 83, ...]
.text win32k.sys!XFORMOBJ_iGetXform + 38 BF8696F0 10 Bytes [80, 00, 00, 66, 89, 4B, 0C, ...] {ADD BYTE [EAX], 0x0; MOV [EBX+0xc], CX; SAR EDX, 0x10}
.text win32k.sys!FONTOBJ_pxoGetXform + 1 BF8696FB 32 Bytes [CF, 66, 89, 53, 0E, 89, 43, ...]
.text win32k.sys!FONTOBJ_pxoGetXform + 22 BF86971C 12 Bytes [FF, 8B, 4D, F4, 33, C0, 3B, ...]
.text win32k.sys!FONTOBJ_pxoGetXform + 2F BF869729 69 Bytes [00, 00, 0F, 85, 2C, FD, FF, ...]
.text win32k.sys!FONTOBJ_pxoGetXform + 75 BF86976F 60 Bytes [19, 01, 00, 00, 02, EB, C0, ...]
.text win32k.sys!FONTOBJ_pxoGetXform + B2 BF8697AC 33 Bytes [F0, 81, C6, 00, 80, 00, 00, ...]
.text ...
.text win32k.sys!STROBJ_vEnumStart + 4F BF86FA74 30 Bytes [5D, F4, 75, CC, 89, 5D, FC, ...]
.text win32k.sys!STROBJ_vEnumStart + 6E BF86FA93 3 Bytes [72, B7, 5F] {JB 0xffffffffffffffb9; POP EDI}
.text win32k.sys!STROBJ_vEnumStart + 72 BF86FA97 180 Bytes [1D, 90, 90, 90, 90, 90, 8B, ...]
.text win32k.sys!STROBJ_vEnumStart + 127 BF86FB4C 40 Bytes [FF, FF, 8B, 4D, 1C, 89, 8D, ...]
.text win32k.sys!STROBJ_vEnumStart + 150 BF86FB75 18 Bytes [75, 90, 68, F0, AA, 00, 00, ...] {JNZ 0xffffffffffffff92; PUSH 0xaaf0; PUSH DWORD [EBP+0x50]; PUSH DWORD [EBP+0x4c]; LEA EAX, [EBP-0x74]; PUSH EAX; PUSH EDX}
.text ...
.text win32k.sys!EngTextOut + 2 BF87015E 26 Bytes [8B, 45, 20, 89, 85, B0, FB, ...]
.text win32k.sys!EngTextOut + 1D BF870179 2 Bytes [75, 08] {JNZ 0xa}
.text win32k.sys!EngTextOut + 21 BF87017D 1 Byte [C8]
.text win32k.sys!EngTextOut + 25 BF870181 12 Bytes [33, C0, 57, 8B, 7D, 10, 89, ...] {XOR EAX, EAX; PUSH EDI; MOV EDI, [EBP+0x10]; MOV [EBP-0x410], EAX}
.text win32k.sys!EngTextOut + 33 BF87018F 1 Byte [F4]
.text ...
.text win32k.sys!XLATEOBJ_iXlate + 13 BF871545 25 Bytes [74, 0C, 8B, 4E, 2C, 81, 79, ...]
.text win32k.sys!XLATEOBJ_iXlate + 2D BF87155F 4 Bytes CALL BF878655 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!XLATEOBJ_iXlate + 32 BF871564 48 Bytes [85, 7E, 38, 0F, 85, 6A, FF, ...]
.text win32k.sys!XLATEOBJ_iXlate + 63 BF871595 3 Bytes [C0, 74, 96]
.text win32k.sys!XLATEOBJ_iXlate + 67 BF871599 85 Bytes CALL BF947A1B \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text ...
.text win32k.sys!EngStretchBltROP + 3F BF873E73 11 Bytes [75, 2C, F7, DF, 56, FF, 75, ...]
.text win32k.sys!EngStretchBltROP + 4B BF873E7F 11 Bytes [20, 23, 7D, 10, FF, 75, 1C, ...]
.text win32k.sys!EngStretchBltROP + 57 BF873E8B 8 Bytes [14, 57, FF, 75, 0C, FF, 75, ...] {ADC AL, 0x57; PUSH DWORD [EBP+0xc]; PUSH DWORD [EBP+0x8]}
.text win32k.sys!EngStretchBltROP + 60 BF873E94 8 Bytes [55, 38, 5F, 5E, 5B, C9, C2, ...]
.text win32k.sys!EngStretchBltROP + 69 BF873E9D 24 Bytes CALL AA873EA7
.text ...
.text win32k.sys!EngStretchBlt + 68 BF875036 4 Bytes [00, 07, 00, 00] {ADD [EDI], AL; ADD [EAX], AL}
.text win32k.sys!EngStretchBlt + 6D BF87503B 5 Bytes [4E, 04, 3B, 4E, 0C]
.text win32k.sys!EngStretchBlt + 74 BF875042 72 Bytes [F4, 06, 00, 00, 8B, 4D, 24, ...]
.text win32k.sys!EngStretchBlt + BD BF87508B 63 Bytes [A5, 0F, 84, E4, 08, 00, 00, ...]
.text win32k.sys!EngStretchBlt + FD BF8750CB 60 Bytes [8B, 0E, 3B, C1, 0F, 8C, DD, ...]
.text ...
.text win32k.sys!EngCreatePalette + AF BF879316 38 Bytes JMP BF8794A2 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngCreatePalette + D6 BF87933D 9 Bytes CALL BF8F788E \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngCreatePalette + E0 BF879347 1 Byte [D5]
.text win32k.sys!EngCreatePalette + E5 BF87934C 23 Bytes CALL BF92E294 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngCreatePalette + FD BF879364 13 Bytes JMP BF879573 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text ...
.text win32k.sys!EngCreateSemaphore + 6E BF87F994 3 Bytes [8B, FF, 55] {MOV EDI, EDI; PUSH EBP}
.text win32k.sys!EngCreateSemaphore + 72 BF87F998 15 Bytes [EC, 8B, 01, 5D, FF, A0, 9C, ...] {IN AL, DX ; MOV EAX, [ECX]; POP EBP; JMP [EAX+0x59c]; NOP ; NOP ; NOP ; NOP ; NOP }
.text win32k.sys!EngCreateSemaphore + 82 BF87F9A8 28 Bytes [FF, 55, 8B, EC, 8B, 45, 0C, ...]
.text win32k.sys!EngCreateSemaphore + 9F BF87F9C5 17 Bytes CALL BF801743 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngCreateSemaphore + B4 BF87F9DA 13 Bytes [90, 8B, FF, 55, 8B, EC, 83, ...]
.text ...
.text win32k.sys!EngEraseSurface + 84 BF882F2F 63 Bytes [89, 85, 6C, FE, FF, FF, 83, ...]
.text win32k.sys!EngEraseSurface + C4 BF882F6F 10 Bytes [FF, 73, 2E, 8D, 4A, 04, 66, ...]
.text win32k.sys!EngEraseSurface + CF BF882F7A 32 Bytes [8D, 59, 04, 66, 0F, B6, 53, ...]
.text win32k.sys!EngEraseSurface + F0 BF882F9B 2 Bytes [95, 70]
.text win32k.sys!EngEraseSurface + F5 BF882FA0 16 Bytes [03, 56, 24, FF, 85, 78, FE, ...] {ADD EDX, [ESI+0x24]; INC DWORD [EBP-0x188]; CMP DWORD [EBP-0x188], 0x3}
.text ...
.text win32k.sys!EngCreateDeviceSurface + 20 BF888B65 240 Bytes [8B, 87, 68, 05, 00, 00, 53, ...]
.text win32k.sys!EngCreateDeviceSurface + 112 BF888C57 41 Bytes [89, 86, E4, 00, 00, 00, E8, ...]
.text win32k.sys!EngCreateDeviceSurface + 13C BF888C81 159 Bytes [00, 8B, 87, D0, 05, 00, 00, ...]
.text win32k.sys!EngCreateDeviceSurface + 1DC BF888D21 59 Bytes [07, 00, 00, 89, 86, F0, 01, ...]
.text win32k.sys!EngCreateDeviceSurface + 218 BF888D5D 24 Bytes [8B, 48, 04, FF, 15, 1C, D4, ...]
.text ...
.text win32k.sys!EngGetCurrentCodePage + 40 BF88C956 2 Bytes [0F, 85]
.text win32k.sys!EngGetCurrentCodePage + 43 BF88C959 44 Bytes CALL BF964621 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngGetCurrentCodePage + 72 BF88C988 47 Bytes [68, 70, 48, 99, BF, E8, 16, ...]
.text win32k.sys!EngGetCurrentCodePage + A4 BF88C9BA 17 Bytes [89, 5D, FC, 8B, 45, 0C, 83, ...]
.text win32k.sys!EngGetCurrentCodePage + B8 BF88C9CE 9 Bytes [8D, 85, 44, FF, FF, FF, 89, ...]
.text ...
.text win32k.sys!EngFntCacheLookUp + 2F BF89A34B 126 Bytes [10, 69, C0, 01, 01, 00, 00, ...]
.text win32k.sys!EngFntCacheLookUp + B0 BF89A3CC 17 Bytes [89, 1E, 89, 7E, 04, 83, 4E, ...]
.text win32k.sys!EngFntCacheLookUp + C2 BF89A3DE 50 Bytes [89, 7E, 0C, A1, 6C, 59, 9A, ...]
.text win32k.sys!EngFntCacheLookUp + F6 BF89A412 67 Bytes [8B, 75, FC, 3B, F7, 74, 86, ...]
.text win32k.sys!EngFntCacheLookUp + 13A BF89A456 12 Bytes [3B, 38, 74, 05, 8B, 50, 08, ...] {CMP EDI, [EAX]; JZ 0x9; MOV EDX, [EAX+0x8]; JMP 0xfffffffffffffff1; MOV [ESI], EAX; POP EDI}
.text ...
.text win32k.sys!EngFntCacheAlloc + 16 BF89A7F9 51 Bytes [75, 4E, 8B, 0D, 6C, 59, 9A, ...]
.text win32k.sys!EngFntCacheAlloc + 4A BF89A82D 3 Bytes CALL BF801923 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngFntCacheAlloc + 4E BF89A831 90 Bytes [A1, 6C, 59, 9A, BF, F6, 40, ...]
.text win32k.sys!EngFntCacheAlloc + A9 BF89A88C 151 Bytes [8A, 68, 02, 56, 8A, 48, 03, ...]
.text win32k.sys!EngFntCacheAlloc + 142 BF89A925 3 Bytes [90, 90, 90] {NOP ; NOP ; NOP }
.text ...
.text win32k.sys!EngWideCharToMultiByte + D9 BF89BF6C 18 Bytes [00, 8D, 42, 24, 89, 45, E4, ...]
.text win32k.sys!EngWideCharToMultiByte + EC BF89BF7F 39 Bytes [8B, 48, 2C, 8B, 40, 30, 8D, ...]
.text win32k.sys!EngWideCharToMultiByte + 114 BF89BFA7 5 Bytes [3B, F1, 0F, 83, A4]
.text win32k.sys!EngWideCharToMultiByte + 11A BF89BFAD 43 Bytes [00, 00, 83, C3, 04, 89, 5D, ...]
.text win32k.sys!EngWideCharToMultiByte + 146 BF89BFD9 195 Bytes [4D, FC, 66, 83, F8, FF, 73, ...]
.text ...
.text win32k.sys!EngMultiByteToUnicodeN + 2 BF89DE81 22 Bytes [57, 8D, 45, FC, 50, 57, 68, ...]
.text win32k.sys!EngMultiByteToUnicodeN + 19 BF89DE98 27 Bytes [14, A0, 10, B0, 99, BF, 3C, ...]
.text win32k.sys!EngMultiByteToUnicodeN + 36 BF89DEB5 10 Bytes [00, 6A, FA, 6A, 01, E8, 23, ...] {ADD [EDX-0x6], CH; PUSH 0x1; CALL 0x2d}
.text win32k.sys!EngMultiByteToUnicodeN + 41 BF89DEC0 21 Bytes [75, FC, 57, 6A, FB, 6A, 01, ...]
.text win32k.sys!EngMultiByteToUnicodeN + 57 BF89DED6 10 Bytes [94, FC, 00, 00, 5F, C9, C3, ...] {XCHG ESP, EAX; CLD ; ADD [EAX], AL; POP EDI; LEAVE ; RET ; NOP ; NOP ; NOP }
.text ...
.text win32k.sys!EngFindImageProcAddress + 12 BF8A1AFD 27 Bytes [03, C1, 03, F9, 03, D9, 85, ...]
.text win32k.sys!EngFindImageProcAddress + 2E BF8A1B19 144 Bytes [F9, 2B, C1, 50, 8B, 45, 08, ...]
.text win32k.sys!EngFindImageProcAddress + BF BF8A1BAA 25 Bytes [0F, 39, 78, 1C, 75, 0A, FF, ...]
.text win32k.sys!EngFindImageProcAddress + DA BF8A1BC5 151 Bytes [75, DC, 5B, EB, 2E, 90, 90, ...]
.text win32k.sys!EngFindImageProcAddress + 172 BF8A1C5D 34 Bytes [8B, FF, 55, 8B, EC, 8B, 45, ...]
.text win32k.sys!EngLoadImage + 1F BF8A1C80 8 Bytes [90, 90, 90, 8B, FF, 55, 8B, ...] {NOP ; NOP ; NOP ; MOV EDI, EDI; PUSH EBP; MOV EBP, ESP}
.text win32k.sys!EngLoadImage + 28 BF8A1C89 103 Bytes [45, 08, A3, 54, 59, 9A, BF, ...]
.text win32k.sys!EngLoadImage + 91 BF8A1CF2 17 Bytes [2C, 2B, F6, FF, 5D, C2, 04, ...]
.text win32k.sys!EngLoadImage + A3 BF8A1D04 124 Bytes [00, FF, 15, 74, CE, 98, BF, ...]
.text win32k.sys!EngLoadImage + 121 BF8A1D82 3 Bytes [8B, FF, 56] {MOV EDI, EDI; PUSH ESI}
.text ...
.text win32k.sys!EngQueryPerformanceFrequency + 15 BF8A3B2F 90 Bytes JMP BF8A474F \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngQueryPerformanceFrequency + 70 BF8A3B8A 9 Bytes [8B, F0, 89, 75, FC, E9, D3, ...]
.text win32k.sys!EngQueryPerformanceFrequency + 7A BF8A3B94 39 Bytes [8B, 48, 40, 89, 0D, 38, 59, ...]
.text win32k.sys!EngQueryPerformanceFrequency + A2 BF8A3BBC 110 Bytes [83, E0, 05, 09, 46, 54, A1, ...]
.text win32k.sys!EngQueryPerformanceFrequency + 112 BF8A3C2C 21 Bytes [0F, 85, 05, 0B, 00, 00, 89, ...]
.text ...
.text win32k.sys!EngSecureMem + 4 BF8A5B9A 29 Bytes [FE, AB, 6A, 00, AB, 8D, 46, ...]
.text win32k.sys!EngUnloadImage + 6 BF8A5BB8 5 Bytes [C2, 04, 00, 90, 90] {RET 0x4; NOP ; NOP }
.text win32k.sys!EngUnloadImage + E BF8A5BC0 6 Bytes [8B, FF, 55, 8B, EC, 83]
.text win32k.sys!EngCreateEvent + 5 BF8A5BC7 159 Bytes [38, 8B, 45, 08, 48, 75, 23, ...]
.text win32k.sys!EngQuerySystemAttribute + 61 BF8A5C67 64 Bytes [00, E0, 0F, 94, C1, 8B, C1, ...]
.text win32k.sys!EngQuerySystemAttribute + A2 BF8A5CA8 9 Bytes [8B, 46, 24, B9, 8F, 14, 96, ...]
.text win32k.sys!EngQuerySystemAttribute + AC BF8A5CB2 35 Bytes [74, 03, 89, 43, 58, 89, 4E, ...]
.text win32k.sys!EngQuerySystemAttribute + D0 BF8A5CD6 68 Bytes [90, 90, 90, 90, 90, FF, 25, ...]
.text win32k.sys!EngQuerySystemAttribute + 116 BF8A5D1C 26 Bytes [00, 8B, 51, 14, 89, 50, 10, ...]
.text ...
.text win32k.sys!EngFindResource + 38 BF8A7E5A 28 Bytes [FF, FF, 75, 18, 83, 65, 14, ...]
.text win32k.sys!EngFindResource + 55 BF8A7E77 33 Bytes [1B, C0, 23, C1, C9, C2, 14, ...]
.text win32k.sys!EngFindResource + 77 BF8A7E99 175 Bytes [55, 8B, EC, 83, EC, 0C, 53, ...]
.text win32k.sys!EngFindResource + 128 BF8A7F4A 45 Bytes [85, C0, 0F, 84, BF, F7, FF, ...]
.text win32k.sys!EngFindResource + 156 BF8A7F78 22 Bytes CALL BF8A808B \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text ...
.text win32k.sys!EngLoadModule + 7 BF8A87B8 58 Bytes CALL BF80EC34 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngLoadModule + 42 BF8A87F3 171 Bytes [FF, 75, 0C, 8D, 34, 07, 8D, ...]
.text win32k.sys!EngLoadModule + EE BF8A889F 106 Bytes [64, 6D, 9A, BF, 3B, F7, 75, ...]
.text win32k.sys!EngLoadModule + 159 BF8A890A 153 Bytes [7E, F8, 75, 0B, 8B, 46, F0, ...]
.text win32k.sys!EngFreeModule + 75 BF8A89A4 5 Bytes [00, 0F, 85, FB, ED] {ADD [EDI], CL; TEST EBX, EDI; IN EAX, DX}
.text win32k.sys!EngFreeModule + 7B BF8A89AA 407 Bytes [FF, 81, 7E, 08, 4C, 02, 00, ...]
.text win32k.sys!EngFreeModule + 214 BF8A8B43 11 Bytes [CC, 8D, 7D, E0, AB, AB, AB, ...]
.text win32k.sys!EngFreeModule + 220 BF8A8B4F 357 Bytes [9C, 50, 68, 38, 5C, 99, BF, ...]
.text win32k.sys!EngFreeModule + 386 BF8A8CB5 51 Bytes [25, 84, 57, 9A, BF, 00, 83, ...]
.text ...
.text win32k.sys!EngGetLastError + 1E BF8AC6EB 21 Bytes [7D, FC, 33, C0, 33, D2, 89, ...]
.text win32k.sys!EngGetLastError + 34 BF8AC701 55 Bytes [74, 93, 58, 8B, 55, 14, 8D, ...]
.text win32k.sys!EngGetLastError + 6C BF8AC739 1 Byte [0C]
.text win32k.sys!EngGetLastError + 6C BF8AC739 9 Bytes [0C, 89, 48, 04, 89, 10, 8B, ...]
.text win32k.sys!EngGetLastError + 76 BF8AC743 7 Bytes [31, 8B, 76, 14, 89, 70, 08]
.text ...
.text win32k.sys!EngGradientFill + 37 BF8AEBC7 16 Bytes [75, 04, 83, 65, 08, 00, FF, ...] {JNZ 0x6; AND DWORD [EBP+0x8], 0x0; PUSH DWORD [EBP+0x8]; LEA EAX, [EBP-0x18]; PUSH DWORD [EBP-0x4]; PUSH EAX}
.text win32k.sys!EngGradientFill + 48 BF8AEBD8 17 Bytes CALL BF818EBE \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngGradientFill + 5A BF8AEBEA 24 Bytes [FF, 3B, FB, 8B, 75, 28, 0F, ...]
.text win32k.sys!EngGradientFill + 73 BF8AEC03 21 Bytes [FF, 50, FF, 75, 2C, FF, 75, ...]
.text win32k.sys!EngGradientFill + 89 BF8AEC19 5 Bytes [25, 00, 00, 00, 89] {AND EAX, 0x89000000}
.text ...
.text win32k.sys!EngModifySurface + 1B BF8B93D3 25 Bytes CALL BF8B9306 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngModifySurface + 35 BF8B93ED 3 Bytes [45, 14, FC] {INC EBP; ADC AL, 0xfc}
.text win32k.sys!EngModifySurface + 3B BF8B93F3 16 Bytes [0F, 85, 03, 01, 00, 00, 8B, ...] {JNZ 0x109; MOV ECX, [ESI+0x48]; MOV EDI, 0x400000; TEST EDI, ECX}
.text win32k.sys!EngModifySurface + 4C BF8B9404 5 Bytes [84, 2C, FF, FF, FF]
.text win32k.sys!EngModifySurface + 52 BF8B940A 31 Bytes [46, 1C, 85, C0, 75, 89, 80, ...]
.text ...
.text win32k.sys!EngAlphaBlend + 4 BF8B9EB5 63 Bytes [CA, F7, D9, 1B, C9, 8D, 42, ...]
.text win32k.sys!EngAlphaBlend + 45 BF8B9EF6 41 Bytes [8B, 75, 10, 89, 75, 20, 8B, ...]
.text win32k.sys!EngAlphaBlend + 6F BF8B9F20 121 Bytes [74, 04, 80, 49, 22, 04, F6, ...]
.text win32k.sys!EngAlphaBlend + E9 BF8B9F9A 15 Bytes [B0, 8B, 45, C0, 33, FF, 47, ...]
.text win32k.sys!EngAlphaBlend + F9 BF8B9FAA 22 Bytes [A8, 50, 8D, 45, EC, 50, FF, ...]
.text ...
.text win32k.sys!EngDeletePalette + 72 BF8C5772 157 Bytes [40, 00, FF, 15, E0, D0, 98, ...]
.text win32k.sys!EngDeletePalette + 111 BF8C5811 91 Bytes [4E, 38, 75, 33, FF, 76, 30, ...]
.text win32k.sys!EngDeletePalette + 16D BF8C586D 7 Bytes CALL BF8C38BA \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngDeletePalette + 175 BF8C5875 14 Bytes [D9, FF, FF, FF, 3B, 35, 38, ...]
.text win32k.sys!EngDeletePalette + 184 BF8C5884 3 Bytes CALL BE8C5889
.text ...
.text win32k.sys!PATHOBJ_vEnumStart + F BF8C6B26 37 Bytes [45, EC, 8B, 00, 8B, 00, 33, ...]
.text win32k.sys!PATHOBJ_vEnumStart + 36 BF8C6B4D 69 Bytes [90, 90, 90, 6A, 10, 68, 30, ...]
.text win32k.sys!PATHOBJ_vEnumStart + 7D BF8C6B94 1 Byte [14]
.text win32k.sys!PATHOBJ_vEnumStart + 80 BF8C6B97 1 Byte [10]
.text win32k.sys!PATHOBJ_vEnumStart + 83 BF8C6B9A 10 Bytes [0C, 56, FF, D1, 89, 45, E4, ...]
.text ...
.text win32k.sys!EngStrokePath + 16 BF8C894A 52 Bytes [46, 1C, 33, DB, 66, 39, 5E, ...]
.text win32k.sys!EngStrokePath + 4B BF8C897F 14 Bytes [1F, F6, 07, 02, 75, 1A, 8B, ...]
.text win32k.sys!EngStrokePath + 5A BF8C898E 21 Bytes CALL BF8C85D9 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngStrokePath + 70 BF8C89A4 34 Bytes [75, 18, 50, FF, 75, 0C, 56, ...]
.text win32k.sys!EngStrokePath + 93 BF8C89C7 7 Bytes [58, 14, 56, 8B, 75, 0C, 57] {POP EAX; ADC AL, 0x56; MOV ESI, [EBP+0xc]; PUSH EDI}
.text ...
.text win32k.sys!EngSort + 18 BF8D2F1B 7 Bytes [FF, 8B, 45, 14, 89, 85, 58] {DEC DWORD [EBX-0x7a76ebbb]; POP EAX}
.text win32k.sys!EngSort + 21 BF8D2F24 23 Bytes [FF, 8B, 45, 0C, 0F, AF, C3, ...]
.text win32k.sys!EngSort + 3A BF8D2F3D 5 Bytes [89, 9D, 54, FF, FF]
.text win32k.sys!EngSort + 40 BF8D2F43 16 Bytes CALL BF8D306D \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngSort + 51 BF8D2F54 1 Byte [57]
.text ...
.text win32k.sys!EngLineTo + 4 BF8D49BF 152 Bytes [45, 08, 53, 56, 8B, F0, F7, ...]
.text win32k.sys!EngLineTo + 9D BF8D4A58 73 Bytes CALL BF9397FD \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngLineTo + E7 BF8D4AA2 3 Bytes [24, 8D, 4D] {AND AL, 0x8d; DEC EBP}
.text win32k.sys!EngLineTo + EB BF8D4AA6 12 Bytes CALL BF80578F \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngLineTo + F8 BF8D4AB3 1 Byte [FF]
.text ...
.text win32k.sys!EngDeleteSemaphore + 7 BF8DF9B0 3 Bytes JMP BF8C56F2 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngDeleteSemaphore + 15 BF8DF9BE 11 Bytes [56, 8B, F1, 8B, 4D, 08, 83, ...] {PUSH ESI; MOV ESI, ECX; MOV ECX, [EBP+0x8]; AND DWORD [ECX], 0x0; MOV EAX, [ESI]}
.text win32k.sys!EngDeleteSemaphore + 21 BF8DF9CA 13 Bytes [40, 68, 85, C0, 74, 17, 8B, ...] {INC EAX; PUSH 0x1774c085; MOV EAX, [EAX+0x10]; MOV [ECX], EAX; MOV EAX, [ESI]}
.text win32k.sys!EngDeleteSemaphore + 2F BF8DF9D8 25 Bytes CALL BF808FEC \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngDeleteSemaphore + 49 BF8DF9F2 127 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...]
.text ...
.text win32k.sys!PATHOBJ_bMoveTo + E BF8E3CD4 29 Bytes JMP BF8E40C7 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!PATHOBJ_bPolyLineTo + 10 BF8E3CF2 54 Bytes [89, 08, 8B, 56, 08, 89, 50, ...]
.text win32k.sys!PATHOBJ_bPolyLineTo + 47 BF8E3D29 124 Bytes [0C, 00, 90, 90, 90, 90, 90, ...]
.text win32k.sys!PATHOBJ_bPolyLineTo + C5 BF8E3DA7 16 Bytes [89, 01, 89, 41, 04, 5D, C2, ...]
.text win32k.sys!PATHOBJ_bPolyLineTo + D6 BF8E3DB8 191 Bytes [A8, 10, 74, 15, 6A, 03, 33, ...]
.text win32k.sys!PATHOBJ_bPolyLineTo + 196 BF8E3E78 78 Bytes [33, DB, 66, 39, 59, 6C, 0F, ...]
.text ...
.text win32k.sys!PATHOBJ_bCloseFigure + 13 BF8E4156 4 Bytes CALL BF8E4192 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!PATHOBJ_bCloseFigure + 19 BF8E415C 5 Bytes [0F, 84, E5, 03, 00]
.text win32k.sys!PATHOBJ_bCloseFigure + 1F BF8E4162 18 Bytes [8B, 45, 14, 85, C0, 8B, 4D, ...] {MOV EAX, [EBP+0x14]; TEST EAX, EAX; MOV ECX, [EBP+0x10]; JNZ 0xfffffffffffffb82; CMP DWORD [EBP+0x18], 0x0}
.text win32k.sys!PATHOBJ_bCloseFigure + 32 BF8E4175 110 Bytes [45, F8, 0F, 85, 6E, FB, FF, ...]
.text win32k.sys!PATHOBJ_bCloseFigure + A1 BF8E41E4 64 Bytes [FF, 75, 0C, 8B, CB, E8, 19, ...]
.text ...
.text win32k.sys!EngFillPath + 4 BF8E6D3E 56 Bytes CALL 809E33C6
.text win32k.sys!EngFillPath + 3D BF8E6D77 7 Bytes [10, C1, E0, 04, 89, 45, D8] {ADC CL, AL; LOOPNZ 0x8; MOV [EBP-0x28], EAX}
.text win32k.sys!EngFillPath + 45 BF8E6D7F 18 Bytes [45, CC, EB, 66, 90, 90, 90, ...]
.text win32k.sys!EngFillPath + 59 BF8E6D93 90 Bytes [53, 8B, 5D, 08, 8D, 43, F0, ...]
.text win32k.sys!EngFillPath + B4 BF8E6DEE 46 Bytes CALL BF8E7038 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text ...
.text win32k.sys!PATHOBJ_vGetBounds + 23 BF8E8B8D 24 Bytes [85, C0, 74, 10, 8D, 4E, 18, ...]
.text win32k.sys!PATHOBJ_vGetBounds + 3C BF8E8BA6 37 Bytes [33, 39, 48, 0C, 75, 2E, 39, ...]
.text win32k.sys!PATHOBJ_vGetBounds + 62 BF8E8BCC 80 Bytes [F8, A5, A5, A5, A5, 33, C9, ...]
.text win32k.sys!PATHOBJ_vGetBounds + B3 BF8E8C1D 305 Bytes [C2, 04, 00, 33, F6, 46, EB, ...]
.text win32k.sys!PATHOBJ_vGetBounds + 1E5 BF8E8D4F 30 Bytes JMP B60FD30A
.text ...
.text win32k.sys!FONTOBJ_pifi + 2 BF8FA8D2 23 Bytes [C2, 0C, 00, FF, 75, E4, E8, ...]
.text win32k.sys!FONTOBJ_pifi + 1A BF8FA8EA 46 Bytes [77, 18, 8B, C6, C1, E0, 03, ...]
.text win32k.sys!FONTOBJ_pifi + 49 BF8FA919 55 Bytes [EB, B2, 8B, 49, 0C, 83, F9, ...]
.text win32k.sys!FONTOBJ_pifi + 81 BF8FA951 3 Bytes [01, 00, 00]
.text win32k.sys!FONTOBJ_pifi + 85 BF8FA955 17 Bytes [41, 0C, 1B, C0, 40, EB, 14, ...] {INC ECX; OR AL, 0x1b; ROL BYTE [EAX-0x15], 0x14; NOP ; NOP ; NOP ; NOP ; NOP ; MOV EDI, EDI; PUSH EBP; MOV EBP, ESP}
.text ...
.text win32k.sys!HT_Get8BPPMaskPalette + 13 BF8FC1C1 30 Bytes [FF, FF, 90, 90, 90, 90, 90, ...]
.text win32k.sys!HT_Get8BPPMaskPalette + 32 BF8FC1E0 102 Bytes JMP BF8FC3E8 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!HT_Get8BPPMaskPalette + 99 BF8FC247 35 Bytes CALL BF833A2E \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!HT_Get8BPPMaskPalette + BD BF8FC26B 28 Bytes [EB, 10, 83, 7D, 20, 00, 74, ...]
.text win32k.sys!HT_Get8BPPMaskPalette + DA BF8FC288 13 Bytes [74, 08, FF, 75, D0, E8, 9F, ...]
.text ...
.text win32k.sys!HT_Get8BPPFormatPalette + 27 BF8FC594 81 Bytes [89, 45, 0C, 89, 45, 18, 89, ...]
.text win32k.sys!HT_Get8BPPFormatPalette + 79 BF8FC5E6 1 Byte [01]
.text win32k.sys!HT_Get8BPPFormatPalette + 79 BF8FC5E6 15 Bytes [01, 00, 00, 2B, DA, D1, EB, ...]
.text win32k.sys!HT_Get8BPPFormatPalette + 89 BF8FC5F6 75 Bytes [03, C3, 89, 45, F4, 8B, 7D, ...]
.text win32k.sys!HT_Get8BPPFormatPalette + D5 BF8FC642 121 Bytes [8B, 45, 18, 39, 45, 1C, 0F, ...]
.text ...
.text win32k.sys!STROBJ_bEnumPositionsOnly + F BF8FC81D 38 Bytes [4D, FC, B8, FF, 00, 00, 00, ...]
.text win32k.sys!STROBJ_bEnumPositionsOnly + 37 BF8FC845 279 Bytes [EB, 77, 33, C0, EB, 73, 90, ...]
.text win32k.sys!XFORMOBJ_bApplyXform + A1 BF8FC95E 96 Bytes [EC, 69, C0, FF, 00, 00, 00, ...]
.text win32k.sys!XFORMOBJ_bApplyXform + 102 BF8FC9BF 70 Bytes [00, 00, 89, 5D, E4, E9, 2D, ...]
.text win32k.sys!XFORMOBJ_bApplyXform + 149 BF8FCA06 18 Bytes [90, 90, 90, 90, 90, 6A, 1C, ...]
.text win32k.sys!XFORMOBJ_bApplyXform + 15C BF8FCA19 36 Bytes [47, 89, 7D, E4, FF, 15, 60, ...]
.text win32k.sys!XFORMOBJ_bApplyXform + 181 BF8FCA3E 36 Bytes [00, 00, 8B, BE, CC, 00, 00, ...]
.text ...
.text win32k.sys!FONTOBJ_vGetInfo + 6 BF8FCB1B 18 Bytes [AA, FE, FF, FF, 8B, 45, E0, ...]
.text win32k.sys!FONTOBJ_vGetInfo + 19 BF8FCB2E 44 Bytes [F7, FF, 83, A6, CC, 00, 00, ...]
.text win32k.sys!FONTOBJ_vGetInfo + 49 BF8FCB5E 35 Bytes [8B, FF, 55, 8B, EC, 8B, 55, ...]
.text win32k.sys!FONTOBJ_vGetInfo + 6E BF8FCB83 13 Bytes [00, EB, F1, 90, 90, 90, 90, ...] {ADD BL, CH; INT1 ; NOP ; NOP ; NOP ; NOP ; NOP ; MOV EDI, EDI; PUSH EBP; MOV EBP, ESP}
.text win32k.sys!FONTOBJ_vGetInfo + 7C BF8FCB91 8 Bytes [45, 08, F6, 40, 31, 14, 75, ...]
.text ...
.text win32k.sys!FONTOBJ_cGetGlyphs + 57 BF8FCE1A 105 Bytes [85, C0, 74, 31, 57, 53, FF, ...]
.text win32k.sys!FONTOBJ_cGetGlyphs + C1 BF8FCE84 22 Bytes JMP BF8FCF12 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!STROBJ_bGetAdvanceWidths + 10 BF8FCE9B 6 Bytes [45, 08, 56, 89, 45, 08]
.text win32k.sys!STROBJ_bGetAdvanceWidths + 18 BF8FCEA3 110 Bytes [45, E4, 50, 8D, 4D, 08, E8, ...]
.text win32k.sys!STROBJ_bGetAdvanceWidths + 89 BF8FCF14 23 Bytes [42, 0C, 8B, 06, 83, 78, 3C, ...]
.text win32k.sys!STROBJ_bGetAdvanceWidths + A1 BF8FCF2C 6 Bytes [4A, 04, 02, 5D, C2, 04]
.text win32k.sys!STROBJ_bGetAdvanceWidths + A9 BF8FCF34 28 Bytes [4A, 04, 01, EB, E5, 83, E9, ...]
.text ...
.text win32k.sys!BRUSHOBJ_hGetColorTransform + 1 BF8FD150 4 Bytes [00, 89, 45, F0]
.text win32k.sys!BRUSHOBJ_hGetColorTransform + 8 BF8FD157 30 Bytes [56, FF, 75, 0C, 89, 45, 14, ...]
.text win32k.sys!BRUSHOBJ_hGetColorTransform + 27 BF8FD176 82 Bytes [89, 08, 46, 83, 65, 14, 00, ...]
.text win32k.sys!BRUSHOBJ_hGetColorTransform + 7A BF8FD1C9 29 Bytes [01, 00, 00, 00, 89, 7D, F4, ...]
.text win32k.sys!BRUSHOBJ_hGetColorTransform + 98 BF8FD1E7 50 Bytes [5D, 0C, 0F, 85, 97, 00, 00, ...]
.text ...
.text win32k.sys!EngAllocUserMem + 35 BF8FDB12 4 Bytes [33, DB, 89, 5D]
.text win32k.sys!EngAllocUserMem + 3A BF8FDB17 82 Bytes [39, 5D, 08, 74, A7, 6A, 04, ...]
.text win32k.sys!EngAllocUserMem + 8D BF8FDB6A 18 Bytes [7D, D0, 8B, 45, 08, 89, 45, ...]
.text win32k.sys!EngAllocUserMem + A0 BF8FDB7D 26 Bytes [FF, 8D, 45, E7, 50, 6A, 0C, ...]
.text win32k.sys!EngAllocUserMem + BB BF8FDB98 17 Bytes [24, 38, 5D, E7, 74, 1F, 8D, ...]
.text ...
.text win32k.sys!EngMarkBandingSurface + 2 BF8FE0A6 14 Bytes CALL BF8FD64F \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngMarkBandingSurface + 11 BF8FE0B5 241 Bytes [14, 00, 00, 00, 85, C0, 74, ...]
.text win32k.sys!EngMarkBandingSurface + 103 BF8FE1A7 6 Bytes [15, 50, CE, 98, BF, 6A]
.text win32k.sys!EngMarkBandingSurface + 10A BF8FE1AE 33 Bytes [8D, 45, FC, 50, 6A, 1C, 8D, ...]
.text win32k.sys!EngMarkBandingSurface + 12C BF8FE1D0 57 Bytes [8B, 08, 89, 0F, 8B, 40, 04, ...]
.text ...
.text win32k.sys!BRUSHOBJ_ulGetBrushColor + 18 BF8FE9BE 74 Bytes [30, 01, 89, 48, 08, 74, 20, ...]
.text win32k.sys!BRUSHOBJ_ulGetBrushColor + 63 BF8FEA09 207 Bytes [15, 60, CE, 98, BF, 50, FF, ...]
.text win32k.sys!BRUSHOBJ_ulGetBrushColor + 134 BF8FEADA 11 Bytes [3B, FA, 7C, 06, 7E, 0C, 8B, ...]
.text win32k.sys!BRUSHOBJ_ulGetBrushColor + 140 BF8FEAE6 29 Bytes [EB, E2, 8B, F9, EB, 2E, 33, ...]
.text win32k.sys!BRUSHOBJ_ulGetBrushColor + 15F BF8FEB05 2 Bytes CALL BF902066 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text ...
.text win32k.sys!EngStrokeAndFillPath + 13 BF9003AD 36 Bytes JMP BF90046C \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngStrokeAndFillPath + 38 BF9003D2 3 Bytes [8B, 4D, 28] {MOV ECX, [EBP+0x28]}
.text win32k.sys!EngStrokeAndFillPath + 3C BF9003D6 63 Bytes [55, 20, 53, 56, 8B, 75, 08, ...]
.text win32k.sys!EngStrokeAndFillPath + 7C BF900416 27 Bytes [0E, 8B, D1, 23, D7, 8B, C2, ...]
.text win32k.sys!EngStrokeAndFillPath + 99 BF900433 1 Byte [2C]
.text ...
.text win32k.sys!STROBJ_bEnum + 4F BF9008A7 12 Bytes [34, 85, C9, 57, 8B, F8, 74, ...]
.text win32k.sys!STROBJ_bEnum + 5C BF9008B4 52 Bytes [00, 00, 85, C0, 74, 8E, 8B, ...]
.text win32k.sys!STROBJ_bEnum + 91 BF9008E9 215 Bytes [F6, 40, 30, 01, 75, 06, 5D, ...]
.text win32k.sys!STROBJ_bEnum + 169 BF9009C1 6 Bytes [FD, FF, 85, C0, 74, 34]
.text win32k.sys!STROBJ_bEnum + 170 BF9009C8 6 Bytes [15, 50, CE, 98, BF, 6A]
.text ...
.text win32k.sys!EngCreateDriverObj + 1E BF907D1D 57 Bytes JMP BF907C66 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngCreateDriverObj + 58 BF907D57 79 Bytes [80, 04, 03, 00, 00, 89, 46, ...]
.text win32k.sys!EngCreateDriverObj + A8 BF907DA7 2 Bytes [90, 90] {NOP ; NOP }
.text win32k.sys!EngCreateDriverObj + AD BF907DAC 17 Bytes [8B, 45, EC, 8B, 00, 8B, 00, ...] {MOV EAX, [EBP-0x14]; MOV EAX, [EAX]; MOV EAX, [EAX]; XOR ECX, ECX; CMP EAX, 0xe0000001; SETZ CL}
.text win32k.sys!EngCreateDriverObj + BF BF907DBE 42 Bytes [C1, C3, 90, 90, 90, 90, 90, ...]
.text ...
.text win32k.sys!EngLockDriverObj + 20 BF907ED9 4 Bytes [33, C0, EB, F4] {XOR EAX, EAX; JMP 0xfffffffffffffff8}
.text win32k.sys!EngDeleteDriverObj BF907EDE 84 Bytes [90, 90, 90, 90, 8B, FF, 55, ...]
.text win32k.sys!EngDeleteDriverObj + 55 BF907F33 7 Bytes [8D, 46, 10, 50, FF, 56, 14] {LEA EAX, [ESI+0x10]; PUSH EAX; CALL [ESI+0x14]}
.text win32k.sys!EngDeleteDriverObj + 5E BF907F3C 33 Bytes [8B, 45, FC, 8B, 48, 28, E8, ...]
.text win32k.sys!EngDeleteDriverObj + 80 BF907F5E 53 Bytes CALL BF805FF0 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngDeleteDriverObj + B8 BF907F96 39 Bytes [8B, 45, EC, 8B, 00, 8B, 00, ...]
.text ...
.text win32k.sys!EngGetCurrentProcessId + 13 BF908547 27 Bytes [8B, FF, 55, 8B, EC, A1, 80, ...]
.text win32k.sys!EngGetCurrentProcessId + 30 BF908564 3 Bytes [90, 90, 90] {NOP ; NOP ; NOP }
.text win32k.sys!EngGetCurrentProcessId + 34 BF908568 15 Bytes [FF, 55, 8B, EC, 5D, EB, 05, ...] {CALL [EBP-0x75]; IN AL, DX ; POP EBP; JMP 0xc; NOP ; NOP ; NOP ; NOP ; NOP ; MOV EDI, EDI; PUSH EBP}
.text win32k.sys!EngGetCurrentProcessId + 44 BF908578 47 Bytes [EC, 8B, 4D, 08, 33, C0, 39, ...]
.text win32k.sys!EngGetCurrentProcessId + 75 BF9085A9 36 Bytes [0C, 48, 75, 0C, 39, 75, 10, ...]
.text ...
.text win32k.sys!PATHOBJ_bEnumClipLines + 66 BF90C944 1 Byte [45]
.text win32k.sys!PATHOBJ_bEnumClipLines + 66 BF90C944 152 Bytes [45, CC, 50, 6A, 2C, 8D, 45, ...]
.text win32k.sys!PATHOBJ_bEnumClipLines + FF BF90C9DD 92 Bytes [C0, 40, C3, 90, 90, 90, 90, ...]
.text win32k.sys!PATHOBJ_bEnumClipLines + 15C BF90CA3A 90 Bytes [55, 0C, 83, C0, 0C, 8B, 08, ...]
.text win32k.sys!PATHOBJ_bEnumClipLines + 1B7 BF90CA95 105 Bytes [EC, 8B, 4D, 08, 8B, 41, 2C, ...]
.text ...
.text win32k.sys!EngMapFontFile + 2 BF90D263 65 Bytes [53, 56, 8B, F1, 8B, 46, 58, ...]
.text win32k.sys!EngMapFontFile + 44 BF90D2A5 28 Bytes [57, 66, 89, 86, D4, 00, 00, ...]
.text win32k.sys!EngMapFontFile + 61 BF90D2C2 84 Bytes [00, 68, 18, 1A, 99, BF, E8, ...]
.text win32k.sys!EngMapFontFile + B6 BF90D317 4 Bytes [EB, 07, 83, A5]
.text win32k.sys!EngMapFontFile + BB BF90D31C 21 Bytes [FD, FF, FF, 00, 8B, 78, 04, ...]
.text ...
.text win32k.sys!EngUnmapFontFile + 6C BF90E0CD 3 Bytes [90, 90, 90] {NOP ; NOP ; NOP }
.text win32k.sys!EngUnmapFontFile + 70 BF90E0D1 16 Bytes [FF, 55, 8B, EC, A1, D8, BB, ...]
.text win32k.sys!EngUnmapFontFile + 81 BF90E0E2 144 Bytes [FA, FF, 6A, 01, FF, 75, 08, ...]
.text win32k.sys!EngUnmapFontFile + 112 BF90E173 17 Bytes CALL BF800B23 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngUnmapFontFile + 124 BF90E185 163 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]


Other half; it was too long for one post.

.text ...
.text win32k.sys!PALOBJ_cGetColors + 1C BF90E490 31 Bytes [76, 78, FF, 76, 2C, E8, 91, ...]
.text win32k.sys!PALOBJ_cGetColors + 3E BF90E4B2 2 Bytes [90, 90] {NOP ; NOP }
.text win32k.sys!PALOBJ_cGetColors + 41 BF90E4B5 151 Bytes [FF, 55, 8B, EC, 8B, 45, 0C, ...]
.text win32k.sys!PALOBJ_cGetColors + D9 BF90E54D 12 Bytes [A1, 58, AE, 9A, BF, 8B, 4E, ...]
.text win32k.sys!PALOBJ_cGetColors + E6 BF90E55A 32 Bytes [00, 8D, 4F, 0C, 8B, 01, EB, ...]
.text ...
.text win32k.sys!EngCreateClip + 2B BF910FFB 49 Bytes [0F, AF, C8, 83, F9, 04, 7E, ...]
.text win32k.sys!EngCreateClip + 5E BF91102E 3 Bytes [8B, FF, 55] {MOV EDI, EDI; PUSH EBP}
.text win32k.sys!EngCreateClip + 62 BF911032 4 Bytes [EC, 8B, 45, 08] {IN AL, DX ; MOV EAX, [EBP+0x8]}
.text win32k.sys!EngCreateClip + 67 BF911037 35 Bytes [0F, B7, 70, 02, 57, 33, FF, ...]
.text win32k.sys!EngCreateClip + 8B BF91105B 18 Bytes [74, 11, 47, 83, C2, 04, 3B, ...]
.text ...
.text win32k.sys!EngSetPointerTag + 4A BF91636F 21 Bytes [50, 8D, 45, F4, 50, E8, EF, ...]
.text win32k.sys!EngSetPointerTag + 60 BF916385 32 Bytes [75, F4, 68, B4, 00, 00, 00, ...]
.text win32k.sys!EngSetPointerTag + 81 BF9163A6 10 Bytes [55, 8B, EC, 8B, 45, 08, 85, ...] {PUSH EBP; MOV EBP, ESP; MOV EAX, [EBP+0x8]; TEST EAX, EAX; JNZ 0x17}
.text win32k.sys!EngSetPointerTag + 8C BF9163B1 63 Bytes [15, 60, CE, 98, BF, 50, FF, ...]
.text win32k.sys!EngSetPointerTag + CC BF9163F1 35 Bytes [C0, 74, 19, 50, FF, 15, 8C, ...]
.text ...
.text win32k.sys!XFORMOBJ_iGetFloatObjXform + 8 BF9338E2 96 Bytes CALL BF80F0A0 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!FLOATOBJ_SetLong BF933943 5 Bytes [90, 90, 90, 90, 8B]
.text win32k.sys!FLOATOBJ_SetLong + 6 BF933949 9 Bytes [55, 8B, EC, 51, 51, 8D, 45, ...] {PUSH EBP; MOV EBP, ESP; PUSH ECX; PUSH ECX; LEA EAX, [EBP-0x8]; PUSH EAX}
.text win32k.sys!FLOATOBJ_SetLong + 10 BF933953 36 Bytes CALL BF80F09F \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!FLOATOBJ_GetLong + D BF933979 16 Bytes [0C, FF, 75, 08, FF, 75, 08, ...] {OR AL, 0xff; JNZ 0xc; PUSH DWORD [EBP+0x8]; CALL 0xffffffffffedb9d0; POP EBP; RET 0x8}
.text win32k.sys!FLOATOBJ_AddFloat BF93398B 3 Bytes [90, 90, 90] {NOP ; NOP ; NOP }
.text win32k.sys!FLOATOBJ_AddFloat + 4 BF93398F 22 Bytes [FF, 55, 8B, EC, 8B, 4D, 08, ...]
.text win32k.sys!FLOATOBJ_AddFloat + 1B BF9339A6 67 Bytes [55, 8B, EC, 51, 51, 33, C9, ...]
.text win32k.sys!FLOATOBJ_Add + 9 BF9339EA 106 Bytes [55, 8B, EC, 51, 51, 83, 7D, ...]
.text win32k.sys!FLOATOBJ_Sub + 2 BF933A55 65 Bytes [FF, 75, 08, 8D, 4D, F8, E8, ...]
.text win32k.sys!FLOATOBJ_MulLong BF933A9A 36 Bytes [90, 8B, FF, 55, 8B, EC, FF, ...]
.text win32k.sys!FLOATOBJ_MulLong + 25 BF933ABF 9 Bytes CALL BF804852 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!FLOATOBJ_Mul + 4 BF933AC9 27 Bytes [C6, 5E, 5D, C2, 04, 00, 90, ...]
.text win32k.sys!FLOATOBJ_DivFloat + 4 BF933AE5 123 Bytes [45, 0C, 8D, 70, 10, 3B, F0, ...]
.text win32k.sys!FLOATOBJ_Neg + E BF933B61 31 Bytes [ED, FF, 83, 66, 04, 00, 33, ...]
.text win32k.sys!FLOATOBJ_EqualLong + 18 BF933B81 126 Bytes [00, 90, 90, 90, 90, 90, 8B, ...]
.text win32k.sys!FLOATOBJ_LessThanLong + B BF933C00 101 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]
.text win32k.sys!FLOATOBJ_LessThan + 6 BF933C66 9 Bytes [74, 53, 8D, 45, E4, 50, 8D, ...]
.text win32k.sys!FLOATOBJ_LessThan + 10 BF933C70 10 Bytes [FF, FF, 50, 8D, 4F, 30, E8, ...]
.text win32k.sys!FLOATOBJ_LessThan + 1B BF933C7B 125 Bytes [85, C0, 74, 3C, 8D, 45, F0, ...]
.text win32k.sys!FLOATOBJ_LessThan + 99 BF933CF9 76 Bytes [8B, 30, 8D, 34, B5, 0C, 00, ...]
.text win32k.sys!FLOATOBJ_LessThan + E6 BF933D46 15 Bytes [75, 5A, 89, 50, 0C, EB, 55, ...] {JNZ 0x5c; MOV [EAX+0xc], EDX; JMP 0x5c; CMP EDX, [EAX+0x8]; JL 0x5c; MOV EAX, [ECX+0x44]}
.text ...
.text win32k.sys!EngGetCurrentThreadId + A BF933F99 35 Bytes [90, 8B, FF, 55, 8B, EC, 83, ...]
.text win32k.sys!EngGetCurrentThreadId + 2E BF933FBD 69 Bytes [CE, 98, BF, 3B, C6, 7D, 04, ...]
.text win32k.sys!EngDebugPrint + 19 BF934004 54 Bytes [14, FF, 30, FF, 75, 10, FF, ...]
.text win32k.sys!EngDebugPrint + 53 BF93403E 89 Bytes [8B, FF, 55, 8B, EC, 56, E8, ...]
.text win32k.sys!EngProbeForRead + 3A BF934098 136 Bytes CALL BF8048E0 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngAllocSectionMem + 84 BF934121 166 Bytes [FF, 55, 8B, EC, 5D, E9, 3E, ...]
.text win32k.sys!EngMapSection + 69 BF9341C8 7 Bytes [EC, A1, 80, 57, 9A, BF, 5D] {IN AL, DX ; MOV EAX, [0xbf9a5780]; POP EBP}
.text win32k.sys!EngMapSection + 71 BF9341D0 46 Bytes [60, 3C, 90, 90, 90, 90, 90, ...]
.text win32k.sys!EngMapSection + A1 BF934200 3 Bytes [8B, FF, 55] {MOV EDI, EDI; PUSH EBP}
.text win32k.sys!EngInitializeSafeSemaphore + 1 BF934204 43 Bytes [EC, A1, 80, 57, 9A, BF, 5D, ...]
.text win32k.sys!EngInitializeSafeSemaphore + 2D BF934230 6 Bytes [EC, A1, 80, 57, 9A, BF] {IN AL, DX ; MOV EAX, [0xbf9a5780]}
.text win32k.sys!EngInitializeSafeSemaphore + 34 BF934237 6 Bytes [FF, A0, 9C, 01, 00, 00] {JMP [EAX+0x19c]}
.text win32k.sys!EngDeleteSafeSemaphore BF93423F 3 Bytes [90, 90, 90] {NOP ; NOP ; NOP }
.text win32k.sys!EngDeleteSafeSemaphore + 4 BF934243 13 Bytes [FF, 55, 8B, EC, A1, 80, 57, ...]
.text win32k.sys!EngDeleteSafeSemaphore + 12 BF934251 8 Bytes [00, 00, 90, 90, 90, 90, 90, ...]
.text win32k.sys!EngDeleteSafeSemaphore + 1B BF93425A 16 Bytes [55, 8B, EC, A1, 80, 57, 9A, ...] {PUSH EBP; MOV EBP, ESP; MOV EAX, [0xbf9a5780]; POP EBP; JMP [EAX+0x104]; NOP }
.text win32k.sys!EngDeleteSafeSemaphore + 2F BF93426E 23 Bytes [8B, FF, 55, 8B, EC, A1, 80, ...]
.text ...
.text win32k.sys!HeapVidMemAllocAligned + 1 BF934753 2 Bytes [45, 10]
.text win32k.sys!HeapVidMemAllocAligned + 4 BF934756 24 Bytes [00, 89, 06, 83, 45, 10, 04, ...]
.text win32k.sys!VidMemFree + 7 BF93476F 11 Bytes [EB, 11, 90, 90, 90, 90, 90, ...] {JMP 0x13; NOP ; NOP ; NOP ; NOP ; NOP ; XOR EAX, EAX; INC EAX; RET }
.text win32k.sys!EngAllocPrivateUserMem BF93477E 18 Bytes CALL BF8F9506 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngFreePrivateUserMem BF934794 37 Bytes [90, 8B, FF, 55, 8B, EC, 56, ...]
.text win32k.sys!EngDxIoctl + 10 BF9347BA 7 Bytes [8D, 4D, 08, E8, 9B, FE, FF]
.text win32k.sys!EngLockDirectDrawSurface + 2 BF9347C2 4 Bytes [46, 83, 7D, 08]
.text win32k.sys!EngLockDirectDrawSurface + 7 BF9347C7 75 Bytes [74, 08, 8B, 4D, 08, E8, 51, ...]
.text win32k.sys!EngUnlockDirectDrawSurface + 3D BF934813 13 Bytes [00, 00, 0F, B6, 45, 31, 0F, ...] {ADD [EAX], AL; MOVZX EAX, BYTE [EBP+0x31]; MOVZX EAX, BYTE [EAX-0x406632f8]}
.text win32k.sys!EngUnlockDirectDrawSurface + 4B BF934821 48 Bytes [4D, 30, 53, 81, E1, FF, 00, ...]
.text win32k.sys!EngUnlockDirectDrawSurface + 7C BF934852 81 Bytes [D6, F7, DA, 1B, D2, 8D, 46, ...]
.text win32k.sys!EngUnlockDirectDrawSurface + CE BF9348A4 91 Bytes [1C, FF, 75, 18, FF, 75, 14, ...]
.text win32k.sys!EngUnlockDirectDrawSurface + 12A BF934900 11 Bytes [75, D8, 8B, 73, 20, 03, F7, ...]
.text ...
.text win32k.sys!EngGetType1FontList + 1 BF9352CA 17 Bytes [4D, F4, 66, 89, 48, 0C, 66, ...]
.text win32k.sys!EngGetType1FontList + 13 BF9352DC 20 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]
.text win32k.sys!EngGetType1FontList + 28 BF9352F1 6 Bytes [8B, 40, 04, 83, 89, A8]
.text win32k.sys!EngGetType1FontList + 2F BF9352F8 7 Bytes [00, 00, 04, 89, 81, B0, 00]
.text win32k.sys!EngGetType1FontList + 38 BF935301 63 Bytes [5D, C2, 04, 00, 90, 90, 90, ...]
.text ...
.text win32k.sys!EngQueryLocalTime BF9353FB 60 Bytes [90, 90, 90, 90, 8B, FF, 56, ...]
.text win32k.sys!EngQueryLocalTime + 3D BF935438 63 Bytes [FF, 55, 8B, EC, 56, 8B, F1, ...]
.text win32k.sys!EngQueryLocalTime + 7D BF935478 32 Bytes [FF, 55, 8B, EC, 51, 8B, 45, ...]
.text win32k.sys!EngQueryLocalTime + 9E BF935499 14 Bytes [7D, 0C, FF, 36, 8B, CF, E8, ...]
.text win32k.sys!EngQueryLocalTime + AD BF9354A8 10 Bytes [74, 46, 8B, 4D, FC, 39, 48, ...] {JZ 0x48; MOV ECX, [EBP-0x4]; CMP [EAX+0x1c], ECX; JZ 0x16}
.text ...
.text win32k.sys!EngCheckAbort + E7 BF93576F 4 Bytes [20, 85, C9, 74]
.text win32k.sys!EngCheckAbort + EC BF935774 36 Bytes [89, 31, 8B, 7D, 24, 85, FF, ...]
.text win32k.sys!EngCheckAbort + 111 BF935799 73 Bytes JMP BF935834 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngCheckAbort + 15B BF9357E3 131 Bytes [5D, D8, FF, 75, E0, FF, 15, ...]
.text win32k.sys!EngCheckAbort + 1DF BF935867 4 Bytes [FF, 8D, 4E, 08]
.text ...
.text win32k.sys!EngDeleteEvent + 1 BF936E8D 199 Bytes [7D, 0C, 33, C0, 3B, D8, 66, ...]
.text win32k.sys!EngMapEvent + A5 BF936F55 16 Bytes [00, 00, 39, 70, 18, 74, 12, ...]
.text win32k.sys!EngUnmapEvent + C BF936F66 57 Bytes JMP BF936FF5 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngSetEvent + 18 BF936FA0 36 Bytes [00, 89, 75, D8, C7, 45, E0, ...]
.text win32k.sys!EngReadStateEvent + 7 BF936FC5 18 Bytes [EC, 50, FF, 75, FC, FF, 15, ...] {IN AL, DX ; PUSH EAX; PUSH DWORD [EBP-0x4]; CALL [0xbf98d324]; TEST EAX, EAX; JL 0x20; MOV ECX, [EBP-0x44]}
.text win32k.sys!EngReadStateEvent + 1A BF936FD8 31 Bytes [45, 0C, 89, 08, 8B, 4D, C0, ...]
.text win32k.sys!EngReadStateEvent + 3A BF936FF8 28 Bytes [33, F6, 46, 8B, C6, 5E, C9, ...]
.text win32k.sys!EngReadStateEvent + 57 BF937015 35 Bytes [FF, 75, 0C, 50, FF, 70, 0C, ...]
.text win32k.sys!EngReadStateEvent + 7B BF937039 15 Bytes [45, FC, 8B, 45, 0C, 56, 8B, ...] {INC EBP; CLD ; MOV EAX, [EBP+0xc]; PUSH ESI; MOV ESI, [0xbf98ce80]; MOV [EBP-0x38], EAX}
.text ...
.text win32k.sys!EngGetFilePath + 1 BF93709E 263 Bytes [F8, 3B, FB, 74, 54, FF, 75, ...]
.text win32k.sys!EngGetFileChangeTime + DD BF9371A6 14 Bytes [30, 40, 3B, C2, 7C, DD, 8B, ...] {XOR [EAX+0x3b], AL; RET 0xdd7c; MOV EAX, EDX; POP EDI; POP ESI; POP EBP; RET 0x14}
.text win32k.sys!EngGetFileChangeTime + EF BF9371B8 54 Bytes [90, 8B, FF, 55, 8B, EC, 83, ...]
.text win32k.sys!EngGetFileChangeTime + 126 BF9371EF 52 Bytes [C7, 45, EC, 40, 00, 00, 00, ...]
.text win32k.sys!EngGetFileChangeTime + 15C BF937225 145 Bytes [14, 8B, 45, 0C, 8B, 70, 04, ...]
.text win32k.sys!EngGetFileChangeTime + 1EE BF9372B7 69 Bytes [75, 24, FF, 75, 20, FF, 75, ...]
.text ...
.text win32k.sys!EngDeleteFile + 63 BF9373AA 17 Bytes [FF, 75, 1C, FF, 75, 18, FF, ...] {PUSH DWORD [EBP+0x1c]; PUSH DWORD [EBP+0x18]; PUSH DWORD [EBP+0x10]; CALL [EBP+0x8]; MOV ECX, [EBP+0x20]; NEG ESI}
.text win32k.sys!EngDeleteFile + 75 BF9373BC 1 Byte [D7]
.text win32k.sys!EngDeleteFile + 75 BF9373BC 102 Bytes [D7, 56, F7, DA, 8B, D8, E8, ...]
.text win32k.sys!EngDeleteFile + DC BF937423 72 Bytes [45, F4, 8B, 4D, FC, 8B, 55, ...]
.text win32k.sys!EngDeleteFile + 127 BF93746E 1 Byte [0C]
.text ...
.text win32k.sys!EngControlSprites + 8 BF938507 17 Bytes [73, CE, EB, EC, 90, 90, 90, ...] {JAE 0xffffffffffffffd0; JMP 0xfffffffffffffff0; NOP ; NOP ; NOP ; NOP ; NOP ; MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; SUB ESP, 0x18}
.text win32k.sys!EngControlSprites + 1A BF938519 54 Bytes [45, 10, 53, 56, 33, DB, 33, ...]
.text win32k.sys!EngControlSprites + 51 BF938550 56 Bytes [8B, F0, EB, 02, 33, F6, 3B, ...]
.text win32k.sys!EngControlSprites + 8A BF938589 78 Bytes [45, 10, 6A, 00, FF, 70, 24, ...]
.text win32k.sys!EngControlSprites + DA BF9385D9 172 Bytes [8B, 5D, F8, 6A, 00, 8D, 45, ...]
.text ...
.text win32k.sys!EngMovePointer + 5A BF938EB9 23 Bytes [FB, 8B, C7, 75, F1, 6A, 02, ...]
.text win32k.sys!EngMovePointer + 72 BF938ED1 16 Bytes JMP BF938FC6 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngMovePointer + 83 BF938EE2 11 Bytes [C3, 74, 20, 8D, 8E, BC, 01, ...] {RET ; JZ 0x23; LEA ECX, [ESI+0x1bc]; CMP [ECX], EBX}
.text win32k.sys!EngMovePointer + 8F BF938EEE 80 Bytes [02, 89, 01, FF, 86, C4, 01, ...]
.text win32k.sys!EngMovePointer + E0 BF938F3F 118 Bytes [74, 75, 8B, BE, C0, 01, 00, ...]
.text ...
.text win32k.sys!EngSetPointerShape + 9 BF938FEA 5 Bytes [10, 8B, 48, 08, 56]
.text win32k.sys!EngSetPointerShape + F BF938FF0 115 Bytes [70, 04, 2B, CB, 89, 55, B0, ...]
.text win32k.sys!EngSetPointerShape + 83 BF939064 15 Bytes [8D, 75, BC, 89, 4D, 08, 89, ...] {LEA ESI, [EBP-0x44]; MOV [EBP+0x8], ECX; MOV [EBP+0xc], EAX; MOV [EBP-0x8], EAX; MOV EDX, [ESI-0x4]}
.text win32k.sys!EngSetPointerShape + 93 BF939074 27 Bytes [4E, F4, 2B, 11, 89, 55, F0, ...]
.text win32k.sys!EngSetPointerShape + B0 BF939091 29 Bytes [02, 53, 53, 53, 53, 8D, 45, ...]
.text ...
.text win32k.sys!EngQueryPalette + 14 BF939696 6 Bytes [EC, 83, EC, 38, 53, 56] {IN AL, DX ; SUB ESP, 0x38; PUSH EBX; PUSH ESI}
.text win32k.sys!EngQueryPalette + 1B BF93969D 64 Bytes [75, 08, 8D, 45, C8, 89, 45, ...]
.text win32k.sys!EngQueryPalette + 5C BF9396DE 38 Bytes [D8, FF, 75, 28, 8B, 06, FF, ...]
.text win32k.sys!EngQueryPalette + 83 BF939705 66 Bytes [F0, 74, 27, FF, 75, FC, FF, ...]
.text win32k.sys!EngQueryPalette + C6 BF939748 64 Bytes [08, 33, D2, 8D, 45, A4, 89, ...]
.text ...
.text win32k.sys!EngDeletePath + 2 BF9399E5 166 Bytes [8D, 7B, 1C, 8D, 75, 0C, A5, ...]
.text win32k.sys!EngDeletePath + A9 BF939A8C 164 Bytes CALL BF802A00 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!WNDOBJ_vSetConsumer + 14 BF939B31 12 Bytes [CB, EB, 21, 8B, 41, 0C, EB, ...]
.text win32k.sys!WNDOBJ_vSetConsumer + 21 BF939B3E 10 Bytes [88, 00, 00, 00, 0F, 84, CE, ...] {MOV [EAX], AL; ADD [EAX], AL; JZ 0x1d8}
.text win32k.sys!WNDOBJ_vSetConsumer + 2C BF939B49 2 Bytes [80, 80]
.text win32k.sys!WNDOBJ_vSetConsumer + 31 BF939B4E 20 Bytes [3B, C6, 75, E7, 8B, 49, 04, ...]
.text win32k.sys!WNDOBJ_vSetConsumer + 46 BF939B63 115 Bytes [45, 10, 39, 43, 14, 74, 07, ...]
.text ...
.text win32k.sys!EngCreateWnd + 1 BF939C68 110 Bytes [43, 18, 25, FF, FF, FF, 08, ...]
.text win32k.sys!EngCreateWnd + 71 BF939CD8 9 Bytes [00, 80, 4D, 17, 10, 89, 9F, ...] {ADD [EAX-0x76efe8b3], AL; LAHF ; TEST [EAX], AL}
.text win32k.sys!EngCreateWnd + 7C BF939CE3 29 Bytes [8B, 4D, 08, 89, 45, DC, E8, ...]
.text win32k.sys!EngCreateWnd + 9A BF939D01 12 Bytes CALL BF9399CB \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngCreateWnd + A7 BF939D0E 78 Bytes [85, FF, 75, 27, 33, C0, EB, ...]
.text ...
.text win32k.sys!EngDeleteWnd + 16 BF93A0A5 14 Bytes [90, 90, 90, 90, 90, 8B, FF, ...] {NOP ; NOP ; NOP ; NOP ; NOP ; MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; SUB ESP, 0x28; PUSH EBX}
.text win32k.sys!EngDeleteWnd + 25 BF93A0B4 98 Bytes [8B, 75, 0C, 57, 33, FF, 3B, ...]
.text win32k.sys!EngDeleteWnd + 88 BF93A117 10 Bytes [D0, 00, 00, 00, 8B, 83, 84, ...] {ROL BYTE [EAX], 0x1; ADD [EAX], AL; MOV EAX, [EBX+0x84]}
.text win32k.sys!EngDeleteWnd + 93 BF93A122 13 Bytes [48, 10, 8B, 41, 1C, 3B, C7, ...]
.text win32k.sys!EngDeleteWnd + A1 BF93A130 10 Bytes [00, 75, 3C, 8B, 88, 78, 05, ...]
.text ...
.text win32k.sys!EngDitherColor + 1 BF93ADD4 2 Bytes [45, 10]
.text win32k.sys!EngDitherColor + 4 BF93ADD7 21 Bytes [4D, 0C, 8D, 14, 08, 8B, 45, ...]
.text win32k.sys!EngDitherColor + 1A BF93ADED 43 Bytes [3B, C2, 73, 0A, 40, 40, 66, ...]
.text win32k.sys!EngDitherColor + 46 BF93AE19 28 Bytes [08, 8B, F9, 8B, 04, 06, 85, ...]
.text win32k.sys!EngDitherColor + 63 BF93AE36 23 Bytes [83, F8, FF, 75, E1, 33, C0, ...]
.text ...
.text win32k.sys!EngEnumForms + 7F BF93B6E6 18 Bytes [75, FC, 75, 0E, 6A, 57, E8, ...] {JNZ 0xfffffffffffffffe; JNZ 0x12; PUSH 0x57; CALL 0xffffffffffee58f1; XOR EAX, EAX; JMP 0xf2}
.text win32k.sys!EngEnumForms + 92 BF93B6F9 68 Bytes [75, 0C, 74, 0D, FF, 75, 0C, ...]
.text win32k.sys!EngEnumForms + D7 BF93B73E 70 Bytes JMP D00F4445
.text win32k.sys!EngGetPrinter + 2E BF93B785 78 Bytes [FF, 85, C0, 89, 45, FC, 74, ...]
.text win32k.sys!EngGetPrinter + 7E BF93B7D5 45 Bytes [FC, 5F, 5B, 5E, C9, C2, 18, ...]
.text win32k.sys!EngGetPrinter + AC BF93B803 14 Bytes [39, 75, 0C, 89, 30, 74, 0D, ...]
.text win32k.sys!EngGetPrinter + BB BF93B812 38 Bytes [59, 8D, 74, 00, 02, 53, 57, ...]
.text win32k.sys!EngGetPrinter + E2 BF93B839 12 Bytes [4D, 10, 89, 3B, 89, 43, 0C, ...] {DEC EBP; ADC [ECX+0xc43893b], CL; MOV [EBX+0x8], ECX; JZ 0x22}
.text ...
.text win32k.sys!EngGetForm + 16 BF93B885 1 Byte [53]
.text win32k.sys!EngGetForm + 16 BF93B885 127 Bytes CALL BF93B097 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngGetForm + 96 BF93B905 28 Bytes [14, 83, E1, 03, F3, A4, E8, ...]
.text win32k.sys!EngGetForm + B3 BF93B922 1 Byte [1B]
.text win32k.sys!EngGetForm + B6 BF93B925 25 Bytes [10, 03, 75, 19, 8B, 46, 1C, ...]
.text ...
.text win32k.sys!EngGetPrinterData + 4 BF93BB09 41 Bytes [C8, 83, E1, 03, F3, A4, 89, ...]
.text win32k.sys!EngGetPrinterData + 2E BF93BB33 208 Bytes [53, FF, 75, 08, 89, 43, 0C, ...]
.text win32k.sys!EngGetPrinterData + FF BF93BC04 8 Bytes [C7, 3B, C7, 0F, 84, D1, 00, ...]
.text win32k.sys!EngGetPrinterData + 108 BF93BC0D 87 Bytes [89, 7D, FC, 8D, 0C, 16, 3B, ...]
.text win32k.sys!EngSetPrinterData + 53 BF93BC65 2 Bytes [00, 00] {ADD [EAX], AL}
.text win32k.sys!EngSetPrinterData + 56 BF93BC68 200 Bytes [07, 89, 43, 6C, C7, 43, 1C, ...]
.text win32k.sys!EngWritePrinter + 39 BF93BD31 27 Bytes [8B, 75, FC, 3B, F3, 74, 68, ...]
.text win32k.sys!EngWritePrinter + 56 BF93BD4E 21 Bytes CALL BF80EC34 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngWritePrinter + 6C BF93BD64 21 Bytes [8B, 45, 08, 89, 7E, 74, 89, ...]
.text win32k.sys!EngWritePrinter + 82 BF93BD7A 34 Bytes [8B, 06, 59, 8D, 4D, FC, 89, ...]
.text win32k.sys!EngWritePrinter + A5 BF93BD9D 24 Bytes [0B, F7, FF, 8D, 4D, FC, E8, ...]
.text ...
.text win32k.sys!EngFileIoControl + 27 BF93BFA5 11 Bytes [00, 00, C7, 45, DC, 04, 02, ...]
.text win32k.sys!EngFileIoControl + 33 BF93BFB1 69 Bytes [00, 00, C7, 45, DC, 00, 02, ...]
.text win32k.sys!EngGetTickCount + 41 BF93BFF7 11 Bytes [00, C7, 45, DC, 10, 08, 34, ...]
.text win32k.sys!EngGetTickCount + 4D BF93C003 176 Bytes [FC, 8B, 5D, 0C, F6, C3, 03, ...]
.text win32k.sys!EngGetTickCount + FF BF93C0B5 4 Bytes [00, 3B, 9A, B4]
.text win32k.sys!EngGetTickCount + 105 BF93C0BB 1 Byte [00]
.text win32k.sys!EngGetTickCount + 105 BF93C0BB 32 Bytes [00, 75, 0E, 8B, 98, A8, 00, ...]
.text ...
.text win32k.sys!EngHangNotification BF93E82C 32 Bytes [90, 8B, FF, 55, 8B, EC, 51, ...]
.text win32k.sys!EngHangNotification + 21 BF93E84D 8 Bytes [8B, 06, 75, 1B, 8B, 88, 74, ...]
.text win32k.sys!EngHangNotification + 2A BF93E856 1 Byte [00]
.text win32k.sys!EngHangNotification + 2A BF93E856 189 Bytes [00, F6, 41, 57, 20, 74, 15, ...]
.text win32k.sys!EngHangNotification + E8 BF93E914 72 Bytes [03, 00, 00, 89, 45, F8, FF, ...]
.text ...
.text win32k.sys!EngFntCacheFault + 20 BF93F2DE 31 Bytes CALL BF89A9AB \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngFntCacheFault + 41 BF93F2FF 8 Bytes [00, 83, 25, 74, 59, 9A, BF, ...]
.text win32k.sys!EngFntCacheFault + 4A BF93F308 3 Bytes CALL BF801923 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngFntCacheFault + 4E BF93F30C 12 Bytes CALL BF86D606 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngFntCacheFault + 5C BF93F31A 3 Bytes [8B, FF, 55] {MOV EDI, EDI; PUSH EBP}
.text ...
.text win32k.sys!EngMapModule + 17 BF93F528 6 Bytes [0F, 00, 8D, 45, E4, 50]
.text win32k.sys!EngUnmapFile + 2 BF93F52F 41 Bytes [15, 1C, CF, 98, BF, 85, C0, ...]
.text win32k.sys!EngUnmapFile + 2C BF93F559 23 Bytes [15, 68, CE, 98, BF, 50, FF, ...]
.text win32k.sys!EngUnmapFile + 44 BF93F571 33 Bytes [45, E0, 89, 45, C4, 89, 45, ...]
.text win32k.sys!EngUnmapFile + 66 BF93F593 48 Bytes [00, 8B, 0D, 40, C3, 9A, BF, ...]
.text win32k.sys!EngUnmapFile + 97 BF93F5C4 7 Bytes [31, 89, 3A, C7, 45, D0, 01]
.text ...
.text win32k.sys!EngLoadModuleForWrite BF93FC35 5 Bytes [90, 90, 8B, FF, 55] {NOP ; NOP ; MOV EDI, EDI; PUSH EBP}
.text win32k.sys!EngLoadModuleForWrite + 6 BF93FC3B 27 Bytes [EC, 8B, 45, 08, 8B, 80, 58, ...]
.text win32k.sys!EngMapFile + 1 BF93FC57 20 Bytes [80, 00, 03, 00, 00, 8B, 40, ...]
.text win32k.sys!EngMapFile + 16 BF93FC6C 28 Bytes [FF, 55, 8B, EC, 8B, 4D, 18, ...]
.text win32k.sys!EngMapFile + 33 BF93FC89 19 Bytes [80, 8C, 05, 00, 00, 89, 01, ...] {OR BYTE [EBP+EAX+0x1890000], 0x33; ROL BYTE [EAX+0x5d], 0xc2; SBB [EAX], AL; NOP ; NOP ; NOP ; NOP ; NOP }
.text win32k.sys!EngMapFile + 47 BF93FC9D 218 Bytes [FF, 55, 8B, EC, 83, EC, 10, ...]
.text win32k.sys!EngMapFile + 122 BF93FD78 102 Bytes [02, 00, 00, 8B, 03, 89, 88, ...]
.text win32k.sys!EngGetPrinterDataFileName + 12 BF93FDDF 8 Bytes [89, 88, 70, 05, 00, 00, 8B, ...] {MOV [EAX+0x570], ECX; MOV EAX, [EBX]}
.text win32k.sys!EngGetDriverName + 4 BF93FDE8 9 Bytes [8A, 74, 05, 00, 00, 89, 88, ...]
.text win32k.sys!EngGetDriverName + E BF93FDF2 15 Bytes [00, 8B, 8A, 78, 05, 00, 00, ...]
.text win32k.sys!EngQueryDeviceAttribute + 1 BF93FE02 51 Bytes [8A, 7C, 05, 00, 00, 33, FF, ...]
.text win32k.sys!EngQueryDeviceAttribute + 35 BF93FE36 100 Bytes [55, 08, EB, 02, 33, C0, 8B, ...]
.text win32k.sys!EngQueryDeviceAttribute + 9A BF93FE9B 4 Bytes [8B, 8A, 3C, 02]
.text win32k.sys!EngQueryDeviceAttribute + 9F BF93FEA0 14 Bytes [00, 89, 88, 3C, 02, 00, 00, ...]
.text win32k.sys!EngQueryDeviceAttribute + AE BF93FEAF 8 Bytes [89, 88, 68, 05, 00, 00, B8, ...]
.text ...
.text win32k.sys!EngPlgBlt + 48 BF94243E 28 Bytes [FF, FF, 8B, BC, C5, 6C, FF, ...]
.text win32k.sys!EngPlgBlt + 65 BF94245B 52 Bytes [FF, FF, 7E, 02, 8B, C2, 8B, ...]
.text win32k.sys!EngPlgBlt + 9A BF942490 200 Bytes [C1, F8, 04, 89, 55, EC, 8B, ...]
.text win32k.sys!EngPlgBlt + 163 BF942559 11 Bytes JMP BF942716 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngPlgBlt + 16F BF942565 29 Bytes [4D, EC, C1, E2, 04, 29, 95, ...]
.text ...
.text win32k.sys!STROBJ_fxCharacterExtra + 6 BF944BD2 64 Bytes [C1, 74, 35, 4A, 74, 2B, 4A, ...]
.text win32k.sys!STROBJ_fxBreakExtra + 29 BF944C13 69 Bytes [C2, 0C, 00, 90, 90, 90, 90, ...]
.text win32k.sys!STROBJ_fxBreakExtra + 6F BF944C59 120 Bytes [89, 75, FC, 74, 3C, 89, 7D, ...]
.text win32k.sys!STROBJ_fxBreakExtra + E8 BF944CD2 11 Bytes [D1, F9, 03, 48, 04, 85, D2, ...] {SAR ECX, 0x1; ADD ECX, [EAX+0x4]; TEST EDX, EDX; PUSH EDI; MOV EDI, [EAX+0x2c]}
.text win32k.sys!STROBJ_fxBreakExtra + F4 BF944CDE 32 Bytes [75, EC, 8D, 3C, 7B, 74, 5C, ...]
.text win32k.sys!STROBJ_fxBreakExtra + 115 BF944CFF 47 Bytes [F6, C2, 01, 74, 0D, 0F, B6, ...]
.text ...
.text win32k.sys!FONTOBJ_pfdg + 6 BF946185 97 Bytes [C6, 5E, C9, C2, 08, 00, 90, ...]
.text win32k.sys!FONTOBJ_pvTrueTypeFontFile + 20 BF9461E7 14 Bytes CALL C87722F1
.text win32k.sys!FONTOBJ_pvTrueTypeFontFile + 2F BF9461F6 6 Bytes [C2, C3, 90, 90, 90, 90] {RET 0x90c3; NOP ; NOP ; NOP }
.text win32k.sys!FONTOBJ_pvTrueTypeFontFile + 36 BF9461FD 59 Bytes [8B, FF, 55, 8B, EC, 53, 8B, ...]
.text win32k.sys!FONTOBJ_pvTrueTypeFontFile + 72 BF946239 5 Bytes [55, 8B, EC, 8B, 55]
.text win32k.sys!FONTOBJ_pvTrueTypeFontFile + 78 BF94623F 31 Bytes [53, 8B, D9, 8B, 03, 8B, 48, ...]
.text win32k.sys!FONTOBJ_pjOpenTypeTablePointer + 1A BF94625F 37 Bytes [08, F3, A5, 8B, CB, E8, B8, ...]
.text win32k.sys!FONTOBJ_pwszFontFilePaths + 6 BF946285 47 Bytes [75, 10, 03, F2, 3B, F0, 89, ...]
.text win32k.sys!FONTOBJ_pwszFontFilePaths + 36 BF9462B5 196 Bytes [88, 65, 0D, 8D, 75, 0C, 66, ...]
.text win32k.sys!FONTOBJ_pQueryGlyphAttrs + B4 BF94637A 31 Bytes [F1, 57, 32, C9, 88, 45, FF, ...]
.text win32k.sys!FONTOBJ_pQueryGlyphAttrs + D4 BF94639A 106 Bytes [5D, F8, 89, 1C, 17, 75, 09, ...]
.text win32k.sys!FONTOBJ_pQueryGlyphAttrs + 13F BF946405 111 Bytes [06, 8B, 48, 50, 3B, C8, 74, ...]
.text win32k.sys!FONTOBJ_pQueryGlyphAttrs + 1AF BF946475 73 Bytes [8B, FF, 55, 8B, EC, 8B, 41, ...]
.text win32k.sys!FONTOBJ_pQueryGlyphAttrs + 1F9 BF9464BF 27 Bytes [45, 10, 53, 8B, 18, 3B, DA, ...]
.text ...
.text win32k.sys!XLATEOBJ_cGetPalette + 1 BF947850 4 Bytes [49, 34, EB, 03]
.text win32k.sys!XLATEOBJ_cGetPalette + 6 BF947855 87 Bytes [49, 30, 8A, 44, 01, 04, 5D, ...]
.text win32k.sys!XLATEOBJ_cGetPalette + 5E BF9478AD 15 Bytes [49, 30, 8A, 44, 01, 04, 5D, ...] {DEC ECX; XOR [EDX+0x5d040144], CL; RET 0xc; NOP ; NOP ; NOP ; NOP ; NOP }
.text win32k.sys!XLATEOBJ_cGetPalette + 6E BF9478BD 2 Bytes [FF, 55]
.text win32k.sys!XLATEOBJ_cGetPalette + 71 BF9478C0 18 Bytes [EC, 8B, 45, 10, 8B, 4D, 0C, ...] {IN AL, DX ; MOV EAX, [EBP+0x10]; MOV ECX, [EBP+0xc]; AND EAX, 0x7fff; MOV AL, [ECX+EAX]; MOV ECX, [EBP+0x8]}
.text win32k.sys!XLATEOBJ_hGetColorTransform + 1 BF9478D3 65 Bytes [51, 38, F6, C6, 08, 74, 27, ...]
.text win32k.sys!XLATEOBJ_hGetColorTransform + 43 BF947915 16 Bytes [CA, 81, E1, E0, 07, 00, 00, ...]
.text win32k.sys!XLATEOBJ_hGetColorTransform + 54 BF947926 4 Bytes [C1, E0, 02, 0B]
.text win32k.sys!XLATEOBJ_hGetColorTransform + 59 BF94792B 119 Bytes JMP 40A35AB3
.text win32k.sys!XLATEOBJ_hGetColorTransform + D1 BF9479A3 1 Byte [E8]
.text ...
.text win32k.sys!EngDeleteClip + 32 BF97709E 36 Bytes [FF, FF, 5D, C2, 18, 00, 90, ...]
.text win32k.sys!EngDeleteClip + 57 BF9770C3 17 Bytes [90, 90, 90, 90, 8D, 81, C0, ...] {NOP ; NOP ; NOP ; NOP ; LEA EAX, [ECX+0xc0]; CMP DWORD [EAX], 0x0; JZ 0x20; MOV ECX, [EAX]}
.text win32k.sys!EngDeleteClip + 69 BF9770D5 268 Bytes [51, 0C, 3B, 51, 18, 76, 07, ...]
.text win32k.sys!EngDeleteClip + 176 BF9771E2 189 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]
.text win32k.sys!EngDeleteClip + 234 BF9772A0 26 Bytes [50, 8B, 45, 30, F7, D8, 1B, ...]
.text ...
.text win32k.sys!HT_ComputeRGBGammaTable + 13 BF97E591 9 Bytes [EB, 07, 6A, 10, EB, 02, 6A, ...] {JMP 0x9; PUSH 0x10; JMP 0x8; PUSH 0x2; POP EBX}
.text win32k.sys!HT_ComputeRGBGammaTable + 1D BF97E59B 143 Bytes [7E, 04, 00, 74, 08, 0F, B7, ...]
.text win32k.sys!HT_ComputeRGBGammaTable + AD BF97E62B 9 Bytes [74, 1B, 3C, FD, 75, 41, C7, ...]
.text win32k.sys!HT_ComputeRGBGammaTable + B7 BF97E635 31 Bytes [7C, 00, 00, C7, 45, F0, E0, ...]
.text win32k.sys!HT_ComputeRGBGammaTable + D7 BF97E655 31 Bytes [00, EB, E7, C7, 45, EC, 00, ...]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[2224] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Tall Emu\Online Armor\oacat.exe[2536] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 007D0001
.text C:\Program Files\Tall Emu\Online Armor\oacat.exe[2536] user32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Tall Emu\Online Armor\oacat.exe[2536] user32.dll!LoadStringA 7E42C908 6 Bytes JMP 5F040F5A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F76AF3B0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F76AF410] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F76AF6C0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F76AF700] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F76AF6C0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F76AF410] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F76AF3B0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\win32k.sys[Dxapi.sys!_DxApiGetVersion@0] [805D30EA] \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[HAL.dll!ExAcquireFastMutex] [805D3176] \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[HAL.dll!ExReleaseFastMutex] [8053792C] \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[HAL.dll!KeQueryPerformanceCounter] [80535B7E] \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdDdiWatchdogDpcCallback] 00630069
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdResumeDeferredWatch] 002D0065
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdSuspendDeferredWatch] 00780030
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdAllocateDeferredWatchdog] 00780025
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdStartDeferredWatch] 0025002D
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdStopDeferredWatch] 00240078
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdFreeDeferredWatchdog] 00000000
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdExitMonitoredSection] 00650053
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdEnterMonitoredSection] 00760072
IAT \SystemRoot\System32\drivers\dxgthk.sys[WIN32K.SYS!EngDebugPrint] [BF933E26] \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisDeregisterProtocol] [F76AF700] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisCloseAdapter] [F76AF3B0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisOpenAdapter] [F76AF410] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisRegisterProtocol] [F76AF6C0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F76AF6C0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F76AF700] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F76AF3B0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F76AF410] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

Device \Driver\ubohci \Device\UBOHCI0 UB1394.SYS (FireAPI® 1394 Class Driver (XP)/Unibrain S.A.)
Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\ubohci \Device\C1394 UB1394.SYS (FireAPI® 1394 Class Driver (XP)/Unibrain S.A.)
Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\IPMULTICAST OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT@EventMessageFile C:\WINDOWS\system32\esent.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT@CategoryMessageFile C:\WINDOWS\system32\esent.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 416516
Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 2512
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12778285-2ED9-4AFE-8169-CC087C479957}@DhcpRetryTime 282
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DD642A67-E28C-40A9-8030-9F1D2257CCC7}@LeaseObtainedTime 1244119099
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DD642A67-E28C-40A9-8030-9F1D2257CCC7}@T1 1244248699
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DD642A67-E28C-40A9-8030-9F1D2257CCC7}@T2 1244345899
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DD642A67-E28C-40A9-8030-9F1D2257CCC7}@LeaseTerminatesTime 1244378299
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DD642A67-E28C-40A9-8030-9F1D2257CCC7}@DhcpRetryTime 129598
Reg HKLM\SYSTEM\CurrentControlSet\Services\{DD642A67-E28C-40A9-8030-9F1D2257CCC7}\Parameters\Tcpip@LeaseObtainedTime 1244119099
Reg HKLM\SYSTEM\CurrentControlSet\Services\{DD642A67-E28C-40A9-8030-9F1D2257CCC7}\Parameters\Tcpip@T1 1244248699
Reg HKLM\SYSTEM\CurrentControlSet\Services\{DD642A67-E28C-40A9-8030-9F1D2257CCC7}\Parameters\Tcpip@T2 1244345899
Reg HKLM\SYSTEM\CurrentControlSet\Services\{DD642A67-E28C-40A9-8030-9F1D2257CCC7}\Parameters\Tcpip@LeaseTerminatesTime 1244378299
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Reg HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk 0xEA 0xA4 0x47 0x18 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0xB4 0x80 0x6A 0xFE ...
Reg HKLM\SOFTWARE\Classes\CLSID\{93e6e9bd-f9cf-4ae4-ada7-eea9926b48e5}@Model 204
Reg HKLM\SOFTWARE\Classes\CLSID\{93e6e9bd-f9cf-4ae4-ada7-eea9926b48e5}@Therad 29
Reg HKLM\SOFTWARE\Classes\CLSID\{e423eca4-9c18-47a7-b6fb-515e406fd7a1}@Model 271
Reg HKLM\SOFTWARE\Classes\CLSID\{e423eca4-9c18-47a7-b6fb-515e406fd7a1}@Therad 21
Reg HKLM\SOFTWARE\Classes\CLSID\{e423eca4-9c18-47a7-b6fb-515e406fd7a1}@MData 0x2B 0x8F 0x78 0x29 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F5F7521C-F4FE-3D98-F635-1C792DD7D7FA}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F5F7521C-F4FE-3D98-F635-1C792DD7D7FA}@naknkhmegpegmlkeffimcggaflcf 0x6A 0x61 0x6F 0x6E ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F5F7521C-F4FE-3D98-F635-1C792DD7D7FA}@maenajbcgicijgnljclllanbgl 0x6A 0x61 0x6F 0x6E ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F5F7521C-F4FE-3D98-F635-1C792DD7D7FA}@naolclbiegfcceckhchdnibcbdli 0x62 0x61 0x69 0x6E ...

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Dee\Application Data\OpenOffice.org2\user\registry\data\org\openoffice\Office\UI\CalcWindowState.xcu 2401 bytes
File C:\Documents and Settings\Dee\Application Data\OpenOffice.org2\user\registry\data\org\openoffice\Office\UI\DrawWindowState.xcu 1882 bytes
File C:\Documents and Settings\Dee\Application Data\OpenOffice.org2\user\registry\data\org\openoffice\Office\UI\ImpressWindowState.xcu 2405 bytes
File C:\Documents and Settings\Dee\Application Data\OpenOffice.org2\user\registry\data\org\openoffice\Office\UI\MathWindowState.xcu 1882 bytes
File C:\Documents and Settings\Dee\Application Data\OpenOffice.org2\user\registry\data\org\openoffice\Office\UI\WriterWebWindowState.xcu 1887 bytes
File C:\Documents and Settings\Dee\Application Data\OpenOffice.org2\user\registry\data\org\openoffice\Office\UI\WriterWindowState.xcu 3977 bytes
File C:\Documents and Settings\Dee\Application Data\OpenOffice.org2\user\store\.templdir.cache 4921 bytes
File C:\Documents and Settings\Dee\Application Data\OpenOffice.org2\user\uno_packages\cache 0 bytes
File C:\Documents and Settings\Dee\Application Data\OpenOffice.org2\user\wordbook\standard.dic 11 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera 0 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\mail 0 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\mail\accounts.ini 726 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\mail\index.ini 12401 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\mail\indexer 0 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\mail\indexer\indexer.ax 7680 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\mail\indexer\indexer.bx 0 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\mail\indexer\message_id 1024 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\mail\lexicon 0 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\mail\lexicon\lexicon.ax 7680 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\mail\lexicon\lexicon.bx 512 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\mail\omailbase.dat 1024 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\profile 0 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\profile\opssl6.dat 8918 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\profile\browser.js 122856 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\profile\cookies4.dat 266 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\profile\cookies4.dat.sbsd.bak 183 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\profile\download.dat 12 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\profile\global.dat 0 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\profile\keyboard 0 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\profile\menu 0 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\profile\mouse 0 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\profile\opcacrt6.dat 0 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\profile\opcert6.dat 0 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\profile\Opera6.adr 0 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\profile\Opera6.adr.sbsd.bak 0 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\profile\opera6.ini 0 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\profile\opicacrt6.dat 0 bytes
File C:\Documents and Settings\Dee\Application Data\Opera\Opera\profile\oprand.dat 0 bytes
File C:\Documents and Settings\Default User\Application Data\ATI 0 bytes
File C:\Documents and Settings\Default User\Application Data\desktop.ini 62 bytes
File C:\Documents and Settings\Default User\Application Data\Identities 0 bytes
File C:\Documents and Settings\Default User\Application Data\Identities\{DC40B654-6026-4B52-AAF7-9998CE175EAF} 0 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft 0 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\Address Book 0 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\Address Book\Administrator.wab 176594 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\Address Book\Administrator.wab~ 176594 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\CLR Security Config 0 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\CLR Security Config\v1.1.4322 0 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\CLR Security Config\v1.1.4322\security.config 21768 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\CLR Security Config\v1.1.4322\security.config.cch 75632 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\Credentials 0 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\Crypto 0 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer 0 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\brndlog.bak 10389 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\brndlog.txt 10389 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\Desktop.htt 2564 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\Quick Launch 0 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini 119 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk 779 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf 79 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\Media Player 0 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\Protect 0 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-740334261-15124919-2615503680-500 0 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-740334261-15124919-2615503680-500\9b9beb76-10c0-46f6-a29e-207126ac2a6e 388 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-740334261-15124919-2615503680-500\Preferred 24 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\Documents and Settings\Default User\Application Data\SampleView 0 bytes
File C:\Documents and Settings\Default User\Favorites\Desktop.ini 122 bytes
File C:\Documents and Settings\Default User\Favorites\Links 0 bytes
File C:\Documents and Settings\Default User\Favorites\Links\Customize Links.url 119 bytes
File C:\Documents and Settings\Default User\Favorites\Links\Free Hotmail.url 113 bytes
File C:\Documents and Settings\Default User\Favorites\Links\Windows Marketplace.url 169 bytes
File C:\Documents and Settings\Default User\Favorites\Links\Windows Media.url 118 bytes
File C:\Documents and Settings\Default User\Favorites\Links\Windows.url 113 bytes
File C:\Documents and Settings\Default User\Favorites\MSN.com.url 119 bytes
File C:\Documents and Settings\Default User\Favorites\Radio Station Guide.url 197 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data 0 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\ApplicationHistory 0 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse 0 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\ApplicationHistory\MsiExec.exe.8cb23528.ini.inuse 0 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini 2832 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\ApplicationHistory\SL1F5.tmp.72abe929.ini 1055 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\ApplicationHistory\SLC0.tmp.7041d376.ini 790 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\ATI 0 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\AtStart.txt 0 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\DSwitch.txt 0 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\fusioncache.dat 136 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\IconCache.db 2693248 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft 0 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\CD Burning 0 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Credentials 0 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Media Player 0 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_59R.wmdb 720896 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows 0 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat 262144 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG 1024 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media 0 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\10.0 0 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNS.DTD 498 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNS.XML 12784 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0 0 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.DTD 498 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML 12784 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\QSwitch.txt 0 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060} 0 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}\1033.MST 3584 bytes
File C:\Documents and Settings\Default User\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}\J2SE Runtime Environment 5.0 Update 6.msi 12125696 bytes
File C:\Documents and Settings\Default User\Local Settings\desktop.ini 62 bytes
File C:\Documents and Settings\Default User\Local Settings\History 0 bytes
File C:\Documents and Settings\Default User\Local Settings\History\desktop.ini 113 bytes
File C:\Documents and Settings\Default User\Local Settings\History\History.IE5 0 bytes
File C:\Documents and Settings\Default User\Local Settings\History\History.IE5\desktop.ini 113 bytes
File C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat 32768 bytes
File C:\Documents and Settings\Default User\Local Settings\Temp 0 bytes
File C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files 0 bytes
File C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5 0 bytes
File C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\36UG8QNG 0 bytes
File C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\36UG8QNG\desktop.ini 67 bytes
File C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\36UG8QNG\WindowsUpdateAgent20-x86[1].exe 4483584 bytes executable
File C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\76QUYX80 0 bytes
File C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\76QUYX80\desktop.ini 67 bytes
File C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\76QUYX80\MUAuth[1].cab 7699 bytes
File C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini 67 bytes
File C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\I0JQBJL6 0 bytes
File C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\I0JQBJL6\desktop.ini 67 bytes
File C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\I0JQBJL6\MUAuth[1].cab 10334 bytes
File C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat 32768 bytes
File C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\RZCDDSUU 0 bytes
File C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\RZCDDSUU\desktop.ini 67 bytes
File C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\RZCDDSUU\wuredist[1].cab 9905 bytes
File C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\desktop.ini 67 bytes
File C:\Documents and Settings\Default User\My Documents\desktop.ini 84 bytes
File C:\Documents and Settings\Default User\My Documents\My Music 0 bytes
File C:\Documents and Settings\Default User\My Documents\My Music\Desktop.ini 189 bytes
File C:\Documents and Settings\Default User\My Documents\My Music\Sample Music.lnk 638 bytes
File C:\Documents and Settings\Default User\My Documents\My Pictures 0 bytes
File C:\Documents and Settings\Default User\My Documents\My Pictures\Desktop.ini 191 bytes
File C:\Documents and Settings\Default User\My Documents\My Pictures\Sample Pictures.lnk 668 bytes
File C:\Documents and Settings\Default User\Recent\Desktop.ini 150 bytes
File C:\Documents and Settings\Default User\SendTo\Compressed (zipped) Folder.ZFSendToTarget 0 bytes
File C:\Documents and Settings\Default User\SendTo\Desktop (create shortcut).DeskLink 0 bytes
File C:\Documents and Settings\Default User\SendTo\desktop.ini 181 bytes
File C:\Documents and Settings\Default User\SendTo\Mail Recipient.MAPIMail 0 bytes
File C:\Documents and Settings\Default User\SendTo\My Documents.mydocs 0 bytes
File C:\Documents and Settings\Default User\Start Menu\Programs\Accessories 0 bytes
File C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Accessibility 0 bytes
File C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Accessibility\desktop.ini 348 bytes
File C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk 0 bytes
File C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk 1532 bytes
File C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk 1501 bytes
File C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk 1539 bytes
File C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Address Book.lnk 774 bytes
File C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Command Prompt.lnk 1555 bytes
File C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\desktop.ini 542 bytes
File C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Entertainment 0 bytes
File C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Entertainment\desktop.ini 84 bytes
File C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Notepad.lnk 1519 bytes
File C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk 386 bytes
File C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Synchronize.lnk 1519 bytes
File C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Tour Windows XP.lnk 1527 bytes
File C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Windows Explorer.lnk 0 bytes
File C:\Documents and Settings\Default User\Start Menu\Programs\desktop.ini 0 bytes
File C:\Documents and Settings\Default User\Start Menu\Programs\Internet Explorer.lnk 0 bytes
File C:\Documents and Settings\Default User\Start Menu\Programs\Outlook Express.lnk 0 bytes
File C:\Documents and Settings\Default User\Start Menu\Programs\Remote Assistance.lnk 0 bytes
File C:\Documents and Settings\Default User\Start Menu\Programs\Software Setup.lnk 0 bytes
File C:\Documents and Settings\Default User\Start Menu\Programs\Startup 0 bytes
File C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini 84 bytes
File C:\Start Menu\Programs\Xceed Components\.NET components 0 bytes
File C:\SwSetup\Adobe 0 bytes
File C:\SwSetup\Adobe\0x0409.ini 5495 bytes
File C:\SwSetup\Adobe\Abcpy.ini 1730 bytes
File C:\SwSetup\Adobe\AdbeRdr7.0.5_enu_oem3343.exe 290816 bytes executable
File C:\SwSetup\Adobe\Adobe Reader 7.0.5.msi 3038720 bytes
File C:\SwSetup\Adobe\Adobe Reader 7.0.5.mst 6656 bytes
File C:\SwSetup\Adobe\Adobe Reader 7.0.50.cab 0 bytes
File C:\SwSetup\Adobe\AEITAddInRdr.dll 0 bytes
File C:\SwSetup\Adobe\instmsiw.exe 1816064 bytes executable
File C:\SwSetup\Adobe\MD5_FLATFILES_ADOAR_A2_705_US.txt 0 bytes
File C:\SwSetup\Adobe\Rdr70.itw 16384 bytes
File C:\SwSetup\Adobe\ReadMe.htm 13094 bytes
File C:\SwSetup\Adobe\setup.exe 225280 bytes executable
File C:\SwSetup\Adobe\Setup.ini 1212 bytes
File C:\SwSetup\Adobe\US.cva 4072 bytes
File C:\SwSetup\Adobe\Data1.cab 30292321 bytes
File C:\SwSetup\AMDUpdate 0 bytes
File C:\SwSetup\AMDUpdate\AMD.cva 7356 bytes
File C:\SwSetup\AMDUpdate\Files 0 bytes
File C:\SwSetup\AMDUpdate\Files\AmdK8.cat 7803 bytes
File C:\SwSetup\AMDUpdate\Files\amdk8.inf 5334 bytes
File C:\SwSetup\AMDUpdate\Files\AmdK8.sys 36864 bytes executable
File C:\SwSetup\AMDUpdate\setup.exe 2960384 bytes executable
File C:\SwSetup\AppInstl 0 bytes
File C:\SwSetup\AppInstl\AppInst.ico 14062 bytes
File C:\SwSetup\AppInstl\AppList.TXT 2827 bytes
File C:\SwSetup\AppInstl\Cat.Ini 11241 bytes
File C:\SwSetup\AppInstl\COMP.INI 43811 bytes
File C:\SwSetup\AppInstl\hpqInsAp.dll 45056 bytes executable
File C:\SwSetup\AppInstl\hpqnt.dll 77824 bytes executable
File C:\SwSetup\AppInstl\hpqUIDll.dll 249856 bytes executable
File C:\SwSetup\AppInstl\images 0 bytes
File C:\SwSetup\AppInstl\images\hp_software_on_state.gif 2897 bytes
File C:\SwSetup\AppInstl\images\hp_software_over_state.gif 3327 bytes
File C:\SwSetup\AppInstl\lang.Ini 2736 bytes
File C:\SwSetup\AppInstl\Setup.exe 172032 bytes executable
File C:\SwSetup\AppInstl\setup.exe.manifest 672 bytes
File C:\SwSetup\AppInstl\US 0 bytes
File C:\SwSetup\AppInstl\US\Disk1 0 bytes
File C:\SwSetup\AppInstl\US\Disk1\data1.cab 1701346 bytes
File C:\SwSetup\AppInstl\US\Disk1\data1.hdr 33968 bytes
File C:\SwSetup\AppInstl\US\Disk1\data2.cab 6750 bytes
File C:\SwSetup\AppInstl\US\Disk1\engine32.cab 418296 bytes
File C:\SwSetup\AppInstl\US\Disk1\layout.bin 493 bytes
File C:\SwSetup\AppInstl\US\Disk1\setup.boot 405649 bytes
File C:\SwSetup\AppInstl\US\Disk1\setup.exe 102912 bytes executable
File C:\SwSetup\AppInstl\US\Disk1\setup.ini 736 bytes
File C:\SwSetup\AppInstl\US\Disk1\setup.inx 168105 bytes
File C:\SwSetup\AppInstl\US\Disk1\setup.iss 519 bytes
File C:\SwSetup\AppInstl\US\Disk1\vssver.scc 48 bytes
File C:\SwSetup\audio 0 bytes
File C:\SwSetup\audio\mixer.ini 18181 bytes
File C:\SwSetup\audio\ADIHdAud.inf 82112 bytes
File C:\SwSetup\audio\ADIHdAud.PNF 83284 bytes
File C:\SwSetup\audio\ADIHdAud.sys 178176 bytes executable
File C:\SwSetup\audio\ADIHDAudio_H2.CVA 3879 bytes
File C:\SwSetup\audio\AEAUDIO.sys 152960 bytes executable
File C:\SwSetup\audio\AEEnable.exe 40960 bytes executable
File C:\SwSetup\audio\comp.ini 18 bytes
File C:\SwSetup\audio\CPApp.ico 23742 bytes
File C:\SwSetup\audio\data.tag 72 bytes
File C:\SwSetup\audio\data1.cab 1918256 bytes
File C:\SwSetup\audio\data1.hdr 66794 bytes
File C:\SwSetup\audio\data2.cab 512 bytes
File C:\SwSetup\audio\DevSetup.exe 35328 bytes executable
File C:\SwSetup\audio\engine32.cab 460264 bytes
File C:\SwSetup\audio\INFCACHE.1 5800 bytes
File C:\SwSetup\audio\layout.bin 1287 bytes
File C:\SwSetup\audio\license.txt 5208 bytes
File C:\SwSetup\audio\platform.cfg 2024 bytes
File C:\SwSetup\audio\PostProc.dll 24576 bytes executable
File C:\SwSetup\audio\setup.exe 111104 bytes executable
File C:\SwSetup\audio\setup.ibt 437812 bytes
File C:\SwSetup\audio\setup.ini 721 bytes
File C:\SwSetup\audio\setup.inx 366222 bytes
File C:\SwSetup\audio\setup.iss 630 bytes
File C:\SwSetup\audio\SMax3CP.ico 1078 bytes
File C:\SwSetup\audio\SMax4PNP.exe 925696 bytes
File C:\SwSetup\audio\SMAXWDM 0 bytes
File C:\SwSetup\audio\SMAXWDM\W2K_XP 0 bytes
File C:\SwSetup\audio\SMAXWDM\W2K_XP\ADIHdAud.inf 82112 bytes
File C:\SwSetup\audio\SMAXWDM\W2K_XP\ADIHdAud.sys 178176 bytes executable
File C:\SwSetup\audio\SMAXWDM\W2K_XP\AEAUDIO.sys 152960 bytes executable
File C:\SwSetup\audio\SMAXWDM\W2K_XP\mixer.ini 18181 bytes
File C:\SwSetup\audio\SMAXWDM\W2K_XP\PostProc.dll 24576 bytes executable
File C:\SwSetup\audio\SMAXWDM\W2K_XP\SMax4PNP.exe 925696 bytes
File C:\SwSetup\audio\SMAXWDM\W2K_XP\SMWDMIF.dll 290816 bytes
File C:\SwSetup\audio\SMAXWDM\W2K_XP\smx.cat 11200 bytes
File C:\SwSetup\audio\SMWDMIF.dll 290816 bytes
File C:\SwSetup\audio\smx.cat 11200 bytes
File C:\SwSetup\audio\SM_Comn 0 bytes
File C:\SwSetup\audio\SM_Comn\Help 0 bytes
File C:\SwSetup\audio\SM_Comn\Help\Arabic 0 bytes
File C:\SwSetup\audio\SM_Comn\Help\Arabic\cpsimp.chm 11269 bytes
File C:\SwSetup\audio\SM_Comn\Help\Arabic\digaudmb.chm 11284 bytes
File C:\SwSetup\audio\SM_Comn\Help\Arabic\EQ.chm 11416 bytes
File C:\SwSetup\audio\SM_Comn\Help\Arabic\micro.chm 11924 bytes
File C:\SwSetup\audio\SM_Comn\Help\Arabic\pnp.chm 13257 bytes
File C:\SwSetup\audio\SM_Comn\Help\Arabic\power.chm 17018 bytes
File C:\SwSetup\audio\SM_Comn\Help\Arabic\sensa.chm 11626 bytes
File C:\SwSetup\audio\SM_Comn\Help\Arabic\smax.chm 11348 bytes
File C:\SwSetup\audio\SM_Comn\Help\Arabic\smax4hlp.chm 21486 bytes
File C:\SwSetup\audio\SM_Comn\Help\Arabic\SPDIF.chm 11006 bytes
File C:\SwSetup\audio\SM_Comn\Help\Brazil 0 bytes
File C:\SwSetup\audio\SM_Comn\Help\Brazil\cpsimp.chm 11557 bytes
File C:\SwSetup\audio\SM_Comn\Help\Brazil\digaudmb.chm 11575 bytes
File C:\SwSetup\audio\SM_Comn\Help\Brazil\EQ.chm 11980 bytes
File C:\SwSetup\audio\SM_Comn\Help\Brazil\micro.chm 12320 bytes
File C:\SwSetup\audio\SM_Comn\Help\Brazil\pnp.chm 13721 bytes
File C:\SwSetup\audio\SM_Comn\Help\Brazil\power.chm 17594 bytes
File C:\SwSetup\audio\SM_Comn\Help\Brazil\sensa.chm 12181 bytes
File C:\SwSetup\audio\SM_Comn\Help\Brazil\smax.chm 11653 bytes
File C:\SwSetup\audio\SM_Comn\Help\Brazil\smax4hlp.chm 21998 bytes
File C:\SwSetup\audio\SM_Comn\Help\Brazil\SPDIF.chm 11312 bytes
File C:\SwSetup\audio\SM_Comn\Help\Danish 0 bytes
File C:\SwSetup\audio\SM_Comn\Help\Danish\cpsimp.chm 11515 bytes
File C:\SwSetup\audio\SM_Comn\Help\Danish\digaudmb.chm 11464 bytes
File C:\SwSetup\audio\SM_Comn\Help\Danish\EQ.chm 11724 bytes
File C:\SwSetup\audio\SM_Comn\Help\Danish\micro.chm 12295 bytes
File C:\SwSetup\audio\SM_Comn\Help\Danish\pnp.chm 13479 bytes
File C:\SwSetup\audio\SM_Comn\Help\Danish\power.chm 17477 bytes
File C:\SwSetup\audio\SM_Comn\Help\Danish\sensa.chm 11990 bytes
File C:\SwSetup\audio\SM_Comn\Help\Danish\smax.chm 11524 bytes
File C:\SwSetup\audio\SM_Comn\Help\Danish\smax4hlp.chm 21758 bytes
File C:\SwSetup\audio\SM_Comn\Help\Danish\SPDIF.chm 11246 bytes
File C:\SwSetup\audio\SM_Comn\Help\Dutch 0 bytes
File C:\SwSetup\audio\SM_Comn\Help\Dutch\cpsimp.chm 11525 bytes
File C:\SwSetup\audio\SM_Comn\Help\Dutch\digaudmb.chm 11458 bytes
File C:\SwSetup\audio\SM_Comn\Help\Dutch\EQ.chm 11776 bytes
File C:\SwSetup\audio\SM_Comn\Help\Dutch\micro.chm 13601 bytes
File C:\SwSetup\audio\SM_Comn\Help\Dutch\pnp.chm 13623 bytes
File C:\SwSetup\audio\SM_Comn\Help\Dutch\power.chm 17535 bytes
File C:\SwSetup\audio\SM_Comn\Help\Dutch\sensa.chm 0 bytes
File C:\SwSetup\audio\SM_Comn\Help\Dutch\smax.chm 11512 bytes
File C:\SwSetup\audio\SM_Comn\Help\Dutch\smax4hlp.chm 21648 bytes
File C:\SwSetup\audio\SM_Comn\Help\Dutch\SPDIF.chm 0 bytes
File C:\SwSetup\audio\SM_Comn\Help\English 0 bytes
File C:\SwSetup\audio\SM_Comn\Help\English\cpsimp.chm 11479 bytes
File C:\SwSetup\audio\SM_Comn\Help\English\digaudmb.chm 11439 bytes
File C:\SwSetup\audio\SM_Comn\Help\English\EQ.chm 11638 bytes
File C:\SwSetup\audio\SM_Comn\Help\English\micro.chm 12162 bytes
File C:\SwSetup\audio\SM_Comn\Help\English\pnp.chm 13345 bytes
File C:\SwSetup\audio\SM_Comn\Help\English\power.chm 17356 bytes
File C:\SwSetup\audio\SM_Comn\Help\English\sensa.chm 11868 bytes
File C:\SwSetup\audio\SM_Comn\Help\English\smax.chm 11403 bytes
File C:\SwSetup\audio\SM_Comn\Help\English\smax4hlp.chm 20346 bytes
File C:\SwSetup\audio\SM_Comn\Help\English\SPDIF.chm 11200 bytes
File C:\SwSetup\audio\SM_Comn\Help\Finnish 0 bytes
File C:\SwSetup\audio\SM_Comn\Help\Finnish\cpsimp.chm 11531 bytes
File C:\SwSetup\audio\SM_Comn\Help\Finnish\digaudmb.chm 11517 bytes
File C:\SwSetup\audio\SM_Comn\Help\Finnish\EQ.chm 11748 bytes
File C:\SwSetup\audio\SM_Comn\Help\Finnish\micro.chm 12346 bytes
File C:\SwSetup\audio\SM_Comn\Help\Finnish\pnp.chm 13549 bytes
File C:\SwSetup\audio\SM_Comn\Help\Finnish\power.chm 17509 bytes
File C:\SwSetup\audio\SM_Comn\Help\Finnish\sensa.chm 12045 bytes
File C:\SwSetup\audio\SM_Comn\Help\Finnish\smax.chm 11575 bytes
File C:\SwSetup\audio\SM_Comn\Help\Finnish\smax4hlp.chm 21698 bytes
File C:\SwSetup\audio\SM_Comn\Help\Finnish\SPDIF.chm 11324 bytes
File C:\SwSetup\audio\SM_Comn\Help\French 0 bytes
File C:\SwSetup\audio\SM_Comn\Help\French\cpsimp.chm 11619 bytes
File C:\SwSetup\audio\SM_Comn\Help\French\digaudmb.chm 11498 bytes
File C:\SwSetup\audio\SM_Comn\Help\French\EQ.chm 11792 bytes
File C:\SwSetup\audio\SM_Comn\Help\French\micro.chm 12493 bytes
File C:\SwSetup\audio\SM_Comn\Help\French\pnp.chm 13761 bytes
File C:\SwSetup\audio\SM_Comn\Help\French\power.chm 17706 bytes
File C:\SwSetup\audio\SM_Comn\Help\French\sensa.chm 12302 bytes
File C:\SwSetup\audio\SM_Comn\Help\French\smax.chm 11570 bytes
File C:\SwSetup\audio\SM_Comn\Help\French\smax4hlp.chm 22204 bytes
File C:\SwSetup\audio\SM_Comn\Help\French\SPDIF.chm 11300 bytes
File C:\SwSetup\audio\SM_Comn\Help\German 0 bytes
File C:\SwSetup\audio\SM_Comn\Res 0 bytes
File C:\SwSetup\audio\SM_Comn\Sys 0 bytes
File C:\SwSetup\audio\SM_Micro 0 bytes
File C:\SwSetup\audio\SM_Panel 0 bytes
File C:\SwSetup\audio\SM_Power 0 bytes
File C:\SwSetup\audio\Sys 0 bytes
File C:\SwSetup\audio\win256_3.bmp 0 bytes
File C:\SwSetup\BIOSCFG 0 bytes
File C:\SwSetup\BrandIT 0 bytes
File C:\SwSetup\Btooth 0 bytes
File C:\SwSetup\credman 0 bytes
File C:\SwSetup\Default 0 bytes
File C:\SwSetup\DNetSP1 0 bytes
File C:\SwSetup\DotNet1 0 bytes
File C:\SwSetup\DotNetLg 0 bytes
File C:\SwSetup\DVD 0 bytes
File C:\SwSetup\ESPtools 0 bytes
File C:\SwSetup\ESUXP 0 bytes
File C:\SwSetup\GB18030 0 bytes
File C:\SwSetup\GGLTB 0 bytes
File C:\SwSetup\Guides 0 bytes
File C:\SwSetup\HighSD 0 bytes

---- EOF - GMER 1.0.15 ----

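The file listing above is GMER's Files section: one line per entry in the form "File <path> <size> bytes", with "executable" appended to some entries. Scrolling a few thousand of those lines by eye is how things get missed, so here is an added example (not part of this thread and not GMER's own code) that parses lines in that format and flags the entries a responder would want to open by hand: marked-executable files whose extension is not normally a PE, .exe/.sys files that lack the marker (as with SMax4PNP.exe in the listing above, which has no marker while setup.exe does), double extensions, executables under Temp or profile directories, and zero-byte files that have an extension (the listing shows several .chm and .bmp entries at 0 bytes, which is what "damaged by removal" would look like). The sample log is constructed, the "Owner" profile path is a placeholder, and both the heuristics and the reading of the "executable" marker as GMER's PE detection are the editor's assumptions.

```python
"""Triage the 'Files' section of a GMER log (added example, not GMER's own code)."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# One GMER file line: "File <path> <size> bytes" with an optional " executable" marker.
# The path is matched non-greedily so paths containing spaces still parse.
LINE_RE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes(?P<exe> executable)?\s*$")

# Extensions that normally carry a PE image (assumption: a reasonable list, not exhaustive).
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv", ".ax"}

# Directory fragments where a freshly dropped executable deserves a closer look than
# one under Program Files (assumption; compared case-insensitively).
RISKY_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\application data\\",
              "\\local settings\\", "\\recycler\\")

# Constructed sample in the log's format; "Owner" is a placeholder profile name.
SAMPLE_LOG = r"""---- Files - GMER 1.0.15 ----

File C:\SwSetup\audio\setup.exe 111104 bytes executable
File C:\SwSetup\audio\setup.ini 721 bytes
File C:\SwSetup\audio\SMAXWDM 0 bytes
File C:\SwSetup\audio\SMAXWDM\W2K_XP\ADIHdAud.sys 178176 bytes executable
File C:\SwSetup\audio\SM_Comn\Help\Dutch\sensa.chm 0 bytes
File C:\SwSetup\audio\SMax4PNP.exe 925696 bytes
File C:\Documents and Settings\Owner\Local Settings\Temp\invoice.pdf.exe 44032 bytes executable
File C:\Documents and Settings\Owner\Application Data\update.dat 31232 bytes executable

---- EOF - GMER 1.0.15 ----
"""


@dataclass
class FileEntry:
    path: str
    size: int
    executable: bool   # True when GMER appended "executable" to the line


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def parse_gmer_files(text):
    """Return a FileEntry per 'File ...' line; section headers and the EOF marker are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(FileEntry(m["path"], int(m["size"]), m["exe"] is not None))
    return entries


def triage(entries):
    """Apply the heuristics to each entry; return a Finding for every entry that trips one."""
    findings = []
    for e in entries:
        suffixes = [s.lower() for s in PureWindowsPath(e.path).suffixes]
        ext = suffixes[-1] if suffixes else ""
        reasons = []
        # Assumption: the "executable" marker is GMER's PE-header detection, so a marked
        # file with a data extension is a PE image sitting behind that extension.
        if e.executable and ext not in PE_EXTENSIONS:
            reasons.append("PE image with non-executable extension")
        # The reverse mismatch: an .exe/.sys that GMER did not mark. Could be packed,
        # truncated or not a PE at all; worth opening by hand.
        if ext in PE_EXTENSIONS and not e.executable and e.size > 0:
            reasons.append("executable extension but no PE marker")
        # Classic lure: name.pdf.exe (a name like app-1.2.exe is a false positive here).
        if len(suffixes) >= 2 and ext in PE_EXTENSIONS:
            reasons.append("double extension")
        if e.executable and any(d in e.path.lower() for d in RISKY_DIRS):
            reasons.append("executable in temp/profile directory")
        # 0-byte entries without an extension are directories; a 0-byte .chm or .bmp
        # is a truncated or unreadable file.
        if e.size == 0 and ext:
            reasons.append("zero-byte file (truncated or unreadable)")
        if reasons:
            findings.append(Finding(e.path, reasons))
    return findings


def report(text):
    """Parse a log and return a printable summary, one finding per line."""
    return "\n".join(f"{f.path}: {'; '.join(f.reasons)}"
                     for f in triage(parse_gmer_files(text)))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a saved GMER log with `report(open("gmer.log").read())`; on the sample it reports four entries and stays silent on setup.exe and the driver. The heuristics are deliberately loud rather than precise: the point is to shrink thousands of lines to a handful a human checks, not to declare anything malicious.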
#12 m0le
Malware Response Team, London, UK

Posted 13 June 2009 - 03:42 PM

Hi tiaz,

I'm not seeing a lot, so let's run a tool that targets Gumblar and see what it finds.

Firstly, let's clear out your large temp files.

Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
  • Close your browser.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main, "Select Files to Delete", choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox browser: click Firefox at the top and choose: Select All.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser: click Opera at the top and choose: Select All.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
  • For Technical Support, double-click the e-mail address located at the bottom of each menu.

If you are using Firefox and this has caused page-loading problems, then please clear your private data. To do this, go
to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

Then close Firefox and then reopen it.

Okay, now

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks :thumbup2:
m0le is a proud member of UNITE

#13 tiaz
Topic Starter

Posted 13 June 2009 - 05:26 PM

I'm really loath to use Malwarebytes, as last time I did it seemed to wreck my whole PC.
Spent all day trying to go back to a backup, as it damaged an important Windows file (can't remember its name now, sorry). I couldn't even open my Outlook Express afterwards to get my mail. Is there any other alternative? If not, I think I will have to leave it as is, as the PC seems to be working fine, so all may be OK anyhow...
Thanks

#14 m0le
Malware Response Team, London, UK

Posted 13 June 2009 - 07:50 PM

Hi tiaz,

MBAM is a really safe tool, so if anything damaged the system file, it was probably the malware that MBAM was run to remove.

However, if you are happy to leave it (and I haven't seen any evidence to suggest otherwise), then I will leave you with the final instructions, and I will leave this thread open for five days in case you need to come back. You can PM me as well.

It is optional, but you can try running SREng, which will attempt to fix files that have been damaged by infections.

Please download sreng2.zip and save it to your Desktop.
  • Create a new folder on your hard drive called Sreng2 (C:\Sreng2) and extract (unzip) the file there. (click here if you're not sure how to do this. Vista users refer to this link.)
  • Open the folder and double-click on SREngLdr.EXE to launch it.
  • Select System Repair from the left pane.
  • Click on Windows Shell/IE.
  • Put a check mark in the box next to Enable using Folder Options
  • Click Repair.
  • The Status should now show Ok.
  • Exit SREng and reboot the computer.

Please reactivate your antivirus, antispyware and firewall programs.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double-click the OTC icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Please set your system to hide all hidden files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Happy surfing, tiaz!

Cheers,


m0le
m0le is a proud member of UNITE

#15 tiaz
Topic Starter

Posted 14 June 2009 - 06:43 AM

All done.
Thank you so much for your help :thumbup2: