
Scour virus on Chrome :(

Discussion in 'Virus & Other Malware Removal' started by beefykoala, Aug 25, 2012.

  1. beefykoala

    beefykoala Thread Starter

    Joined:
    Oct 25, 2007
    Messages:
    34
    Hello. My silly boyfriend downloaded an infected copy of a game from a link he found on Reddit. Now we are getting redirects on searches in Chrome, add-ons that keep reinstalling themselves (appbario and 'video downloader' extension), new programs being added into the start menu (Optimizer Pro, Strongvault Online Backup and SpeedUpMyPC) and the whole system feels more... clunky. I think we're infected!

    I did all the logs as requested (posted below). Note that this is a computer we were gifted from his dad, so there's tons of stuff left on here from back then.

    Thanks in advance for all your help!!


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 4:01:01 PM, on 8/25/2012
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
    C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Helen\My Documents\Downloads\HijackThis (1).exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: CrossriderApp0003491 - {11111111-1111-1111-1111-110011341191} - C:\Program Files\Vid-Saver\Vid-Saver.dll
    O2 - BHO: CrossriderApp0005060 - {11111111-1111-1111-1111-110011501160} - C:\Program Files\Savings Sidekick\Savings Sidekick.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WhiteSmoke US New - {462be121-2b54-4218-bf00-b9bf8135b23f} - C:\Program Files\WhiteSmoke_US_New\prxtbWhit.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~3\Office14\URLREDIR.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: WhiteSmoke US New Toolbar - {462be121-2b54-4218-bf00-b9bf8135b23f} - C:\Program Files\WhiteSmoke_US_New\prxtbWhit.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
    O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe"
    O4 - HKLM\..\Run: [SMessaging] C:\Documents and Settings\Bobby\Local Settings\Application Data\Strongvault Online Backup\SMessaging.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
    O4 - HKCU\..\Run: [LogMeIn] rundll32.exe "C:\Documents and Settings\Bobby\Local Settings\Application Data\Microsoft\LogMeIn\yrjivhp.dll",CreateInstance
    O4 - HKUS\S-1-5-19\..\Run: [LogMeIn] rundll32.exe "C:\Documents and Settings\Bobby\Local Settings\Application Data\Microsoft\LogMeIn\yrjivhp.dll",CreateInstance (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [LogMeIn] rundll32.exe "C:\Documents and Settings\Bobby\Local Settings\Application Data\Microsoft\LogMeIn\yrjivhp.dll",CreateInstance (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-602162358-1957994488-682003330-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Stab')
    O4 - HKUS\S-1-5-18\..\Run: [LogMeIn] rundll32.exe "C:\Documents and Settings\Bobby\Local Settings\Application Data\Microsoft\LogMeIn\yrjivhp.dll",CreateInstance (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [LogMeIn] rundll32.exe "C:\Documents and Settings\Bobby\Local Settings\Application Data\Microsoft\LogMeIn\yrjivhp.dll",CreateInstance (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: Epson scanner Registration.lnk = I:\Common\EpsonReg\Ereg.exe
    O4 - Global Startup: TweetDeck.lnk = C:\Program Files\TweetDeck\TweetDeck.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
    O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe

    --
    End of file - 10153 bytes
     
  2. beefykoala

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Helen at 16:02:31 on 2012-08-25
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.609 [GMT -5:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
    C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Helen\My Documents\Downloads\HijackThis (1).exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    .
    ============== Pseudo HJT Report ===============
    .
    BHO: Vid-Saver: {11111111-1111-1111-1111-110011341191} - c:\program files\vid-saver\Vid-Saver.dll
    BHO: Savings Sidekick: {11111111-1111-1111-1111-110011501160} - c:\program files\savings sidekick\Savings Sidekick.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: WhiteSmoke US New Toolbar: {462be121-2b54-4218-bf00-b9bf8135b23f} - c:\program files\whitesmoke_us_new\prxtbWhit.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: WhiteSmoke US New Toolbar: {462be121-2b54-4218-bf00-b9bf8135b23f} - c:\program files\whitesmoke_us_new\prxtbWhit.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Google Update] "c:\documents and settings\helen\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [Active Desktop Calendar] c:\program files\xemicomputers\active desktop calendar\ADC.exe
    uRun: [LogMeIn] rundll32.exe "c:\documents and settings\bobby\local settings\application data\microsoft\logmein\yrjivhp.dll",CreateInstance
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [AlcWzrd] ALCWZRD.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
    mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
    mRun: [Ad-Aware Browsing Protection] "c:\documents and settings\all users\application data\ad-aware browsing protection\adawarebp.exe"
    mRun: [SMessaging] c:\documents and settings\bobby\local settings\application data\strongvault online backup\SMessaging.exe
    dRun: [LogMeIn] rundll32.exe "c:\documents and settings\bobby\local settings\application data\microsoft\logmein\yrjivhp.dll",CreateInstance
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\helen\startm~1\programs\startup\epsons~1.lnk - i:\common\epsonreg\Ereg.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tweetd~1.lnk - c:\program files\tweetdeck\TweetDeck.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    TCP: Interfaces\{9DC90C21-ABEE-4E85-B841-A23843DBD7B9} : DhcpNameServer = 75.75.75.75 75.75.76.76
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: LMIinit - LMIinit.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 171064]
    R1 MpKslb34ef277;MpKslb34ef277;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5cf7bac6-b7f7-4f22-8440-17a6b48bdcc1}\MpKslb34ef277.sys [2012-8-25 29904]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2012-1-31 374184]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2011-9-16 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2012-5-14 47640]
    R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
    S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
    S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]
    .
    =============== Created Last 30 ================
    .
    2012-08-25 20:30:34 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5cf7bac6-b7f7-4f22-8440-17a6b48bdcc1}\MpKslb34ef277.sys
    2012-08-25 17:01:06 7023536 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5cf7bac6-b7f7-4f22-8440-17a6b48bdcc1}\mpengine.dll
    2012-08-25 02:03:17 -------- d-----w- c:\program files\MSXML 4.0
    2012-08-24 16:06:00 -------- d-----w- c:\program files\Uniblue
    2012-08-24 16:02:51 -------- d-----w- c:\program files\Optimizer Pro
    2012-08-24 16:02:31 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
    2012-08-24 16:02:25 -------- d-----w- c:\program files\Vid-Saver
    2012-08-24 16:02:25 -------- d-----w- c:\documents and settings\all users\application data\Strongvault Online Backup
    2012-08-24 16:02:24 -------- d-----w- c:\program files\Strongvault Online Backup
    2012-08-24 16:01:41 -------- d-----w- c:\program files\Conduit
    2012-08-24 16:01:36 -------- d-----w- c:\program files\WhiteSmoke_US_New
    2012-08-24 12:01:52 7023536 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2012-08-21 14:30:15 -------- d-----w- c:\documents and settings\helen\local settings\application data\adaware
    2012-08-21 02:01:23 -------- d-----w- c:\documents and settings\all users\application data\GFI Software
    2012-08-21 01:55:57 -------- d-----w- c:\documents and settings\all users\application data\Ad-Aware Browsing Protection
    2012-08-21 01:45:54 -------- d-----w- c:\program files\Ad-Aware Antivirus
    2012-08-21 01:44:32 558133 ----a-w- c:\windows\system32\sqlite3.dll
    2012-08-21 01:40:50 -------- d-----w- c:\documents and settings\all users\application data\IBUpdaterService
    2012-08-21 01:40:46 666272 ----a-w- c:\program files\uninstall information\ib_uninst_514\uninstall.exe
    2012-08-21 01:39:32 666272 ----a-w- c:\program files\uninstall information\ib_uninst_569\uninstall.exe
    2012-08-21 01:39:29 666272 ----a-w- c:\program files\uninstall information\ib_uninst_566\uninstall.exe
    2012-08-21 01:39:29 -------- d-----w- c:\windows\system32\Extensions
    2012-08-21 01:39:28 -------- d-----w- c:\windows\system32\searchplugins
    2012-08-21 01:39:19 666272 ----a-w- c:\program files\uninstall information\ib_uninst_383\uninstall.exe
    2012-08-21 01:38:53 666272 ----a-w- c:\program files\uninstall information\ib_uninst_342\uninstall.exe
    2012-08-21 01:38:51 -------- d-----w- c:\program files\Savings Sidekick
    2012-08-18 18:44:40 -------- d-----w- c:\documents and settings\helen\application data\My Games
    2012-08-16 00:13:04 -------- d-----w- c:\program files\Firaxis Games
    2012-08-16 00:09:22 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
    2012-08-15 01:29:14 -------- d-----w- c:\program files\XMedia Recode
    2012-08-15 01:11:03 -------- d-----w- c:\program files\Combined Community Codec Pack
    2012-08-15 00:57:28 221184 ----a-w- c:\windows\system32\wmpns.dll
    2012-08-15 00:57:16 -------- d-----w- c:\program files\Windows Media Connect 2
    .
    ==================== Find3M ====================
    .
    2012-07-13 02:10:39 83392 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2012-07-13 02:10:39 52128 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
    2012-07-13 02:10:38 87456 ----a-w- c:\windows\system32\LMIinit.dll
    2012-07-13 02:10:38 30624 ----a-w- c:\windows\system32\LMIport.dll
    2012-07-06 13:58:51 78336 ----a-w- c:\windows\system32\browser.dll
    2012-07-04 14:05:18 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-07-03 13:40:15 1866112 ----a-w- c:\windows\system32\win32k.sys
    2012-07-02 17:49:33 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-07-02 17:49:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-07-02 17:49:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-07-02 12:05:43 385024 ----a-w- c:\windows\system32\html.iec
    2012-07-01 22:56:00 81920 ----a-w- c:\windows\ALCFDRTM.VER
    2012-07-01 22:56:00 81920 ----a-w- c:\windows\ALCFDRTM.EXE
    2012-06-05 15:50:25 1372672 ------w- c:\windows\system32\msxml6.dll
    2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
    2012-06-02 19:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
    2012-06-02 19:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
    2012-06-02 19:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
    2012-06-02 19:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
    2012-06-02 19:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
    2012-06-02 19:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
    2012-06-02 19:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
    2012-06-02 19:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
    2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
    .
    ============= FINISH: 16:03:23.64 ===============
     
  3. beefykoala

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-08-25 18:21:21
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17 ST3200822AS rev.3.02
    Running: 7ykrsnrl.exe; Driver: C:\DOCUME~1\Helen\LOCALS~1\Temp\ugtdypod.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB834A000, 0x1C5D38, 0xE8000020]
    ? C:\DOCUME~1\Helen\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 3C, 00] {SUB [EAX], AL; CMP AL, 0x0}
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 3C, 00] {SUB [EBX], AL; CMP AL, 0x0}
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 3C, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 3C, 00] {TEST AL, 0x1; CMP AL, 0x0}
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91121A
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 3C, 00] {TEST AL, 0x2; CMP AL, 0x0}
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 3C, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 3C, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B91128B
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 3C, 00] {TEST AL, 0x0; CMP AL, 0x0}
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B9113B9
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 3C, 00] {SUB [ECX], AL; CMP AL, 0x0}
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 3C, 00] {SUB [EDX], AL; CMP AL, 0x0}
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 3C, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1400] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2068] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 17, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 17, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 17, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 17, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90ED1A
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 17, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 17, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 17, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90ED8B
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 17, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EEB9
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 17, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 17, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 17, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2144] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4488] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5640] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01760001
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5640] WS2_32.dll!WSALookupServiceNextW 71AB3181 6 Bytes JMP 71A60F5A
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5640] WS2_32.dll!WSALookupServiceEnd 71AB350E 6 Bytes JMP 71A30F5A
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5640] WS2_32.dll!WSALookupServiceBeginW 71AB35EF 6 Bytes JMP 71AF0F5A
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5640] WS2_32.dll!send 71AB4C27 6 Bytes JMP 71A00F5A
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5640] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 71970F5A
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5640] WS2_32.dll!recv 71AB676F 6 Bytes JMP 719D0F5A
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5640] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 719A0F5A
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5640] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 6 Bytes JMP 71940F5A
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 54, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 54, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 54, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 54, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B912A1A
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 54, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 54, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 54, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B912A8B
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 54, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B912BB9
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 54, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 54, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 54, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6196] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 55, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 55, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 55, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 55, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B912B1A
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 55, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 55, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 55, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B912B8B
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 55, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B912CB9
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 55, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 55, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 55, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6488] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6528] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6584] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 31, 00] {SUB [EAX], AL; XOR [EAX], EAX}
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 31, 00] {SUB [EBX], AL; XOR [EAX], EAX}
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 31, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 31, 00] {TEST AL, 0x1; XOR [EAX], EAX}
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91071A
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 31, 00] {TEST AL, 0x2; XOR [EAX], EAX}
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 31, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 31, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B91078B
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 31, 00] {TEST AL, 0x0; XOR [EAX], EAX}
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B9108B9
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 31, 00] {SUB [ECX], AL; XOR [EAX], EAX}
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 31, 00] {SUB [EDX], AL; XOR [EAX], EAX}
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 31, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[6784] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7660] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01750001
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7660] WS2_32.dll!WSALookupServiceNextW 71AB3181 6 Bytes JMP 71A60F5A
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7660] WS2_32.dll!WSALookupServiceEnd 71AB350E 6 Bytes JMP 71A30F5A
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7660] WS2_32.dll!WSALookupServiceBeginW 71AB35EF 6 Bytes JMP 71AF0F5A
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7660] WS2_32.dll!send 71AB4C27 6 Bytes JMP 71A00F5A
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7660] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 71970F5A
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7660] WS2_32.dll!recv 71AB676F 6 Bytes JMP 719D0F5A
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7660] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 719A0F5A
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7660] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 6 Bytes JMP 71940F5A
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7880] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 017A0001
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7880] WS2_32.dll!WSALookupServiceNextW 71AB3181 6 Bytes JMP 71A60F5A
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7880] WS2_32.dll!WSALookupServiceEnd 71AB350E 6 Bytes JMP 71A30F5A
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7880] WS2_32.dll!WSALookupServiceBeginW 71AB35EF 6 Bytes JMP 71AF0F5A
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7880] WS2_32.dll!send 71AB4C27 6 Bytes JMP 71A00F5A
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7880] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 71970F5A
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7880] WS2_32.dll!recv 71AB676F 6 Bytes JMP 719D0F5A
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7880] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 719A0F5A
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7880] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 6 Bytes JMP 71940F5A
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
    .text C:\Documents and Settings\Helen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[7932] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8044] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01720001
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8044] WS2_32.dll!WSALookupServiceNextW 71AB3181 6 Bytes JMP 71A60F5A
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8044] WS2_32.dll!WSALookupServiceEnd 71AB350E 6 Bytes JMP 71A30F5A
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8044] WS2_32.dll!WSALookupServiceBeginW 71AB35EF 6 Bytes JMP 71AF0F5A
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8044] WS2_32.dll!send 71AB4C27 6 Bytes JMP 71A00F5A
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8044] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 71970F5A
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8044] WS2_32.dll!recv 71AB676F 6 Bytes JMP 719D0F5A
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8044] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 719A0F5A
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8044] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 6 Bytes JMP 71940F5A
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 2F, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 2F, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 2F, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 2F, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91051A
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 2F, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 2F, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 2F, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B91058B
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 2F, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B9106B9
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 2F, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 2F, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 2F, 00]
    .text C:\Documents and Settings\Stab\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[8060] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
     


  4. beefykoala

    beefykoala Thread Starter

  5. beefykoala

    beefykoala Thread Starter

    Sorry to bump this again - I don't know what to do as the virus scan just keeps finding more instances of it and I'm worried it's affecting my work as I work from home on it. :(

    I'm very grateful for your help.
     
  6. beefykoala

    beefykoala Thread Starter

  7. beefykoala

    beefykoala Thread Starter

    Sorry to keep hassling, but is there anyone that can help? Our anti-virus has now been turned off and will not turn back on!! Pleeeease!! :(
     
  8. beefykoala

    beefykoala Thread Starter

    Is there anyone that can look at this? It's been two weeks since my original post and we're going to have to take it in to a repair shop soon if not - antivirus on this user space won't turn on, every other thing I do on the web redirects to another site, we can't seem to remove random programs that have installed themselves. I'm worried that we're putting all our documents at risk by leaving this virus on here.
     
  9. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,805
    Delete any existing version of ComboFix you have sitting on your desktop
    Please read and follow all these instructions very carefully
    Do not edit or remove any information or user names etc, otherwise we cannot fix the problem. If you insist on editing out anything then I will close the topic & refuse to offer any help.

    Download ComboFix from Here to your Desktop.
    As you download it rename it to username123.exe


    **Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
    --------------------------------------------------------------------
    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results" or stop combofix running at all.
    • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again after combofix has finished.
    --------------------------------------------------------------------
    2. Close any open browsers and any other programs you might have running
    Double click on renamed combofix.exe & follow the prompts.
    If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
    Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" for further review


    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. Read HERE why we disable autoruns.

    Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

    Please tell us if it has cured the problems or if there are any outstanding issues

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    • If Combofix reboot is due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
    • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

    Post the log in next reply please...
     
  10. beefykoala

    beefykoala Thread Starter

    ComboFix 12-09-13.03 - Helen 09/13/2012 15:42:04.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1399 [GMT -5:00]
    Running from: c:\documents and settings\Helen\Desktop\helen123.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Bobby\Local Settings\Application Data\Vid-Saver
    c:\documents and settings\Bobby\Local Settings\Application Data\Vid-Saver\Chrome\Vid-Saver.crx
    c:\documents and settings\Bobby\My Documents\~WRL0046.tmp
    c:\documents and settings\Bobby\My Documents\~WRL3661.tmp
    c:\documents and settings\Bobby\My Documents\~WRL3790.tmp
    c:\documents and settings\Stab\Local Settings\Application Data\Savings Sidekick
    c:\documents and settings\Stab\Local Settings\Application Data\Savings Sidekick\Chrome\Savings Sidekick.crx
    c:\program files\Savings Sidekick
    c:\program files\Savings Sidekick\Savings Sidekick.ico
    c:\program files\Savings Sidekick\Savings Sidekick.ini
    c:\program files\Savings Sidekick\Savings SidekickInstaller.log
    c:\program files\Vid-Saver
    c:\program files\Vid-Saver\ButtonUtil.dll
    c:\program files\Vid-Saver\Vid-Saver-bg.exe
    c:\program files\Vid-Saver\Vid-Saver.exe
    c:\program files\Vid-Saver\Vid-Saver.ico
    c:\program files\Vid-Saver\Vid-Saver.ini
    c:\program files\Vid-Saver\Vid-SaverInstaller.log
    c:\windows\system32\sqlite3.dll
    H:\Autorun.inf
    L:\AUTORUN.INF
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-13 to 2012-09-13 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-13 20:27 . 2012-09-13 20:27 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A589A4C8-FA45-4759-AC89-B56CC83BFA29}\MpKsl798d8601.sys
    2012-09-13 08:38 . 2012-08-23 07:15 7022536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A589A4C8-FA45-4759-AC89-B56CC83BFA29}\mpengine.dll
    2012-09-11 23:51 . 2012-08-23 07:15 7022536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-09-01 23:19 . 2012-09-13 20:29 -------- d-----w- c:\documents and settings\Helen\Local Settings\Application Data\Spotify
    2012-09-01 23:19 . 2012-09-13 20:29 -------- d-----w- c:\documents and settings\Helen\Application Data\Spotify
    2012-08-29 16:00 . 2010-10-24 05:56 49664 ----a-w- c:\windows\system32\CamCodec.dll
    2012-08-29 16:00 . 2012-08-29 16:01 -------- d-----w- c:\program files\CamStudio 2.6b
    2012-08-24 16:01 . 2012-08-24 16:01 -------- d-----w- c:\program files\Conduit
    2012-08-24 16:01 . 2012-08-24 16:01 -------- d-----w- c:\program files\WhiteSmoke_US_New
    2012-08-24 15:45 . 2012-08-24 15:49 -------- d-----w- c:\documents and settings\Bobby
    2012-08-21 14:30 . 2012-08-21 14:30 -------- d-----w- c:\documents and settings\Helen\Local Settings\Application Data\adaware
    2012-08-21 02:01 . 2012-08-21 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\GFI Software
    2012-08-21 01:58 . 2012-08-21 01:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\Ad-Aware Antivirus
    2012-08-21 01:55 . 2012-08-21 01:56 -------- d-----w- c:\documents and settings\Stab\Local Settings\Application Data\adaware
    2012-08-21 01:55 . 2012-09-13 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection
    2012-08-21 01:45 . 2012-08-21 02:01 -------- d-----w- c:\program files\Ad-Aware Antivirus
    2012-08-21 01:45 . 2012-08-21 01:54 -------- d-----w- c:\documents and settings\Stab\Local Settings\Application Data\Downloaded Installations
    2012-08-21 01:40 . 2012-08-21 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\IBUpdaterService
    2012-08-21 01:40 . 2012-08-21 01:40 -------- d-----w- c:\documents and settings\Stab\Local Settings\Application Data\CRE
    2012-08-21 01:39 . 2012-08-21 01:39 -------- d-----w- c:\windows\system32\Extensions
    2012-08-21 01:39 . 2012-08-21 01:39 -------- d-----w- c:\windows\system32\searchplugins
    2012-08-18 18:44 . 2012-08-18 18:44 -------- d-----w- c:\documents and settings\Helen\Application Data\My Games
    2012-08-16 00:35 . 2012-08-16 00:35 -------- d-----w- c:\documents and settings\Stab\Application Data\My Games
    2012-08-16 00:13 . 2012-08-16 00:13 -------- d-----w- c:\program files\Firaxis Games
    2012-08-16 00:09 . 2005-05-26 20:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
    2012-08-16 00:08 . 2012-08-16 00:08 -------- d-----w- c:\documents and settings\Stab\Application Data\InstallShield
    2012-08-16 00:01 . 2012-08-16 00:01 -------- d-----w- c:\documents and settings\Stab\Application Data\XMedia Recode
    2012-08-15 01:29 . 2012-08-15 01:29 -------- d-----w- c:\program files\XMedia Recode
    2012-08-15 01:11 . 2012-08-15 01:11 -------- d-----w- c:\program files\Combined Community Codec Pack
    2012-08-15 00:58 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
    2012-08-15 00:57 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
    2012-08-15 00:57 . 2012-08-15 00:57 -------- d-----w- c:\program files\Windows Media Connect 2
    2012-08-15 00:55 . 2012-08-15 00:56 -------- d-----w- c:\windows\system32\drivers\UMDF
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-13 02:10 . 2012-05-14 22:56 52128 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
    2012-07-13 02:10 . 2012-05-14 22:56 83392 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2012-07-13 02:10 . 2012-05-14 22:56 30624 ----a-w- c:\windows\system32\LMIport.dll
    2012-07-13 02:10 . 2012-05-14 22:56 87456 ----a-w- c:\windows\system32\LMIinit.dll
    2012-07-06 13:58 . 2001-08-23 12:00 78336 ----a-w- c:\windows\system32\browser.dll
    2012-07-04 14:05 . 2011-07-23 21:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-07-03 13:40 . 2001-08-23 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys
    2012-07-02 17:49 . 2001-08-23 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-07-02 17:49 . 2001-08-23 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-07-02 17:49 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-07-02 12:05 . 2012-01-27 00:53 385024 ----a-w- c:\windows\system32\html.iec
    2012-07-01 22:56 . 2012-07-01 22:55 81920 ----a-w- c:\windows\ALCFDRTM.EXE
    2012-07-01 22:56 . 2012-07-01 22:55 81920 ----a-w- c:\windows\ALCFDRTM.VER
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{462be121-2b54-4218-bf00-b9bf8135b23f}]
    2011-05-09 09:49 176936 ----a-w- c:\program files\WhiteSmoke_US_New\prxtbWhit.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{462be121-2b54-4218-bf00-b9bf8135b23f}"= "c:\program files\WhiteSmoke_US_New\prxtbWhit.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{462be121-2b54-4218-bf00-b9bf8135b23f}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Active Desktop Calendar"="c:\program files\XemiComputers\Active Desktop Calendar\ADC.exe" [2011-11-23 7608832]
    "Spotify Web Helper"="c:\documents and settings\Helen\Application Data\Spotify\Data\SpotifyWebHelper.exe" [2012-09-01 1193176]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
    "SoundMan"="SOUNDMAN.EXE" [2005-09-21 86016]
    "AlcWzrd"="ALCWZRD.EXE" [2005-09-21 2807808]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-09-16 63048]
    "EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
    "Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2011-10-21 198032]
    "SMessaging"="c:\documents and settings\Bobby\Local Settings\Application Data\Strongvault Online Backup\SMessaging.exe" [2012-04-04 31664]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    .
    c:\documents and settings\Helen\Start Menu\Programs\Startup\
    Epson scanner Registration.lnk - i:\common\EpsonReg\Ereg.exe [N/A]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    TweetDeck.lnk - c:\program files\TweetDeck\TweetDeck.exe [2012-2-1 142336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2012-07-13 02:10 87456 ----a-w- c:\windows\system32\LMIinit.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Documents and Settings\\Helen\\Application Data\\Spotify\\spotify.exe"=
    .
    R1 MpKsl798d8601;MpKsl798d8601;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A589A4C8-FA45-4759-AC89-B56CC83BFA29}\MpKsl798d8601.sys [9/13/2012 3:27 PM 29904]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [1/31/2012 8:30 PM 374184]
    S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/16/2011 1:10 PM 12856]
    S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:28 PM 160944]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [1/21/2010 7:51 PM 30963576]
    S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 10:37 PM 4640000]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSL798D8601
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1957994488-682003330-1006Core.job
    - c:\documents and settings\Helen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-01 15:00]
    .
    2012-09-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1957994488-682003330-1006UA.job
    - c:\documents and settings\Helen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-01 15:00]
    .
    2012-09-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1957994488-682003330-1007Core.job
    - c:\documents and settings\Stab\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-02 01:08]
    .
    2012-09-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1957994488-682003330-1007UA.job
    - c:\documents and settings\Stab\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-02 01:08]
    .
    2012-09-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1957994488-682003330-1009Core.job
    - c:\documents and settings\Bobby\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-24 16:02]
    .
    2012-09-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1957994488-682003330-1009UA.job
    - c:\documents and settings\Bobby\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-24 16:02]
    .
    2012-09-12 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
    - c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 22:03]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-09-13 15:48
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(612)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    - - - - - - - > 'winlogon.exe'(1380)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\LMIinit.dll
    .
    Completion time: 2012-09-13 15:50:33
    ComboFix-quarantined-files.txt 2012-09-13 20:50
    .
    Pre-Run: 80,864,882,688 bytes free
    Post-Run: 82,472,833,024 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
    .
    - - End Of File - - 35840688BF09367E6CD29F42A375A85F
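The "Reg Loading Points" section of the ComboFix log above is what the helper reads by hand; the script below is an added triage aid (not part of this thread, nor of ComboFix) that parses those lines and flags the load points worth a second look: third-party BHO/toolbar registrations, entries whose binary lives inside a per-user profile (as SMessaging does under Bobby's Local Settings), and bare file names resolved through the search path. The sample text is constructed from entries in the log above, and the flagging heuristics are my own review hints, not verdicts (a legitimate Spotify helper is flagged too).

```python
import re
from dataclasses import dataclass

# Constructed sample: load-point lines in the shape of the "Reg Loading Points"
# section of the ComboFix log posted above (entries copied from that log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{462be121-2b54-4218-bf00-b9bf8135b23f}]
2011-05-09 09:49 176936 ----a-w- c:\program files\WhiteSmoke_US_New\prxtbWhit.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{462be121-2b54-4218-bf00-b9bf8135b23f}"= "c:\program files\WhiteSmoke_US_New\prxtbWhit.dll" [2011-05-09 176936]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="c:\program files\XemiComputers\Active Desktop Calendar\ADC.exe" [2011-11-23 7608832]
"Spotify Web Helper"="c:\documents and settings\Helen\Application Data\Spotify\Data\SpotifyWebHelper.exe" [2012-09-01 1193176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2011-10-21 198032]
"SMessaging"="c:\documents and settings\Bobby\Local Settings\Application Data\Strongvault Online Backup\SMessaging.exe" [2012-04-04 31664]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
TweetDeck.lnk - c:\program files\TweetDeck\TweetDeck.exe [2012-2-1 142336]
.
"""

# Line shapes found in the section: a registry key, a Startup folder, a
# "name"="path" [date size] value, a module line under a BHO/notify key
# (date time size attrs path), and a shortcut line inside a Startup folder.
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
FOLDER_RE = re.compile(r'^(?P<folder>[a-z]:\\.+\\)$', re.I)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*"(?P<path>[^"]*)"')
MODULE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (?P<path>[a-z]:\\.+)$', re.I)
LNK_RE = re.compile(r'^(?P<name>.+?\.lnk) - (?P<path>.+?)(?:\s+\[[^\]]*\])?$', re.I)
PROFILE_RE = re.compile(r'\\documents and settings\\(?P<user>[^\\]+)\\', re.I)
DRIVE_RE = re.compile(r'^[a-z]:\\', re.I)
# Shared/service profiles: a binary there is not "a user's own profile".
SYSTEM_ACCOUNTS = {'all users', 'default user', 'localservice', 'networkservice'}


@dataclass
class AutostartEntry:
    key: str    # registry key or Startup folder the entry was found under
    name: str   # value name, shortcut name, or CLSID for BHO keys
    path: str   # image path as ComboFix printed it


def parse_loading_points(text):
    """Extract autostart entries from ComboFix 'Reg Loading Points' text."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line) or FOLDER_RE.match(line)
        if m:
            key = m.group(1)          # new key or Startup folder context
            continue
        if key is None:
            continue                  # header lines before the first key
        m = VALUE_RE.match(line)
        if m:
            entries.append(AutostartEntry(key, m.group('name'), m.group('path')))
            continue
        m = MODULE_RE.match(line)
        if m:                         # module listed under a BHO/CLSID/notify key
            entries.append(AutostartEntry(key, key.rsplit('\\', 1)[-1], m.group('path')))
            continue
        m = LNK_RE.match(line)
        if m:
            entries.append(AutostartEntry(key, m.group('name'), m.group('path')))
    return entries


def reasons_for(entry):
    """Heuristic review hints for one entry (hints, not a malware verdict)."""
    reasons = []
    key = entry.key.lower()
    if 'browser helper objects' in key or '\\toolbar' in key:
        reasons.append('browser add-on load point (BHO/toolbar)')
    m = PROFILE_RE.search(entry.path)
    if m and m.group('user').lower() not in SYSTEM_ACCOUNTS:
        reasons.append(f"runs from the profile of user {m.group('user')!r}")
    if entry.path and not DRIVE_RE.match(entry.path):
        reasons.append('bare file name, located via the search path')
    return reasons


def triage(entries):
    """Return (entry, reasons) pairs for every entry that earned a hint."""
    flagged = []
    for e in entries:
        reasons = reasons_for(e)
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == '__main__':
    for entry, reasons in triage(parse_loading_points(SAMPLE_LOG)):
        print(f"{entry.name}\n    {entry.path}\n    -> {'; '.join(reasons)}")
```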
     
  11. dvk01

    dvk01 Derek Moderator Malware Specialist

    next

    Please download Malwarebytes' Anti-Malware to your desktop
    from HERE or HERE

    Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

    Update Malwarebytes' Anti-Malware. Launch Malwarebytes' Anti-Malware. Then click Finish.

    If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded.
    Once the program has loaded, select Perform quick scan, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.
    Be sure that everything is checked, and click Remove Selected.
    When completed, a log will open in Notepad.
    Please include this log in your next reply.

    It might ask you to reboot to finish cleaning. Please do so. ( Press YES on the alert)
    If you receive an (Error Loading xxxxxxxxxx .dll) error on reboot, please reboot a second time. It is normal for this error to occur once and it does not need to be reported unless it continues on every boot.
     
  12. beefykoala

    beefykoala Thread Starter

    Thank you for doing this btw...


    Malwarebytes Anti-Malware (Trial) 1.65.0.1400
    www.malwarebytes.org

    Database version: v2012.09.13.10

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Helen :: VIOLET [administrator]

    Protection: Enabled

    9/13/2012 4:48:41 PM
    mbam-log-2012-09-13 (16-48-41).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 245930
    Time elapsed: 7 minute(s), 16 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  13. dvk01

    dvk01 Derek Moderator Malware Specialist

    Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press SAVE and choose desktop in the list of selections in that window & press save)
    Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished
    Close any open browsers
    Then drag the CFScript.txt into the ComboFix.exe or renamed combofix icon as shown in the screenshot below.



    [screenshot: CFScript.txt being dragged onto the renamed ComboFix icon]



    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply


    Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum

    This will create a zip file inside C:\QooBox\quarantine named something like [38][email protected]

    at the end it will pop up an alert & open your browser and ask you to send the zip file

    please follow those instructions. We need to see the zip file before we can carry on with the fix

    If there is no pop up alert or open browser then

    please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
    Just press new topic, fill in the needed details and give a link to your post here, then press the browse button, navigate to and select the files on your computer. If there is more than 1 file, press the more attachments button for each extra file and browse and select etc., and then when all the files are listed in the window press send to upload the files (do not post HJT logs there as they will not get dealt with).

    Files to submit:
    the zip file inside C:\QooBox\quarantine created by combofix named something like [38][email protected]

    or to
    http://www.bleepingcomputer.com/submit-malware.php?channel=38
     

    Attached Files:

  14. beefykoala

    beefykoala Thread Starter

    ComboFix 12-09-14.03 - Helen 09/14/2012 10:59:09.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1359 [GMT -5:00]
    Running from: c:\documents and settings\Helen\Desktop\helen123.exe
    Command switches used :: c:\documents and settings\Helen\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    file zipped: c:\program files\WhiteSmoke_US_New\prxtbWhit.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\WhiteSmoke_US_New
    c:\program files\WhiteSmoke_US_New\GottenAppsContextMenu.xml
    c:\program files\WhiteSmoke_US_New\ldrtbWhit.dll
    c:\program files\WhiteSmoke_US_New\OtherAppsContextMenu.xml
    c:\program files\WhiteSmoke_US_New\prxtbWhit.dll
    c:\program files\WhiteSmoke_US_New\SharedAppsContextMenu.xml
    c:\program files\WhiteSmoke_US_New\tbWhit.dll
    c:\program files\WhiteSmoke_US_New\toolbar.cfg
    c:\program files\WhiteSmoke_US_New\ToolbarContextMenu.xml
    c:\program files\WhiteSmoke_US_New\uninstall.exe
    c:\program files\WhiteSmoke_US_New\WhiteSmoke_US_NewToolbarHelper.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-14 to 2012-09-14 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-14 12:04 . 2012-08-23 07:15 7022536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FA417A40-55EE-4B75-9206-E6FFD078FF62}\mpengine.dll
    2012-09-13 21:37 . 2012-09-13 21:48 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-09-13 21:37 . 2012-09-07 22:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-09-13 21:37 . 2012-09-13 21:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-09-13 21:17 . 2012-08-23 07:15 7022536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-09-01 23:19 . 2012-09-13 20:29 -------- d-----w- c:\documents and settings\Helen\Local Settings\Application Data\Spotify
    2012-09-01 23:19 . 2012-09-13 20:29 -------- d-----w- c:\documents and settings\Helen\Application Data\Spotify
    2012-08-29 16:00 . 2010-10-24 05:56 49664 ----a-w- c:\windows\system32\CamCodec.dll
    2012-08-29 16:00 . 2012-08-29 16:01 -------- d-----w- c:\program files\CamStudio 2.6b
    2012-08-26 23:42 . 2012-08-26 23:42 -------- d-----w- c:\program files\Strongvault Online Backup
    2012-08-26 23:28 . 2012-08-26 23:28 -------- d-----w- c:\documents and settings\Helen\Application Data\Malwarebytes
    2012-08-26 18:47 . 2012-08-26 18:47 -------- d-----w- c:\documents and settings\Stab\Application Data\Malwarebytes
    2012-08-26 18:46 . 2012-08-26 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-08-26 18:45 . 2012-08-26 23:42 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
    2012-08-26 18:40 . 2012-08-26 18:40 -------- d-----w- c:\program files\CCleaner
    2012-08-26 18:06 . 2012-08-26 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2012-08-26 18:06 . 2012-08-26 18:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2012-08-25 02:03 . 2012-08-25 02:03 -------- d-----w- c:\program files\MSXML 4.0
    2012-08-24 16:02 . 2012-08-26 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Strongvault Online Backup
    2012-08-24 16:01 . 2012-08-24 16:01 -------- d-----w- c:\program files\Conduit
    2012-08-24 15:45 . 2012-08-24 15:49 -------- d-----w- c:\documents and settings\Bobby
    2012-08-21 14:30 . 2012-08-21 14:30 -------- d-----w- c:\documents and settings\Helen\Local Settings\Application Data\adaware
    2012-08-21 02:01 . 2012-08-21 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\GFI Software
    2012-08-21 01:58 . 2012-08-21 01:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\Ad-Aware Antivirus
    2012-08-21 01:55 . 2012-08-21 01:56 -------- d-----w- c:\documents and settings\Stab\Local Settings\Application Data\adaware
    2012-08-21 01:55 . 2012-09-14 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection
    2012-08-21 01:45 . 2012-08-21 02:01 -------- d-----w- c:\program files\Ad-Aware Antivirus
    2012-08-21 01:45 . 2012-08-21 01:54 -------- d-----w- c:\documents and settings\Stab\Local Settings\Application Data\Downloaded Installations
    2012-08-21 01:40 . 2012-08-21 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\IBUpdaterService
    2012-08-21 01:40 . 2012-08-21 01:40 -------- d-----w- c:\documents and settings\Stab\Local Settings\Application Data\CRE
    2012-08-21 01:39 . 2012-08-21 01:39 -------- d-----w- c:\windows\system32\Extensions
    2012-08-21 01:39 . 2012-08-21 01:39 -------- d-----w- c:\windows\system32\searchplugins
    2012-08-18 18:44 . 2012-08-18 18:44 -------- d-----w- c:\documents and settings\Helen\Application Data\My Games
    2012-08-16 00:35 . 2012-08-16 00:35 -------- d-----w- c:\documents and settings\Stab\Application Data\My Games
    2012-08-16 00:13 . 2012-08-16 00:13 -------- d-----w- c:\program files\Firaxis Games
    2012-08-16 00:09 . 2005-05-26 20:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
    2012-08-16 00:08 . 2012-08-16 00:08 -------- d-----w- c:\documents and settings\Stab\Application Data\InstallShield
    2012-08-16 00:01 . 2012-08-16 00:01 -------- d-----w- c:\documents and settings\Stab\Application Data\XMedia Recode
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-13 02:10 . 2012-05-14 22:56 52128 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
    2012-07-13 02:10 . 2012-05-14 22:56 83392 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2012-07-13 02:10 . 2012-05-14 22:56 30624 ----a-w- c:\windows\system32\LMIport.dll
    2012-07-13 02:10 . 2012-05-14 22:56 87456 ----a-w- c:\windows\system32\LMIinit.dll
    2012-07-06 13:58 . 2001-08-23 12:00 78336 ----a-w- c:\windows\system32\browser.dll
    2012-07-04 14:05 . 2011-07-23 21:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-07-03 13:40 . 2001-08-23 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys
    2012-07-02 17:49 . 2001-08-23 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-07-02 17:49 . 2001-08-23 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-07-02 17:49 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-07-02 12:05 . 2012-01-27 00:53 385024 ----a-w- c:\windows\system32\html.iec
    2012-07-01 22:56 . 2012-07-01 22:55 81920 ----a-w- c:\windows\ALCFDRTM.EXE
    2012-07-01 22:56 . 2012-07-01 22:55 81920 ----a-w- c:\windows\ALCFDRTM.VER
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-09-13_20.48.32 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-09-14 16:06 . 2012-09-14 16:06 16384 c:\windows\Temp\Perflib_Perfdata_1e8.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Active Desktop Calendar"="c:\program files\XemiComputers\Active Desktop Calendar\ADC.exe" [2011-11-23 7608832]
    "Spotify Web Helper"="c:\documents and settings\Helen\Application Data\Spotify\Data\SpotifyWebHelper.exe" [2012-09-01 1193176]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
    "SoundMan"="SOUNDMAN.EXE" [2005-09-21 86016]
    "AlcWzrd"="ALCWZRD.EXE" [2005-09-21 2807808]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-09-16 63048]
    "EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
    "Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2011-10-21 198032]
    "SMessaging"="c:\documents and settings\Bobby\Local Settings\Application Data\Strongvault Online Backup\SMessaging.exe" [2012-04-04 31664]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    .
    c:\documents and settings\Helen\Start Menu\Programs\Startup\
    Epson scanner Registration.lnk - i:\common\EpsonReg\Ereg.exe [N/A]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    TweetDeck.lnk - c:\program files\TweetDeck\TweetDeck.exe [2012-2-1 142336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2012-07-13 02:10 87456 ----a-w- c:\windows\system32\LMIinit.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Documents and Settings\\Helen\\Application Data\\Spotify\\spotify.exe"=
    .
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [1/31/2012 8:30 PM 374184]
    R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/13/2012 4:42 PM 399432]
    S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/16/2011 1:10 PM 12856]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/13/2012 4:37 PM 676936]
    S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:28 PM 160944]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/13/2012 4:37 PM 22856]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [9/13/2012 4:37 PM 40776]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [1/21/2010 7:51 PM 30963576]
    S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 10:37 PM 4640000]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1957994488-682003330-1006Core.job
    - c:\documents and settings\Helen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-01 15:00]
    .
    2012-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1957994488-682003330-1006UA.job
    - c:\documents and settings\Helen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-01 15:00]
    .
    2012-09-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1957994488-682003330-1007Core.job
    - c:\documents and settings\Stab\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-02 01:08]
    .
    2012-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1957994488-682003330-1007UA.job
    - c:\documents and settings\Stab\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-02 01:08]
    .
    2012-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1957994488-682003330-1009Core.job
    - c:\documents and settings\Bobby\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-24 16:02]
    .
    2012-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1957994488-682003330-1009UA.job
    - c:\documents and settings\Bobby\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-24 16:02]
    .
    2012-09-14 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
    - c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 22:03]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-WhiteSmoke_US_New Toolbar - c:\program files\WhiteSmoke_US_New\uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-09-14 11:25
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(620)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\LMIinit.dll
    .
    - - - - - - - > 'explorer.exe'(2016)
    c:\windows\system32\WININET.dll
    c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.dll
    c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
    c:\progra~1\MICROS~3\Office14\1033\GrooveIntlResource.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\IEFRAME.dll
    c:\windows\system32\mshtml.dll
    c:\windows\system32\msls31.dll
    c:\program files\XemiComputers\Active Desktop Calendar\MouseHook.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Microsoft Security Client\MsMpEng.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Windows Media Player\WMPNetwk.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\AGRSMMSG.exe
    c:\windows\SOUNDMAN.EXE
    c:\windows\ALCWZRD.EXE
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    .
    **************************************************************************
    .
    Completion time: 2012-09-14 11:28:18 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-09-14 16:28
    ComboFix2.txt 2012-09-13 20:50
    .
    Pre-Run: 82,409,066,496 bytes free
    Post-Run: 82,484,948,992 bytes free
    .
    - - End Of File - - 66944AD4A9629E5B98A6A9C7BDA8BE80
    Upload was successful
     
  15. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,805
    How is it now?

    Are you having any problems still?
     
Short URL to this thread: https://techguy.org/1066496