
Recurring virus


  • This topic is locked
6 replies to this topic

#1 eighty2


Posted 23 November 2009 - 05:12 PM

Hi, I downloaded a virus and have tried using Malwarebytes, HijackThis, Killbox, and other AVs to remove it, but have been unsuccessful. The virus limits access to AV sites. It was limiting my access to the internet, the registry, and System Restore, but I've gotten that fixed. When I do a scan, calc.dll and some variation of windows/system32/3.tmp remain.

DDS:


DDS (Ver_09-11-23.01) - NTFSx86
Run by pgornell at 15:29:21.59 on 2009-11-23
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1103 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\RapidSolution\Tunebite\vcdw\VCDAudioService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
svchost.exe C:\WINDOWS\TEMP\VRT2.tmp
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPRun.exe
C:\Program Files\Hewlett-Packard\HP Printer Utility\HPPU.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Hewlett-Packard\HP Printer Utility DCS\Appinterfaces\HPPUDS.exe
C:\Program Files\Common Files\Hewlett-Packard\HP Printer Utility DCS\AppInterfaces\HPPUDH.exe
C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\Appinterfaces\HPDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\AppInterfaces\HPDeviceHost.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Boingo\Boingo Wi-Fi\Boingo Wi-Fi.exe
C:\WINDOWS\BisonCam\BisonTrayIcon.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Philips\GoGear Mix Device Manager\main.exe
C:\Program Files\Shoreline Communications\ShoreWare Client\STCHost.exe
C:\Program Files\Datacolor\Spyder3Pro\Utility\Spyder3Utility.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Shoreline Communications\ShoreWare Client\CSISCMGR.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\pgornell\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.playlist.com/
uInternet Settings,ProxyOverride = *.local;<local>
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - No File
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - No File
uRun: [ShoreTel Personal Call Manager] c:\program files\shoreline communications\shoreware client\StartCli.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\8.0"
mRun: [RunTasktray] "c:\program files\hewlett-packard\hp easy printer care\hpprun.exe" --regkeypath=software\hewlett-packard\hp easy printer care\HPPRun --valuename=InstallTTM
mRun: [RunPUTasktray] "c:\program files\hewlett-packard\hp printer utility\hppu.exe" --regkeypath=software\hewlett-packard\hp printer utility\HPPURun --valuename=InstallTTM
mRun: [ctfmon] RUNDLL32.EXE c:\windows\system32\fgjk4wvb.dll,w
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PUStarter] c:\program files\common files\hewlett-packard\hp printer utility dcs\appinterfaces\HPPUDS.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [KnexStarter] c:\program files\common files\hewlett-packard\hp device communication services\appinterfaces\HPDeviceService.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [EOUApp] "c:\program files\intel\wireless\bin\EOUWiz.exe"
mRun: [Boingo Wi-Fi] "c:\program files\boingo\boingo wi-fi\Boingo.lnk"
mRun: [BisonTrayIcon] c:\windows\bisoncam\BisonTrayIcon.exe
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [calc] rundll32.exe c:\windows\system32\config\system~1\ntuser.dll,_IWMPEvents@0
dRun: [msnmager] c:\windows\system32\rundll32.exe c:\windows\temp\idegcg.dll,Set1
StartupFolder: c:\docume~1\pgornell\startm~1\programs\startup\scandisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\philip~1.lnk - c:\program files\philips\gogear mix device manager\main.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spyder~1.lnk - c:\program files\datacolor\spyder3pro\utility\Spyder3Utility.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: hp.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {3AC3D009-2E89-4F1E-9F51-04D4FBD50122} - hxxp://192.168.102.249/shorewaredirector/clientinstall/ShoretelClientInstall.ocx
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177726452875
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://www.stockphotopro.com/ImageUploader4.cab
DPF: {71D73A47-975F-11D1-AA77-00A0C98D86D4} - hxxp://192.168.102.249/shorewaredirector/VoiceMessage.ocx
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://meetings.webex.com/client/T26L/webex/ieatgpc.cab
Handler: HPDCS - {ba135f49-a12c-4e26-a2c4-6ea945999072} - c:\program files\common files\hewlett-packard\hp device communication services\app\hpdcsapp.dll
Handler: hppfile - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - c:\program files\hewlett-packard\hp easy printer care\HPPCtrls.dll
Handler: hppsam - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - c:\program files\hewlett-packard\hp easy printer care\HPPCtrls.dll
Handler: HPPUDCS - {522CC7E5-F378-4F97-8BD7-125D17F5B332} - c:\program files\common files\hewlett-packard\hp printer utility dcs\app\hplidcsapp.dll
Handler: hppufile - {4BCA8E33-E18F-4358-9F6F-3C7206BCF72F} - c:\program files\hewlett-packard\hp printer utility\hpluCtrls.dll
Handler: hppusam - {4BCA8E33-E18F-4358-9F6F-3C7206BCF72F} - c:\program files\hewlett-packard\hp printer utility\hpluCtrls.dll
Handler: hppuzip - {4BCA8E33-E18F-4358-9F6F-3C7206BCF72F} - c:\program files\hewlett-packard\hp printer utility\hpluCtrls.dll
Handler: hppzip - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - c:\program files\hewlett-packard\hp easy printer care\HPPCtrls.dll
AppInit_DLLs: c:\windows\temp\3016xxx.dll,c:\windows\temp\197xxx.dll,c:\windows\temp\4913xxx.dll,c:\windows\temp\1921xxx.dll,c:\windows\temp\4926xxx.dll,c:\windows\temp\1931xxx.dll,c:\windows\temp\351923usc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli bakupabi.dll
mASetup: {43fu72BA-u2h9-13u1-bubf-eaKfu836gul5} - c:\windows\system32\csrss.exe
mASetup: {9C450606-ED24-4958-92BA-B8940C99D441} - c:\program files\pixiepack codec pack\InstallerHelper.exe
mASetup: {AB6316F1-B853-B5C4-383E-09E2BD8E1192} - c:\documents and settings\pgornell\my documents\usenext\alt.binaries.warez.ibm-pc\Helicon Focus v2.03 Pro(Working Keygen).exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pgornell\applic~1\mozilla\firefox\profiles\x9msz3ay.default\
FF - prefs.js: browser.startup.homepage - www.sidestep.com
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================

2009-08-22 22:24:32 75264 --sha-w- c:\windows\system32\bakupabi.dll
2009-03-21 14:06:58 24064 --sha-w- c:\windows\system32\calc.dll
2009-08-22 22:24:32 75264 --sha-w- c:\windows\system32\jutokuki.dll
2009-08-22 22:24:32 75264 --sha-w- c:\windows\system32\metefovu.dll
2009-03-21 14:06:58 24064 --sha-w- c:\windows\system32\config\systemprofile\ntuser.dll
2008-09-18 05:55:57 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091720080918\index.dat
2009-03-21 14:06:58 24064 --sha-w- c:\windows\system32\config\systemprofile\start menu\programs\startup\scandisk.dll

============= FINISH: 15:30:23.00 ===============


*************************************************************************************************************************************************

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/23 15:36
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3C71000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79C7000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP7796
Image Path: \Driver\PCI_PNP7796
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB6467000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sppp.sys
Image Path: sppp.sys
Address: 0xF7289000 Size: 1036288 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\program files\multimedia card reader\moveicondll.exe
Status: Allocation size mismatch (API: 311296, Raw: 303104)

Path: c:\program files\multimedia card reader\wreg.exe
Status: Allocation size mismatch (API: 319488, Raw: 299008)

Path: c:\program files\winrar\rar.exe
Status: Allocation size mismatch (API: 262144, Raw: 253952)

Path: c:\program files\winrar\rarextloader.exe
Status: Allocation size mismatch (API: 53248, Raw: 36864)

Path: c:\program files\winrar\unrar.exe
Status: Allocation size mismatch (API: 167936, Raw: 147456)

Path: c:\program files\cyberlink\powerdvd\cltest.exe
Status: Allocation size mismatch (API: 139264, Raw: 118784)

Path: c:\program files\msn gaming zone\windows\zclientm.exe
Status: Allocation size mismatch (API: 45056, Raw: 24576)

Path: c:\program files\realtek\installshield\alcmtr.exe
Status: Allocation size mismatch (API: 49152, Raw: 32768)

Path: c:\program files\realtek\installshield\alcwzrd.exe
Status: Allocation size mismatch (API: 958464, Raw: 950272)

Path: c:\program files\realtek\installshield\chcfg.exe
Status: Allocation size mismatch (API: 45056, Raw: 24576)

Path: c:\program files\realtek\installshield\cplutl64.exe
Status: Allocation size mismatch (API: 45056, Raw: 24576)

Path: c:\program files\realtek\installshield\rthdcpl.exe
Status: Allocation size mismatch (API: 7958528, Raw: 7938048)

Path: c:\program files\realtek\installshield\rtlcpl.exe
Status: Allocation size mismatch (API: 6258688, Raw: 6238208)

Path: c:\program files\realtek\installshield\rtlupd.exe
Status: Allocation size mismatch (API: 270336, Raw: 249856)

Path: c:\program files\realtek\installshield\rtlupd64.exe
Status: Allocation size mismatch (API: 360448, Raw: 339968)

Path: c:\program files\realtek\installshield\soundman.exe
Status: Allocation size mismatch (API: 57344, Raw: 40960)

Path: c:\program files\helicon software\helicon focus\heliconviewer.exe
Status: Allocation size mismatch (API: 2940928, Raw: 2920448)

Path: c:\program files\helicon software\helicon focus\dng.exe
Status: Allocation size mismatch (API: 585728, Raw: 573440)

Path: c:\program files\installshield installation information\{d80a6a73-e58a-4673-aff5-f12d7110661f}\setup.exe
Status: Allocation size mismatch (API: 253952, Raw: 241664)

Path: c:\program files\ivt corporation\bluesoleil\gprs.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\program files\ivt corporation\bluesoleil\hid2hci.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\program files\ivt corporation\bluesoleil\uninstall.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\$hf_mig$\kb834707\spuninst.exe
Status: Allocation size mismatch (API: 135168, Raw: 114688)

Path: c:\windows\$hf_mig$\kb867282\spuninst.exe
Status: Allocation size mismatch (API: 135168, Raw: 114688)

Path: c:\windows\$hf_mig$\kb873333\spuninst.exe
Status: Allocation size mismatch (API: 135168, Raw: 114688)

Path: c:\windows\$hf_mig$\kb873339\spuninst.exe
Status: Allocation size mismatch (API: 135168, Raw: 114688)

Path: c:\windows\$hf_mig$\kb885250\spuninst.exe
Status: Allocation size mismatch (API: 135168, Raw: 114688)

Path: c:\windows\$hf_mig$\kb885835\spuninst.exe
Status: Allocation size mismatch (API: 135168, Raw: 114688)

Path: c:\windows\$hf_mig$\kb885836\spuninst.exe
Status: Allocation size mismatch (API: 135168, Raw: 114688)

Path: c:\windows\$hf_mig$\kb886185\spuninst.exe
Status: Allocation size mismatch (API: 135168, Raw: 114688)

Path: c:\windows\$hf_mig$\kb887472\spuninst.exe
Status: Allocation size mismatch (API: 135168, Raw: 114688)

Path: c:\windows\$hf_mig$\kb887742\spuninst.exe
Status: Allocation size mismatch (API: 135168, Raw: 114688)

Path: c:\windows\$hf_mig$\kb888113\spuninst.exe
Status: Allocation size mismatch (API: 135168, Raw: 114688)

Path: c:\windows\$hf_mig$\kb888302\spuninst.exe
Status: Allocation size mismatch (API: 135168, Raw: 114688)

Path: c:\windows\$hf_mig$\kb890047\spuninst.exe
Status: Allocation size mismatch (API: 135168, Raw: 114688)

Path: c:\windows\$hf_mig$\kb890175\spuninst.exe
Status: Allocation size mismatch (API: 135168, Raw: 114688)

Path: c:\windows\$hf_mig$\kb891781\spuninst.exe
Status: Allocation size mismatch (API: 135168, Raw: 114688)

Path: c:\windows\servicepackfiles\i386\accwiz.exe
Status: Allocation size mismatch (API: 106496, Raw: 98304)

Path: c:\windows\servicepackfiles\i386\actmovie.exe
Status: Allocation size mismatch (API: 24576, Raw: 4096)

Path: c:\windows\servicepackfiles\i386\ngen.exe
Status: Allocation size mismatch (API: 118784, Raw: 98304)

Path: c:\windows\servicepackfiles\i386\smbinst.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\smi2smir.exe
Status: Allocation size mismatch (API: 172032, Raw: 151552)

Path: c:\windows\servicepackfiles\i386\smlogsvc.exe
Status: Allocation size mismatch (API: 81920, Raw: 61440)

Path: c:\windows\servicepackfiles\i386\sndrec32.exe
Status: Allocation size mismatch (API: 114688, Raw: 94208)

Path: c:\windows\servicepackfiles\i386\snmp.exe
Status: Allocation size mismatch (API: 45056, Raw: 24576)

Path: c:\windows\servicepackfiles\i386\snmptrap.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\sort.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\servicepackfiles\i386\migregdb.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\migwiz.exe
Status: Allocation size mismatch (API: 147456, Raw: 135168)

Path: c:\windows\servicepackfiles\i386\migwiza.exe
Status: Allocation size mismatch (API: 147456, Raw: 126976)

Path: c:\windows\servicepackfiles\i386\mmc.exe
Status: Allocation size mismatch (API: 897024, Raw: 876544)

Path: c:\windows\servicepackfiles\i386\dfrgfat.exe
Status: Allocation size mismatch (API: 81920, Raw: 61440)

Path: c:\windows\servicepackfiles\i386\dfrgntfs.exe
Status: Allocation size mismatch (API: 98304, Raw: 77824)

Path: c:\windows\servicepackfiles\i386\dialer.exe
Status: Allocation size mismatch (API: 303104, Raw: 282624)

Path: c:\windows\servicepackfiles\i386\cacls.exe
Status: Allocation size mismatch (API: 32768, Raw: 16384)

Path: c:\windows\servicepackfiles\i386\clipbrd.exe
Status: Allocation size mismatch (API: 90112, Raw: 69632)

Path: c:\windows\servicepackfiles\i386\diantz.exe
Status: Allocation size mismatch (API: 86016, Raw: 65536)

Path: c:\windows\servicepackfiles\i386\fpcount.exe
Status: Allocation size mismatch (API: 126976, Raw: 122880)

Path: c:\windows\servicepackfiles\i386\wab.exe
Status: Allocation size mismatch (API: 53248, Raw: 32768)

Path: c:\windows\servicepackfiles\i386\wabmig.exe
Status: Allocation size mismatch (API: 45056, Raw: 24576)

Path: c:\windows\servicepackfiles\i386\msimn.exe
Status: Allocation size mismatch (API: 57344, Raw: 49152)

Path: c:\windows\servicepackfiles\i386\msiregmv.exe
Status: Allocation size mismatch (API: 45056, Raw: 28672)

Path: c:\windows\servicepackfiles\i386\msmsgs.exe
Status: Allocation size mismatch (API: 1187840, Raw: 1183744)

Path: c:\windows\servicepackfiles\i386\author.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\sysocmgr.exe
Status: Allocation size mismatch (API: 77824, Raw: 57344)

Path: c:\windows\servicepackfiles\i386\wordpad.exe
Status: Allocation size mismatch (API: 147456, Raw: 131072)

Path: c:\windows\servicepackfiles\i386\wpabaln.exe
Status: Allocation size mismatch (API: 45056, Raw: 24576)

Path: c:\windows\servicepackfiles\i386\wpnpinst.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\eudcedit.exe
Status: Allocation size mismatch (API: 151552, Raw: 147456)

Path: c:\windows\servicepackfiles\i386\evcreate.exe
Status: Allocation size mismatch (API: 45056, Raw: 32768)

Path: c:\windows\servicepackfiles\i386\evntcmd.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\servicepackfiles\i386\evntwin.exe
Status: Allocation size mismatch (API: 81920, Raw: 61440)

Path: c:\windows\servicepackfiles\i386\evtrig.exe
Status: Allocation size mismatch (API: 73728, Raw: 53248)

Path: c:\windows\servicepackfiles\i386\extrac32.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\servicepackfiles\i386\faxpatch.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\servicepackfiles\i386\mtstocom.exe
Status: Allocation size mismatch (API: 98304, Raw: 90112)

Path: c:\windows\servicepackfiles\i386\napstat.exe
Status: Allocation size mismatch (API: 147456, Raw: 126976)

Path: c:\windows\servicepackfiles\i386\narrator.exe
Status: Allocation size mismatch (API: 61440, Raw: 49152)

Path: c:\windows\servicepackfiles\i386\rundll32.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\servicepackfiles\i386\runonce.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\servicepackfiles\i386\savedump.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\servicepackfiles\i386\oemig50.exe
Status: Allocation size mismatch (API: 65536, Raw: 57344)

Path: c:\windows\servicepackfiles\i386\cipher.exe
Status: Allocation size mismatch (API: 57344, Raw: 49152)

Path: c:\windows\servicepackfiles\i386\cisvc.exe
Status: Allocation size mismatch (API: 24576, Raw: 4096)

Path: c:\windows\servicepackfiles\i386\cleanmgr.exe
Status: Allocation size mismatch (API: 65536, Raw: 61440)

Path: c:\windows\servicepackfiles\i386\cliconfg.exe
Status: Allocation size mismatch (API: 32768, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\inetin51.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\servicepackfiles\i386\inetwiz.exe
Status: Allocation size mismatch (API: 32768, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\userinit.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\servicepackfiles\i386\utilman.exe
Status: Allocation size mismatch (API: 57344, Raw: 40960)

Path: c:\windows\servicepackfiles\i386\locator.exe
Status: Allocation size mismatch (API: 73728, Raw: 53248)

Path: c:\windows\servicepackfiles\i386\logman.exe
Status: Allocation size mismatch (API: 61440, Raw: 53248)

Path: c:\windows\servicepackfiles\i386\logon.scr
Status: Allocation size mismatch (API: 90112, Raw: 69632)

Path: c:\windows\servicepackfiles\i386\logonui.exe
Status: Allocation size mismatch (API: 274432, Raw: 266240)

Path: c:\windows\servicepackfiles\i386\lsass.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\servicepackfiles\i386\winver.exe
Status: Allocation size mismatch (API: 24576, Raw: 4096)

Path: c:\windows\servicepackfiles\i386\ss3dfo.scr
Status: Allocation size mismatch (API: 512000, Raw: 495616)

Path: c:\windows\servicepackfiles\i386\ssbezier.scr
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\servicepackfiles\i386\ssflwbox.scr
Status: Allocation size mismatch (API: 253952, Raw: 258048)

Path: c:\windows\servicepackfiles\i386\ssmarque.scr
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\servicepackfiles\i386\ssmypics.scr
Status: Allocation size mismatch (API: 57344, Raw: 36864)

Path: c:\windows\servicepackfiles\i386\ssmyst.scr
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\servicepackfiles\i386\sspipes.scr
Status: Allocation size mismatch (API: 413696, Raw: 389120)

Path: c:\windows\servicepackfiles\i386\ssstars.scr
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\servicepackfiles\i386\sstext3d.scr
Status: Allocation size mismatch (API: 483328, Raw: 462848)

Path: c:\windows\servicepackfiles\i386\fxssvc.exe
Status: Allocation size mismatch (API: 217088, Raw: 192512)

Path: c:\windows\servicepackfiles\i386\dpvsetup.exe
Status: Allocation size mismatch (API: 81920, Raw: 61440)

Path: c:\windows\servicepackfiles\i386\drvqry.exe
Status: Allocation size mismatch (API: 65536, Raw: 61440)

Path: c:\windows\servicepackfiles\i386\perfmon.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\servicepackfiles\i386\csc.exe
Status: Allocation size mismatch (API: 53248, Raw: 36864)

Path: c:\windows\servicepackfiles\i386\cscript.exe
Status: Allocation size mismatch (API: 114688, Raw: 94208)

Path: c:\windows\servicepackfiles\i386\ctfmon.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\servicepackfiles\i386\agentsvr.exe
Status: Allocation size mismatch (API: 196608, Raw: 188416)

Path: c:\windows\servicepackfiles\i386\services.exe
Status: Allocation size mismatch (API: 98304, Raw: 77824)

Path: c:\windows\servicepackfiles\i386\sessmgr.exe
Status: Allocation size mismatch (API: 114688, Raw: 94208)

Path: c:\windows\servicepackfiles\i386\sethc.exe
Status: Allocation size mismatch (API: 45056, Raw: 24576)

Path: c:\windows\servicepackfiles\i386\setup.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\servicepackfiles\i386\setup50.exe
Status: Allocation size mismatch (API: 69632, Raw: 49152)

Path: c:\windows\servicepackfiles\i386\setupn.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\servicepackfiles\i386\rcimlby.exe
Status: Allocation size mismatch (API: 45056, Raw: 24576)

Path: c:\windows\servicepackfiles\i386\rcp.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\servicepackfiles\i386\rdsaddin.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\servicepackfiles\i386\rdshost.exe
Status: Allocation size mismatch (API: 69632, Raw: 49152)

Path: c:\windows\servicepackfiles\i386\msoobe.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\servicepackfiles\i386\mspaint.exe
Status: Allocation size mismatch (API: 249856, Raw: 229376)

Path: c:\windows\servicepackfiles\i386\nddeapir.exe
Status: Allocation size mismatch (API: 24576, Raw: 4096)

Path: c:\windows\servicepackfiles\i386\net.exe
Status: Allocation size mismatch (API: 53248, Raw: 32768)

Path: c:\windows\servicepackfiles\i386\net1.exe
Status: Allocation size mismatch (API: 114688, Raw: 106496)

Path: c:\windows\servicepackfiles\i386\ipv6.exe
Status: Allocation size mismatch (API: 61440, Raw: 53248)

Path: c:\windows\servicepackfiles\i386\ipxroute.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\servicepackfiles\i386\irftp.exe
Status: Allocation size mismatch (API: 118784, Raw: 98304)

Path: c:\windows\servicepackfiles\i386\qprocess.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\servicepackfiles\i386\ntvdm.exe
Status: Allocation size mismatch (API: 339968, Raw: 319488)

Path: c:\windows\servicepackfiles\i386\msdtc.exe
Status: Allocation size mismatch (API: 24576, Raw: 4096)

Path: c:\windows\servicepackfiles\i386\tzchange.exe
Status: Allocation size mismatch (API: 61440, Raw: 57344)

Path: c:\windows\servicepackfiles\i386\xpnetdg.exe
Status: Allocation size mismatch (API: 266240, Raw: 241664)

Path: c:\windows\servicepackfiles\i386\icwrmind.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\servicepackfiles\i386\ie4uinit.exe
Status: Allocation size mismatch (API: 45056, Raw: 24576)

Path: c:\windows\servicepackfiles\i386\iedw.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\servicepackfiles\i386\wextract.exe
Status: Allocation size mismatch (API: 65536, Raw: 69632)

Path: c:\windows\servicepackfiles\i386\atmadm.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\attrib.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\auditusr.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\servicepackfiles\i386\fp98sadm.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\servicepackfiles\i386\fp98swin.exe
Status: Allocation size mismatch (API: 86016, Raw: 65536)

Path: c:\windows\servicepackfiles\i386\fpadmcgi.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\servicepackfiles\i386\help.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\helpctr.exe
Status: Allocation size mismatch (API: 512000, Raw: 491520)

Path: c:\windows\servicepackfiles\i386\helpsvc.exe
Status: Allocation size mismatch (API: 495616, Raw: 475136)

Path: c:\windows\servicepackfiles\i386\hh.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\comrepl.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\comrereg.exe
Status: Allocation size mismatch (API: 24576, Raw: 4096)

Path: c:\windows\servicepackfiles\i386\comsdupd.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\conf.exe
Status: Allocation size mismatch (API: 540672, Raw: 528384)

Path: c:\windows\servicepackfiles\i386\wuauclt.exe
Status: Allocation size mismatch (API: 98304, Raw: 77824)

Path: c:\windows\servicepackfiles\i386\wuauclt1.exe
Status: Allocation size mismatch (API: 122880, Raw: 102400)

Path: c:\windows\servicepackfiles\i386\xcopy.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\servicepackfiles\i386\dmremote.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\dplaysvr.exe
Status: Allocation size mismatch (API: 45056, Raw: 24576)

Path: c:\windows\servicepackfiles\i386\dpnsvr.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\servicepackfiles\i386\dumprep.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\dvdupgrd.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\servicepackfiles\i386\dwwin.exe
Status: Allocation size mismatch (API: 155648, Raw: 139264)

Path: c:\windows\servicepackfiles\i386\dxdiag.exe
Status: Allocation size mismatch (API: 663552, Raw: 655360)

Path: c:\windows\servicepackfiles\i386\rsh.exe
Status: Allocation size mismatch (API: 28672, Raw: 12288)

Path: c:\windows\servicepackfiles\i386\rsnotify.exe
Status: Allocation size mismatch (API: 69632, Raw: 49152)

Path: c:\windows\servicepackfiles\i386\rstrui.exe
Status: Allocation size mismatch (API: 241664, Raw: 233472)

Path: c:\windows\servicepackfiles\i386\rtcshare.exe
Status: Allocation size mismatch (API: 81920, Raw: 61440)

Path: c:\windows\servicepackfiles\i386\pinball.exe
Status: Allocation size mismatch (API: 200704, Raw: 180224)

Path: c:\windows\servicepackfiles\i386\ping.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\servicepackfiles\i386\powercfg.exe
Status: Allocation size mismatch (API: 53248, Raw: 40960)

Path: c:\windows\servicepackfiles\i386\shmgrate.exe
Status: Allocation size mismatch (API: 49152, Raw: 28672)

Path: c:\windows\servicepackfiles\i386\shrpubw.exe
Status: Allocation size mismatch (API: 57344, Raw: 32768)

Path: c:\windows\servicepackfiles\i386\shtml.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\shutdown.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\servicepackfiles\i386\sigverif.exe
Status: Allocation size mismatch (API: 53248, Raw: 32768)

Path: c:\windows\servicepackfiles\i386\wmiadap.exe
Status: Allocation size mismatch (API: 147456, Raw: 151552)

Path: c:\windows\servicepackfiles\i386\wmic.exe
Status: Allocation size mismatch (API: 245760, Raw: 225280)

Path: c:\windows\servicepackfiles\i386\wmiprvse.exe
Status: Allocation size mismatch (API: 147456, Raw: 126976)

Path: c:\windows\servicepackfiles\i386\scardsvr.exe
Status: Allocation size mismatch (API: 86016, Raw: 65536)

Path: c:\windows\servicepackfiles\i386\scrcons.exe
Status: Allocation size mismatch (API: 49152, Raw: 28672)

Path: c:\windows\servicepackfiles\i386\scrnsave.scr
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\sctasks.exe
Status: Allocation size mismatch (API: 90112, Raw: 81920)

Path: c:\windows\servicepackfiles\i386\sdbinst.exe
Status: Allocation size mismatch (API: 77824, Raw: 57344)

Path: c:\windows\servicepackfiles\i386\secedit.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\servicepackfiles\i386\mmcperf.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\servicepackfiles\i386\mnmsrvc.exe
Status: Allocation size mismatch (API: 36864, Raw: 20480)

Path: c:\windows\servicepackfiles\i386\mobsync.exe
Status: Allocation size mismatch (API: 122880, Raw: 102400)

Path: c:\windows\servicepackfiles\i386\mofcomp.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\servicepackfiles\i386\admin.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\mstinit.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\jsc.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\servicepackfiles\i386\icwconn2.exe
Status: Allocation size mismatch (API: 77824, Raw: 53248)

Path: c:\windows\servicepackfiles\i386\migload.exe
Status: Allocation size mismatch (API: 94208, Raw: 73728)

Path: c:\windows\servicepackfiles\i386\stimon.exe
Status: Allocation size mismatch (API: 28672, Raw: 12288)

Path: c:\windows\servicepackfiles\i386\stub_fpsrvadm.exe
Status: Allocation size mismatch (API: 28672, Raw: 4096)

Path: c:\windows\servicepackfiles\i386\stub_fpsrvwin.exe
Status: Allocation size mismatch (API: 65536, Raw: 45056)

Path: c:\windows\servicepackfiles\i386\oobebaln.exe
Status: Allocation size mismatch (API: 57344, Raw: 40960)

Path: c:\windows\servicepackfiles\i386\opnfiles.exe
Status: Allocation size mismatch (API: 65536, Raw: 45056)

Path: c:\windows\servicepackfiles\i386\osk.exe
Status: Allocation size mismatch (API: 147456, Raw: 126976)

Path: c:\windows\servicepackfiles\i386\packager.exe
Status: Allocation size mismatch (API: 65536, Raw: 57344)

Path: c:\windows\servicepackfiles\i386\blastcln.exe
Status: Allocation size mismatch (API: 73728, Raw: 53248)

Path: c:\windows\servicepackfiles\i386\bootcfg.exe
Status: Allocation size mismatch (API: 94208, Raw: 77824)

Path: c:\windows\servicepackfiles\i386\netsetup.exe
Status: Allocation size mismatch (API: 331776, Raw: 311296)

Path: c:\windows\servicepackfiles\i386\netsh.exe
Status: Allocation size mismatch (API: 57344, Raw: 36864)

Path: c:\windows\servicepackfiles\i386\netstat.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\servicepackfiles\i386\spdwnwxp.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\spider.exe
Status: Allocation size mismatch (API: 393216, Raw: 376832)

Path: c:\windows\servicepackfiles\i386\spiisupd.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\spnpinst.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\spoolsv.exe
Status: Allocation size mismatch (API: 61440, Raw: 53248)

Path: c:\windows\servicepackfiles\i386\tlntsess.exe
Status: Allocation size mismatch (API: 77824, Raw: 57344)

Path: c:\windows\servicepackfiles\i386\tlntsvr.exe
Status: Allocation size mismatch (API: 69632, Raw: 49152)

Path: c:\windows\servicepackfiles\i386\tourstrt.exe
Status: Allocation size mismatch (API: 212992, Raw: 192512)

Path: c:\windows\servicepackfiles\i386\tp4mon.exe
Status: Allocation size mismatch (API: 86016, Raw: 65536)

Path: c:\windows\servicepackfiles\i386\tracerpt.exe
Status: Allocation size mismatch (API: 167936, Raw: 163840)

Path: c:\windows\servicepackfiles\i386\tracert.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\mshta.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\servicepackfiles\i386\msiexec.exe
Status: Allocation size mismatch (API: 69632, Raw: 49152)

Path: c:\windows\servicepackfiles\i386\at.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\servicepackfiles\i386\rasphone.exe
Status: Allocation size mismatch (API: 57344, Raw: 53248)

Path: c:\windows\servicepackfiles\i386\ipconfig.exe
Status: Allocation size mismatch (API: 53248, Raw: 45056)

Path: c:\windows\servicepackfiles\i386\upnpcont.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\servicepackfiles\i386\ups.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\servicepackfiles\i386\wbemtest.exe
Status: Allocation size mismatch (API: 98304, Raw: 81920)

Path: c:\windows\servicepackfiles\i386\ahui.exe
Status: Allocation size mismatch (API: 94208, Raw: 73728)

Path: c:\windows\servicepackfiles\i386\alg.exe
Status: Allocation size mismatch (API: 49152, Raw: 28672)

Path: c:\windows\servicepackfiles\i386\notepad.exe
Status: Allocation size mismatch (API: 69632, Raw: 49152)

Path: c:\windows\servicepackfiles\i386\nppagent.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\servicepackfiles\i386\nslookup.exe
Status: Allocation size mismatch (API: 65536, Raw: 49152)

Path: c:\windows\servicepackfiles\i386\ntbackup.exe
Status: Allocation size mismatch (API: 794624, Raw: 774144)

Path: c:\windows\servicepackfiles\i386\findstr.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\servicepackfiles\i386\fltmc.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\servicepackfiles\i386\fontview.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\servicepackfiles\i386\forcedos.exe
Status: Allocation size mismatch (API: 24576, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\davcdata.exe
Status: Allocation size mismatch (API: 53248, Raw: 32768)

Path: c:\windows\servicepackfiles\i386\dcomcnfg.exe
Status: Allocation size mismatch (API: 24576, Raw: 4096)

Path: c:\windows\servicepackfiles\i386\ddeshare.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\servicepackfiles\i386\defrag.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\servicepackfiles\i386\skeys.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\servicepackfiles\i386\slrundll.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\servicepackfiles\i386\slserv.exe
Status: Allocation size mismatch (API: 69632, Raw: 49152)

Path: c:\windows\servicepackfiles\i386\clipsrv.exe
Status: Allocation size mismatch (API: 45056, Raw: 24576)

Path: c:\windows\servicepackfiles\i386\cmdl32.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\servicepackfiles\i386\cmmon32.exe
Status: Allocation size mismatch (API: 49152, Raw: 28672)

Path: c:\windows\servicepackfiles\i386\cmstp.exe
Status: Allocation size mismatch (API: 65536, Raw: 61440)

Path: c:\windows\servicepackfiles\i386\lhmstsc.exe
Status: Allocation size mismatch (API: 466944, Raw: 446464)

Path: c:\windows\servicepackfiles\i386\caspol.exe
Status: Allocation size mismatch (API: 65536, Raw: 45056)

Path: c:\windows\servicepackfiles\i386\cfgwiz.exe
Status: Allocation size mismatch (API: 155648, Raw: 147456)

Path: c:\windows\servicepackfiles\i386\progman.exe
Status: Allocation size mismatch (API: 65536, Raw: 45056)

Path: c:\windows\servicepackfiles\i386\proquota.exe
Status: Allocation size mismatch (API: 61440, Raw: 45056)

Path: c:\windows\servicepackfiles\i386\proxycfg.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\servicepackfiles\i386\getmac.exe
Status: Allocation size mismatch (API: 61440, Raw: 53248)

Path: c:\windows\servicepackfiles\i386\gprslt.exe

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a8801f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a8801f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a8801f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a8801f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a8801f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8801f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a8801f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a8801f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a8801f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a8801f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a8801f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8aa031f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8aa031f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8aa031f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8aa031f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8aa031f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8aa031f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8aa031f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8aa031f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8aa031f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8aa031f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8aa031f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x8a8f61f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x8a8f61f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8f61f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a8f61f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x8a8f61f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a8f61f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x8a8f61f8 Size: 121

Object: Hidden Code [Driver: rsvcdwdr, IRP_MJ_CREATE]
Process: System Address: 0x8aa021f8 Size: 121

Object: Hidden Code [Driver: rsvcdwdr, IRP_MJ_CLOSE]
Process: System Address: 0x8aa021f8 Size: 121

Object: Hidden Code [Driver: rsvcdwdr, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8aa021f8 Size: 121

Object: Hidden Code [Driver: rsvcdwdr, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8aa021f8 Size: 121

Object: Hidden Code [Driver: rsvcdwdr, IRP_MJ_POWER]
Process: System Address: 0x8aa021f8 Size: 121

Object: Hidden Code [Driver: rsvcdwdr, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8aa021f8 Size: 121

Object: Hidden Code [Driver: rsvcdwdr, IRP_MJ_PNP]
Process: System Address: 0x8aa021f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8aa721f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8aa721f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8aa721f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8aa721f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8aa721f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8aa721f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8aa721f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8aa721f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8aa721f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8aa721f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8aa721f8 Size: 121

Object: Hidden Code [Driver: atlvavo9Ѕఅ瑎獆⯨, IRP_MJ_CREATE]
Process: System Address: 0x8a8781f8 Size: 121

Object: Hidden Code [Driver: atlvavo9Ѕఅ瑎獆⯨, IRP_MJ_CLOSE]
Process: System Address: 0x8a8781f8 Size: 121

Object: Hidden Code [Driver: atlvavo9Ѕఅ瑎獆⯨, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8781f8 Size: 121

Object: Hidden Code [Driver: atlvavo9Ѕఅ瑎獆⯨, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a8781f8 Size: 121

Object: Hidden Code [Driver: atlvavo9Ѕఅ瑎獆⯨, IRP_MJ_POWER]
Process: System Address: 0x8a8781f8 Size: 121

Object: Hidden Code [Driver: atlvavo9Ѕఅ瑎獆⯨, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a8781f8 Size: 121

Object: Hidden Code [Driver: atlvavo9Ѕఅ瑎獆⯨, IRP_MJ_PNP]
Process: System Address: 0x8a8781f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x891831f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x891831f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x891831f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x891831f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x891831f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x891831f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8a8f41f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8a8f41f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8f41f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a8f41f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8a8f41f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a8f41f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8a8f41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x891641f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఛ楄⍈ 鐘, IRP_MJ_CREATE]
Process: System Address: 0x891321f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఛ楄⍈ 鐘, IRP_MJ_CLOSE]
Process: System Address: 0x891321f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఛ楄⍈ 鐘, IRP_MJ_READ]
Process: System Address: 0x891321f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఛ楄⍈ 鐘, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x891321f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఛ楄⍈ 鐘, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x891321f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఛ楄⍈ 鐘, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x891321f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఛ楄⍈ 鐘, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x891321f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఛ楄⍈ 鐘, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x891321f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఛ楄⍈ 鐘, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x891321f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఛ楄⍈ 鐘, IRP_MJ_SHUTDOWN]
Process: System Address: 0x891321f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఛ楄⍈ 鐘, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x891321f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఛ楄⍈ 鐘, IRP_MJ_CLEANUP]
Process: System Address: 0x891321f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఛ楄⍈ 鐘, IRP_MJ_PNP]
Process: System Address: 0x891321f8 Size: 121

==EOF==
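The "Stealth Objects" section above is easier to read once it is grouped by driver: for each listed driver (Ntfs, Cdrom, dmio, usbuhci, Ftdisk, NetBT, MRxSmb, usbehci and two with garbled names), every hooked IRP_MJ_* dispatch entry resolves to one and the same address with the same 121-byte "hidden code" size, which is what a DRIVER_OBJECT whose MajorFunction table has been overwritten with a single stub looks like to a scanner. The script below is an added example (mine, not RootRepeal's code and not part of the forum post) that parses the two record types in that log, the "Allocation size mismatch" pairs and the "Hidden Code" pairs, and reports that pattern per driver. The embedded sample log is constructed from a handful of lines in the posted format plus one hypothetical driver, "hypothetical_filter" with invented addresses, whose hooks point at different targets so the contrast is visible. The mismatch direction (raw larger or smaller than the API size) is only recorded, not judged: size mismatches have benign causes too (NTFS compression changes on-disk allocation, for instance), so that count is a lead to investigate, not a verdict.

```python
# Added example: summarise RootRepeal-style output (not RootRepeal's own code).
import re
from collections import defaultdict

# "Object: Hidden Code [Driver: X, IRP_MJ_Y]" then "Process: P Address: 0x.. Size: n"
HOOK_RE = re.compile(
    r"Object: Hidden Code \[Driver: (?P<driver>.+?), (?P<irp>IRP_MJ_[A-Z_]+)\]"
    r"\s*Process: (?P<process>\S+) Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)"
)
# "Path: <file>" then "Status: Allocation size mismatch (API: n, Raw: m)"
MISMATCH_RE = re.compile(
    r"Path: (?P<path>.+?)\s*Status: Allocation size mismatch "
    r"\(API: (?P<api>\d+), Raw: (?P<raw>\d+)\)"
)

# Constructed sample in the posted log's format; "hypothetical_filter" and its
# addresses are invented to show a driver whose hooks have different targets.
SAMPLE_LOG = r"""Path: c:\windows\servicepackfiles\i386\rcp.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\servicepackfiles\i386\wextract.exe
Status: Allocation size mismatch (API: 65536, Raw: 69632)

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8aa011f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a8801f8 Size: 121

Object: Hidden Code [Driver: hypothetical_filter, IRP_MJ_CREATE]
Process: System Address: 0xb7100000 Size: 121

Object: Hidden Code [Driver: hypothetical_filter, IRP_MJ_CLOSE]
Process: System Address: 0xb7100040 Size: 121
"""


def parse_hooks(log):
    """One dict per 'Hidden Code' record: driver, IRP major function, target."""
    return [
        {"driver": m["driver"].strip(), "irp": m["irp"], "process": m["process"],
         "addr": int(m["addr"], 16), "size": int(m["size"])}
        for m in HOOK_RE.finditer(log)
    ]


def parse_mismatches(log):
    """One dict per 'Allocation size mismatch' record, with the direction noted."""
    return [
        {"path": m["path"].strip(), "api": int(m["api"]), "raw": int(m["raw"]),
         "raw_larger": int(m["raw"]) > int(m["api"])}
        for m in MISMATCH_RE.finditer(log)
    ]


def summarize_hooks(hooks):
    """Group hooks by driver; flag drivers whose every hooked dispatch entry
    resolves to one address and one stub size (a patched MajorFunction table)."""
    by_driver = defaultdict(list)
    for h in hooks:
        by_driver[h["driver"]].append(h)
    summary = {}
    for driver, entries in by_driver.items():
        addrs = sorted({h["addr"] for h in entries})
        sizes = {h["size"] for h in entries}
        summary[driver] = {
            "hooked_irps": sorted(h["irp"] for h in entries),
            "addresses": addrs,
            "single_stub": len(addrs) == 1 and len(sizes) == 1,
        }
    return summary


def report(log):
    """Human-readable lines: one per size mismatch, then one per hooked driver."""
    lines = []
    for mm in parse_mismatches(log):
        direction = "raw>api" if mm["raw_larger"] else "api>raw"
        lines.append(f"size mismatch ({direction}): {mm['path']} "
                     f"API={mm['api']} Raw={mm['raw']}")
    for driver, info in sorted(summarize_hooks(parse_hooks(log)).items()):
        verdict = ("all entries -> one stub" if info["single_stub"]
                   else "entries -> different targets")
        targets = ", ".join(hex(a) for a in info["addresses"])
        lines.append(f"driver {driver}: {len(info['hooked_irps'])} IRP_MJ entries "
                     f"hooked, {verdict} ({targets})")
    return lines
```

Run it as `print("\n".join(report(SAMPLE_LOG)))`, or pass the text of a saved RootRepeal log in place of `SAMPLE_LOG`; the driver names are matched up to the comma before `IRP_MJ_`, so the garbled names in the posted log are carried through unchanged rather than dropped.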

#2 eighty2
  • Topic Starter
  • Members
  • 3 posts

Posted 24 November 2009 - 01:29 PM

Hi all,

Just checking in to see if anyone's had a chance to look over my virus issue.

One thing I need to add is that I tried booting in safe mode and got the blue screen of death... I ran chkdsk /f but it didn't help.

I know folks here are busy so thanks in advance!

#3 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,820 posts
  • Gender:Female
  • Location:Romania

Posted 29 November 2009 - 08:38 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log
  • GMER log


Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#4 eighty2
  • Topic Starter
  • Members
  • 3 posts

Posted 30 November 2009 - 01:29 AM

Hi, thanks for looking this over!

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-30 00:24:54
Windows 5.1.2600 Service Pack 3
Running: 6eftqb2s[1].exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kgtyypog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB7791360, 0x33AACD, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe[164] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA4707
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe[164] ntdll.dll!NtCreateKey 7C90D0D0 5 Bytes JMP 10005EE9 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe[164] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4796
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe[164] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA47A3
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe[164] ntdll.dll!NtDeleteKey 7C90D230 5 Bytes JMP 1000611A C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe[164] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 100060CB C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe[164] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FFA4A27
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe[164] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA478C
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe[164] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10005F2F C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe[164] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 10006141 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe[164] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA47E4
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe[164] ntdll.dll!NtQueryValueKey 7C90D950 5 Bytes JMP 10005F69 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe[164] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 1000603F C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\6PQRATU9\6eftqb2s[1].exe[408] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA4707
.text C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\6PQRATU9\6eftqb2s[1].exe[408] ntdll.dll!NtCreateKey 7C90D0D0 5 Bytes JMP 10005EE9 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\6PQRATU9\6eftqb2s[1].exe[408] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4796
.text C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\6PQRATU9\6eftqb2s[1].exe[408] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA47A3
.text C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\6PQRATU9\6eftqb2s[1].exe[408] ntdll.dll!NtDeleteKey 7C90D230 5 Bytes JMP 1000611A C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\6PQRATU9\6eftqb2s[1].exe[408] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 100060CB C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\6PQRATU9\6eftqb2s[1].exe[408] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FFA4A27
.text C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\6PQRATU9\6eftqb2s[1].exe[408] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA478C
.text C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\6PQRATU9\6eftqb2s[1].exe[408] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10005F2F C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\6PQRATU9\6eftqb2s[1].exe[408] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 10006141 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\6PQRATU9\6eftqb2s[1].exe[408] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA47E4
.text C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\6PQRATU9\6eftqb2s[1].exe[408] ntdll.dll!NtQueryValueKey 7C90D950 5 Bytes JMP 10005F69 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\6PQRATU9\6eftqb2s[1].exe[408] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 1000603F C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\svchost.exe[424] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA4707
.text C:\WINDOWS\system32\svchost.exe[424] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4796
.text C:\WINDOWS\system32\svchost.exe[424] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA47A3
.text C:\WINDOWS\system32\svchost.exe[424] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FFA4A27
.text C:\WINDOWS\system32\svchost.exe[424] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA478C
.text C:\WINDOWS\system32\svchost.exe[424] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA47E4
.text C:\WINDOWS\System32\alg.exe[536] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA4707
.text C:\WINDOWS\System32\alg.exe[536] ntdll.dll!NtCreateKey 7C90D0D0 5 Bytes JMP 10005EE9 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\System32\alg.exe[536] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4796
.text C:\WINDOWS\System32\alg.exe[536] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA47A3
.text C:\WINDOWS\System32\alg.exe[536] ntdll.dll!NtDeleteKey 7C90D230 5 Bytes JMP 1000611A C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\System32\alg.exe[536] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 100060CB C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\System32\alg.exe[536] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FFA4A27
.text C:\WINDOWS\System32\alg.exe[536] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA478C
.text C:\WINDOWS\System32\alg.exe[536] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10005F2F C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\System32\alg.exe[536] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 10006141 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\System32\alg.exe[536] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA47E4
.text C:\WINDOWS\System32\alg.exe[536] ntdll.dll!NtQueryValueKey 7C90D950 5 Bytes JMP 10005F69 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\System32\alg.exe[536] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 1000603F C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe[616] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA4707
.text C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe[616] ntdll.dll!NtCreateKey 7C90D0D0 5 Bytes JMP 10005EE9 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe[616] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4796
.text C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe[616] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA47A3
.text C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe[616] ntdll.dll!NtDeleteKey 7C90D230 5 Bytes JMP 1000611A C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe[616] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 100060CB C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe[616] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FFA4A27
.text C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe[616] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA478C
.text C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe[616] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10005F2F C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe[616] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 10006141 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe[616] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA47E4
.text C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe[616] ntdll.dll!NtQueryValueKey 7C90D950 5 Bytes JMP 10005F69 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe[616] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 1000603F C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\winlogon.exe[728] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FF94707
.text C:\WINDOWS\system32\winlogon.exe[728] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FF94796
.text C:\WINDOWS\system32\winlogon.exe[728] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FF947A3
.text C:\WINDOWS\system32\winlogon.exe[728] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FF94A27
.text C:\WINDOWS\system32\winlogon.exe[728] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FF9478C
.text C:\WINDOWS\system32\winlogon.exe[728] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FF947E4
.text C:\WINDOWS\system32\services.exe[772] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FF94707
.text C:\WINDOWS\system32\services.exe[772] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FF94796
.text C:\WINDOWS\system32\services.exe[772] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FF947A3
.text C:\WINDOWS\system32\services.exe[772] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FF94A27
.text C:\WINDOWS\system32\services.exe[772] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FF9478C
.text C:\WINDOWS\system32\services.exe[772] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FF947E4
.text C:\WINDOWS\system32\lsass.exe[784] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FF94707
.text C:\WINDOWS\system32\lsass.exe[784] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FF94796
.text C:\WINDOWS\system32\lsass.exe[784] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FF947A3
.text C:\WINDOWS\system32\lsass.exe[784] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FF94A27
.text C:\WINDOWS\system32\lsass.exe[784] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FF9478C
.text C:\WINDOWS\system32\lsass.exe[784] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FF947E4
.text C:\WINDOWS\system32\svchost.exe[948] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FF94707
.text C:\WINDOWS\system32\svchost.exe[948] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FF94796
.text C:\WINDOWS\system32\svchost.exe[948] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FF947A3
.text C:\WINDOWS\system32\svchost.exe[948] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FF94A27
.text C:\WINDOWS\system32\svchost.exe[948] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FF9478C
.text C:\WINDOWS\system32\svchost.exe[948] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FF947E4
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA4707
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ntdll.dll!NtCreateKey 7C90D0D0 5 Bytes JMP 10005EE9 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4796
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA47A3
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ntdll.dll!NtDeleteKey 7C90D230 5 Bytes JMP 1000611A C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 100060CB C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FFA4A27
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA478C
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10005F2F C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 10006141 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA47E4
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ntdll.dll!NtQueryValueKey 7C90D950 5 Bytes JMP 10005F69 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1032] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 1000603F C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\nvsvc32.exe[1080] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA4707
.text C:\WINDOWS\system32\nvsvc32.exe[1080] ntdll.dll!NtCreateKey 7C90D0D0 5 Bytes JMP 10005EE9 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\nvsvc32.exe[1080] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4796
.text C:\WINDOWS\system32\nvsvc32.exe[1080] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA47A3
.text C:\WINDOWS\system32\nvsvc32.exe[1080] ntdll.dll!NtDeleteKey 7C90D230 5 Bytes JMP 1000611A C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\nvsvc32.exe[1080] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 100060CB C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\nvsvc32.exe[1080] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FFA4A27
.text C:\WINDOWS\system32\nvsvc32.exe[1080] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA478C
.text C:\WINDOWS\system32\nvsvc32.exe[1080] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10005F2F C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\nvsvc32.exe[1080] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 10006141 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\nvsvc32.exe[1080] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA47E4
.text C:\WINDOWS\system32\nvsvc32.exe[1080] ntdll.dll!NtQueryValueKey 7C90D950 5 Bytes JMP 10005F69 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\nvsvc32.exe[1080] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 1000603F C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA4707
.text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4796
.text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA47A3
.text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FFA4A27
.text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA478C
.text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA47E4
.text C:\WINDOWS\System32\svchost.exe[1148] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FF84707
.text C:\WINDOWS\System32\svchost.exe[1148] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FF84796
.text C:\WINDOWS\System32\svchost.exe[1148] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FF847A3
.text C:\WINDOWS\System32\svchost.exe[1148] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FF84A27
.text C:\WINDOWS\System32\svchost.exe[1148] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FF8478C
.text C:\WINDOWS\System32\svchost.exe[1148] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FF847E4
.text C:\WINDOWS\System32\snmp.exe[1224] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA4707
.text C:\WINDOWS\System32\snmp.exe[1224] ntdll.dll!NtCreateKey 7C90D0D0 5 Bytes JMP 10005EE9 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\System32\snmp.exe[1224] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4796
.text C:\WINDOWS\System32\snmp.exe[1224] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA47A3
.text C:\WINDOWS\System32\snmp.exe[1224] ntdll.dll!NtDeleteKey 7C90D230 5 Bytes JMP 1000611A C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\System32\snmp.exe[1224] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 100060CB C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\System32\snmp.exe[1224] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FFA4A27
.text C:\WINDOWS\System32\snmp.exe[1224] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA478C
.text C:\WINDOWS\System32\snmp.exe[1224] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10005F2F C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\System32\snmp.exe[1224] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 10006141 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\System32\snmp.exe[1224] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA47E4
.text C:\WINDOWS\System32\snmp.exe[1224] ntdll.dll!NtQueryValueKey 7C90D950 5 Bytes JMP 10005F69 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\System32\snmp.exe[1224] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 1000603F C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA4707
.text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4796
.text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA47A3
.text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FFA4A27
.text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA478C
.text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA47E4
.text C:\WINDOWS\system32\svchost.exe[1328] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA4707
.text C:\WINDOWS\system32\svchost.exe[1328] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4796
.text C:\WINDOWS\system32\svchost.exe[1328] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA47A3
.text C:\WINDOWS\system32\svchost.exe[1328] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FFA4A27
.text C:\WINDOWS\system32\svchost.exe[1328] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA478C
.text C:\WINDOWS\system32\svchost.exe[1328] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA47E4
.text C:\WINDOWS\system32\svchost.exe[1540] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA4707
.text C:\WINDOWS\system32\svchost.exe[1540] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4796
.text C:\WINDOWS\system32\svchost.exe[1540] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA47A3
.text C:\WINDOWS\system32\svchost.exe[1540] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FFA4A27
.text C:\WINDOWS\system32\svchost.exe[1540] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA478C
.text C:\WINDOWS\system32\svchost.exe[1540] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA47E4
.text C:\WINDOWS\system32\ctfmon.exe[2236] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA4707
.text C:\WINDOWS\system32\ctfmon.exe[2236] ntdll.dll!NtCreateKey 7C90D0D0 5 Bytes JMP 10005EE9 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\ctfmon.exe[2236] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4796
.text C:\WINDOWS\system32\ctfmon.exe[2236] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA47A3
.text C:\WINDOWS\system32\ctfmon.exe[2236] ntdll.dll!NtDeleteKey 7C90D230 5 Bytes JMP 1000611A C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\ctfmon.exe[2236] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 100060CB C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\ctfmon.exe[2236] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FFA4A27
.text C:\WINDOWS\system32\ctfmon.exe[2236] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA478C
.text C:\WINDOWS\system32\ctfmon.exe[2236] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10005F2F C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\ctfmon.exe[2236] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 10006141 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\ctfmon.exe[2236] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA47E4
.text C:\WINDOWS\system32\ctfmon.exe[2236] ntdll.dll!NtQueryValueKey 7C90D950 5 Bytes JMP 10005F69 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\ctfmon.exe[2236] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 1000603F C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2400] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA4707
.text C:\Program Files\Internet Explorer\iexplore.exe[2400] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4796
.text C:\Program Files\Internet Explorer\iexplore.exe[2400] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA47A3
.text C:\Program Files\Internet Explorer\iexplore.exe[2400] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FFA4A27
.text C:\Program Files\Internet Explorer\iexplore.exe[2400] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA478C
.text C:\Program Files\Internet Explorer\iexplore.exe[2400] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA47E4
.text C:\Program Files\Internet Explorer\iexplore.exe[2400] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 01439315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2400] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 0150DBCB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2400] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 0150DD81 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2400] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 01514832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2400] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 01471CA2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2400] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 0162E021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2400] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 0162DF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2400] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 0162DFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2400] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 0162DE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2400] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 0162DE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2400] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 0162E084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2400] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 0162DEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2400] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0151488E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2400] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 10005C8E C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2400] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10005A67 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2400] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10005BE6 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2400] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10005ADA C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2400] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10005B4C C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2928] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA4707
.text C:\Program Files\Internet Explorer\iexplore.exe[2928] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4796
.text C:\Program Files\Internet Explorer\iexplore.exe[2928] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA47A3
.text C:\Program Files\Internet Explorer\iexplore.exe[2928] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FFA4A27
.text C:\Program Files\Internet Explorer\iexplore.exe[2928] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA478C
.text C:\Program Files\Internet Explorer\iexplore.exe[2928] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA47E4
.text C:\Program Files\Internet Explorer\iexplore.exe[2928] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 01439315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2928] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 01514832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2928] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 0162E021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2928] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 0162DF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2928] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 0162DFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2928] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 0162DE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2928] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 0162DE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2928] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 0162E084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2928] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 0162DEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2928] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 10005C8E C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2928] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10005A67 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2928] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10005BE6 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2928] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10005ADA C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2928] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10005B4C C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\wscntfy.exe[2964] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA4707
.text C:\WINDOWS\system32\wscntfy.exe[2964] ntdll.dll!NtCreateKey 7C90D0D0 5 Bytes JMP 10005EE9 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\wscntfy.exe[2964] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4796
.text C:\WINDOWS\system32\wscntfy.exe[2964] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA47A3
.text C:\WINDOWS\system32\wscntfy.exe[2964] ntdll.dll!NtDeleteKey 7C90D230 5 Bytes JMP 1000611A C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\wscntfy.exe[2964] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 100060CB C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\wscntfy.exe[2964] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FFA4A27
.text C:\WINDOWS\system32\wscntfy.exe[2964] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA478C
.text C:\WINDOWS\system32\wscntfy.exe[2964] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10005F2F C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\wscntfy.exe[2964] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 10006141 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\wscntfy.exe[2964] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA47E4
.text C:\WINDOWS\system32\wscntfy.exe[2964] ntdll.dll!NtQueryValueKey 7C90D950 5 Bytes JMP 10005F69 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\wscntfy.exe[2964] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 1000603F C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\explorer.exe[3224] explorer.exe 0101A57C 4 Bytes [FF, 15, 1C, 11]
.text C:\WINDOWS\explorer.exe[3224] C:\WINDOWS\explorer.exe section is writeable [0x01001000, 0x44C09, 0xE0000020]
.reloc C:\WINDOWS\explorer.exe[3224] C:\WINDOWS\explorer.exe section is executable [0x010FB000, 0x8800, 0xE0000040]
.text C:\WINDOWS\explorer.exe[3224] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA4707
.text C:\WINDOWS\explorer.exe[3224] ntdll.dll!NtCreateKey 7C90D0D0 5 Bytes JMP 10005EE9 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\explorer.exe[3224] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4796
.text C:\WINDOWS\explorer.exe[3224] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA47A3
.text C:\WINDOWS\explorer.exe[3224] ntdll.dll!NtDeleteKey 7C90D230 5 Bytes JMP 1000611A C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\explorer.exe[3224] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 100060CB C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\explorer.exe[3224] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FFA4A27
.text C:\WINDOWS\explorer.exe[3224] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA478C
.text C:\WINDOWS\explorer.exe[3224] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10005F2F C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\explorer.exe[3224] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 10006141 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\explorer.exe[3224] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA47E4
.text C:\WINDOWS\explorer.exe[3224] ntdll.dll!NtQueryValueKey 7C90D950 5 Bytes JMP 10005F69 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\explorer.exe[3224] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 1000603F C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA4707
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4796
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA47A3
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FFA4A27
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA478C
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA47E4
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 01439315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 0150DBCB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 0150DD81 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 01514832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 01471CA2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 0162E021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 0162DF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 0162DFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 0162DE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 0162DE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 0162E084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 0162DEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0151488E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 10005C8E C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10005A67 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10005BE6 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10005ADA C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10005B4C C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe[3608] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA4707
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe[3608] ntdll.dll!NtCreateKey 7C90D0D0 5 Bytes JMP 10005EE9 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe[3608] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4796
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe[3608] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA47A3
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe[3608] ntdll.dll!NtDeleteKey 7C90D230 5 Bytes JMP 1000611A C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe[3608] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 100060CB C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe[3608] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FFA4A27
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe[3608] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA478C
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe[3608] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10005F2F C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe[3608] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 10006141 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe[3608] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA47E4
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe[3608] ntdll.dll!NtQueryValueKey 7C90D950 5 Bytes JMP 10005F69 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe[3608] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 1000603F C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA4707
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4796
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA47A3
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] ntdll.dll!NtDeviceIoControlFile 7C90D260 5 Bytes CALL 7FFA4A27
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA478C
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA47E4
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 01439315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 0150DBCB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 0150DD81 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 01514832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 01471CA2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 0162E021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 0162DF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 0162DFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 0162DE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 0162DE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 0162E084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 0162DEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0151488E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 10005C8E C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10005A67 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10005BE6 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10005ADA C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10005B4C C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[2400] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [00C018FD] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[3548] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [00C018FD] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[3980] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [00C018FD] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\curslib.dll 31744 bytes executable
File C:\WINDOWS\system32\wincert.dll 37376 bytes executable
File D:\My Documents\Hewlett-Packard\HP Easy Printer Care\config 0 bytes
File D:\My Documents\Hewlett-Packard\HP Easy Printer Care\config\HPPConfig.zip 32788 bytes
File D:\My Documents\Hewlett-Packard\HP Easy Printer Care\config\HPPConfig.zip.sig 262 bytes
File D:\My Documents\Hewlett-Packard\HP Easy Printer Care\config\hppconfig_cache 0 bytes
File D:\My Documents\Hewlett-Packard\HP Easy Printer Care\config\hppconfig_cache\authorization.xml 182 bytes
File D:\My Documents\Hewlett-Packard\HP Easy Printer Care\config\hppconfig_cache\DMModules.xml 547 bytes
File D:\My Documents\Hewlett-Packard\HP Easy Printer Care\config\ttm.zip 14851 bytes
File D:\My Documents\Hewlett-Packard\HP Easy Printer Care\config\ttm.zip.sig 262 bytes
File D:\My Documents\Hewlett-Packard\HP Easy Printer Care\config\ttm_cache 0 bytes
File D:\My Documents\Hewlett-Packard\HP Easy Printer Care\config\ttm_cache\authorization.xml 182 bytes
File D:\My Documents\Hewlett-Packard\HP Easy Printer Care\config\ttm_cache\images 0 bytes
File D:\My Documents\Hewlett-Packard\HP Easy Printer Care\config\ttm_cache\images\ttmicon.ico 25214 bytes
File D:\My Documents\Hewlett-Packard\HP Easy Printer Care\config\ttm_cache\ttmbase.xml 8401 bytes
File D:\My Documents\Hewlett-Packard\HP Easy Printer Care\config\ttm_cache\TTMModules.xml 612 bytes
File D:\My Documents\Hewlett-Packard\HP Easy Printer Care\config\xmlmgnt.zip 45690 bytes
File D:\My Documents\Hewlett-Packard\HP Easy Printer Care\config\xmlmgnt.zip.sig 262 bytes
File D:\My Documents\Hewlett-Packard\HP Easy Printer Care\config\xmlmgnt_cache 0 bytes
File D:\My Documents\Hewlett-Packard\HP Easy Printer Care\config\xmlmgnt_cache\authorization.xml 182 bytes
File D:\My Documents\Hewlett-Packard\HP Easy Printer Care\config\xmlmgnt_cache\directives 0 bytes
File D:\My Documents\Hewlett-Packard\HP Easy Printer Care\config\xmlmgnt_cache\directives\LocalizeDirective.xml 1277 bytes
File D:\My Documents\Hewlett-Packard\HP Printer Utility\config 0 bytes
File D:\My Documents\Hewlett-Packard\HP Printer Utility\config\GenericXDMProfile.xml 9196 bytes
File D:\My Documents\Hewlett-Packard\HP Printer Utility\config\HPPConfig.zip 46871 bytes
File D:\My Documents\Hewlett-Packard\HP Printer Utility\config\HPPConfig.zip.sig 262 bytes
File D:\My Documents\Hewlett-Packard\HP Printer Utility\config\ttm.zip 12977 bytes
File D:\My Documents\Hewlett-Packard\HP Printer Utility\config\ttm.zip.sig 262 bytes
File D:\My Documents\Hewlett-Packard\HP Printer Utility\config\xmlmgnt.zip 46326 bytes
File D:\My Documents\Hewlett-Packard\HP Printer Utility\config\xmlmgnt.zip.sig 262 bytes
File D:\My Documents\My Downloads\BookSmart\resources\application\config 0 bytes
File D:\Backup\PGORNELL\C\Documents and Settings\pgornell\My Documents\My Music\iTunes\iTunes Music\Robin's Music\0200311a3600392c0502001f0b3c00031b03020022263f002f10050200063744001c380302\0200311a3600392c0502001f0b3c00031b03020022263f002f10050200063744001c380302\14 - 14.rmj 4225519 bytes
File D:\Backup\PGORNELL\C\Documents and Settings\pgornell\My Documents\My Music\iTunes\iTunes Music\Robin's Music\0200311a3600392c0502001f0b3c00031b03020022263f002f10050200063744001c380302\0200311a3600392c0502001f0b3c00031b03020022263f002f10050200063744001c380302\15 - 15.rmj 5832483 bytes
File D:\Backup\PGORNELL\C\Documents and Settings\pgornell\My Documents\My Music\iTunes\iTunes Music\Robin's Music\0200311a3600392c0502001f0b3c00031b03020022263f002f10050200063744001c380302\0200311a3600392c0502001f0b3c00031b03020022263f002f10050200063744001c380302\16 - 16.rmj 3561773 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win 0 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_el_gr.zstrings 162686 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_ar_ae.zstrings 145800 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_cs_cz.zstrings 153864 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_da_dk.zstrings 154420 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_de_de.zstrings 166566 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_en_us.zstrings 152856 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_es_es.zstrings 162250 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_fi_fi.zstrings 156020 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_fr_fr.zstrings 164006 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_he_il.zstrings 141834 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_hu_hu.zstrings 156014 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_it_it.zstrings 160908 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_ja_jp.zstrings 128992 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_ko_kr.zstrings 128514 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_nl_nl.zstrings 165288 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_no_no.zstrings 154094 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_pl_pl.zstrings 156434 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_pt_br.zstrings 159400 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_ro_ro.zstrings 159762 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_ru_ru.zstrings 157626 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_sv_se.zstrings 155882 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_tr_tr.zstrings 154174 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_uk_ua.zstrings 153858 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_zh_cn.zstrings 118204 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.0.0\dictionaries\win\versioncueui_zh_tw.zstrings 118244 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win 0 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_el_gr.zstrings 162686 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_ar_ae.zstrings 145800 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_cs_cz.zstrings 153864 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_da_dk.zstrings 154420 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_de_de.zstrings 166566 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_en_us.zstrings 152856 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_es_es.zstrings 162250 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_fi_fi.zstrings 156020 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_fr_fr.zstrings 164006 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_he_il.zstrings 141834 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_hu_hu.zstrings 156014 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_it_it.zstrings 160908 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_ja_jp.zstrings 128992 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_ko_kr.zstrings 128514 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_nl_nl.zstrings 165288 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_no_no.zstrings 154094 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_pl_pl.zstrings 156434 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_pt_br.zstrings 159400 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_ro_ro.zstrings 159762 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_ru_ru.zstrings 157626 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_sv_se.zstrings 155882 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_tr_tr.zstrings 154160 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_uk_ua.zstrings 153858 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_zh_cn.zstrings 118204 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\Adobe Version Cue CS3\Client\3.1.0\dictionaries\win\versioncueui_zh_tw.zstrings 118244 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\TypeSpt\Unicode\Mappings\win 0 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\TypeSpt\Unicode\Mappings\win\CP1250.TXT 9828 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\TypeSpt\Unicode\Mappings\win\CP1251.TXT 9503 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\TypeSpt\Unicode\Mappings\win\CP1252.TXT 9653 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\TypeSpt\Unicode\Mappings\win\CP1253.TXT 9236 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\TypeSpt\Unicode\Mappings\win\CP1254.TXT 9644 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\TypeSpt\Unicode\Mappings\win\CP1257.TXT 9516 bytes
File D:\Backup\PGORNELL\Common Files\Adobe\TypeSpt\Unicode\Mappings\win\CP1258.TXT 9506 bytes

---- EOF - GMER 1.0.15 ----
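
The hook lines in the GMER log above (5-byte JMP/CALL detours on ntdll, ws2_32, USER32 and ole32 exports) can be triaged mechanically. As an added example that is not part of the original post or of GMER, the script below parses that line format, groups the detours by the module that receives them, and flags any module that intercepts both registry and socket APIs in several unrelated processes; the API-family mapping and the process threshold are this example's own assumptions, and the sample input is an excerpt of the log above.

```python
"""Triage helper for the 'User code sections' part of a GMER log (added example).

Parses lines of the shape
    .text <process>[<pid>] <module>!<function> <addr> 5 Bytes JMP <target> <path> (<desc>/<company>)
    .text <process>[<pid>] <module>!<function> <addr> 5 Bytes CALL <target>
groups the inline hooks by the module that receives the redirect and reports
which API families each module intercepts and in how many processes.
Scoring heuristics are the author's assumptions, not GMER output.
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<mod>[^\s!]+)!(?P<func>\S+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<n>\d+)\s+Bytes\s+(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<path>.+?)\s+\((?P<desc>[^)]*)\))?\s*$"
)

# Excerpt of the log posted in this thread (constructed subset for the demo).
SAMPLE_LOG = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[2928] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10005ADA C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\system32\wscntfy.exe[2964] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA4707
.text C:\WINDOWS\system32\wscntfy.exe[2964] ntdll.dll!NtCreateKey 7C90D0D0 5 Bytes JMP 10005EE9 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\explorer.exe[3224] explorer.exe 0101A57C 4 Bytes [FF, 15, 1C, 11]
.text C:\WINDOWS\explorer.exe[3224] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 1000603F C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\explorer.exe[3224] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4796
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 01439315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0151488E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10005A67 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
.text C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe[3608] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 10006141 C:\WINDOWS\system32\curslib.dll (Microsoft RDO Library/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[3980] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [00C018FD] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
"""


def classify(mod, func):
    """Map a hooked export to a coarse API family (assumption: by name only)."""
    mod = mod.lower()
    if mod == "ws2_32.dll":
        return "network"
    if mod == "ntdll.dll":
        if "Key" in func:
            return "registry"
        if "File" in func:
            return "filesystem"
        if "Process" in func:
            return "process"
        return "other-native"
    if mod == "user32.dll":
        return "ui"
    if mod == "ole32.dll":
        return "com"
    return "other"


def parse_hooks(text):
    """Return one dict per inline hook; IAT, section and raw-byte lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["pid"] = int(d["pid"])
        d["family"] = classify(d["mod"], d["func"])
        # CALL detours here carry no backing module: key them by target address.
        d["owner"] = d["path"] if d["path"] else f"<no module @ {d['target']}>"
        hooks.append(d)
    return hooks


def summarize(hooks):
    """Per owning module: hooked PIDs, API families, distinct hooked exports."""
    by_owner = defaultdict(list)
    for h in hooks:
        by_owner[h["owner"]].append(h)
    return {
        owner: {
            "pids": sorted({h["pid"] for h in hs}),
            "families": sorted({h["family"] for h in hs}),
            "functions": sorted({f"{h['mod']}!{h['func']}" for h in hs}),
            "desc": next((h["desc"] for h in hs if h["desc"]), None),
        }
        for owner, hs in by_owner.items()
    }


def suspicious_owners(summary, min_procs=3):
    """Modules redirecting both registry and socket APIs in >= min_procs processes.

    A browser frame DLL hooking dialog functions only inside the browser is
    expected; one DLL sitting on both the registry and the network path in the
    shell, a service and the browser is what a reviewer wants surfaced first.
    """
    return sorted(o for o, s in summary.items()
                  if {"registry", "network"} <= set(s["families"])
                  and len(s["pids"]) >= min_procs)


def unresolved_targets(hooks):
    """Detour targets GMER could not attribute to any loaded module."""
    return sorted({h["target"] for h in hooks if not h["path"]})


if __name__ == "__main__":
    report = summarize(parse_hooks(SAMPLE_LOG))
    for owner, s in report.items():
        print(owner, s["pids"], s["families"])
    print("review first:", suspicious_owners(report))
    print("unresolved:", unresolved_targets(parse_hooks(SAMPLE_LOG)))
```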

#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:08:07 AM

Posted 30 November 2009 - 03:09 AM

Hello eighty2,

TFC
--------
Download TFC by OldTimer to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

NOTE:
It's normal after running TFC cleaner that the PC will be slower to boot the first time.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.



COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Bleepingcomputer
  • ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:08:07 AM

Posted 03 December 2009 - 06:45 AM

Hello, are you still there?

regards, Elise




#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:08:07 AM

Posted 06 December 2009 - 08:04 AM

Due to lack of feedback, this topic is now closed.

If you are the original topic starter and you need this topic to be re-opened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise






