
Need help removing several infections please


This topic is locked
32 replies to this topic

#1 dannyyoung


Posted 13 September 2009 - 02:20 PM

Hi everyone - I have posted this in the Am I Infected? What Do I Do? forum, but then I noticed that HJT logs should be posted here, so I hope I don't get into trouble with the Moderators for posting this twice - if so apologies in advance for doing so:

Hi there and thanks for reading. My laptop used to have Norton 360, I let it expire for a couple of days and now I seem to have a number of different infections. I have read some other threads here and tried different methods of cleaning up but no success so thought it best to post. I've also got a problem with my desktop PC but for this post I will just focus on the laptop - one step at a time!

I no longer want to use Norton 360 so have uninstalled it and am now running AVG Free. Firstly, when I run AVG, there are a number of different infections that are found - I clean the machine, reboot and then after a while they all appear again. Here are the details:

Virus found Win32/Cryptor - there are lots of these found during the scan in different C:\WINDOWS\system32\svchost.exe (xxx) where xxx represents different numbers.
Trojan horse FakeAlert.MN

I tried to install SuperSpywareFree and Malwarebytes Anti-Malware but when I double click the icons, I am asked if I want to run the programs then nothing happens. When I run Task Manager I can see the processes running, but the programs do not actually install, they just seem to sit invisibly in the background. I also get the same problems when I try to install these programs in Safe Mode. I also downloaded Spybot - Search & Destroy but although that has installed, it will not run - again the process shows in Task Manager but nothing actually happens.

I also get an error saying Google Installer has encountered a problem and needs to close, and then it tells me there is an error in windows/system32/service.exe, status code 1073741819, and says it will restart in 60 seconds. As well as this, another error comes up saying Services and Controller app has encountered a problem and needs to close.

The errors are quite random. For example, I just used the power switch to reboot my laptop because it froze, and when I powered on again the process appeared normal: I got the Windows XP screen, then I had a mouse pointer on a black screen and a constant stream of "beeps" - like the check when you first boot a laptop or PC up - and I had to manually shut down again using the power switch.

Then when I switched the PC on again, I had the standard HP logo, then a kind of weird overlay where you get the screen saying We are sorry but Windows did not shut down properly - but it was blended in with the logo almost like a ghost image - very strange!

I have managed to run a HiJack This Log which brings up the following:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:13:02, on 13/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Input Director\IDWinService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Input Director\InputDirectorSessionHelper.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1858\port88.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [boincmgr] "C:\Program Files\BOINC\boincmgr.exe" /a /s
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [12CFG214-K641-24SF-N84P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1858\port88.exe
O4 - HKCU\..\Run: [12CFG214-K641-12SF-N85P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm302YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://cdnrep.reimage.com
O16 - DPF: {10ECCE17-29B5-4880-A8F5-EAD298611484} (ReiEngine Class) - http://cdnrep.reimage.com/reix1214.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...etup1.0.1.1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213699945235
O17 - HKLM\System\CCS\Services\Tcpip\..\{5628D3CA-710D-4701-938E-43F3CE86C914}: NameServer = 192.168.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Input Director Service (InputDirector) - Unknown owner - C:\Program Files\Input Director\IDWinService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 14077 bytes

If anyone can please help - this is driving me crazy!

Thanks again for reading...
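The log above is the kind of thing a helper reads by eye, scanning the O4 autorun entries, the running-process list and the DDS "mWinlogon" line for binaries that have no business where they are. As an added illustration (not code from the original post or from any BleepingComputer tool), the script below parses a handful of lines copied from the HijackThis and DDS logs in this thread, mixed with ordinary vendor entries for contrast, and flags the entries a triager would want to look at first. The heuristics it applies (a binary under RECYCLER or a temp directory, a binary in the root of a drive, a Run entry with no command, and a Winlogon Taskman value being set at all) are my own baseline and are assumptions, as are the `triage`, `odd_location` and `Finding` names; a hit is a prompt to check the file against vendor information, not a verdict.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    source: str   # the log line that triggered the finding
    reason: str   # why it was flagged


# Constructed sample: a handful of lines copied from the HijackThis and DDS
# logs posted in this thread, mixed with ordinary vendor entries for contrast.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [12CFG214-K641-24SF-N84P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1858\port88.exe",
    r"O4 - HKCU\..\Run: [12CFG214-K641-12SF-N85P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe",
    r"O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')",
    r"mWinlogon: Taskman=c:\recycler\s-1-5-21-6061000912-4339382104-637806562-7859\wnzip32.exe",
    r"mRun: [<NO NAME>]",
    r'mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"',
    r"C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1858\port88.exe",
    r"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe",
    r"S3 cpuz128;cpuz128;\??\c:\docume~1\owner\locals~1\temp\cpuz_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz_x32.sys [?]",
    r"2009-09-13 09:30 19,967 a------- C:\xubdc.exe",
]

# HijackThis "O4 - <hive>\..\Run: [<name>] <command>"
HJT_O4 = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# DDS "uRun/mRun/dRun: [<name>] <command>"
DDS_RUN = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# DDS Winlogon Taskman override
DDS_TASKMAN = re.compile(r"^mWinlogon: Taskman=(?P<cmd>.+)$", re.IGNORECASE)
# First Windows path in a command line, quoted or not
WIN_PATH = re.compile(r'"?(?P<path>[a-z]:\\[^"]*?\.(?:exe|dll|sys|scr))', re.IGNORECASE)

# Directories an autorun, service or driver binary should not normally live in (assumed heuristic)
SUSPICIOUS_DIRS = (("\\recycler\\", "RECYCLER"), ("\\temp\\", "a temp directory"))


def odd_location(path: str) -> str:
    """Return a reason if the path is somewhere an autorun should not be, else ''."""
    p = path.lower()
    for needle, label in SUSPICIOUS_DIRS:
        if needle in p:
            return f"binary lives under {label}"
    if re.fullmatch(r"[a-z]:\\[^\\]+", p):
        return "binary sits in the root of a drive"
    return ""


def triage(lines: List[str]) -> List[Finding]:
    """Scan HijackThis/DDS-style lines and return the entries worth a closer look."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        run = HJT_O4.match(line) or DDS_RUN.match(line)
        taskman = DDS_TASKMAN.match(line)
        if run:
            cmd = run.group("cmd")
            if not cmd.strip():
                findings.append(Finding(line, "Run entry with no command"))
                continue
        elif taskman:
            cmd = taskman.group("cmd")
            findings.append(Finding(line, "Winlogon Taskman value is set (normally absent on XP; "
                                          "it replaces the program launched as Task Manager)"))
        else:
            cmd = line  # running-process, driver or file-listing line: inspect any path it carries
        path = WIN_PATH.search(cmd)
        if path:
            why = odd_location(path.group("path"))
            if why:
                findings.append(Finding(line, why))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.reason}\n    {f.source}")
```

Run against the sample, the script returns eight findings: both RECYCLER autoruns, the RECYCLER process, the Taskman line (twice, once for the value being set and once for where it points), the nameless mRun entry, the driver loaded from a temp directory, and the file in the root of C:. The cpuz_x32.sys hit shows why a hit is a prompt rather than a verdict: CPU-Z legitimately drops its driver in temp, which is exactly the kind of vendor check a triager does after the script narrows the list.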



#2 dannyyoung


Posted 14 September 2009 - 02:14 AM

Having now read the posting rules, here is the DDS.txt log:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 7:47:10.71 on 14/09/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1179 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Input Director\IDWinService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Input Director\InputDirectorSessionHelper.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1858\port88.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\BOINC\boinc.exe
C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/ig?hl=en
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=laptop
uWindow Title = Internet Explorer Provided By Sky Broadband
uDefault_Page_URL = hxxp://www.skybroadband.com
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mWinlogon: Taskman=c:\recycler\s-1-5-21-6061000912-4339382104-637806562-7859\wnzip32.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [12CFG214-K641-24SF-N84P] c:\recycler\s-1-5-21-0243936033-3052116371-381863308-1858\port88.exe
uRun: [12CFG214-K641-12SF-N85P] c:\recycler\s-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [boincmgr] "c:\program files\boinc\boincmgr.exe" /a /s
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm302YYGB
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: reimage.com\cdnrep
DPF: {10ECCE17-29B5-4880-A8F5-EAD298611484} - hxxp://cdnrep.reimage.com/reix1214.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213699945235
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {5628D3CA-710D-4701-938E-43F3CE86C914} = 192.168.0.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-6-17 40840]
R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-13 335240]
R1 avgmfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-13 27784]
R1 avgtdix;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-13 108552]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-6-17 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-6-17 81288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-13 297752]
R2 InputDirector;Input Director Service;c:\program files\input director\IDWinService.exe [2008-9-10 32768]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-9-15 47640]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-10-5 356920]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-10-5 1079176]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-1-4 603904]
R3 echondgo;Indigo Service;c:\windows\system32\drivers\echondgo.sys [2008-6-17 133760]
S3 cpuz128;cpuz128;\??\c:\docume~1\owner\locals~1\temp\cpuz_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz_x32.sys [?]
S3 SeratoUsb;SeratoUsb driver;c:\windows\system32\drivers\SeratoUsb.sys [2008-9-21 35712]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-09-13 12:50 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-09-13 12:45 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-09-13 12:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-09-13 12:45 <DIR> --dsh--- c:\documents and settings\owner\PrivacIE
2009-09-13 12:23 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-09-13 12:23 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-09-13 12:23 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-09-13 12:22 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-09-13 12:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-09-13 12:22 <DIR> --d----- c:\program files\AVG
2009-09-13 12:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-09-13 12:15 <DIR> --d----- c:\docume~1\owner\applic~1\AVG8
2009-09-13 09:30 81,792 a------- c:\windows\system32\drivers\bcf8db15.sys
2009-09-13 09:30 19,967 a------- C:\xubdc.exe
2009-08-29 12:45 <DIR> --d----- c:\program files\common files\Sonic Shared
2009-08-29 12:45 <DIR> --d----- c:\program files\Roxio

==================== Find3M ====================

2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 18:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-02-12 16:49 256 a------- c:\documents and settings\owner\pool.bin

============= FINISH: 7:49:29.73 ===============

I have also attached the attach.txt and ark.txt files. Any help or advice would be very much appreciated - thanks again for reading.

Merged topics. ~ OB

Edited by Orange Blossom, 14 September 2009 - 10:02 PM.


#3 dannyyoung

dannyyoung
  • Topic Starter

  • Members
  • 21 posts
  • Local time:10:14 PM

Posted 28 September 2009 - 08:15 AM

Just wanted to bump this up as nothing heard - can anyone help please?

#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:10:14 PM

Posted 28 September 2009 - 08:51 PM

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues, I would appreciate it if you would let me know so I can close this topic. If you still need help, please let me know what issues you are still having in your next reply.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

Then please post back here with the following:
  • log.txt
  • info.txt
Thanks


#5 dannyyoung

dannyyoung
  • Topic Starter

  • Members
  • 21 posts
  • Local time:10:14 PM

Posted 29 September 2009 - 02:43 AM

Thanks for your reply. Here is the info.log file:

info.txt logfile of random's system information tool 1.06 2009-09-29 08:36:40

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}
Adobe Audition 3.0-->msiexec /I {53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Amazing Slow Downer (remove only)-->"C:\Program Files\Roni Music\Amazing Slow Downer\uninstall.exe"
Apple Mobile Device Support-->MsiExec.exe /I{8355F970-601D-442D-A79B-1D7DB4F24CAD}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI Parental Control & Encoder-->MsiExec.exe /I{36CDA33B-909B-4719-97D1-C4B99309BDC7}
Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"
AVG Free 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
BeatportDownloader-->msiexec /qb /x {5310C7A5-A385-6E26-66E9-C0F0CA5A7E45}
BeatportDownloader-->MsiExec.exe /I{5310C7A5-A385-6E26-66E9-C0F0CA5A7E45}
BlackBerry Desktop Software 5.0-->MsiExec.exe /i{EE59E3BD-6B7D-4BBB-B9CD-20EA7AEF1E10}
BlackBerry Desktop Software 5.0-->MsiExec.exe /I{EE59E3BD-6B7D-4BBB-B9CD-20EA7AEF1E10}
BlackBerry® Media Sync-->MsiExec.exe /X{689E0AB3-50B2-4E5A-9DCE-6DA9F5BE1314}
BOINC-->MsiExec.exe /I{467A0A77-B08B-432C-9973-4A2F05F31C59}
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Broadcom 802.11 Driver-->C:\WINDOWS\system32\BCMWLU00.exe verbose /rootkey=Software\Broadcom\802.11\UninstallInfo
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Citrix Presentation Server Client-->MsiExec.exe /I{2624B680-02BC-4CBC-839C-DA20DF6EF6EC}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant AC-97 Audio-->CIAunwdm.exe
Conexant Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_266D&SUBSYS_3082103C\HXFSETUP.EXE -U -Ihpm30825.inf
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
doPDF 6.2 printer-->"C:\Program Files\Softland\doPDF 6\unins000.exe"
Driver Updater Pro-->"C:\Documents and Settings\All Users\Application Data\{CC51AE54-B346-4954-ADDB-30BD4F138CF2}\DriverUpdaterPro.exe" REMOVE=TRUE MODIFY=FALSE
Driver Updater Pro-->C:\Documents and Settings\All Users\Application Data\{CC51AE54-B346-4954-ADDB-30BD4F138CF2}\DriverUpdaterPro.exe
DVD Flick-->"C:\Program Files\DVD Flick\unins000.exe"
Echo Indigo-->C:\Program Files\Echo Digital Audio\Indigo\uninst.exe
ffdshow [rev 2033] [2008-07-05]-->"C:\Program Files\ffdshow\unins000.exe"
Free YouTube to Mp3 Converter version 3.1-->"C:\Program Files\DVDVideoSoft\Free YouTube to Mp3 Converter\unins000.exe"
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_E582EA556D8DE101.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
GSpot Codec Information Appliance-->C:\Program Files\GSpot\Uninstall.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
HP Image Zone 4.7-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Image Zone Express-->MsiExec.exe /X{85BCA736-A0F4-448E-9BC1-6EA08693E10B}
HP Product Assistant-->MsiExec.exe /I{36FDBE6E-6684-462B-AE98-9A39A1B200CC}
HP PSC & OfficeJet 4.7-->"C:\Program Files\HP\Digital Imaging\{342C7C88-D335-4bc2-8CF1-281857629CE2}\setup\hpzscr01.exe" -datfile hposcr05.dat
HP Update-->MsiExec.exe /X{FE57DE70-95DE-4B64-9266-84DA811053DB}
HP Wireless Assistant-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}\setup.exe" -l0x9
Input Director v1.2 -->"C:\Program Files\Input Director\uninstall.exe"
iTunes-->MsiExec.exe /I{5D601655-6D54-4384-B52C-17EC5385FBBD}
J2SE Runtime Environment 5.0-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
Java™ 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java™ 6 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
JGoodies JDiskReport 1.3.0-->"C:\Program Files\JGoodies\JDiskReport 1.3.0\uninstall.exe"
Junk Mail filter update-->MsiExec.exe /I{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}
LADSPA_plugins-win-0.4.15-->"C:\Program Files\Audacity\Plug-Ins\unins000.exe"
LogMeIn-->MsiExec.exe /I{E256842C-AD14-4BDC-87B2-B3A4A7037837}
Magic ISO Maker v5.5 (build 0273)-->C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Live Add-in 1.3-->MsiExec.exe /I{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}
Microsoft Office Outlook Connector-->MsiExec.exe /I{95120000-0120-0409-0000-0000000FF1CE}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{91E30409-6000-11D3-8CFE-0150048383C9}
Microsoft Outlook Web Access S/MIME-->MsiExec.exe /X{6CF08AD2-00C5-4A63-B74B-2EFFFAFEBE1A}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Windows XP Video Decoder Checkup Utility-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\DECCHECK.inf,Uninstall
mIRC-->C:\Program Files\mIRC\uninstall.exe _?=C:\Program Files\mIRC
MobileMe Control Panel-->MsiExec.exe /I{DDBB28C8-B2AA-45A1-8DCE-059A798509FB}
Mozilla Firefox (3.0.11)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Native Instruments Traktor DJ Studio 3-->C:\PROGRA~1\NATIVE~1\TRAKTO~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\TRAKTO~1\INSTALL.LOG
Nero 8 Ultra Edition HD-->MsiExec.exe /X{5FCCD531-1B38-4A94-924C-127F722F1033}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Network Stumbler 0.4.0 (remove only)-->"C:\Program Files\Network Stumbler\uninst.exe"
Ogg Codecs 0.81.15562-->C:\Program Files\Xiph.Org\Ogg Codecs\uninst.exe
OpenOffice.org Installer 1.0-->MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
Quick Launch Buttons 5.10 A2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEB326EC-8F40-47B2-BA22-BB092565D66F}\setup.exe" -l0x9 -uninst
QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
REALTEK Gigabit and Fast Ethernet NIC Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x9 REMOVE
REAPER-->"C:\Program Files\REAPER\Uninstall.exe"
Reason 4.0.1-->"C:\Program Files\Propellerhead\Reason\Uninstall Reason\unins000.exe"
ReBirth ModPacker-->C:\PROGRA~1\PROPEL~1\MODPAC~1\UNWISE.EXE C:\PROGRA~1\PROPEL~1\MODPAC~1\INSTALL.LOG
ReBirth RB-338 2.0-->C:\PROGRA~1\PROPEL~1\REBIRT~1.0\UNWISE.EXE C:\PROGRA~1\PROPEL~1\REBIRT~1.0\INSTALL.LOG
ReCycle 2.1.2-->"C:\Program Files\Propellerhead\ReCycle\unins000.exe"
Reimage real-time monitor-->C:\Program Files\Reimage\rei_agent.exe /uninstall
Roxio Media Manager-->MsiExec.exe /X{4D612FB2-1AE7-4E46-9377-35BB2F06A787}
Scratch LIVE 1.8.2 (18221)-->MsiExec.exe /I{93A10228-4F64-4A31-B7B9-BC6AA7753BB8}
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
SimpleCast (remove only)-->"C:\Program Files\SpacialAudio\SimpleCast\uninstall.exe"
Sky Broadband-->MsiExec.exe /I{14C35072-D7D0-4B29-B5BF-C94E426D77E9}
SopCast 3.0.3-->C:\Program Files\SopCast\uninst.exe
Spotify-->"C:\Program Files\Spotify\uninstall.exe"
Spyware Doctor 6.0-->C:\Program Files\Spyware Doctor\unins000.exe /LOG
Symantec Technical Support Advanced Chat Controls-->MsiExec.exe /X{48FF6DE6-0619-4562-B4B1-21F161FE0DE0}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515 drivers.-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C569D686-A444-4AF0-A437-15CBB2816E34}
TomTom HOME 2.6.2.1586-->C:\Program Files\TomTom HOME 2\Uninstall TomTom HOME.exe
TomTom HOME Visual Studio Merge Modules-->MsiExec.exe /I{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}
TuneUp Utilities 2009-->MsiExec.exe /I{55A29068-F2CE-456C-9148-C869879E2357}
TVUPlayer 2.4.1.0-->C:\Program Files\TVUPlayer\uninst.exe
Uninstall 1.0.0.1-->"C:\Program Files\Common Files\DVDVideoSoft\unins000.exe"
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 8 (KB971180)-->"C:\WINDOWS\ie8updates\KB971180-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB961503)-->"C:\WINDOWS\$NtUninstallKB961503$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
VCRedistSetup-->MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Vuze-->C:\Program Files\Vuze\uninstall.exe
WebEx-->C:\PROGRA~1\MOZILL~1\plugins\atcliun.exe
Win2PDF 3.40.1-->"C:\WINDOWS\system32\spool\drivers\w32x86\3\Win2PDF\unins000.exe"
Win2PDF Font Helper 1.21 (GPL Ghostscript 8.62)-->"C:\Program Files\Win2PDF Font Helper\unins000.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{C6CA8874-5F22-4AF0-9BE3-016BF299C536}
Windows Live Mail-->MsiExec.exe /I{63C1109E-D977-49ED-BCE3-D00D0BF187D6}
Windows Live Messenger-->MsiExec.exe /X{0AAA9C97-74D4-47CE-B089-0B147EF3553C}
Windows Live OneCare safety scanner-->RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Rights Management Client Backwards Compatibility SP2-->MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
Windows Rights Management Client with Service Pack 2-->MsiExec.exe /X{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WMPTagSupportExtender-->MsiExec.exe /I{7AEBFFF0-15A1-48A9-88F3-06604486C7C9}
Xvid 1.1.3 final uninstall-->"C:\Program Files\Xvid\unins000.exe"

======Hosts File======

127.255.255.255 serial.alcohol-soft.com

======Security center information======

AV: AVG Anti-Virus Free

======System event log======

Computer Name: LAPTOP
Event Code: 7009
Message: Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.

Record Number: 17054
Source Name: Service Control Manager
Time Written: 20090629135807.000000+060
Event Type: error
User:

Computer Name: LAPTOP
Event Code: 1002
Message: The IP address lease 192.168.0.5 for the Network Card with network address 00904BEB7971 has been
denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

Record Number: 17053
Source Name: Dhcp
Time Written: 20090629135605.000000+060
Event Type: error
User:

Computer Name: LAPTOP
Event Code: 257
Message: Timed out sending notification of target device change to window of "WndClass_CWinDrivesNotifyerHelperWindow"

Record Number: 17042
Source Name: PlugPlayManager
Time Written: 20090628225435.000000+060
Event Type: warning
User:

Computer Name: LAPTOP
Event Code: 257
Message: Timed out sending notification of target device change to window of "WndClass_CWinDrivesNotifyerHelperWindow"

Record Number: 17040
Source Name: PlugPlayManager
Time Written: 20090628225405.000000+060
Event Type: warning
User:

Computer Name: LAPTOP
Event Code: 257
Message: Timed out sending notification of target device change to window of "WndClass_CWinDrivesNotifyerHelperWindow"

Record Number: 17037
Source Name: PlugPlayManager
Time Written: 20090628225335.000000+060
Event Type: warning
User:

=====Application event log=====

Computer Name: LAPTOP
Event Code: 1000
Message: Faulting application superantispyware.exe, version 4.28.0.1010, faulting module superantispyware.exe, version 4.28.0.1010, fault address 0x00004387.

Record Number: 11
Source Name: Application Error
Time Written: 20090913195244.000000+060
Event Type: error
User:

Computer Name: LAPTOP
Event Code: 1000
Message: Faulting application superantispyware.exe, version 4.28.0.1010, faulting module superantispyware.exe, version 4.28.0.1010, fault address 0x00004387.

Record Number: 9
Source Name: Application Error
Time Written: 20090913195148.000000+060
Event Type: error
User:

Computer Name: LAPTOP
Event Code: 1000
Message: Faulting application googleupdate.exe, version 1.2.131.7, faulting module googleupdate.exe, version 1.2.131.7, fault address 0x00006eef.

Record Number: 8
Source Name: Application Error
Time Written: 20090913195125.000000+060
Event Type: error
User:

Computer Name: LAPTOP
Event Code: 1000
Message: Faulting application superantispyware.exe, version 4.28.0.1010, faulting module superantispyware.exe, version 4.28.0.1010, fault address 0x00004387.

Record Number: 2
Source Name: Application Error
Time Written: 20090913194827.000000+060
Event Type: error
User:

Computer Name: LAPTOP
Event Code: 1000
Message: Faulting application superantispyware.exe, version 4.28.0.1010, faulting module superantispyware.exe, version 4.28.0.1010, fault address 0x00004387.

Record Number: 1
Source Name: Application Error
Time Written: 20090913193904.000000+060
Event Type: error
User:

=====Security event log=====

Computer Name: LAPTOP
Event Code: 576
Message: Special privileges assigned to new logon:

User Name: NETWORK SERVICE

Domain: NT AUTHORITY

Logon ID: (0x0,0x3E4)

Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege

Record Number: 13081
Source Name: Security
Time Written: 20090819195004.000000+060
Event Type: audit success
User: NT AUTHORITY\NETWORK SERVICE

Computer Name: LAPTOP
Event Code: 528
Message: Successful Logon:

User Name: NETWORK SERVICE

Domain: NT AUTHORITY

Logon ID: (0x0,0x3E4)

Logon Type: 5

Logon Process: Advapi

Authentication Package: Negotiate

Workstation Name:

Logon GUID: -

Record Number: 13080
Source Name: Security
Time Written: 20090819195004.000000+060
Event Type: audit success
User: NT AUTHORITY\NETWORK SERVICE

Computer Name: LAPTOP
Event Code: 576
Message: Special privileges assigned to new logon:

User Name: NETWORK SERVICE

Domain: NT AUTHORITY

Logon ID: (0x0,0x3E4)

Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege

Record Number: 13079
Source Name: Security
Time Written: 20090819195003.000000+060
Event Type: audit success
User: NT AUTHORITY\NETWORK SERVICE

Computer Name: LAPTOP
Event Code: 528
Message: Successful Logon:

User Name: NETWORK SERVICE

Domain: NT AUTHORITY

Logon ID: (0x0,0x3E4)

Logon Type: 5

Logon Process: Advapi

Authentication Package: Negotiate

Workstation Name:

Logon GUID: -

Record Number: 13078
Source Name: Security
Time Written: 20090819195003.000000+060
Event Type: audit success
User: NT AUTHORITY\NETWORK SERVICE

Computer Name: LAPTOP
Event Code: 515
Message: A trusted logon process has registered with the Local Security Authority.
This logon process will be trusted to submit logon requests.




Logon Process Name: Secondary Logon Service

Record Number: 13077
Source Name: Security
Time Written: 20090819194855.000000+060
Event Type: audit success
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Teleca Shared;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Roxio Shared\DLLShared\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 1, GenuineIntel
"PROCESSOR_REVISION"=0401
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------

And here is the log.txt file:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-09-29 08:36:25
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 29 GB (38%) free of 76 GB
Total RAM: 2046 MB (67% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:36:37, on 29/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Input Director\IDWinService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Input Director\InputDirectorSessionHelper.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
C:\Documents and Settings\Owner\Desktop\RSIT (1).exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [boincmgr] "C:\Program Files\BOINC\boincmgr.exe" /a /s
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [12CFG214-K641-24SF-N84P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1858\port88.exe
O4 - HKCU\..\Run: [12CFG214-K641-12SF-N85P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm302YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://cdnrep.reimage.com
O16 - DPF: {10ECCE17-29B5-4880-A8F5-EAD298611484} (ReiEngine Class) - http://cdnrep.reimage.com/reix1214.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...etup1.0.1.1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213699945235
O17 - HKLM\System\CCS\Services\Tcpip\..\{5628D3CA-710D-4701-938E-43F3CE86C914}: NameServer = 192.168.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Input Director Service (InputDirector) - Unknown owner - C:\Program Files\Input Director\IDWinService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 13605 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1532298954-839522115-1003Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1532298954-839522115-1003UA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-06-17 308856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ca2f312-6f6e-4b53-a66e-4e65e497c8c0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-09-13 1111320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-14 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
AVG Security Toolbar BHO - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll [2009-07-24 1090816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{aa58ed58-01dd-4d91-8333-cf10577473f7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-09-13 256112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{af69de43-7d58-4638-b6fa-ce66b5ad205d}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll [2009-09-13 761840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c84d72fe-e17d-4195-bb24-76c02e2e7c4e}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll [2009-09-13 458736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-14 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-14 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - AVG Security Toolbar - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll [2009-07-24 1090816]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-09-13 256112]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2004-11-04 98394]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2007-09-15 1015808]
"Cpqset"=C:\Program Files\HPQ\Default Settings\cpqset.exe [2004-10-22 229438]
"eabconfg.cpl"=C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe [2004-12-03 290816]
"hpWirelessAssistant"=C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [2004-12-08 790528]
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [2007-03-01 153136]
"ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe [2008-08-25 1168264]
"SynTPStart"=C:\Program Files\Synaptics\SynTP\SynTPStart.exe [2007-09-15 102400]
"boincmgr"=C:\Program Files\BOINC\boincmgr.exe [2008-12-09 4289280]
"LogMeIn GUI"=C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [2008-07-24 63048]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-06-17 185896]
"BlackBerryAutoUpdate"=C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe [2009-07-01 623960]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-05-13 177472]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-06-05 292136]
""= []
"RoxWatchTray"=C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [2009-04-11 236016]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-09-13 2007832]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-06-17 68856]
"Google Update"=C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-13 133104]
"TomTomHOME.exe"=C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe [2009-04-08 251240]
"ISUSPM"=C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2008-10-24 206112]
"12CFG214-K641-24SF-N84P"=C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1858\port88.exe []
"12CFG214-K641-12SF-N85P"=C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-05-13 177472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2006-07-25 344064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe [2009-07-01 623960]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-13 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-05-08 54840]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe [2007-12-13 1688872]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2008-10-24 206112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [2008-07-24 63048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe /m=2 /w []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Plugin]
rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe [2007-12-03 2213160]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2009-05-26 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ReimageAgent]
C:\Program Files\Reimage\rei_agent.exe [2009-01-12 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [2009-04-11 236016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-14 136600]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-06-17 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-06-17 185896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
C:\Program Files\TomTom HOME 2\HOMERunner.exe [2008-09-26 206184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2006-07-25 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-09-13 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
C:\WINDOWS\system32\LMIinit.dll [2008-10-16 87352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Input Director\InputDirector.exe"="C:\Program Files\Input Director\InputDirector.exe:*:Enabled:Input Director"
"C:\Program Files\Input Director\InputDirectorSessionHelper.exe"="C:\Program Files\Input Director\InputDirectorSessionHelper.exe:*:Enabled:Input Director Session Helper"
"C:\Program Files\Vuze\Azureus.exe"="C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus"
"C:\Program Files\SopCast\adv\SopAdver.exe"="C:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\Program Files\SopCast\SopCast.exe"="C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\Program Files\TVUPlayer\TVUPlayer.exe"="C:\Program Files\TVUPlayer\TVUPlayer.exe:*:Enabled:TVUPlayer Component"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Spotify\spotify.exe"="C:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Documents and Settings\Owner\Local Settings\Temp\439.exe"="C:\Documents and Settings\Owner\Local Settings\Temp\439.exe:*:Disabled:439"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Input Director\InputDirector.exe"="C:\Program Files\Input Director\InputDirector.exe:*:Enabled:Input Director"
"C:\Program Files\Input Director\InputDirectorSessionHelper.exe"="C:\Program Files\Input Director\InputDirectorSessionHelper.exe:*:Enabled:Input Director Session Helper"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

======List of files/folders created in the last 1 months======

2009-09-29 08:36:25 ----D---- C:\rsit
2009-09-28 17:25:31 ----A---- C:\WINDOWS\system32\UACimpsmswibr.dll.XXX
2009-09-14 07:51:05 ----A---- C:\RootRepeal report 09-14-09 (07-51-05).txt
2009-09-13 16:36:12 ----A---- C:\Documents and Settings\All Users\Application Data\N360BUOptions.ini
2009-09-13 13:39:00 ----A---- C:\WINDOWS\ntbtlog.txt
2009-09-13 12:50:37 ----HD---- C:\$AVG8.VAULT$
2009-09-13 12:45:32 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-09-13 12:45:32 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-13 12:23:36 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-09-13 12:22:35 ----D---- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
2009-09-13 12:22:17 ----D---- C:\Program Files\AVG
2009-09-13 12:22:16 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-09-13 12:21:39 ----SHD---- C:\Config.Msi
2009-09-13 12:15:43 ----D---- C:\Documents and Settings\Owner\Application Data\AVG8
2009-09-13 09:32:05 ----A---- C:\WINDOWS\system32\UACwegfgpjniu.dll.XXX
2009-09-13 09:31:50 ----A---- C:\WINDOWS\system32\UACrqjlkroxfq.dll.XXX
2009-09-13 09:31:32 ----A---- C:\WINDOWS\system32\uacinit.dll
2009-09-13 09:30:37 ----A---- C:\xubdc.exe

======List of files/folders modified in the last 1 months======

2009-09-29 08:36:06 ----D---- C:\Documents and Settings\All Users\Application Data\BOINC
2009-09-29 08:35:51 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-09-29 08:35:49 ----D---- C:\WINDOWS\Temp
2009-09-29 08:34:08 ----D---- C:\WINDOWS\system32
2009-09-29 08:34:04 ----D---- C:\WINDOWS\system32\drivers
2009-09-29 08:32:25 ----SD---- C:\WINDOWS\Tasks
2009-09-28 23:33:00 ----D---- C:\WINDOWS\system32\CatRoot2
2009-09-28 23:20:06 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-09-28 14:29:40 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-09-14 07:45:51 ----D---- C:\WINDOWS
2009-09-13 16:44:09 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-09-13 16:42:09 ----D---- C:\Program Files
2009-09-13 16:42:06 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2009-09-13 16:41:57 ----SHD---- C:\WINDOWS\Installer
2009-09-13 16:40:31 ----HD---- C:\WINDOWS\inf
2009-09-13 16:39:12 ----D---- C:\Program Files\Common Files
2009-09-13 16:25:59 ----D---- C:\WINDOWS\system32\Restore
2009-09-13 14:02:14 ----SHD---- C:\System Volume Information
2009-09-13 13:39:44 ----D---- C:\Documents and Settings
2009-09-13 12:41:00 ----A---- C:\WINDOWS\win.ini
2009-09-13 10:10:16 ----D---- C:\WINDOWS\Prefetch
2009-09-13 09:31:18 ----RSHDC---- C:\WINDOWS\system32\dllcache

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgldx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-09-13 335240]
R1 avgmfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-09-13 27784]
R1 avgtdix;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-09-13 108552]
R1 eabfiltr;EABFiltr; \??\C:\WINDOWS\system32\drivers\EABFiltr.sys []
R1 IKSysFlt;System Filter Driver; C:\WINDOWS\system32\drivers\iksysflt.sys [2008-08-25 66952]
R1 IKSysSec;System Security Driver; C:\WINDOWS\system32\drivers\iksyssec.sys [2008-08-25 81288]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys []
R2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys []
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-07-25 1681408]
R3 BCM43XX;Broadcom 802.11 Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2008-10-23 1391104]
R3 CAMCAUD;Conexant AMC 3D Environmental Audio; C:\WINDOWS\system32\drivers\camcaud.sys [2004-11-17 293120]
R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camchal.sys [2004-11-17 280192]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 echondgo;Indigo Service; C:\WINDOWS\system32\drivers\echondgo.sys [2007-10-06 133760]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2009-03-19 23400]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-12-15 1038208]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys [2004-12-15 207232]
R3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys [2008-07-24 10144]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2009-01-09 27136]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
R3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2008-02-25 105088]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2007-09-15 213696]
R3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2004-11-08 85504]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-12-15 703232]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 BlueletAudio;Bluetooth Audio Service; C:\WINDOWS\system32\DRIVERS\blueletaudio.sys []
S3 BlueletSCOAudio;Bluetooth SCO Audio Service; C:\WINDOWS\system32\DRIVERS\BlueletSCOAudio.sys []
S3 BT;Bluetooth PAN Network Adapter; C:\WINDOWS\system32\DRIVERS\btnetdrv.sys []
S3 Btcsrusb;Bluetooth USB For Bluetooth Service; C:\WINDOWS\System32\Drivers\btcusb.sys []
S3 cpuz128;cpuz128; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\cpuz_x32.sys []
S3 eabusb;eabusb; \??\C:\WINDOWS\system32\drivers\eabusb.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2004-12-14 51120]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2004-12-14 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2004-12-14 21744]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\NSNDIS5.SYS []
S3 RimUsb;BlackBerry Smartphone; C:\WINDOWS\System32\Drivers\RimUsb.sys []
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 SeratoUsb;SeratoUsb driver; C:\WINDOWS\System32\Drivers\SeratoUsb.sys [2006-03-16 35712]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP; C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-06-05 39424]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 VComm;Virtual Serial port driver; C:\WINDOWS\system32\DRIVERS\VComm.sys []
S3 VcommMgr;Bluetooth VComm Manager Service; C:\WINDOWS\System32\Drivers\VcommMgr.sys []
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 LMIRfsClientNP;LMIRfsClientNP; C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-06-05 144712]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-07-25 401408]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-09-13 297752]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 InputDirector;Input Director Service; C:\Program Files\Input Director\IDWinService.exe [2008-09-10 32768]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-14 152984]
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3; C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe [2007-12-03 869672]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2007-08-09 73728]
R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
R2 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2008-10-09 1079176]
R2 TomTomHOMEService;TomTomHOMEService; C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe [2009-04-08 92008]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service; C:\WINDOWS\System32\TUProgSt.exe [2009-01-04 603904]
R2 UxTuneUp;TuneUp Theme Extension; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R3 hpqwmi;HP WMI Interface; C:\Program Files\HPQ\shared\hpqwmi.exe [2004-11-18 98304]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-06-05 541992]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-04 182768]
S2 Roxio Upnp Server 9;Roxio Upnp Server 9; C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe [2007-12-06 362992]
S2 RoxLiveShare9;LiveShare P2P Server 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe [2009-04-11 313840]
S2 RoxWatch9;Roxio Hard Drive Watcher 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2009-04-11 170480]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2009-02-16 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe [2007-12-13 447784]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Roxio UPnP Renderer 9;Roxio UPnP Renderer 9; C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe [2007-12-06 88560]
S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2009-04-11 1108464]
S3 Symantec RemoteAssist;Symantec RemoteAssist; C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe [2008-02-01 394704]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service; C:\WINDOWS\System32\TuneUpDefragService.exe [2009-01-04 360192]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 LMIMaint;LogMeIn Maintenance Service; C:\Program Files\LogMeIn\x86\RaMaint.exe [2008-10-16 116032]
S4 LogMeIn;LogMeIn; C:\Program Files\LogMeIn\x86\LogMeIn.exe [2008-07-24 63040]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

Thanks again!

#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 29 September 2009 - 08:42 AM

Hi,

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Next

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window. If you do, click No.
  • Click on the Scan button and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push the Save button and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Please post back here with the following logs:
  • MBAM log
  • Gmer log
  • New Rsit log
Thanks



#7 dannyyoung

dannyyoung
  • Topic Starter

  • Members
  • 21 posts

Posted 29 September 2009 - 01:22 PM

OK. Blimey, that GMER scan takes ages! Here is the next round of logs - MBAM first:

Malwarebytes' Anti-Malware 1.41
Database version: 2871
Windows 5.1.2600 Service Pack 3

29/09/2009 15:15:56
mbam-log-2009-09-29 (15-15-56).txt

Scan type: Quick Scan
Objects scanned: 111520
Time elapsed: 8 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 25
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12cfg214-k641-24sf-n84p (Worm.AutoRun) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12cfg214-k641-12sf-n85p (Worm.AutoRun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\s-1-5-21-0243936033-3052116371-381863308-1858 (Worm.Autorun) -> Quarantined and deleted successfully.

Files Infected:
C:\xubdc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1858\port88.exe.XXX (Trojan.Slenugga) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACwegfgpjniu.dll.XXX (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACqptsnitnop.sys.XXX (Trojan.TDSS.T) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\UACde40.tmp.XXX (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\232.exe.XXX (Trojan.Slenugga) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\UACa7d9.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\988.exe.XXX (Trojan.Slenugga) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\439.exe.XXX (Trojan.Ranky) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\M1FF93PU\lmqz[1].exe.XXX (Trojan.Slenugga) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\s-1-5-21-0243936033-3052116371-381863308-1858\Desktop.ini (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACqrxoyuypbg.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.

#8 dannyyoung

dannyyoung
  • Topic Starter

  • Members
  • 21 posts

Posted 29 September 2009 - 01:25 PM

Next the GMER log:

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-29 19:12:47
Windows 5.1.2600 Service Pack 3
Running: g70d7m8u.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\uxtdapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\drivers\bcf8db15.sys ZwCreateEvent [0xED15FA15] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\drivers\bcf8db15.sys ZwCreateKey [0xED15DA05] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0xED400794] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0xED400F1E] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteKey [0xED4041F0] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteValueKey [0xED40442A] <-- ROOTKIT !!!
SSDT spca.sys ZwEnumerateKey [0xF72A6CA2] <-- ROOTKIT !!!
SSDT spca.sys ZwEnumerateValueKey [0xF72A7030] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\drivers\bcf8db15.sys ZwOpenKey [0xED15DAC5] <-- ROOTKIT !!!
SSDT spca.sys ZwQueryKey [0xF72A7108] <-- ROOTKIT !!!
SSDT spca.sys ZwQueryValueKey [0xF72A6F88] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwRenameKey [0xED40512A] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwSetValueKey [0xED40483C] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwTerminateProcess [0xED3FFD0A] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0xED3FF384] <-- ROOTKIT !!!

INT 0x62 ? 8AB44BF8
INT 0x83 ? 8A96BBF8
INT 0x94 ? 8A96BBF8
INT 0xA4 ? 8A96BBF8
INT 0xB4 ? 8A96BBF8

---- Kernel code sections - GMER 1.0.15 ----

? spca.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F67EC8AC 5 Bytes JMP 8A96B1D8
? C:\WINDOWS\System32\drivers\bcf8db15.sys The system cannot find the file specified.
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[196] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00AF0001
.text C:\WINDOWS\system32\svchost.exe[196] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\svchost.exe[196] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[348] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\WINDOWS\System32\alg.exe[348] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E30001
.text C:\WINDOWS\System32\alg.exe[348] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\System32\alg.exe[348] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[356] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[356] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F00001
.text C:\WINDOWS\system32\svchost.exe[356] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\svchost.exe[356] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003F0001
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[564] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[612] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\Ati2evxx.exe[612] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00900001
.text C:\WINDOWS\system32\Ati2evxx.exe[612] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[612] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[780] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[780] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FE0001
.text C:\WINDOWS\system32\spoolsv.exe[780] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\spoolsv.exe[780] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\HPZipm12.exe[860] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\HPZipm12.exe[860] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B70001
.text C:\WINDOWS\system32\HPZipm12.exe[860] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\HPZipm12.exe[860] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00ED0001
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[984] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01080001
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1068] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]

continued....

#9 dannyyoung

dannyyoung
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:10:14 PM

Posted 29 September 2009 - 01:27 PM

continued...


.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003E0001
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Documents and Settings\Owner\Desktop\g70d7m8u.exe[1092] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00840001
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1232] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1264] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\csrss.exe[1264] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02DC0001
.text C:\WINDOWS\system32\csrss.exe[1264] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\csrss.exe[1264] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1268] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\WINDOWS\Explorer.EXE[1268] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CC0001
.text C:\WINDOWS\Explorer.EXE[1268] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\Explorer.EXE[1268] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\IDWinService.exe[1356] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\Program Files\Input Director\IDWinService.exe[1356] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00AA0001
.text C:\Program Files\Input Director\IDWinService.exe[1356] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Program Files\Input Director\IDWinService.exe[1356] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A20001
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Program Files\Input Director\InputDirectorSessionHelper.exe[1360] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E70001
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[1376] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1464] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\winlogon.exe[1464] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01220001
.text C:\WINDOWS\system32\winlogon.exe[1464] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\winlogon.exe[1464] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1540] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\services.exe[1540] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00060001
.text C:\WINDOWS\system32\services.exe[1540] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\services.exe[1540] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1552] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\lsass.exe[1552] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D30001
.text C:\WINDOWS\system32\lsass.exe[1552] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\lsass.exe[1552] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msiexec.exe[1600] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\msiexec.exe[1600] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CA0001
.text C:\WINDOWS\system32\msiexec.exe[1600] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\msiexec.exe[1600] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 070D0001
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1780] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01090001
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[1792] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FD0001
.text C:\WINDOWS\system32\svchost.exe[1804] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\svchost.exe[1804] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C90001
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1824] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E90001
.text C:\WINDOWS\system32\svchost.exe[1888] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\svchost.exe[1888] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1928] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 03310001
.text C:\WINDOWS\System32\svchost.exe[1928] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\System32\svchost.exe[1928] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[2012] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00650001
.text C:\WINDOWS\system32\svchost.exe[2012] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\svchost.exe[2012] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01230001
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2032] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003F0001
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe[2124] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 006B0001
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Program Files\HPQ\shared\hpqwmi.exe[2328] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[2404] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[2404] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[2404] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[2404] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[2404] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[2404] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[2404] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[2404] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[2404] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[2404] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[2404] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[2404] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[2404] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3300] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3300] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3300] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3300] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3300] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3300] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3300] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3300] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3300] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3300] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3300] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3300] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3300] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3300] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3300] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3300] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3300] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01270001
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3300] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3300] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[3492] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[3492] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EC0001
.text C:\WINDOWS\system32\svchost.exe[3492] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\svchost.exe[3492] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02FB0001
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[3520] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iPod\bin\iPodService.exe[3624] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\Program Files\iPod\bin\iPodService.exe[3624] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01BE0001
.text C:\Program Files\iPod\bin\iPodService.exe[3624] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Program Files\iPod\bin\iPodService.exe[3624] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00740001
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[3628] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[3700] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0044A809 C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B30001
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[3732] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01B20001
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3748] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[3908] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[3908] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CD0001
.text C:\WINDOWS\system32\ctfmon.exe[3908] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\ctfmon.exe[3908] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\TUProgSt.exe[3972] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\WINDOWS\System32\TUProgSt.exe[3972] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 006E0001
.text C:\WINDOWS\System32\TUProgSt.exe[3972] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\System32\TUProgSt.exe[3972] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 013D0001
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4084] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F728A046] spca.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F728A142] spca.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F728A0C4] spca.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F728A7CE] spca.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F728A6A4] spca.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7295D7A] spca.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs bcf8db15.sys
Device \FileSystem\Ntfs \Ntfs 8ABB21F8
Device \FileSystem\Fastfat \FatCdrom 8A08A500

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip bcf8db15.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)

Device \Driver\NetBT \Device\NetBT_Tcpip_{5628D3CA-710D-4701-938E-43F3CE86C914} 8A2A31F8

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)

Device \Driver\usbuhci \Device\USBPDO-0 8A9561F8
Device \Driver\usbuhci \Device\USBPDO-1 8A9561F8
Device \Driver\usbuhci \Device\USBPDO-2 8A9561F8
Device \Driver\usbuhci \Device\USBPDO-3 8A9561F8
Device \Driver\usbehci \Device\USBPDO-4 8A9291F8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp bcf8db15.sys

Device \Driver\avgtdix \Device\AvgTdi bcf8db15.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 8ABB41F8
Device \Driver\Cdrom \Device\CdRom0 8A8CC1F8
Device \Driver\USBSTOR \Device\00000090 8A7BA500
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A2A31F8
Device \Driver\USBSTOR \Device\00000091 8A7BA500
Device \Driver\NetBT \Device\NetbiosSmb 8A2A31F8

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp bcf8db15.sys
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp bcf8db15.sys

Device \Driver\usbuhci \Device\USBFDO-0 8A9561F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B881F828-C410-4D51-9AB4-0B6346D9B5C8} 8A2A31F8
Device \Driver\usbuhci \Device\USBFDO-1 8A9561F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A1241F8
Device \Driver\usbuhci \Device\USBFDO-2 8A9561F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A1241F8
Device \Driver\usbuhci \Device\USBFDO-3 8A9561F8
Device \Driver\usbehci \Device\USBFDO-4 8A9291F8
Device \Driver\Ftdisk \Device\FtControl 8ABB41F8
Device \Driver\imagedrv \Device\Scsi\imagedrv1 8ABB31F8
Device \FileSystem\Fastfat \Fat 8A08A500

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 8A77D500

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\drivers\bcf8db15.sys (*** hidden *** ) [SYSTEM] bcf8db15 <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\bcf8db15@ImagePath \SystemRoot\System32\drivers\bcf8db15.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\bcf8db15@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\bcf8db15@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\bcf8db15@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\bcf8db15@kadfmmqr 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\bcf8db15@F96ZK6nPB Y29tcC1hbnkuYml6
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\bcf8db15@ImagePath \SystemRoot\System32\drivers\bcf8db15.sys
Reg HKLM\SYSTEM\ControlSet003\Services\bcf8db15@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\bcf8db15@Start 1
Reg HKLM\SYSTEM\ControlSet003\Services\bcf8db15@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet003\Services\bcf8db15@kadfmmqr 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys@imagepath \systemroot\system32\drivers\UACqptsnitnop.sys
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACqptsnitnop.sys
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACavyqjwpyqb.dll
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACimpsmswibr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACqrxoyuypbg.dat
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACrqjlkroxfq.dll
Reg HKLM\SYSTEM\ControlSet003\Services\uacd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACwegfgpjniu.dll
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 35
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset004\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset004\Services\bcf8db15@ImagePath \SystemRoot\System32\drivers\bcf8db15.sys
Reg HKLM\SYSTEM\controlset004\Services\bcf8db15@Type 1
Reg HKLM\SYSTEM\controlset004\Services\bcf8db15@Start 1
Reg HKLM\SYSTEM\controlset004\Services\bcf8db15@ErrorControl 1
Reg HKLM\SYSTEM\controlset004\Services\bcf8db15@kadfmmqr 1
Reg HKLM\SYSTEM\controlset004\Services\bcf8db15@F96ZK6nPB Y29tcC1hbnkuYml6
Reg HKLM\SYSTEM\controlset004\Services\MRxDAV\EncryptedDirectories@
Reg HKLM\SYSTEM\controlset004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04

---- EOF - GMER 1.0.15 ----



And finally the new RSIT log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-09-29 19:13:03
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 29 GB (38%) free of 76 GB
Total RAM: 2046 MB (66% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:13:06, on 29/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Input Director\IDWinService.exe
C:\Program Files\Input Director\InputDirectorSessionHelper.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\BOINC\boinc.exe
C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
C:\Documents and Settings\Owner\Desktop\RSIT (1).exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [boincmgr] "C:\Program Files\BOINC\boincmgr.exe" /a /s
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://cdnrep.reimage.com
O16 - DPF: {10ECCE17-29B5-4880-A8F5-EAD298611484} (ReiEngine Class) - http://cdnrep.reimage.com/reix1214.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213699945235
O17 - HKLM\System\CCS\Services\Tcpip\..\{5628D3CA-710D-4701-938E-43F3CE86C914}: NameServer = 192.168.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Input Director Service (InputDirector) - Unknown owner - C:\Program Files\Input Director\IDWinService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 13008 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1532298954-839522115-1003Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1532298954-839522115-1003UA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-06-17 308856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ca2f312-6f6e-4b53-a66e-4e65e497c8c0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-09-13 1111320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-14 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
AVG Security Toolbar BHO - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll [2009-07-24 1090816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{aa58ed58-01dd-4d91-8333-cf10577473f7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-09-13 256112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{af69de43-7d58-4638-b6fa-ce66b5ad205d}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll [2009-09-29 762864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c84d72fe-e17d-4195-bb24-76c02e2e7c4e}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll [2009-09-13 458736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-14 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-14 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - AVG Security Toolbar - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll [2009-07-24 1090816]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-09-13 256112]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2004-11-04 98394]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2007-09-15 1015808]
"Cpqset"=C:\Program Files\HPQ\Default Settings\cpqset.exe [2004-10-22 229438]
"eabconfg.cpl"=C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe [2004-12-03 290816]
"hpWirelessAssistant"=C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [2004-12-08 790528]
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [2007-03-01 153136]
"ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe [2008-08-25 1168264]
"SynTPStart"=C:\Program Files\Synaptics\SynTP\SynTPStart.exe [2007-09-15 102400]
"boincmgr"=C:\Program Files\BOINC\boincmgr.exe [2008-12-09 4289280]
"LogMeIn GUI"=C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [2008-07-24 63048]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-06-17 185896]
"BlackBerryAutoUpdate"=C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe [2009-07-01 623960]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-05-13 177472]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-06-05 292136]
""= []
"RoxWatchTray"=C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [2009-04-11 236016]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-09-13 2007832]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-06-17 68856]
"Google Update"=C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-13 133104]
"TomTomHOME.exe"=C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe [2009-04-08 251240]
"ISUSPM"=C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2008-10-24 206112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-05-13 177472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2006-07-25 344064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe [2009-07-01 623960]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-13 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-05-08 54840]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe [2007-12-13 1688872]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2008-10-24 206112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [2008-07-24 63048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe /m=2 /w []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Plugin]
rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe [2007-12-03 2213160]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2009-05-26 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ReimageAgent]
C:\Program Files\Reimage\rei_agent.exe [2009-01-12 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [2009-04-11 236016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-14 136600]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-06-17 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-06-17 185896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
C:\Program Files\TomTom HOME 2\HOMERunner.exe [2008-09-26 206184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2006-07-25 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-09-13 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
C:\WINDOWS\system32\LMIinit.dll [2008-10-16 87352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Input Director\InputDirector.exe"="C:\Program Files\Input Director\InputDirector.exe:*:Enabled:Input Director"
"C:\Program Files\Input Director\InputDirectorSessionHelper.exe"="C:\Program Files\Input Director\InputDirectorSessionHelper.exe:*:Enabled:Input Director Session Helper"
"C:\Program Files\Vuze\Azureus.exe"="C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus"
"C:\Program Files\SopCast\adv\SopAdver.exe"="C:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\Program Files\SopCast\SopCast.exe"="C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\Program Files\TVUPlayer\TVUPlayer.exe"="C:\Program Files\TVUPlayer\TVUPlayer.exe:*:Enabled:TVUPlayer Component"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Spotify\spotify.exe"="C:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Documents and Settings\Owner\Local Settings\Temp\439.exe"="C:\Documents and Settings\Owner\Local Settings\Temp\439.exe:*:Disabled:439"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Input Director\InputDirector.exe"="C:\Program Files\Input Director\InputDirector.exe:*:Enabled:Input Director"
"C:\Program Files\Input Director\InputDirectorSessionHelper.exe"="C:\Program Files\Input Director\InputDirectorSessionHelper.exe:*:Enabled:Input Director Session Helper"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

======List of files/folders created in the last 1 months======

2009-09-29 08:40:43 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2009-09-29 08:40:35 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-09-29 08:40:35 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-09-29 08:36:25 ----D---- C:\rsit
2009-09-28 17:25:31 ----A---- C:\WINDOWS\system32\UACimpsmswibr.dll.XXX
2009-09-14 07:51:05 ----A---- C:\RootRepeal report 09-14-09 (07-51-05).txt
2009-09-13 16:36:12 ----A---- C:\Documents and Settings\All Users\Application Data\N360BUOptions.ini
2009-09-13 13:39:00 ----A---- C:\WINDOWS\ntbtlog.txt
2009-09-13 12:50:37 ----HD---- C:\$AVG8.VAULT$
2009-09-13 12:45:32 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-09-13 12:45:32 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-13 12:23:36 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-09-13 12:22:35 ----D---- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
2009-09-13 12:22:17 ----D---- C:\Program Files\AVG
2009-09-13 12:22:16 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-09-13 12:21:39 ----SHD---- C:\Config.Msi
2009-09-13 12:15:43 ----D---- C:\Documents and Settings\Owner\Application Data\AVG8
2009-09-13 09:31:50 ----A---- C:\WINDOWS\system32\UACrqjlkroxfq.dll.XXX

======List of files/folders modified in the last 1 months======

2009-09-29 19:12:30 ----D---- C:\Documents and Settings\All Users\Application Data\BOINC
2009-09-29 15:30:22 ----SD---- C:\WINDOWS\Tasks
2009-09-29 15:30:18 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-09-29 15:21:39 ----D---- C:\WINDOWS\system32\drivers
2009-09-29 15:21:38 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-09-29 15:21:29 ----D---- C:\WINDOWS\Temp
2009-09-29 15:17:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-09-29 15:15:56 ----RSHD---- C:\RECYCLER
2009-09-29 15:15:56 ----D---- C:\WINDOWS\system32
2009-09-29 08:40:35 ----D---- C:\Program Files
2009-09-28 23:33:00 ----D---- C:\WINDOWS\system32\CatRoot2
2009-09-14 07:45:51 ----D---- C:\WINDOWS
2009-09-13 16:44:09 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-09-13 16:42:06 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2009-09-13 16:41:57 ----SHD---- C:\WINDOWS\Installer
2009-09-13 16:40:31 ----HD---- C:\WINDOWS\inf
2009-09-13 16:39:12 ----D---- C:\Program Files\Common Files
2009-09-13 16:25:59 ----D---- C:\WINDOWS\system32\Restore
2009-09-13 14:02:14 ----SHD---- C:\System Volume Information
2009-09-13 13:39:44 ----D---- C:\Documents and Settings
2009-09-13 12:41:00 ----A---- C:\WINDOWS\win.ini
2009-09-13 10:10:16 ----D---- C:\WINDOWS\Prefetch
2009-09-13 09:31:18 ----RSHDC---- C:\WINDOWS\system32\dllcache

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgldx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-09-13 335240]
R1 avgmfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-09-13 27784]
R1 avgtdix;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-09-13 108552]
R1 eabfiltr;EABFiltr; \??\C:\WINDOWS\system32\drivers\EABFiltr.sys []
R1 IKSysFlt;System Filter Driver; C:\WINDOWS\system32\drivers\iksysflt.sys [2008-08-25 66952]
R1 IKSysSec;System Security Driver; C:\WINDOWS\system32\drivers\iksyssec.sys [2008-08-25 81288]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys []
R2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys []
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-07-25 1681408]
R3 BCM43XX;Broadcom 802.11 Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2008-10-23 1391104]
R3 CAMCAUD;Conexant AMC 3D Environmental Audio; C:\WINDOWS\system32\drivers\camcaud.sys [2004-11-17 293120]
R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camchal.sys [2004-11-17 280192]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 echondgo;Indigo Service; C:\WINDOWS\system32\drivers\echondgo.sys [2007-10-06 133760]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2009-03-19 23400]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-12-15 1038208]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys [2004-12-15 207232]
R3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys [2008-07-24 10144]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2009-01-09 27136]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
R3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2008-02-25 105088]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2007-09-15 213696]
R3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2004-11-08 85504]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-12-15 703232]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 BlueletAudio;Bluetooth Audio Service; C:\WINDOWS\system32\DRIVERS\blueletaudio.sys []
S3 BlueletSCOAudio;Bluetooth SCO Audio Service; C:\WINDOWS\system32\DRIVERS\BlueletSCOAudio.sys []
S3 BT;Bluetooth PAN Network Adapter; C:\WINDOWS\system32\DRIVERS\btnetdrv.sys []
S3 Btcsrusb;Bluetooth USB For Bluetooth Service; C:\WINDOWS\System32\Drivers\btcusb.sys []
S3 cpuz128;cpuz128; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\cpuz_x32.sys []
S3 eabusb;eabusb; \??\C:\WINDOWS\system32\drivers\eabusb.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2004-12-14 51120]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2004-12-14 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2004-12-14 21744]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\NSNDIS5.SYS []
S3 RimUsb;BlackBerry Smartphone; C:\WINDOWS\System32\Drivers\RimUsb.sys []
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 SeratoUsb;SeratoUsb driver; C:\WINDOWS\System32\Drivers\SeratoUsb.sys [2006-03-16 35712]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP; C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-06-05 39424]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 uxtdapow;uxtdapow; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\uxtdapow.sys []
S3 VComm;Virtual Serial port driver; C:\WINDOWS\system32\DRIVERS\VComm.sys []
S3 VcommMgr;Bluetooth VComm Manager Service; C:\WINDOWS\System32\Drivers\VcommMgr.sys []
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 LMIRfsClientNP;LMIRfsClientNP; C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-06-05 144712]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-07-25 401408]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-09-13 297752]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 InputDirector;Input Director Service; C:\Program Files\Input Director\IDWinService.exe [2008-09-10 32768]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-14 152984]
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3; C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe [2007-12-03 869672]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2007-08-09 73728]
R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
R2 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2008-10-09 1079176]
R2 TomTomHOMEService;TomTomHOMEService; C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe [2009-04-08 92008]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service; C:\WINDOWS\System32\TUProgSt.exe [2009-01-04 603904]
R2 UxTuneUp;TuneUp Theme Extension; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R3 hpqwmi;HP WMI Interface; C:\Program Files\HPQ\shared\hpqwmi.exe [2004-11-18 98304]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-06-05 541992]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-04 182768]
S2 Roxio Upnp Server 9;Roxio Upnp Server 9; C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe [2007-12-06 362992]
S2 RoxLiveShare9;LiveShare P2P Server 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe [2009-04-11 313840]
S2 RoxWatch9;Roxio Hard Drive Watcher 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2009-04-11 170480]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2009-02-16 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe [2007-12-13 447784]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Roxio UPnP Renderer 9;Roxio UPnP Renderer 9; C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe [2007-12-06 88560]
S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2009-04-11 1108464]
S3 Symantec RemoteAssist;Symantec RemoteAssist; C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe [2008-02-01 394704]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service; C:\WINDOWS\System32\TuneUpDefragService.exe [2009-01-04 360192]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 LMIMaint;LogMeIn Maintenance Service; C:\Program Files\LogMeIn\x86\RaMaint.exe [2008-10-16 116032]
S4 LogMeIn;LogMeIn; C:\Program Files\LogMeIn\x86\LogMeIn.exe [2008-07-24 63040]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

Thanks, it finally feels like progress is being made! :(
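The driver and service sections of the RSIT log above follow the layout given in their header lines: state (R/S), start type (0-4), service name, display name, image path and a `[date size]` file stamp that is empty when the tool could not read the file. As an added example that is not part of the thread or of RSIT itself, here is a small Python parser for that layout with the two checks a helper applies first when reading such a list: drivers loading from a Temp folder, and entries with an empty file stamp; the sample lines are an excerpt of the log posted above.

```python
"""Triage helper for the driver/service sections of an RSIT log (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One driver/service line as RSIT prints it (layout per the section header):
#   <R|S><0-4> <service name>;<display name>; <image path> [<date> <size>]
# The stamp is "[]" when RSIT could not stat the file on disk.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]+);(?P<display>[^;]*); "
    r"(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$"
)

START_TYPES = {0: "Boot", 1: "System", 2: "Auto", 3: "Demand", 4: "Disabled"}


@dataclass
class Entry:
    running: bool
    start: int
    name: str
    display: str
    path: str
    date: Optional[str]   # None when the stamp is empty
    size: Optional[int]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one RSIT driver/service line; return None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date = size = None
    stamp = m.group("stamp").split()
    if len(stamp) == 2:
        date, size = stamp[0], int(stamp[1])
    return Entry(
        running=m.group("state") == "R",
        start=int(m.group("start")),
        name=m.group("name"),
        display=m.group("display"),
        path=m.group("path"),
        date=date,
        size=size,
    )


def normalize_path(path: str) -> str:
    """Drop the NT object-manager prefix some entries carry and lower-case for matching."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def triage(entry: Entry) -> List[str]:
    """Return the reasons a helper would look at this entry first (empty list = nothing odd)."""
    reasons = []
    if "\\temp\\" in normalize_path(entry.path):
        # A kernel driver registered from a user's Temp folder is always worth a look.
        reasons.append("loads from a Temp folder")
    if entry.date is None:
        # Orphaned service entry or a file the tool could not read. Leftovers from
        # uninstalled products land here too, so this means "check", not "malware".
        reasons.append("no file stamp (file on disk missing or unreadable)")
    return reasons


def describe(entry: Entry) -> str:
    state = "Running" if entry.running else "Stopped"
    return f"{entry.name} ({state}, {START_TYPES[entry.start]} start): {entry.path}"


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Parse a whole driver/service section and return (name, reasons) for flagged entries."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            flagged.append((entry.name, reasons))
    return flagged


# Excerpt of the RSIT driver list posted in this thread (header line plus five entries).
SAMPLE_LOG = r"""
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgldx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-09-13 335240]
R1 eabfiltr;EABFiltr; \??\C:\WINDOWS\system32\drivers\EABFiltr.sys []
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2007-09-15 213696]
S3 cpuz128;cpuz128; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\cpuz_x32.sys []
S3 uxtdapow;uxtdapow; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\uxtdapow.sys []
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        entry = parse_line(line)
        if entry and triage(entry):
            print(describe(entry), "->", "; ".join(triage(entry)))
```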

#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:10:14 PM

Posted 29 September 2009 - 06:01 PM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#11 dannyyoung

dannyyoung
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:10:14 PM

Posted 30 September 2009 - 01:35 AM

OK all done - here is the combofix log:

ComboFix 09-09-29.02 - Owner 30/09/2009 7:15.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1395 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-6061000912-4339382104-637806562-7859
c:\windows\Installer\e9fed.msi
c:\windows\system32\drivers\bcf8db15.sys
c:\windows\system32\oem46.inf
c:\windows\system32\UACimpsmswibr.dll.XXX
c:\windows\system32\UACrqjlkroxfq.dll.XXX

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_bcf8db15


((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))
.

2009-09-29 07:40 . 2009-09-29 07:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-09-29 07:40 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-29 07:40 . 2009-09-29 07:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-29 07:40 . 2009-09-29 07:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-29 07:40 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-29 07:36 . 2009-09-29 07:36 -------- d-----w- C:\rsit
2009-09-28 22:20 . 2009-09-28 22:20 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-13 12:41 . 2009-09-13 12:41 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-09-13 12:40 . 2009-09-13 12:40 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-13 11:50 . 2009-09-28 16:27 -------- d-----w- C:\$AVG8.VAULT$
2009-09-13 11:45 . 2009-09-13 11:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-13 11:45 . 2009-09-13 11:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-13 11:45 . 2009-09-13 11:45 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-09-13 11:40 . 2009-09-13 11:40 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-13 11:23 . 2009-09-13 11:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-13 11:23 . 2009-09-13 11:23 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-13 11:23 . 2009-09-13 11:23 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-13 11:23 . 2009-09-13 11:23 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-13 11:22 . 2009-09-29 14:01 -------- d-----w- c:\windows\system32\drivers\Avg
2009-09-13 11:22 . 2009-09-13 11:24 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-13 11:22 . 2009-09-13 11:22 -------- d-----w- c:\program files\AVG
2009-09-13 11:22 . 2009-09-28 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-13 11:15 . 2009-09-13 11:15 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-30 06:25 . 2008-06-17 21:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-30 06:07 . 2009-01-04 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\BOINC
2009-09-29 14:30 . 2008-06-17 13:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-13 15:44 . 2008-06-17 10:36 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-13 15:42 . 2008-06-17 10:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-13 11:56 . 2008-12-03 10:24 256 ----a-w- c:\windows\system32\pool.bin
2009-09-02 21:06 . 2008-06-17 09:42 87152 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-29 11:47 . 2008-12-03 10:13 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-08-29 11:47 . 2009-08-29 11:45 -------- d-----w- c:\program files\Roxio
2009-08-29 11:45 . 2008-12-03 10:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-08-29 11:45 . 2009-08-29 11:45 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-08-29 11:24 . 2008-12-03 10:06 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-08-24 06:24 . 2008-06-17 20:34 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 12:51 . 2008-08-19 20:08 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-02 08:31 . 2008-06-17 20:33 -------- d-----w- c:\program files\Vuze
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-03-31 21:47 . 2008-12-18 20:52 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2009-04-07 09:46 . 2009-04-07 09:46 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-04-07 09:46 . 2009-04-07 09:46 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-04-07 09:46 . 2009-04-07 09:47 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2008-02-07 20:46 . 2008-02-07 20:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-07 20:46 . 2008-02-07 20:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-07 20:46 . 2008-02-07 20:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-07 20:46 . 2008-02-07 20:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-07 20:46 . 2008-02-07 20:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-07 20:46 . 2008-02-07 20:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-07 20:46 . 2008-02-07 20:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-04-07 09:46 . 2009-04-07 09:46 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2007-03-16 16:27 . 2007-03-16 16:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 16:27 . 2007-03-16 16:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 16:27 . 2007-03-16 16:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 11:47 . 2007-07-20 11:47 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-07 20:46 . 2008-02-07 20:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-17 68856]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-13 133104]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-08 251240]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-10-22 229438]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2004-12-08 790528]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"boincmgr"="c:\program files\BOINC\boincmgr.exe" [2008-12-09 4289280]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-17 185896]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-01 623960]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-13 2007832]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-13 11:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"osCheck"="c:\program files\Norton 360\osCheck.exe"
"boinctray"="c:\program files\BOINC\boinctray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Input Director\\InputDirector.exe"=
"c:\\Program Files\\Input Director\\InputDirectorSessionHelper.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [13/09/2009 12:23 335240]
R1 avgtdix;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [13/09/2009 12:23 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [13/09/2009 12:22 297752]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 18:46 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [15/09/2008 22:39 47640]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [05/10/2008 20:09 356920]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 11:38 92008]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [04/01/2009 14:44 603904]
R3 echondgo;Indigo Service;c:\windows\system32\drivers\echondgo.sys [17/06/2008 16:41 133760]
S2 InputDirector;Input Director Service;c:\program files\Input Director\IDWinService.exe [10/09/2008 00:03 32768]
S3 cpuz128;cpuz128;\??\c:\docume~1\Owner\LOCALS~1\Temp\cpuz_x32.sys --> c:\docume~1\Owner\LOCALS~1\Temp\cpuz_x32.sys [?]
S3 SeratoUsb;SeratoUsb driver;c:\windows\system32\drivers\SeratoUsb.sys [21/09/2008 14:01 35712]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-30 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 21:30]

2009-09-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-09-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-17 18:34]

2009-09-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1532298954-839522115-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-13 17:00]

2009-09-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1532298954-839522115-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-13 17:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig?hl=en
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
Trusted Zone: reimage.com\cdnrep
TCP: {5628D3CA-710D-4701-938E-43F3CE86C914} = 192.168.0.1
DPF: {10ECCE17-29B5-4880-A8F5-EAD298611484} - hxxp://cdnrep.reimage.com/reix1214.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kemmk8c6.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kemmk8c6.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kemmk8c6.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-30 07:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?????? ???B?????????????H<C? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|˙˙˙˙¤•€|ů•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1432)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(1080)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\msiexec.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HPQ\shared\hpqwmi.exe
c:\program files\BOINC\boinc.exe
c:\documents and settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
c:\documents and settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
.
**************************************************************************
.
Completion time: 2009-09-30 7:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-30 06:33

Pre-Run: 30,261,309,440 bytes free
Post-Run: 30,469,206,016 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
288 --- E O F --- 2009-08-29 14:19

Thanks for all your help again...

#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 30 September 2009 - 08:50 AM

Hi dannyyoung,

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
""=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Plugin]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000
Driver::
LMIRfsClientNP
uxtdapow
cpuz128

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Then please update and run a full scan with MBAM and post back with the MBAM log and combofix.txt.

Thanks
Syler



#13 dannyyoung

dannyyoung
  • Topic Starter

  • Members
  • 21 posts

Posted 01 October 2009 - 01:12 AM

I think we may be getting close now! Here's the Combofix log:

ComboFix 09-09-29.04 - Owner 30/09/2009 19:48.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1309 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: E:\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CPUZ128
-------\Legacy_LMIRFSCLIENTNP
-------\Legacy_uxtdapow
-------\Service_cpuz128
-------\Service_LMIRfsClientNP


((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))
.

2009-09-30 19:00 . 2009-09-30 19:00 -------- d-----w- c:\windows\LastGood
2009-09-29 07:40 . 2009-09-29 07:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-09-29 07:40 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-29 07:40 . 2009-09-29 07:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-29 07:40 . 2009-09-29 07:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-29 07:40 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-29 07:36 . 2009-09-29 07:36 -------- d-----w- C:\rsit
2009-09-28 22:20 . 2009-09-28 22:20 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-13 12:41 . 2009-09-13 12:41 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-09-13 12:40 . 2009-09-13 12:40 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-13 11:50 . 2009-09-28 16:27 -------- d-----w- C:\$AVG8.VAULT$
2009-09-13 11:45 . 2009-09-13 11:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-13 11:45 . 2009-09-13 11:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-13 11:45 . 2009-09-13 11:45 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-09-13 11:40 . 2009-09-13 11:40 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-13 11:23 . 2009-09-13 11:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-13 11:23 . 2009-09-13 11:23 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-13 11:23 . 2009-09-13 11:23 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-13 11:23 . 2009-09-13 11:23 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-13 11:22 . 2009-09-30 18:16 -------- d-----w- c:\windows\system32\drivers\Avg
2009-09-13 11:22 . 2009-09-13 11:24 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-13 11:22 . 2009-09-13 11:22 -------- d-----w- c:\program files\AVG
2009-09-13 11:22 . 2009-09-28 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-13 11:15 . 2009-09-13 11:15 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG8
2009-09-13 08:31 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-30 21:09 . 2009-01-04 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\BOINC
2009-09-30 21:08 . 2008-06-17 21:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-30 19:02 . 2008-08-19 20:08 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-30 18:14 . 2008-06-17 13:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-13 15:44 . 2008-06-17 10:36 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-13 15:42 . 2008-06-17 10:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-13 11:56 . 2008-12-03 10:24 256 ----a-w- c:\windows\system32\pool.bin
2009-09-02 21:06 . 2008-06-17 09:42 87152 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-29 11:47 . 2008-12-03 10:13 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-08-29 11:47 . 2009-08-29 11:45 -------- d-----w- c:\program files\Roxio
2009-08-29 11:45 . 2008-12-03 10:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-08-29 11:45 . 2009-08-29 11:45 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-08-29 11:24 . 2008-12-03 10:06 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-08-24 06:24 . 2008-06-17 20:34 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 08:31 . 2008-06-17 20:33 -------- d-----w- c:\program files\Vuze
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-04 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-03-31 21:47 . 2008-12-18 20:52 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2009-04-07 09:46 . 2009-04-07 09:46 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-04-07 09:46 . 2009-04-07 09:46 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-04-07 09:46 . 2009-04-07 09:47 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2008-02-07 20:46 . 2008-02-07 20:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-07 20:46 . 2008-02-07 20:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-07 20:46 . 2008-02-07 20:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-07 20:46 . 2008-02-07 20:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-07 20:46 . 2008-02-07 20:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-07 20:46 . 2008-02-07 20:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-07 20:46 . 2008-02-07 20:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-04-07 09:46 . 2009-04-07 09:46 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2007-03-16 16:27 . 2007-03-16 16:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 16:27 . 2007-03-16 16:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 16:27 . 2007-03-16 16:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 11:47 . 2007-07-20 11:47 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-07 20:46 . 2008-02-07 20:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-30_06.25.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-30 18:57 . 2009-09-30 18:57 16384 c:\windows\temp\Perflib_Perfdata_340.dat
- 2008-06-17 12:32 . 2009-08-15 02:08 23040 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-06-17 12:32 . 2009-09-30 19:03 23040 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-06-17 12:32 . 2009-08-15 02:08 61440 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-06-17 12:32 . 2009-09-30 19:03 61440 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-06-17 12:32 . 2009-09-30 19:03 27136 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-06-17 12:32 . 2009-08-15 02:08 27136 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-06-17 12:32 . 2009-09-30 19:03 11264 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-06-17 12:32 . 2009-08-15 02:08 11264 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-06-17 12:32 . 2009-09-30 19:03 86016 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-06-17 12:32 . 2009-08-15 02:08 86016 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-06-17 12:32 . 2009-09-30 19:03 12288 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-06-17 12:32 . 2009-08-15 02:08 12288 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-06-17 12:32 . 2009-09-30 19:03 4096 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-06-17 12:32 . 2009-08-15 02:08 4096 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2004-08-04 12:00 . 2009-03-08 03:33 726528 c:\windows\system32\jscript.dll
+ 2004-08-04 12:00 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
- 2007-08-13 17:38 . 2009-03-08 03:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2007-08-13 17:38 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
+ 2008-06-17 12:32 . 2009-09-30 19:03 409600 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-06-17 12:32 . 2009-08-15 02:08 409600 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-06-17 12:32 . 2009-09-30 19:03 286720 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-06-17 12:32 . 2009-08-15 02:08 286720 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-06-17 12:32 . 2009-09-30 19:03 249856 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-06-17 12:32 . 2009-08-15 02:08 249856 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-06-17 12:32 . 2009-09-30 19:03 794624 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-06-17 12:32 . 2009-08-15 02:08 794624 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-06-17 12:32 . 2009-09-30 19:03 135168 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-06-17 12:32 . 2009-08-15 02:08 135168 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-06-17 12:32 . 2009-08-15 02:08 593920 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-06-17 12:32 . 2009-09-30 19:03 593920 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2009-09-30 19:01 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2009-09-30 19:01 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2009-09-30 19:01 . 2009-03-08 03:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
- 2004-08-04 12:00 . 2008-06-18 05:03 2458112 c:\windows\system32\WMVCore.dll
+ 2004-08-04 12:00 . 2009-05-20 03:56 2458112 c:\windows\system32\WMVCore.dll
- 2004-08-04 12:00 . 2008-06-18 05:03 2458112 c:\windows\system32\dllcache\WMVCore.dll
+ 2004-08-04 12:00 . 2009-05-20 03:56 2458112 c:\windows\system32\dllcache\WMVCore.dll
+ 2009-08-25 13:57 . 2009-08-25 13:57 5518336 c:\windows\Installer\4d6ee.msp
+ 2008-06-17 12:08 . 2009-08-28 21:38 24689600 c:\windows\system32\MRT.exe
+ 2009-09-30 19:01 . 2009-09-30 19:01 15709696 c:\windows\Installer\4d6da.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-17 68856]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-13 133104]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-08 251240]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-10-22 229438]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2004-12-08 790528]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"boincmgr"="c:\program files\BOINC\boincmgr.exe" [2008-12-09 4289280]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-17 185896]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-01 623960]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-13 2007832]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-13 11:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"osCheck"="c:\program files\Norton 360\osCheck.exe"
"boinctray"="c:\program files\BOINC\boinctray.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Input Director\\InputDirector.exe"=
"c:\\Program Files\\Input Director\\InputDirectorSessionHelper.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [13/09/2009 12:23 335240]
R1 avgtdix;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [13/09/2009 12:23 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [13/09/2009 12:22 297752]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 18:46 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [15/09/2008 22:39 47640]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [05/10/2008 20:09 356920]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 11:38 92008]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [04/01/2009 14:44 603904]
R3 echondgo;Indigo Service;c:\windows\system32\drivers\echondgo.sys [17/06/2008 16:41 133760]
S2 InputDirector;Input Director Service;c:\program files\Input Director\IDWinService.exe [10/09/2008 00:03 32768]
S3 SeratoUsb;SeratoUsb driver;c:\windows\system32\drivers\SeratoUsb.sys [21/09/2008 14:01 35712]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-30 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 21:30]

2009-09-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-09-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-17 18:34]

2009-09-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1532298954-839522115-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-13 17:00]

2009-09-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1532298954-839522115-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-13 17:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig?hl=en
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
Trusted Zone: reimage.com\cdnrep
TCP: {5628D3CA-710D-4701-938E-43F3CE86C914} = 192.168.0.1
DPF: {10ECCE17-29B5-4880-A8F5-EAD298611484} - hxxp://cdnrep.reimage.com/reix1214.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kemmk8c6.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-30 22:08
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?????? ???B?????????????H<C? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|˙˙˙˙¤•€|ů•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(968)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(3144)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\HPQ\shared\hpqwmi.exe
c:\program files\BOINC\boinc.exe
c:\program files\iPod\bin\iPodService.exe
c:\documents and settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\setiathome_6.03_windows_intelx86.exe
c:\documents and settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
.
**************************************************************************
.
Completion time: 2009-09-30 22:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-30 21:15
ComboFix2.txt 2009-09-30 06:33

Pre-Run: 30,434,353,152 bytes free
Post-Run: 30,300,061,696 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
312 --- E O F --- 2009-09-30 19:05

And here is the MBAM log:

Malwarebytes' Anti-Malware 1.41
Database version: 2878
Windows 5.1.2600 Service Pack 3

01/10/2009 07:05:16
mbam-log-2009-10-01 (07-05-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 224244
Time elapsed: 55 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Windows Live\Messenger\riched20.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E3EA0B7A-3E25-492F-ABFA-34A02C2D0D54}\RP1\A0000094.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Thanks :(

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:10:14 PM

Posted 01 October 2009 - 08:29 AM

We are getting there, please let me know in your next reply how things are running.

Download the HostsXpert
  • Unzip HostsXpert 4.3 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 4.3 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Next

You still have some leftovers from an incomplete uninstallation of Norton security products on your computer.
To remove the leftovers please download and run the Norton Removal Tool.

Note: The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer.
If you use ACT! or WinFAX, back up those databases before you proceed.


Next

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Next

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back here with the following logs:
  • Kaspersky report
  • New Rsit log
Thanks


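One way to see what the "Restore Microsoft's Hosts file" step above will throw away, as an added example that is not from this thread and not part of HostsXpert: the script parses hosts-file text, sets aside the stock `localhost` entries, and splits the rest into sinkhole-style entries (names pointed at 127.0.0.1 or 0.0.0.0, the usual shape of a user's ad-block list) and entries that send a name to some other address, which is the pattern worth reviewing before the restore. It can then rebuild a default hosts file plus whichever entries the owner chooses to keep. The sample hosts content and the example domains and address are constructed for illustration.

```python
"""Audit a Windows hosts file before restoring the Microsoft default.

Added example, not from the thread or from HostsXpert. The sample content,
domains and the 198.51.100.23 address below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# The single entry a stock Windows XP hosts file carries.
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Mappings that ship with Windows and never need review.
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample: one stock entry, two ad-block style entries,
# and one entry that points a name at a remote host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net        # constructed user ad-block entry
127.0.0.1       tracker.example.org
198.51.100.23   www.example-bank.test  # constructed: name sent to another host
this is not a valid line
"""


@dataclass(frozen=True)
class HostsEntry:
    address: str
    hostname: str
    line_no: int


def parse_hosts(text: str) -> List[HostsEntry]:
    """Return one HostsEntry per (address, hostname) pair, ignoring
    comments, blank lines and lines whose first token is not an IP."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue   # malformed line: the resolver ignores it as well
        for name in names:
            entries.append(HostsEntry(addr, name.lower(), n))
    return entries


def audit_hosts(text: str) -> Dict[str, object]:
    """Split non-stock entries into sinkhole entries (loopback or 0.0.0.0,
    which only block a name) and redirects (a name sent to another host)."""
    blocklist, redirect = [], []
    for e in parse_hosts(text):
        if (e.address, e.hostname) in EXPECTED:
            continue
        ip = ipaddress.ip_address(e.address)
        if ip.is_loopback or ip.is_unspecified:
            blocklist.append(e)      # blocks the name; typical ad-block use
        else:
            redirect.append(e)       # re-routes the name; review before keeping
    return {
        "blocklist": blocklist,
        "redirect": redirect,
        "needs_restore": bool(blocklist or redirect),
    }


def rebuild_hosts(keep: List[HostsEntry]) -> str:
    """Microsoft's default content followed by the entries the owner
    decided to keep, in standard 'address  hostname' layout."""
    lines = [DEFAULT_HOSTS.rstrip("\n")]
    lines += [f"{e.address:<15} {e.hostname}" for e in keep]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for e in report["redirect"]:
        print(f"line {e.line_no}: {e.hostname} -> {e.address} (review)")
    for e in report["blocklist"]:
        print(f"line {e.line_no}: {e.hostname} -> {e.address} (sinkhole)")
    print(rebuild_hosts(report["blocklist"]), end="")
```

Run it against a copy of `C:\WINDOWS\system32\drivers\etc\hosts` (read the file into `audit_hosts`) before clicking Restore; anything listed under "review" is what the restore step will remove and what you would not want to put back.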

#15 dannyyoung

dannyyoung
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:10:14 PM

Posted 01 October 2009 - 11:40 AM

Hi syler

I've tried to Restore MS Hosts File using HostsXpert but I get an error that says ERROR: Cannot create file C:\WINDOWS\system32\DRIVERS\ETC\hosts - when I click OK the program closes. As far as I am aware I've done nothing with custom Hosts files so far - if I have it's news to me! Any ideas on how to get round this?

I haven't done anything else you mentioned in case it causes further problems...

Cheers

Dan



