Total System Security Malware/Virus Please Remove [Solved]

Hello and welcome to Geeks to Go! I'm Dave and I'll be helping you out. Let's get started:

Please go to the GMER Rootkit Scanner Download Site.

• Click on the Download EXE button.
• The file you are downloading will have a random name in order to circumvent the attempts of malware to block it from running.
• Take note of the name of the file (please don't change it), and then save it directly to your desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click on the file you downloaded (Vista users please right-click it and select Run as Administrator). The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
• In the right panel, you will see a bunch of boxes that have been checked. Before proceeding, ensure that the only two boxes checked are Processes and Show All.
• Now click the Scan button.
  Once the scan is complete, you may receive another notice about rootkit activity, don't worry.
• Click Ok.
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
• Save it to a location where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

Cheers,
Dave

I cannot run the software. I cannot access the task manager either to kill the process. It says "task manager has been disable by your administrator." This happened after I ran the task manager right away and killed the process. I could navigate for a bit, then I got the blue screen of death and when my computer turned back on my task manager was disabled. I cannot do anything with .exe files.

I was able to run GMER

GMER 1.0.15.15077 [ee32fzzq.exe] - http://www.gmer.net
Rootkit scan 2009-08-21 11:30:48
Windows 5.1.2600 Service Pack 2


---- Processes - GMER 1.0.15 ----

Process System Idle 0
Process System 4
Process C:\Program Files\Spyware Doctor\pctsAuxs.exe (PC Tools Auxiliary Service/PC Tools) 208
Process C:\Program Files\AirPort\APAgent.exe (AirPort Base Station Agent/Apple Inc.) 216
Process C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe (Sophos Agent/Sophos Plc) 252
Process C:\Program Files\Sophos\AutoUpdate\ALsvc.exe (Sophos AutoUpdate Service./Sophos Plc) 276
Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 324
Process D:\DOCUME~1\User\LOCALS~1\Temp\MSA\msctrl.exe 528
Process D:\DOCUME~1\User\LOCALS~1\Temp\MSA\msscan.exe 564
Process D:\DOCUME~1\User\LOCALS~1\Temp\MSA\msiemon.exe 572
Process D:\DOCUME~1\User\LOCALS~1\Temp\MSA\msfw.exe 580
Process C:\Program Files\Sophos\Remote Management System\RouterNT.exe (Sophos Message Router/Sophos Plc) 628
Process C:\WINDOWS\system32\spoolsv.exe (Spooler SubSystem App/Microsoft Corporation) 744
Process C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (SoundMAX service agent component/Analog Devices, Inc.) 776
Process C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools) 832
Process C:\WINDOWS\system32\alg.exe (Application Layer Gateway Service/Microsoft Corporation) 856
Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 880
Process C:\WINDOWS\system32\csrss.exe (Client Server Runtime Process/Microsoft Corporation) 884
Process C:\WINDOWS\system32\winlogon.exe (Windows NT Logon Application/Microsoft Corporation) 912
Process C:\WINDOWS\system32\services.exe (Services and Controller app/Microsoft Corporation) 956
Process C:\WINDOWS\system32\lsass.exe (LSA Shell (Export Version)/Microsoft Corporation) 968
Process C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Mobile Device Service/Apple, Inc.) 1076
Process C:\WINDOWS\system32\ibmpmsvc.exe 1116
Process C:\WINDOWS\system32\ati2evxx.exe (ATI External Event Utility EXE Module/ATI Technologies Inc.) 1144
Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1156
Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1288
Process C:\WINDOWS\system32\wuauclt.exe (Windows Update Automatic Updates/Microsoft Corporation) 1300
Process C:\WINDOWS\odb.exe 1304
Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1344
Process D:\DOCUME~1\User\LOCALS~1\Temp\MSA\msavsc.exe 1420
Process C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe (Performs virus scanning and disinfection functions/Sophos Plc) 1444
Process C:\Program Files\Bonjour\mDNSResponder.exe (Bonjour Service/Apple Inc.) 1544
Process C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe 1592
Process C:\WINDOWS\system32\ati2evxx.exe (ATI External Event Utility EXE Module/ATI Technologies Inc.) 1604
Process C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel® PROSet/Wireless Event Log/Intel Corporation) 1756
Process C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe (Machine Debug Manager/Microsoft Corporation) 1780
Process C:\WINDOWS\explorer.exe (Windows Explorer/Microsoft Corporation) 1800
Process C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Wireless Management Service/Intel Corporation ) 1840
Process C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel® PROSet/Wireless Registry Service/Intel Corporation) 1992
Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 2020
Process C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe (Sophos Administrator Service/Sophos Plc) 2044
Process C:\Program Files\iPod\bin\iPodService.exe (iPodService Module/Apple Inc.) 2096
Process C:\WINDOWS\system32\TPHDEXLG.exe (ThinkVantage Active Protection System - HDD Logger Module/Lenovo.) 2104
Process C:\WINDOWS\lsass.exe 2136
Process C:\WINDOWS\svc.exe 2152
Process C:\WINDOWS\system32\ctfmon.exe (CTF Loader/Microsoft Corporation) 2160
Process C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (GoogleToolbarNotifier/Google Inc.) 2168
Process C:\WINDOWS\system32\TpKmpSvc.exe 2212
Process C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe (ibmtcsd Application/IBM) 2276
Process C:\Program Files\Sophos\AutoUpdate\ALMon.exe (Component to show AutoUpdate's GUI elements./Sophos Plc) 2348
Process C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe 2416
Process C:\WINDOWS\system32\taskmgr.exe (Windows TaskManager/Microsoft Corporation) 2456
Process C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe 2472
Process C:\WINDOWS\system32\wdfmgr.exe (Windows User Mode Driver Manager/Microsoft Corporation) 2504
Process D:\Desktop\Spyware Removal\ee32fzzq.exe 2524
Process D:\DOCUME~1\User\LOCALS~1\Temp\MSA\mssadv.exe (home) 2708
Process C:\Program Files\Internet Explorer\IEXPLORE.EXE (Internet Explorer/Microsoft Corporation) 3016
Process C:\WINDOWS\system32\rundll32.exe (Run a DLL as an App/Microsoft Corporation) 3300
Process C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (SMax4PNP MFC Application/Analog Devices, Inc.) 3404
Process C:\WINDOWS\system32\wbem\wmiprvse.exe (WMI/Microsoft Corporation) 3436
Process C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe (Java™ 2 Platform Standard Edition binary/Sun Microsystems, Inc.) 3464
Process C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe 3524
Process C:\WINDOWS\system32\TpShocks.exe (ThinkVantage Active Protection System/Lenovo, Ltd. and IBM Corporation.) 3548
Process C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe 3624
Process C:\WINDOWS\keyacc32.exe (KeyAccess for Windows/Sassafras Software Inc.) 3628
Process C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe (ThinkPad UltraZoom/IBM Corporation) 3644
Process C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics TouchPad Enhancements/Synaptics, Inc.) 3648
Process C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (TouchPad Driver Helper Application/Synaptics, Inc.) 3680
Process C:\Program Files\iTunes\iTunesHelper.exe (iTunesHelper Module/Apple Inc.) 3880
Process C:\WINDOWS\system32\inetsrv\inetinfo.exe (Internet Information Services/Microsoft Corporation) 4052

---- EOF - GMER 1.0.15 ----

I was able to run Malware Bytes and it seems to have worked.

To do this, you need to kill the process that starts with a string of numbers. I killed the process “14963754” To do this, you need to run task manager immediately and kill the process as soon as it pops up. But the virus still gives you problems, and can later disable your task manager, so you need to do this:

If Task manager is disabled then download and run this file:
2-spyware.com/download/task-manager-fix.reg

You need to run the task manager and kill the process as soon as you start the computer.

These web pages helped:

http://www.2-spyware...l-security.html
http://www.2-spyware...ws/post203.html

There are forums that I searched and found the solution. Hopefully this works. I have been using the computer for the last 45 minutes with no problems.

The key is to kill the process upon startup in the task manager. The process to kill will be named a string of numbers

Then run MalwareBytes

You can close this forum and I will repost if something else comes up.

Thank you very much for you help.

I'm glad that those instruction were able to help you, however it's quite likely that there is more malware on your computer than MBAM was able to detect and remove. It's good, but it probably didn't get everything, especially if you only ran the quick scan. Go ahead and test the PC for a few days. I'll leave this thread open for you, and if you experience any problems that still require fixing, let me know and we can continue.

Cheers,
Dave

Well I still have the Total Security Problem. My computer is about 90% operable. I have been using it over the weekend, but total security keeps poping up and trying to scan my computer and get me to buy their software. I also have a re-directing virus as well. I try and open a new window, and I keep getting redirected to ad sites. I have ran a full scan of Malware Bytes, and I cleaned out the computer using the help in this forum. I have now installed SUPERAntispyware and ran a scan and cleaned out whay they said was needed. I have SpywareGuard installed, and I have Avira Antivirus installed. My old antivirus software was outdated and I didn't pay for the new subscription. I ran TFC a while ago and did the other suggestions that Geekstogo suggests. But I still have problems.

Let me know what the next step is to clean my drive. Thank you very much for your help.

Alright if we're going to proceed with cleaning your PC I need you to stop attempting to remove the infection on my own and perform only those steps which I ask you to do, because that will help me get the clearest picture of what's going on with your machine and help you to resolve your problems as quickly as possible.

Let's run a slightly different GMER scan from last time to get a look at what we're dealing with here:

Please go to the GMER Rootkit Scanner Download Site.

• Click on the Download EXE button.
• The file you are downloading will have a random name in order to circumvent the attempts of malware to block it from running.
• Take note of the name of the file (please don't change it), and then save it directly to your desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click on the file you downloaded (Vista users please right-click it and select Run as Administrator). The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure that the "Show all" box is un-checked.
• Now click the Scan button.
  Once the scan is complete, you may receive another notice about rootkit activity, don't worry.
• Click Ok.
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
• Save it to a location where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

Then:

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Click on any of the links at that website to download ComboFix. At the window that appears, please change the name of the file from ComboFix.exe to svchost.exe. This name is important and must be exactly as I have given it to you here. Once you have changed the name, save the renamed file directly to your desktop.

Return to the above link and continue with the instructions provided there for running ComboFix. Be sure that you read ALL of the instructions on that page very carefully and follow them exactly. It is particularly important to disable all your protection programs before running ComboFix. If you need further help figuring out how to disable a specific program look here. Installing the recovery console if you're running an XP machine is another critical step. By following the directions in that guide closely, you give ComboFix the best chance at a successful run and minimmize the likelihood of having potentially serious problems occur after an attempted removal of malware.

Once the program has finished running its log should pop up automatically, or if for some reason you lose it it can found at C:\ComboFix.txt. Please post the log's contents in your next reply.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Click on any of the links at that website to download ComboFix. At the window that appears, please change the name of the file from ComboFix.exe to svchost.exe. This name is important and must be exactly as I have given it to you here. Once you have changed the name, save the renamed file directly to your desktop.

Return to the above link and continue with the instructions provided there for running ComboFix. Be sure that you read ALL of the instructions on that page very carefully and follow them exactly. It is particularly important to disable all your protection programs before running ComboFix. If you need further help figuring out how to disable a specific program look here. Installing the recovery console if you're running an XP machine is another critical step. By following the directions in that guide closely, you give ComboFix the best chance at a successful run and minimmize the likelihood of having potentially serious problems occur after an attempted removal of malware.

Once the program has finished running its log should pop up automatically, or if for some reason you lose it it can found at C:\ComboFix.txt. Please post the log's contents in your next reply.

Just need the logs from GMER and CF in your next reply.

Cheers,
Dave

Thank you very much for your help. I will do as you instruct and will not do anything else on this PC until you resolve my issue. Here is my GMER scan. I am doing Combofix now.

GMER 1.0.15.15077 [meu7xd0k.exe] - http://www.gmer.net
Rootkit scan 2009-08-23 19:11:44
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 86D91128 ZwEnumerateKey
Code 863C09F0 ZwFlushInstructionCache
Code 86B9A7DE ZwSaveKey
Code 86AFA23E ZwSaveKeyEx
Code 86AF509E IofCallDriver
Code 86ADCA2E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 86AF50A3
.text ntkrnlpa.exe!IofCompleteRequest 804EE1C0 5 Bytes JMP 86ADCA33
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805ABEC4 5 Bytes JMP 863C09F4
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB70 5 Bytes JMP 86D9112C
PAGE ntkrnlpa.exe!ZwSaveKey 8061BDE4 5 Bytes JMP 86B9A7E2
PAGE ntkrnlpa.exe!ZwSaveKeyEx 8061BECA 5 Bytes JMP 86AFA242

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\iPod\bin\iPodService.exe[260] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EB2F34
.text C:\Program Files\iPod\bin\iPodService.exe[260] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EB2EFF
.text C:\Program Files\iPod\bin\iPodService.exe[260] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00EB2C42
.text C:\Program Files\iPod\bin\iPodService.exe[260] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00EB1C5E
.text C:\Program Files\iPod\bin\iPodService.exe[260] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00EB2B78
.text C:\Program Files\iPod\bin\iPodService.exe[260] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00EB1BCD
.text C:\Program Files\iPod\bin\iPodService.exe[260] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00EB1B3C
.text C:\Program Files\iPod\bin\iPodService.exe[260] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00EB2DB4
.text C:\Program Files\iPod\bin\iPodService.exe[260] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00EB2D9A
.text C:\WINDOWS\system32\spoolsv.exe[344] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FA2F34
.text C:\WINDOWS\system32\spoolsv.exe[344] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FA2EFF
.text C:\WINDOWS\system32\spoolsv.exe[344] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00FA2C42
.text C:\WINDOWS\system32\spoolsv.exe[344] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00FA1C5E
.text C:\WINDOWS\system32\spoolsv.exe[344] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00FA2B78
.text C:\WINDOWS\system32\spoolsv.exe[344] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00FA1BCD
.text C:\WINDOWS\system32\spoolsv.exe[344] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00FA1B3C
.text C:\WINDOWS\system32\spoolsv.exe[344] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00FA2DB4
.text C:\WINDOWS\system32\spoolsv.exe[344] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00FA2D9A
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[452] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 013B2F34
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[452] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 013B2EFF
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[452] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 013B2C42
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[452] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 013B1C5E
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[452] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 013B2B78
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[452] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 013B1BCD
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[452] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 013B1B3C
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[452] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 013B2DB4
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[452] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 013B2D9A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[528] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F32F34
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[528] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F32EFF
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[528] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00F32C42
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[528] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00F31C5E
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[528] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00F32B78
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[528] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00F31BCD
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[528] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00F31B3C
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[528] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00F32DB4
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[528] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00F32D9A
.text C:\WINDOWS\system32\svchost.exe[596] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A12F34
.text C:\WINDOWS\system32\svchost.exe[596] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A12EFF
.text C:\WINDOWS\system32\svchost.exe[596] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00A12C42
.text C:\WINDOWS\system32\svchost.exe[596] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00A11C5E
.text C:\WINDOWS\system32\svchost.exe[596] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00A12B78
.text C:\WINDOWS\system32\svchost.exe[596] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00A11BCD
.text C:\WINDOWS\system32\svchost.exe[596] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00A11B3C
.text C:\WINDOWS\system32\svchost.exe[596] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00A12DB4
.text C:\WINDOWS\system32\svchost.exe[596] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00A12D9A
.text D:\My Documents\Downloads\Spyware Removal\meu7xd0k.exe[788] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00152F34
.text D:\My Documents\Downloads\Spyware Removal\meu7xd0k.exe[788] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00152EFF
.text D:\My Documents\Downloads\Spyware Removal\meu7xd0k.exe[788] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00152C42
.text D:\My Documents\Downloads\Spyware Removal\meu7xd0k.exe[788] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00151C5E
.text D:\My Documents\Downloads\Spyware Removal\meu7xd0k.exe[788] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00152B78
.text D:\My Documents\Downloads\Spyware Removal\meu7xd0k.exe[788] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00151BCD
.text D:\My Documents\Downloads\Spyware Removal\meu7xd0k.exe[788] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00151B3C
.text D:\My Documents\Downloads\Spyware Removal\meu7xd0k.exe[788] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00152DB4
.text D:\My Documents\Downloads\Spyware Removal\meu7xd0k.exe[788] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00152D9A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[828] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A12F34
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[828] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A12EFF
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[828] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00A12C42
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[828] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00A11C5E
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[828] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00A12B78
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[828] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00A11BCD
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[828] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00A11B3C
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[828] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00A12DB4
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[828] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00A12D9A
.text C:\WINDOWS\System32\TPHDEXLG.EXE[880] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D12F34
.text C:\WINDOWS\System32\TPHDEXLG.EXE[880] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D12EFF
.text C:\WINDOWS\System32\TPHDEXLG.EXE[880] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00D12C42
.text C:\WINDOWS\System32\TPHDEXLG.EXE[880] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00D11C5E
.text C:\WINDOWS\System32\TPHDEXLG.EXE[880] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00D12B78
.text C:\WINDOWS\System32\TPHDEXLG.EXE[880] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00D11BCD
.text C:\WINDOWS\System32\TPHDEXLG.EXE[880] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00D11B3C
.text C:\WINDOWS\System32\TPHDEXLG.EXE[880] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00D12DB4
.text C:\WINDOWS\System32\TPHDEXLG.EXE[880] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00D12D9A
.text C:\WINDOWS\system32\winlogon.exe[912] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01352F34
.text C:\WINDOWS\system32\winlogon.exe[912] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01352EFF
.text C:\WINDOWS\system32\winlogon.exe[912] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 01352C42
.text C:\WINDOWS\system32\winlogon.exe[912] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 01351C5E
.text C:\WINDOWS\system32\winlogon.exe[912] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 01352B78
.text C:\WINDOWS\system32\winlogon.exe[912] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01351BCD
.text C:\WINDOWS\system32\winlogon.exe[912] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 01351B3C
.text C:\WINDOWS\system32\winlogon.exe[912] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 01352DB4
.text C:\WINDOWS\system32\winlogon.exe[912] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 01352D9A
.text C:\WINDOWS\system32\services.exe[956] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FD2F34
.text C:\WINDOWS\system32\services.exe[956] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FD2EFF
.text C:\WINDOWS\system32\services.exe[956] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00FD2C42
.text C:\WINDOWS\system32\services.exe[956] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00FD1C5E
.text C:\WINDOWS\system32\services.exe[956] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00FD2B78
.text C:\WINDOWS\system32\services.exe[956] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00FD1BCD
.text C:\WINDOWS\system32\services.exe[956] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00FD1B3C
.text C:\WINDOWS\system32\services.exe[956] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00FD2DB4
.text C:\WINDOWS\system32\services.exe[956] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00FD2D9A
.text C:\WINDOWS\system32\lsass.exe[968] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CF2F34
.text C:\WINDOWS\system32\lsass.exe[968] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CF2EFF
.text C:\WINDOWS\system32\lsass.exe[968] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00CF2C42
.text C:\WINDOWS\system32\lsass.exe[968] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00CF1C5E
.text C:\WINDOWS\system32\lsass.exe[968] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00CF2B78
.text C:\WINDOWS\system32\lsass.exe[968] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00CF1BCD
.text C:\WINDOWS\system32\lsass.exe[968] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00CF1B3C
.text C:\WINDOWS\system32\lsass.exe[968] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00CF2DB4
.text C:\WINDOWS\system32\lsass.exe[968] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00CF2D9A
.text C:\WINDOWS\system32\TpKmpSVC.exe[1076] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B02F34
.text C:\WINDOWS\system32\TpKmpSVC.exe[1076] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B02EFF
.text C:\WINDOWS\system32\TpKmpSVC.exe[1076] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00B02C42
.text C:\WINDOWS\system32\TpKmpSVC.exe[1076] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00B01C5E
.text C:\WINDOWS\system32\TpKmpSVC.exe[1076] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00B02B78
.text C:\WINDOWS\system32\TpKmpSVC.exe[1076] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00B01BCD
.text C:\WINDOWS\system32\TpKmpSVC.exe[1076] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00B01B3C
.text C:\WINDOWS\system32\TpKmpSVC.exe[1076] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00B02DB4
.text C:\WINDOWS\system32\TpKmpSVC.exe[1076] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00B02D9A
.text C:\WINDOWS\system32\ibmpmsvc.exe[1136] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00972F34
.text C:\WINDOWS\system32\ibmpmsvc.exe[1136] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00972EFF
.text C:\WINDOWS\system32\ibmpmsvc.exe[1136] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00972C42
.text C:\WINDOWS\system32\ibmpmsvc.exe[1136] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00971C5E
.text C:\WINDOWS\system32\ibmpmsvc.exe[1136] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00972B78
.text C:\WINDOWS\system32\ibmpmsvc.exe[1136] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00971BCD
.text C:\WINDOWS\system32\ibmpmsvc.exe[1136] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00971B3C
.text C:\WINDOWS\system32\ibmpmsvc.exe[1136] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00972DB4
.text C:\WINDOWS\system32\ibmpmsvc.exe[1136] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00972D9A
.text C:\WINDOWS\system32\Ati2evxx.exe[1168] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01152F34
.text C:\WINDOWS\system32\Ati2evxx.exe[1168] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01152EFF
.text C:\WINDOWS\system32\Ati2evxx.exe[1168] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 01152C42
.text C:\WINDOWS\system32\Ati2evxx.exe[1168] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 01151C5E
.text C:\WINDOWS\system32\Ati2evxx.exe[1168] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 01152B78
.text C:\WINDOWS\system32\Ati2evxx.exe[1168] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01151BCD
.text C:\WINDOWS\system32\Ati2evxx.exe[1168] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 01151B3C
.text C:\WINDOWS\system32\Ati2evxx.exe[1168] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 01152DB4
.text C:\WINDOWS\system32\Ati2evxx.exe[1168] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 01152D9A
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C62F34
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C62EFF
.text C:\WINDOWS\system32\svchost.exe[1184] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00C62C42
.text C:\WINDOWS\system32\svchost.exe[1184] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00C61C5E
.text C:\WINDOWS\system32\svchost.exe[1184] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00C62B78
.text C:\WINDOWS\system32\svchost.exe[1184] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00C61BCD
.text C:\WINDOWS\system32\svchost.exe[1184] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00C61B3C
.text C:\WINDOWS\system32\svchost.exe[1184] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00C62DB4
.text C:\WINDOWS\system32\svchost.exe[1184] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00C62D9A
.text C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe[1240] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C82F34
.text C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe[1240] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C82EFF
.text C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe[1240] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00C82C42
.text C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe[1240] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00C81C5E
.text C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe[1240] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00C82B78
.text C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe[1240] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00C81BCD
.text C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe[1240] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00C81B3C
.text C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe[1240] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00C82DB4
.text C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe[1240] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00C82D9A
.text C:\WINDOWS\system32\wdfmgr.exe[1292] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 005C2F34
.text C:\WINDOWS\system32\wdfmgr.exe[1292] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 005C2EFF
.text C:\WINDOWS\system32\wdfmgr.exe[1292] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 005C2C42
.text C:\WINDOWS\system32\wdfmgr.exe[1292] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 005C1C5E
.text C:\WINDOWS\system32\wdfmgr.exe[1292] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 005C2B78
.text C:\WINDOWS\system32\wdfmgr.exe[1292] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 005C1BCD
.text C:\WINDOWS\system32\wdfmgr.exe[1292] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 005C1B3C
.text C:\WINDOWS\system32\wdfmgr.exe[1292] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 005C2DB4
.text C:\WINDOWS\system32\wdfmgr.exe[1292] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 005C2D9A
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DC2F34
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DC2EFF
.text C:\WINDOWS\system32\svchost.exe[1304] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00DC2C42
.text C:\WINDOWS\system32\svchost.exe[1304] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00DC1C5E
.text C:\WINDOWS\system32\svchost.exe[1304] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00DC2B78
.text C:\WINDOWS\system32\svchost.exe[1304] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00DC1BCD
.text C:\WINDOWS\system32\svchost.exe[1304] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00DC1B3C
.text C:\WINDOWS\system32\svchost.exe[1304] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00DC2DB4
.text C:\WINDOWS\system32\svchost.exe[1304] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00DC2D9A
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 05232F34
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 05232EFF
.text C:\WINDOWS\System32\svchost.exe[1352] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 05232C42
.text C:\WINDOWS\System32\svchost.exe[1352] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 05231C5E
.text C:\WINDOWS\System32\svchost.exe[1352] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 05232B78
.text C:\WINDOWS\System32\svchost.exe[1352] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 05231BCD
.text C:\WINDOWS\System32\svchost.exe[1352] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 05231B3C
.text C:\WINDOWS\System32\svchost.exe[1352] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 05232DB4
.text C:\WINDOWS\System32\svchost.exe[1352] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 05232D9A
.text C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe[1396] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01D12F34
.text C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe[1396] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01D12EFF
.text C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe[1396] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 01D12C42
.text C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe[1396] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 01D11C5E
.text C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe[1396] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 01D12B78
.text C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe[1396] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01D11BCD
.text C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe[1396] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 01D11B3C
.text C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe[1396] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 01D12DB4
.text C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe[1396] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 01D12D9A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1420] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE2F34
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1420] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE2EFF
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1420] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00FE2C42
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1420] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00FE1C5E
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1420] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00FE2B78
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1420] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00FE1BCD
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1420] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00FE1B3C
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1420] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00FE2DB4
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1420] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00FE2D9A
.text C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe[1448] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00992F34
.text C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe[1448] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00992EFF
.text C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe[1448] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00992C42
.text C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe[1448] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00991C5E
.text C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe[1448] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00992B78
.text C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe[1448] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00991BCD
.text C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe[1448] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00991B3C
.text C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe[1448] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00992DB4
.text C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe[1448] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00992D9A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1560] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D52F34
.text C:\Program Files\Bonjour\mDNSResponder.exe[1560] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D52EFF
.text C:\Program Files\Bonjour\mDNSResponder.exe[1560] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00D52C42
.text C:\Program Files\Bonjour\mDNSResponder.exe[1560] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00D51C5E
.text C:\Program Files\Bonjour\mDNSResponder.exe[1560] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00D52B78
.text C:\Program Files\Bonjour\mDNSResponder.exe[1560] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00D51BCD
.text C:\Program Files\Bonjour\mDNSResponder.exe[1560] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00D51B3C
.text C:\Program Files\Bonjour\mDNSResponder.exe[1560] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00D52DB4
.text C:\Program Files\Bonjour\mDNSResponder.exe[1560] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00D52D9A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1576] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E72F34
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1576] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E72EFF
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1576] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00E72C42
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1576] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00E71C5E
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1576] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00E72B78
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1576] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00E71BCD
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1576] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00E71B3C
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1576] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00E72DB4
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1576] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00E72D9A
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1636] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01922F34
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1636] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01922EFF
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1636] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 01922C42
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1636] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 01921C5E
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1636] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 01922B78
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1636] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01921BCD
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1636] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 01921B3C
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1636] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 01922DB4
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1636] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 01922D9A
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B12F34
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B12EFF
.text C:\WINDOWS\system32\svchost.exe[1688] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00B12C42
.text C:\WINDOWS\system32\svchost.exe[1688] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00B11C5E
.text C:\WINDOWS\system32\svchost.exe[1688] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00B12B78
.text C:\WINDOWS\system32\svchost.exe[1688] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00B11BCD
.text C:\WINDOWS\system32\svchost.exe[1688] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00B11B3C
.text C:\WINDOWS\system32\svchost.exe[1688] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00B12DB4
.text C:\WINDOWS\system32\svchost.exe[1688] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00B12D9A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1764] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00802F34
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1764] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00802EFF
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1764] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00802C42
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1764] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00801C5E
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1764] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00802B78
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1764] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00801BCD
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1764] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00801B3C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1764] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00802DB4
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1764] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00802D9A
.text C:\WINDOWS\system32\Ati2evxx.exe[1824] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E62F34
.text C:\WINDOWS\system32\Ati2evxx.exe[1824] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E62EFF
.text C:\WINDOWS\system32\Ati2evxx.exe[1824] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00E62C42
.text C:\WINDOWS\system32\Ati2evxx.exe[1824] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00E61C5E
.text C:\WINDOWS\system32\Ati2evxx.exe[1824] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00E62B78
.text C:\WINDOWS\system32\Ati2evxx.exe[1824] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00E61BCD
.text C:\WINDOWS\system32\Ati2evxx.exe[1824] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00E61B3C
.text C:\WINDOWS\system32\Ati2evxx.exe[1824] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00E62DB4
.text C:\WINDOWS\system32\Ati2evxx.exe[1824] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00E62D9A
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1876] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F32F34
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1876] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F32EFF
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1876] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00F32C42
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1876] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00F31C5E
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1876] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00F32B78
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1876] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00F31BCD
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1876] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00F31B3C
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1876] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00F32DB4
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1876] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00F32D9A
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E52F34
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E52EFF
.text C:\WINDOWS\system32\svchost.exe[1920] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00E52C42
.text C:\WINDOWS\system32\svchost.exe[1920] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00E51C5E
.text C:\WINDOWS\system32\svchost.exe[1920] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00E52B78
.text C:\WINDOWS\system32\svchost.exe[1920] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00E51BCD
.text C:\WINDOWS\system32\svchost.exe[1920] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00E51B3C
.text C:\WINDOWS\system32\svchost.exe[1920] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00E52DB4
.text C:\WINDOWS\system32\svchost.exe[1920] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00E52D9A
.text C:\WINDOWS\Explorer.EXE[1976] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E02F34
.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E02EFF
.text C:\WINDOWS\Explorer.EXE[1976] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00E02C42
.text C:\WINDOWS\Explorer.EXE[1976] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00E01C5E
.text C:\WINDOWS\Explorer.EXE[1976] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00E02B78
.text C:\WINDOWS\Explorer.EXE[1976] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00E01BCD
.text C:\WINDOWS\Explorer.EXE[1976] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00E01B3C
.text C:\WINDOWS\Explorer.EXE[1976] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00E02DB4
.text C:\WINDOWS\Explorer.EXE[1976] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00E02D9A
.text C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe[2724] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CF2F34
.text C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe[2724] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CF2EFF
.text C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe[2724] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00CF2C42
.text C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe[2724] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00CF1C5E
.text C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe[2724] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00CF2B78
.text C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe[2724] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00CF1BCD
.text C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe[2724] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00CF1B3C
.text C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe[2724] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00CF2DB4
.text C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe[2724] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00CF2D9A
.text C:\WINDOWS\system32\rundll32.exe[2928] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EE2F34
.text C:\WINDOWS\system32\rundll32.exe[2928] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EE2EFF
.text C:\WINDOWS\system32\rundll32.exe[2928] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00EE2C42
.text C:\WINDOWS\system32\rundll32.exe[2928] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00EE1C5E
.text C:\WINDOWS\system32\rundll32.exe[2928] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00EE2B78
.text C:\WINDOWS\system32\rundll32.exe[2928] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00EE1BCD
.text C:\WINDOWS\system32\rundll32.exe[2928] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00EE1B3C
.text C:\WINDOWS\system32\rundll32.exe[2928] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00EE2DB4
.text C:\WINDOWS\system32\rundll32.exe[2928] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00EE2D9A
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[2936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01082F34
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[2936] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01082EFF
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[2936] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 01082C42
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[2936] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 01081C5E
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[2936] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 01082B78
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[2936] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01081BCD
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[2936] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 01081B3C
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[2936] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 01082DB4
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[2936] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 01082D9A
.text C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe[2948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 003E2F34
.text C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe[2948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 003E2EFF
.text C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe[2948] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 003E2C42
.text C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe[2948] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 003E1C5E
.text C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe[2948] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 003E2B78
.text C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe[2948] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 003E1BCD
.text C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe[2948] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 003E1B3C
.text C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe[2948] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 003E2DB4
.text C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe[2948] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 003E2D9A
.text C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe[2980] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DC2F34
.text C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe[2980] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DC2EFF
.text C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe[2980] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00DC2C42
.text C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe[2980] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00DC1C5E
.text C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe[2980] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00DC2B78
.text C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe[2980] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00DC1BCD
.text C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe[2980] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00DC1B3C
.text C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe[2980] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00DC2DB4
.text C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe[2980] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00DC2D9A
.text C:\WINDOWS\system32\TpShocks.exe[2988] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B32F34
.text C:\WINDOWS\system32\TpShocks.exe[2988] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B32EFF
.text C:\WINDOWS\system32\TpShocks.exe[2988] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00B32C42
.text C:\WINDOWS\system32\TpShocks.exe[2988] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00B31C5E
.text C:\WINDOWS\system32\TpShocks.exe[2988] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00B32B78
.text C:\WINDOWS\system32\TpShocks.exe[2988] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00B31BCD
.text C:\WINDOWS\system32\TpShocks.exe[2988] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00B31B3C
.text C:\WINDOWS\system32\TpShocks.exe[2988] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00B32DB4
.text C:\WINDOWS\system32\TpShocks.exe[2988] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00B32D9A
.text C:\WINDOWS\keyacc32.exe[3068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C02F34
.text C:\WINDOWS\keyacc32.exe[3068] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C02EFF
.text C:\WINDOWS\keyacc32.exe[3068] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00C02C42
.text C:\WINDOWS\keyacc32.exe[3068] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00C01C5E
.text C:\WINDOWS\keyacc32.exe[3068] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00C02B78
.text C:\WINDOWS\keyacc32.exe[3068] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00C01BCD
.text C:\WINDOWS\keyacc32.exe[3068] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00C01B3C
.text C:\WINDOWS\keyacc32.exe[3068] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00C02DB4
.text C:\WINDOWS\keyacc32.exe[3068] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00C02D9A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3096] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01592F34
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3096] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01592EFF
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3096] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 01592C42
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3096] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 01591C5E
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3096] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 01592B78
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3096] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01591BCD
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3096] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 01591B3C
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3096] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 01592DB4
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3096] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 01592D9A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[3116] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010A2F34
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[3116] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010A2EFF
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[3116] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 010A2C42
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[3116] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 010A1C5E
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[3116] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 010A2B78
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[3116] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 010A1BCD
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[3116] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 010A1B3C
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[3116] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 010A2DB4
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[3116] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 010A2D9A
.text C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe[3136] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009A2F34
.text C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe[3136] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009A2EFF
.text C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe[3136] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 009A2C42
.text C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe[3136] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 009A1C5E
.text C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe[3136] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 009A2B78
.text C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe[3136] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 009A1BCD
.text C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe[3136] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 009A1B3C
.text C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe[3136] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 009A2DB4
.text C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe[3136] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 009A2D9A
.text C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe[3148] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009F2F34
.text C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe[3148] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009F2EFF
.text C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe[3148] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 009F2C42
.text C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe[3148] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 009F1C5E
.text C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe[3148] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 009F2B78
.text C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe[3148] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 009F1BCD
.text C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe[3148] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 009F1B3C
.text C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe[3148] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 009F2DB4
.text C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe[3148] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 009F2D9A
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3304] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00972F34
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3304] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00972EFF
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3304] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00972C42
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3304] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00971C5E
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3304] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00972B78
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3304] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00971BCD
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3304] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00971B3C
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3304] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00972DB4
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[3304] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00972D9A
.text C:\Program Files\iTunes\iTunesHelper.exe[3340] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02002F34
.text C:\Program Files\iTunes\iTunesHelper.exe[3340] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02002EFF
.text C:\Program Files\iTunes\iTunesHelper.exe[3340] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 02002C42
.text C:\Program Files\iTunes\iTunesHelper.exe[3340] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 02001C5E
.text C:\Program Files\iTunes\iTunesHelper.exe[3340] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 02002B78
.text C:\Program Files\iTunes\iTunesHelper.exe[3340] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 02001BCD
.text C:\Program Files\iTunes\iTunesHelper.exe[3340] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 02001B3C
.text C:\Program Files\iTunes\iTunesHelper.exe[3340] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 02002DB4
.text C:\Program Files\iTunes\iTunesHelper.exe[3340] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 02002D9A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3436] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D22F34
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3436] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D22EFF
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3436] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00D22C42
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3436] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00D21C5E
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3436] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00D22B78
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3436] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00D21BCD
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3436] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00D21B3C
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3436] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00D22DB4
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3436] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00D22D9A
.text C:\Program Files\AirPort\APAgent.exe[3660] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F12F34
.text C:\Program Files\AirPort\APAgent.exe[3660] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F12EFF
.text C:\Program Files\AirPort\APAgent.exe[3660] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00F12C42
.text C:\Program Files\AirPort\APAgent.exe[3660] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00F11C5E
.text C:\Program Files\AirPort\APAgent.exe[3660] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00F12B78
.text C:\Program Files\AirPort\APAgent.exe[3660] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00F11BCD
.text C:\Program Files\AirPort\APAgent.exe[3660] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00F11B3C
.text C:\Program Files\AirPort\APAgent.exe[3660] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00F12DB4
.text C:\Program Files\AirPort\APAgent.exe[3660] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00F12D9A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3668] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D22F34
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3668] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D22EFF
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3668] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00D22C42
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3668] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00D21C5E
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3668] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00D22B78
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3668] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00D21BCD
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3668] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00D21B3C
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3668] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00D22DB4
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3668] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00D22D9A
.text D:\Documents and Settings\All Users\Application Data\16838754\16838754.exe[3816] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00032F34
.text D:\Documents and Settings\All Users\Application Data\16838754\16838754.exe[3816] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00032EFF
.text D:\Documents and Settings\All Users\Application Data\16838754\16838754.exe[3816] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00032C42
.text D:\Documents and Settings\All Users\Application Data\16838754\16838754.exe[3816] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00031C5E
.text D:\Documents and Settings\All Users\Application Data\16838754\16838754.exe[3816] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00032B78
.text D:\Documents and Settings\All Users\Application Data\16838754\16838754.exe[3816] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00031BCD
.text D:\Documents and Settings\All Users\Application Data\16838754\16838754.exe[3816] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00031B3C
.text D:\Documents and Settings\All Users\Application Data\16838754\16838754.exe[3816] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00032DB4
.text D:\Documents and Settings\All Users\Application Data\16838754\16838754.exe[3816] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00032D9A
.text C:\WINDOWS\system32\ctfmon.exe[3892] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AA2F34
.text C:\WINDOWS\system32\ctfmon.exe[3892] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AA2EFF
.text C:\WINDOWS\system32\ctfmon.exe[3892] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00AA2C42
.text C:\WINDOWS\system32\ctfmon.exe[3892] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00AA1C5E
.text C:\WINDOWS\system32\ctfmon.exe[3892] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00AA2B78
.text C:\WINDOWS\system32\ctfmon.exe[3892] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00AA1BCD
.text C:\WINDOWS\system32\ctfmon.exe[3892] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00AA1B3C
.text C:\WINDOWS\system32\ctfmon.exe[3892] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00AA2DB4
.text C:\WINDOWS\system32\ctfmon.exe[3892] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00AA2D9A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3968] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F72F34
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3968] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F72EFF
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3968] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00F72C42
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3968] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00F71C5E
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3968] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 00F72B78
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3968] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00F71BCD
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3968] WININET.dll!HttpSendRequestA 3D95EE81 5 Bytes JMP 00F71B3C
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3968] WININET.dll!InternetReadFileExW 3D963341 5 Bytes JMP 00F72DB4
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3968] WININET.dll!InternetReadFileExA 3D963379 5 Bytes JMP 00F72D9A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F79D47AC] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F79D486E] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F79D486E] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F79D47AC] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F79D47AC] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F79D486E] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F79D486E] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F79D47AC] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F79D486E] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F79D47AC] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F79D486E] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\system32\DRIVERS\irda.sys[NDIS.SYS!NdisRegisterProtocol] [F79D486E] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\system32\DRIVERS\irda.sys[NDIS.SYS!NdisDeregisterProtocol] [F79D47AC] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F79D486E] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F79D47AC] ANCSQ.sys (IBM Rescue and Recovery- ANCSQ/IBM Corp.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 TPInput.sys (ThinkPad SATA Power Management Driver/Lenovo, Ltd. and IBM Corporation.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 TPInput.sys (ThinkPad SATA Power Management Driver/Lenovo, Ltd. and IBM Corporation.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \FileSystem\Fastfat \Fat EE64CD20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\kbiwkmoblrsvdy.sys (*** hidden *** ) [SYSTEM] kbiwkmyfwairft <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmyfwairft
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmyfwairft@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmyfwairft@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmyfwairft@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmyfwairft@imagepath \systemroot\system32\drivers\kbiwkmoblrsvdy.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmyfwairft\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmyfwairft\main@aid 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmyfwairft\main@sid 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmyfwairft\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmyfwairft\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmyfwairft\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmyfwairft\main\injector@* kbiwkmwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmyfwairft\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmyfwairft\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmyfwairft\[email protected] \systemroot\system32\drivers\kbiwkmoblrsvdy.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmyfwairft\[email protected] \systemroot\system32\kbiwkmuruwqjra.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmyfwairft\[email protected] \systemroot\system32\kbiwkmxepxmybp.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmyfwairft\[email protected] \systemroot\system32\kbiwkmthqbwghr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmyfwairft\[email protected] \systemroot\system32\kbiwkmqjwftypq.dat
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmyfwairft (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmyfwairft@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmyfwairft@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmyfwairft@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmyfwairft@imagepath \systemroot\system32\drivers\kbiwkmoblrsvdy.sys
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmyfwairft\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmyfwairft\main@aid 10002
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmyfwairft\main@sid 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmyfwairft\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmyfwairft\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmyfwairft\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmyfwairft\main\injector@* kbiwkmwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmyfwairft\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmyfwairft\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmyfwairft\[email protected] \systemroot\system32\drivers\kbiwkmoblrsvdy.sys
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmyfwairft\[email protected] \systemroot\system32\kbiwkmuruwqjra.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmyfwairft\[email protected] \systemroot\system32\kbiwkmxepxmybp.dat
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmyfwairft\[email protected] \systemroot\system32\kbiwkmthqbwghr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmyfwairft\[email protected] \systemroot\system32\kbiwkmqjwftypq.dat
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmyfwairft (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmyfwairft@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmyfwairft@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmyfwairft@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmyfwairft@imagepath \systemroot\system32\drivers\kbiwkmoblrsvdy.sys
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmyfwairft\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmyfwairft\main@aid 10002
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmyfwairft\main@sid 1
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmyfwairft\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmyfwairft\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmyfwairft\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmyfwairft\main\injector@* kbiwkmwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmyfwairft\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmyfwairft\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmyfwairft\[email protected] \systemroot\system32\drivers\kbiwkmoblrsvdy.sys
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmyfwairft\[email protected] \systemroot\system32\kbiwkmuruwqjra.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmyfwairft\[email protected] \systemroot\system32\kbiwkmxepxmybp.dat
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmyfwairft\[email protected] \systemroot\system32\kbiwkmthqbwghr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmyfwairft\[email protected] \systemroot\system32\kbiwkmqjwftypq.dat
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs KATRACK.DLL
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----

Below is my Combofix log>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

ComboFix 09-08-22.06 - User 08/23/2009 19:52.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.679 [GMT -4:00]
Running from: d:\my documents\Downloads\Spyware Removal\ComboFix.exe
FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {9EFC479D-082C-471E-BB2E-DB50CFB21926}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\9129837.exe
c:\windows\Installer\35d68.msi
c:\windows\Installer\35d69.msp
c:\windows\Installer\35d6a.msp
c:\windows\Installer\35d6b.msp
c:\windows\Installer\35d6c.msp
c:\windows\Installer\35d6d.msp
c:\windows\Installer\35d6e.msp
c:\windows\Installer\35d6f.msp
c:\windows\Installer\35d70.msp
c:\windows\Installer\35d71.msp
c:\windows\Installer\3df7896.msi
c:\windows\Installer\44751a.msi
c:\windows\Installer\447521.msi
c:\windows\Installer\616ac.msi
c:\windows\Installer\WinRMSrv.msi
c:\windows\run.log
c:\windows\system32\Cache
c:\windows\system32\drivers\kbiwkmoblrsvdy.sys
c:\windows\system32\kbiwkmprumltnd.dat
c:\windows\system32\kbiwkmqjwftypq.dat
c:\windows\system32\kbiwkmthqbwghr.dll
c:\windows\system32\kbiwkmuruwqjra.dll
c:\windows\system32\kbiwkmxepxmybp.dat
c:\windows\system32\mdm.exe
d:\docume~1\ALLUSE~1\APPLIC~1\16838754
d:\docume~1\ALLUSE~1\APPLIC~1\16838754\16838754
d:\docume~1\ALLUSE~1\APPLIC~1\16838754\16838754.exe
d:\docume~1\ALLUSE~1\APPLIC~1\16838754\pc16838754ins
d:\documents and settings\User\Application Data\wiaserva.log
d:\documents and settings\User\Start Menu\Programs\Startup\ikowin32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmyfwairft
-------\Legacy_kbiwkmyfwairft


((((((((((((((((((((((((( Files Created from 2009-07-23 to 2009-08-23 )))))))))))))))))))))))))))))))
.

2009-08-23 23:20 . 2009-08-23 23:20 -------- d-sh--w- d:\documents and settings\User\IECompatCache
2009-08-22 21:07 . 2009-08-22 21:07 -------- d-sh--w- d:\documents and settings\LocalService\IETldCache
2009-08-22 21:06 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-22 18:58 . 2009-08-22 19:03 -------- d-----w- c:\program files\SpywareGuard
2009-08-22 18:51 . 2009-08-22 18:57 -------- d-----w- c:\program files\SpywareBlaster
2009-08-22 18:46 . 2009-08-22 18:46 -------- d-----w- d:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-08-22 18:46 . 2009-08-22 18:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-22 18:46 . 2009-08-22 18:46 -------- d-----w- d:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2009-08-22 18:27 . 2009-08-22 18:27 -------- d-sh--w- d:\documents and settings\User\PrivacIE
2009-08-22 18:25 . 2009-08-22 18:25 -------- d-sh--w- d:\documents and settings\NetworkService\IETldCache
2009-08-22 18:25 . 2009-08-22 18:25 -------- d-sh--w- d:\documents and settings\User\IETldCache
2009-08-22 18:20 . 2009-08-22 18:20 -------- d-----w- c:\windows\ie8updates
2009-08-22 18:19 . 2009-08-22 18:19 -------- dc-h--w- c:\windows\ie8
2009-08-22 18:17 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-22 18:17 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-22 18:17 . 2009-07-01 07:08 101376 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-22 05:06 . 2009-07-19 22:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-08-22 05:06 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-08-22 05:06 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-22 05:06 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-08-22 05:06 . 2009-06-29 11:07 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-22 05:06 . 2009-03-08 08:11 445952 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dll
2009-08-22 05:06 . 2009-02-07 01:07 3698584 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dat
2009-08-22 05:06 . 2009-03-08 08:31 59904 -c--a-w- c:\windows\system32\dllcache\icardie.dll
2009-08-22 04:22 . 2009-08-22 04:22 -------- d-----w- c:\windows\system32\scripting
2009-08-22 04:22 . 2009-08-22 04:22 -------- d-----w- c:\windows\system32\en
2009-08-22 04:22 . 2009-08-22 04:22 -------- d-----w- c:\windows\l2schemas
2009-08-22 04:22 . 2009-08-22 04:22 -------- d-----w- c:\windows\system32\bits
2009-08-22 03:06 . 2009-08-22 03:06 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-22 03:06 . 2009-08-22 03:06 -------- d-----w- c:\program files\MSBuild
2009-08-22 03:05 . 2009-08-22 03:05 -------- d-----w- c:\program files\Reference Assemblies
2009-08-22 03:05 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-22 03:05 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-22 03:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-22 03:05 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-22 03:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-22 03:05 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-22 03:05 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-22 03:05 . 2009-08-22 03:05 -------- d-----w- C:\010fa30c96666f250890
2009-08-21 15:49 . 2009-08-21 15:49 -------- d-----w- d:\documents and settings\User\Application Data\Malwarebytes
2009-08-21 15:13 . 2009-08-21 15:13 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-08-21 14:56 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-21 14:56 . 2009-08-21 15:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-21 14:56 . 2009-08-21 14:56 -------- d-----w- d:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-21 14:56 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-21 14:44 . 2009-08-21 14:44 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-08-21 14:44 . 2009-08-21 14:44 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-08-21 14:41 . 2009-08-21 14:41 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-08-21 14:25 . 2009-08-21 15:44 -------- d---a-w- d:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-08-16 23:11 . 2009-08-22 04:19 -------- d-----w- c:\windows\ServicePackFiles
2009-08-12 05:05 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-05 00:12 . 2009-08-05 00:12 -------- d-----w- c:\program files\AGD Interactive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-23 06:02 . 2005-04-27 13:16 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2009-08-22 20:30 . 2005-06-28 00:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-22 19:26 . 2006-08-09 17:07 -------- d-----w- c:\program files\Sophos
2009-08-22 18:45 . 2005-07-05 21:38 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-22 18:44 . 2008-05-27 23:45 -------- d-----w- d:\documents and settings\User\Application Data\Skype
2009-08-22 18:42 . 2005-06-28 00:20 -------- d-----w- d:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-08-22 18:41 . 2005-06-27 22:47 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-22 04:40 . 2005-07-01 13:23 114888 ----a-w- d:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 04:24 . 2005-06-27 22:27 86695 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-08-05 09:01 . 2005-06-28 01:12 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-07-30 16:49 . 2008-05-27 23:46 -------- d-----w- d:\documents and settings\User\Application Data\skypePM
2009-07-17 19:01 . 2005-06-28 01:11 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2005-06-28 01:12 286720 ------w- c:\windows\system32\wmpdxm.dll
2009-07-10 02:18 . 2008-03-04 00:25 -------- d-----w- c:\program files\Google
2009-07-03 17:09 . 2005-06-28 01:12 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 18:36 . 2005-06-28 01:12 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2005-06-28 01:12 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2005-06-28 01:12 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2005-06-28 01:12 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2005-06-28 01:12 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2005-06-28 01:12 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2005-06-28 01:12 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2005-06-28 01:12 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2005-06-28 01:12 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2005-06-28 01:12 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2005-06-28 01:12 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 18:36 . 2005-06-28 01:12 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 08:25 . 2005-06-28 01:12 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2005-06-28 01:12 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2005-06-28 01:12 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2005-06-28 01:12 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2005-06-28 01:12 730112 ------w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2005-06-28 01:12 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2005-06-28 01:12 92928 ------w- c:\windows\system32\drivers\ksecdd.sys
2009-06-22 11:49 . 2005-06-28 01:12 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2005-06-28 01:12 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2005-06-28 01:12 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2005-06-28 01:12 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-16 14:36 . 2005-06-28 01:12 119808 ------w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-06-28 01:11 81920 ------w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2005-06-28 01:12 80896 ------w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-06-28 01:12 76288 ------w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2005-06-28 01:11 84992 ------w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2005-06-27 22:24 2066432 ------w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2005-06-28 01:12 132096 ------w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-06-28 01:12 1291264 ----a-w- c:\windows\system32\quartz.dll
2005-07-05 03:12 . 2005-07-05 03:12 59900 ------w- c:\program files\setuplog.txt
2005-07-05 03:12 . 2005-07-05 03:12 54324 ------w- c:\program files\uninstal.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-07 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-04-14 139264]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 36975]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 270336]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-08-29 94208]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 864256]
"KeyAccess"="c:\windows\keyacc32.exe" [2005-06-01 331776]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"imekrmig7.0"="c:\program files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE" [2007-04-19 25440]
"IMJPMIG9.0"="c:\progra~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE" [2007-04-19 125792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"IMSCMig"="c:\progra~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE" [2007-04-03 17248]
"CJIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE" [2007-03-22 66400]
"PHIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE" [2007-03-22 98656]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2008-05-20 737280]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-11-07 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"configmsi"="rmdir" [X]
"supportdir"="rmdir" [X]

d:\documents and settings\User\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 04:45 28672 ------w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-06-17 03:23 24576 ------w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\katrack.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\COMMON\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"c:\\WINDOWS\\keyacc32.exe"=
"c:\\WINDOWS\\CT\\ctmweb.exe"=
"c:\\Program Files\\Soulseek-Test\\slsk.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:UDP"= 5353:UDP:Bonjour

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [8/2/2005 5:40 PM 6912]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [7/5/2005 12:46 AM 85760]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [6/27/2005 6:49 PM 14848]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [7/5/2005 12:46 AM 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [6/27/2005 6:49 PM 4442]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [8/2/2005 6:15 PM 13184]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [8/2/2005 5:47 PM 3968]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [6/27/2005 6:49 PM 6784]
R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [8/2/2005 6:00 PM 14336]
S2 BootScreen;BootScreen;c:\windows\system32\drivers\vidstub.sys [6/27/2005 8:49 PM 163712]
S2 SRVCMONR;Workstation Event Service;c:\program files\DyKnow\Service\SRVCMONR.exe [8/1/2006 4:29 PM 20480]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-16838754 - d:\documents and settings\All Users\Application Data\16838754\16838754.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Sacred Heart University
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - d:\docume~1\User\APPLIC~1\Mozilla\Firefox\Profiles\2x311ay5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-23 19:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
.
Completion time: 2009-08-23 20:01
ComboFix-quarantined-files.txt 2009-08-24 00:01

Pre-Run: 11,484,938,240 bytes free
Post-Run: 11,463,696,384 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

331 --- E O F --- 2009-08-22 23:29

Quick heads-up before we continue:

I see you're using or have in the past used p2p software such as Soulseek. Although p2p programs are not usually malware in their own right, oftentimes malware is installed alongside them. Even if the program is clean, people often upload infected files to be shared using these programs, and it is very easy to end up compromising your PC. It's your decision about whether or not you use p2p programs, you don't have to remove them to be deemed clean and I'll still give you help if you want to keep them. It's just important that you're aware of the risks. If you want to continue using p2p programs that's fine with me, all I ask is that you not download anything from them until you're clean so we aren't taking steps backwards here. To remove p2p programs if you wish to do so, uninstall them from the Add/Remove Programs (it's Programs and Features in Vista) menu of your Control Panel.

Few leftovers to take care of:

1. Run a ComboFix script

• Copy the entire contents of the code box below to notepad (Start > Programs > Accessories > Notepad).
• Click on File > Save and name the file CFScript.txt. This name is important and must not be changed.
• Change the Save as Type to All Files.
• Save it directly on your desktop.

KillAll::

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"configmsi"=-
"supportdir"=-

File::
c:\windows\system32\drivers\vidstub.sys
c:\windows\system32\drivers\ANCSQ.sys

Rootkit::
c:\windows\system32\drivers\ANCSQ.sys

Driver::
ANCSQ
BootScreen

SysRst::

Note: If you are not the topic starter, DO NOT download or run this script as it could cause irreversible damage to your computer.

Please note that the same procedure applies to running ComboFix this time as before - disable your protection programs beforehand, close all other programs, don't interrupt it for any reason etc.



Once the script is saved, refering to the picture above, drag CFScript.txt into ComboFix.exe. This will cause ComboFix to start again. Allow it to complete running, following any prompts. Once the program has completed the log should appear automatically, if it doesn't it can be found at C:\ComboFix.txt. Please post the contents of that log in your next reply.

Cheers,
Dave

ComboFix 09-08-22.06 - User 08/23/2009 21:41.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.606 [GMT -4:00]
Running from: d:\my documents\Downloads\Spyware Removal\ComboFix.exe
Command switches used :: d:\desktop\CFScript.txt
FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {9EFC479D-082C-471E-BB2E-DB50CFB21926}

FILE ::
"c:\windows\system32\drivers\ANCSQ.sys"
"c:\windows\system32\drivers\vidstub.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ANCSQ.sys
c:\windows\system32\drivers\vidstub.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ANCSQ
-------\Legacy_BOOTSCREEN
-------\Service_ANCSQ
-------\Service_BootScreen


((((((((((((((((((((((((( Files Created from 2009-07-24 to 2009-08-24 )))))))))))))))))))))))))))))))
.

2009-08-23 23:20 . 2009-08-23 23:20 -------- d-sh--w- d:\documents and settings\User\IECompatCache
2009-08-22 21:07 . 2009-08-22 21:07 -------- d-sh--w- d:\documents and settings\LocalService\IETldCache
2009-08-22 21:06 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-22 18:58 . 2009-08-22 19:03 -------- d-----w- c:\program files\SpywareGuard
2009-08-22 18:51 . 2009-08-22 18:57 -------- d-----w- c:\program files\SpywareBlaster
2009-08-22 18:46 . 2009-08-22 18:46 -------- d-----w- d:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-08-22 18:46 . 2009-08-22 18:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-22 18:46 . 2009-08-22 18:46 -------- d-----w- d:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2009-08-22 18:27 . 2009-08-22 18:27 -------- d-sh--w- d:\documents and settings\User\PrivacIE
2009-08-22 18:25 . 2009-08-22 18:25 -------- d-sh--w- d:\documents and settings\NetworkService\IETldCache
2009-08-22 18:25 . 2009-08-22 18:25 -------- d-sh--w- d:\documents and settings\User\IETldCache
2009-08-22 18:20 . 2009-08-22 18:20 -------- d-----w- c:\windows\ie8updates
2009-08-22 18:19 . 2009-08-22 18:19 -------- dc-h--w- c:\windows\ie8
2009-08-22 18:17 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-22 18:17 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-22 18:17 . 2009-07-01 07:08 101376 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-22 05:06 . 2009-07-19 22:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-08-22 05:06 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-08-22 05:06 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-22 05:06 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-08-22 05:06 . 2009-06-29 11:07 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-22 05:06 . 2009-03-08 08:11 445952 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dll
2009-08-22 05:06 . 2009-02-07 01:07 3698584 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dat
2009-08-22 05:06 . 2009-03-08 08:31 59904 -c--a-w- c:\windows\system32\dllcache\icardie.dll
2009-08-22 04:22 . 2009-08-22 04:22 -------- d-----w- c:\windows\system32\scripting
2009-08-22 04:22 . 2009-08-22 04:22 -------- d-----w- c:\windows\system32\en
2009-08-22 04:22 . 2009-08-22 04:22 -------- d-----w- c:\windows\l2schemas
2009-08-22 04:22 . 2009-08-22 04:22 -------- d-----w- c:\windows\system32\bits
2009-08-22 03:06 . 2009-08-22 03:06 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-22 03:06 . 2009-08-22 03:06 -------- d-----w- c:\program files\MSBuild
2009-08-22 03:05 . 2009-08-22 03:05 -------- d-----w- c:\program files\Reference Assemblies
2009-08-22 03:05 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-22 03:05 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-22 03:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-22 03:05 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-22 03:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-22 03:05 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-22 03:05 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-22 03:05 . 2009-08-22 03:05 -------- d-----w- C:\010fa30c96666f250890
2009-08-21 15:49 . 2009-08-21 15:49 -------- d-----w- d:\documents and settings\User\Application Data\Malwarebytes
2009-08-21 15:13 . 2009-08-21 15:13 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-08-21 14:56 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-21 14:56 . 2009-08-21 15:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-21 14:56 . 2009-08-21 14:56 -------- d-----w- d:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-21 14:56 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-21 14:44 . 2009-08-21 14:44 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-08-21 14:44 . 2009-08-21 14:44 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-08-21 14:41 . 2009-08-21 14:41 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-08-21 14:25 . 2009-08-21 15:44 -------- d---a-w- d:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-08-16 23:11 . 2009-08-22 04:19 -------- d-----w- c:\windows\ServicePackFiles
2009-08-12 05:05 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-05 00:12 . 2009-08-05 00:12 -------- d-----w- c:\program files\AGD Interactive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-24 01:33 . 2007-11-09 23:33 -------- d-----w- c:\program files\Soulseek
2009-08-24 01:33 . 2007-11-09 23:28 -------- d-----w- c:\program files\Soulseek-Test
2009-08-23 06:02 . 2005-04-27 13:16 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2009-08-22 20:30 . 2005-06-28 00:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-22 19:26 . 2006-08-09 17:07 -------- d-----w- c:\program files\Sophos
2009-08-22 18:45 . 2005-07-05 21:38 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-22 18:44 . 2008-05-27 23:45 -------- d-----w- d:\documents and settings\User\Application Data\Skype
2009-08-22 18:42 . 2005-06-28 00:20 -------- d-----w- d:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-08-22 18:41 . 2005-06-27 22:47 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-22 04:40 . 2005-07-01 13:23 114888 ----a-w- d:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 04:24 . 2005-06-27 22:27 86695 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-08-05 09:01 . 2005-06-28 01:12 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-07-30 16:49 . 2008-05-27 23:46 -------- d-----w- d:\documents and settings\User\Application Data\skypePM
2009-07-17 19:01 . 2005-06-28 01:11 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2005-06-28 01:12 286720 ------w- c:\windows\system32\wmpdxm.dll
2009-07-10 02:18 . 2008-03-04 00:25 -------- d-----w- c:\program files\Google
2009-07-03 17:09 . 2005-06-28 01:12 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 18:36 . 2005-06-28 01:12 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2005-06-28 01:12 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2005-06-28 01:12 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2005-06-28 01:12 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2005-06-28 01:12 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2005-06-28 01:12 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2005-06-28 01:12 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2005-06-28 01:12 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2005-06-28 01:12 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2005-06-28 01:12 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2005-06-28 01:12 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 18:36 . 2005-06-28 01:12 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 08:25 . 2005-06-28 01:12 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2005-06-28 01:12 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2005-06-28 01:12 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2005-06-28 01:12 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2005-06-28 01:12 730112 ------w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2005-06-28 01:12 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2005-06-28 01:12 92928 ------w- c:\windows\system32\drivers\ksecdd.sys
2009-06-22 11:49 . 2005-06-28 01:12 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2005-06-28 01:12 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2005-06-28 01:12 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2005-06-28 01:12 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-16 14:36 . 2005-06-28 01:12 119808 ------w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-06-28 01:11 81920 ------w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2005-06-28 01:12 80896 ------w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-06-28 01:12 76288 ------w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2005-06-28 01:11 84992 ------w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2005-06-27 22:24 2066432 ------w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2005-06-28 01:12 132096 ------w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-06-28 01:12 1291264 ----a-w- c:\windows\system32\quartz.dll
2005-07-05 03:12 . 2005-07-05 03:12 59900 ------w- c:\program files\setuplog.txt
2005-07-05 03:12 . 2005-07-05 03:12 54324 ------w- c:\program files\uninstal.log
.

((((((((((((((((((((((((((((( SnapShot@2009-08-23_23.58.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-06-27 22:52 . 2009-08-24 01:48 214169 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

08/04/2004 11:00 AM 11648 c:\windows\system32\dllcache\cache\acpiec.sys
08/04/2004 11:00 AM 11648 \RP8\A0000064.sys

04/13/2008 12:39 PM 142592 c:\windows\system32\dllcache\cache\aec.sys
04/13/2008 12:39 PM 142592 \RP8\A0000059.sys

04/13/2008 02:57 PM 14336 c:\windows\system32\dllcache\cache\asyncmac.sys
04/13/2008 02:57 PM 14336 \RP8\A0000070.sys

08/04/2004 11:00 AM 4224 c:\windows\system32\dllcache\cache\beep.sys
08/04/2004 11:00 AM 4224 \RP8\A0000057.sys

04/13/2008 08:11 PM 77824 c:\windows\system32\dllcache\cache\browser.dll
04/13/2008 08:11 PM 77824 \RP8\A0000075.dll

04/13/2008 08:11 PM 617472 c:\windows\system32\dllcache\cache\comctl32.dll
04/13/2008 08:11 PM 617472 \RP8\A0000063.dll

04/13/2008 08:11 PM 792064 c:\windows\system32\dllcache\cache\comres.dll
04/13/2008 08:11 PM 792064 \RP8\A0000055.dll

04/13/2008 08:11 PM 62464 c:\windows\system32\dllcache\cache\cryptsvc.dll
04/13/2008 08:11 PM 62464 \RP8\A0000074.dll

04/13/2008 08:12 PM 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
04/13/2008 08:12 PM 15360 \RP8\A0000045.exe

07/07/2008 04:26 PM 253952 c:\windows\system32\dllcache\cache\es.dll
07/07/2008 04:26 PM 253952 \RP8\A0000079.dll

04/13/2008 08:11 PM 56320 c:\windows\system32\dllcache\cache\eventlog.dll
04/13/2008 08:11 PM 56320 \RP8\A0000069.dll

04/13/2008 08:12 PM 1033728 c:\windows\system32\dllcache\cache\explorer.exe
04/13/2008 08:12 PM 1033728 \RP8\A0000042.exe

04/13/2008 08:11 PM 110080 c:\windows\system32\dllcache\cache\imm32.dll
04/13/2008 08:11 PM 110080 \RP8\A0000052.dll

04/13/2008 02:53 PM 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
04/13/2008 02:53 PM 36608 \RP8\A0000039.sys

04/13/2008 02:39 PM 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
04/13/2008 02:39 PM 24576 \RP8\A0000054.sys

03/21/2009 10:06 AM 989696 c:\windows\system32\dllcache\cache\kernel32.dll
03/21/2009 10:06 AM 989696 \RP8\A0000050.dll

04/13/2008 08:11 PM 22016 c:\windows\system32\dllcache\cache\lpk.dll
04/13/2008 08:11 PM 22016 \RP8\A0000056.dll

04/13/2008 08:12 PM 13312 c:\windows\system32\dllcache\cache\lsass.exe
04/13/2008 08:12 PM 13312 \RP8\A0000044.exe

04/13/2008 08:11 PM 927504 c:\windows\system32\dllcache\cache\mfc40u.dll
04/13/2008 08:11 PM 927504 \RP8\A0000060.dll

04/13/2008 08:11 PM 33792 c:\windows\system32\dllcache\cache\msgsvc.dll
04/13/2008 08:11 PM 33792 \RP8\A0000062.dll

07/19/2009 09:18 AM 5937152 c:\windows\system32\dllcache\cache\mshtml.dll
07/19/2009 09:18 AM 5937152 \RP8\A0000053.dll

01/28/2005 02:44 PM 25088 c:\windows\system32\dllcache\cache\MsPMSNSv.dll
01/28/2005 02:44 PM 25088 \RP8\A0000072.dll

06/20/2008 01:46 PM 245248 c:\windows\system32\dllcache\cache\mswsock.dll
06/20/2008 01:46 PM 245248 \RP8\A0000077.dll

04/13/2008 03:20 PM 182656 c:\windows\system32\dllcache\cache\ndis.sys
04/13/2008 03:20 PM 182656 \RP8\A0000038.sys

04/13/2008 08:12 PM 407040 c:\windows\system32\dllcache\cache\netlogon.dll
04/13/2008 08:12 PM 407040 \RP8\A0000066.dll

04/13/2008 08:12 PM 198144 c:\windows\system32\dllcache\cache\netman.dll
04/13/2008 08:12 PM 198144 \RP8\A0000078.dll

04/13/2008 03:15 PM 574976 c:\windows\system32\dllcache\cache\ntfs.sys
04/13/2008 03:15 PM 574976 \RP8\A0000071.sys

02/07/2009 07:02 PM 2066048 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
02/07/2009 07:02 PM 2066048 \RP8\A0000040.exe

04/13/2008 08:12 PM 435200 c:\windows\system32\dllcache\cache\ntmssvc.dll
04/13/2008 08:12 PM 435200 \RP8\A0000084.dll

02/06/2009 07:08 AM 2189056 c:\windows\system32\dllcache\cache\ntoskrnl.exe
02/06/2009 07:08 AM 2189056 \RP8\A0000041.exe

08/04/2004 11:00 AM 2944 c:\windows\system32\dllcache\cache\null.sys
08/04/2004 11:00 AM 2944 \RP8\A0000058.sys

04/13/2008 08:12 PM 17408 c:\windows\system32\dllcache\cache\powrprof.dll
04/13/2008 08:12 PM 17408 \RP8\A0000051.dll

04/13/2008 08:12 PM 409088 c:\windows\system32\dllcache\cache\qmgr.dll
04/13/2008 08:12 PM 409088 \RP8\A0000067.dll

04/13/2008 08:12 PM 88576 c:\windows\system32\dllcache\cache\rasauto.dll
04/13/2008 08:12 PM 88576 \RP8\A0000085.dll

04/13/2008 08:12 PM 59904 c:\windows\system32\dllcache\cache\regsvc.dll
04/13/2008 08:12 PM 59904 \RP8\A0000088.dll

02/09/2009 08:10 AM 401408 c:\windows\system32\dllcache\cache\rpcss.dll
02/09/2009 08:10 AM 401408 \RP8\A0000061.dll

04/13/2008 08:12 PM 181248 c:\windows\system32\dllcache\cache\scecli.dll
04/13/2008 08:12 PM 181248 \RP8\A0000068.dll

04/13/2008 08:12 PM 192512 c:\windows\system32\dllcache\cache\schedsvc.dll
04/13/2008 08:12 PM 192512 \RP8\A0000087.dll

02/06/2009 07:11 AM 110592 c:\windows\system32\dllcache\cache\services.exe
02/06/2009 07:11 AM 110592 \RP8\A0000043.exe

04/13/2008 08:12 PM 5120 c:\windows\system32\dllcache\cache\sfc.dll
04/13/2008 08:12 PM 5120 \RP8\A0000065.dll

04/13/2008 08:12 PM 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
04/13/2008 08:12 PM 1614848 \RP8\A0000086.dll

04/13/2008 08:12 PM 135168 c:\windows\system32\dllcache\cache\shsvcs.dll
04/13/2008 08:12 PM 135168 \RP8\A0000089.dll

04/13/2008 08:12 PM 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
04/13/2008 08:12 PM 57856 \RP8\A0000046.exe

04/13/2008 08:12 PM 171008 c:\windows\system32\dllcache\cache\srsvc.dll
04/13/2008 08:12 PM 171008 \RP8\A0000082.dll

04/13/2008 08:12 PM 71680 c:\windows\system32\dllcache\cache\ssdpsrv.dll
04/13/2008 08:12 PM 71680 \RP8\A0000080.dll

04/13/2008 08:12 PM 14336 c:\windows\system32\dllcache\cache\svchost.exe
04/13/2008 08:12 PM 14336 \RP8\A0000032.exe

04/13/2008 08:12 PM 249856 c:\windows\system32\dllcache\cache\tapisrv.dll
04/13/2008 08:12 PM 249856 \RP8\A0000076.dll

06/20/2008 07:51 AM 361600 c:\windows\system32\dllcache\cache\tcpip.sys
06/20/2008 07:51 AM 361600 \RP8\A0000036.sys

04/13/2008 08:12 PM 295424 c:\windows\system32\dllcache\cache\termsrv.dll
04/13/2008 08:12 PM 295424 \RP8\A0000049.dll

04/13/2008 08:12 PM 185856 c:\windows\system32\dllcache\cache\upnphost.dll
04/13/2008 08:12 PM 185856 \RP8\A0000081.dll

04/13/2008 08:12 PM 578560 c:\windows\system32\dllcache\cache\user32.dll
04/13/2008 08:12 PM 578560 \RP8\A0000033.dll

04/13/2008 08:12 PM 26112 c:\windows\system32\dllcache\cache\userinit.exe
04/13/2008 08:12 PM 26112 \RP8\A0000048.exe

07/03/2009 01:09 PM 915456 c:\windows\system32\dllcache\cache\wininet.dll
07/03/2009 01:09 PM 915456 \RP8\A0000035.dll

04/13/2008 08:12 PM 507904 c:\windows\system32\dllcache\cache\winlogon.exe
04/13/2008 08:12 PM 507904 \RP8\A0000037.exe

04/13/2008 08:12 PM 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
04/13/2008 08:12 PM 82432 \RP8\A0000034.dll

04/13/2008 08:12 PM 13824 c:\windows\system32\dllcache\cache\wscntfy.exe
04/13/2008 08:12 PM 13824 \RP8\A0000083.exe

10/16/2008 03:09 PM 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
10/16/2008 03:09 PM 51224 \RP8\A0000047.exe

04/13/2008 08:12 PM 129024 c:\windows\system32\dllcache\cache\xmlprov.dll
04/13/2008 08:12 PM 129024 \RP8\A0000073.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-07 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-05 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-04-14 139264]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 36975]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 270336]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-08-29 94208]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 864256]
"KeyAccess"="c:\windows\keyacc32.exe" [2005-06-01 331776]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"imekrmig7.0"="c:\program files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE" [2007-04-19 25440]
"IMJPMIG9.0"="c:\progra~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE" [2007-04-19 125792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"IMSCMig"="c:\progra~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE" [2007-04-03 17248]
"CJIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE" [2007-03-22 66400]
"PHIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE" [2007-03-22 98656]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2008-05-20 737280]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-11-07 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]

d:\documents and settings\User\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 04:45 28672 ------w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-06-17 03:23 24576 ------w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\katrack.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\COMMON\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"c:\\WINDOWS\\keyacc32.exe"=
"c:\\WINDOWS\\CT\\ctmweb.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:UDP"= 5353:UDP:Bonjour

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [7/5/2005 12:46 AM 85760]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [6/27/2005 6:49 PM 14848]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [7/5/2005 12:46 AM 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [6/27/2005 6:49 PM 4442]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [8/2/2005 6:15 PM 13184]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [8/2/2005 5:47 PM 3968]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [6/27/2005 6:49 PM 6784]
R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [8/2/2005 6:00 PM 14336]
S2 SRVCMONR;Workstation Event Service;c:\program files\DyKnow\Service\SRVCMONR.exe [8/1/2006 4:29 PM 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Sacred Heart University
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - d:\docume~1\User\APPLIC~1\Mozilla\Firefox\Profiles\2x311ay5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-23 21:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'explorer.exe'(160)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
c:\program files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
c:\program files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
c:\windows\system32\wdfmgr.exe
c:\program files\IBM ThinkVantage\Common\Logger\logmon.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\SpywareGuard\sgbhp.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-08-24 21:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-24 01:53
ComboFix2.txt 2009-08-24 00:01

Pre-Run: 11,490,783,232 bytes free
Post-Run: 11,302,801,408 bytes free

453 --- E O F --- 2009-08-22 23:29

Alright looking better let's run some final checks:

First we'll clean out your unnecessary temp files to speed up the scans:

1. TFC

• Please download TFC to your desktop.
• Save any work, then close all open windows.
• Double-click TFC to run it, and allow the process to complete, which should not take more than a couple minutes.
• You may or may not be prompted to reboot, if you are click "Yes" and allow the computer to reboot.
• Close TFC when it has completed.

2. Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from here.

Doubleclick (Vista users please right-click Run as Administrator) on mbam-setup.exe to install the program.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware at the end of setup, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform Full Scan, then click Scan.
• The scan is different from the quick scan and will take a fairly long time to finish (you can leave it to run and go do something else), please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab.
• Copy & Paste the entire report in your next reply.

3. Kaspersky Online Scan

Kaspersky online scanner uses Java technology to perform the scan. Because your Java is out of date, we need to update it first so that the scan will run without issues.

Update Java

Please download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts. A log will appear (JavaRa.log), DO NOT post this log, I have no need for it.
• Open JavaRa.exe again and select Search For Updates.
• Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Scan

• Follow this link to the Kaspersky WebScanner
• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure the following is checked.
  
  • Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
    Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
• Please post this log in your next reply.

So post back with the logs from MBAM and Kaspersky when you have them and give me an update on how the PC is running, and we should have you on your way .

- Dave

Malwarebytes' Anti-Malware 1.40
Database version: 2670
Windows 5.1.2600 Service Pack 3

8/25/2009 7:07:47 PM
mbam-log-2009-08-25 (19-07-47).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 247225
Time elapsed: 48 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, August 25, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, August 26, 2009 00:47:46
Records in database: 2687967
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 137643
Threats found: 5
Infected objects found: 5
Suspicious objects found: 0
Scan duration: 02:35:30


File name / Threat / Threats count
C:\Diag\PsTools\psshutdown.exe Infected: not-a-virus:RiskTool.Win32.PsKill.au 1
C:\Qoobox\Quarantine\C\WINDOWS\9129837.exe.vir Infected: Trojan-PSW.Win32.Papras.mo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmthqbwghr.dll.vir Infected: Trojan.Win32.Tdss.aplz 1
C:\Qoobox\Quarantine\D\Documents and Settings\ALLUSE~1\APPLIC~1\16838754\16838754.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.wqfn 1
C:\Qoobox\Quarantine\D\Documents and Settings\User\Start Menu\Programs\Startup\ikowin32.exe.vir Infected: Backdoor.Win32.Zdoogu.fd 1

Selected area has been scanned.

Those detections are already in quarantine, we'll get rid of them for good in a minute. Your logs are clean

We have a couple last things to take care of and then you're good to go.

Uninstall ComboFix from your computer:

• Click on Start > Run
• Type Combofix /u in the run box and click Ok. Note the space between the x and the /u, it needs to be there.
  

Over the course of the fix you've used a variety of special tools to help with the cleaning process - none of these are of any use to you now that you're clean, and it's best not to have them hanging around on your computer. OTC is a small program that removes all the leftover tools and logs from cleanup of malware.

Please download OTC to your desktop.

• Double-click OTC to run it. (Vista users, please right click on OTC and select "Run as an Administrator")
• Click on the CleanUp! button and follow the prompts.
• You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
• After the reboot all the tools we used should be gone.

Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Here are some tips to reduce the potential for malware infection in the future; I strongly that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.

Make proper use of your antivirus and firewall

Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, and if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times, don't shut them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure you're still clean. Once a week works well for many people. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

If you don't have a firewall, some great free options you can test out are: Online Armor, Outpost, and Sunbelt. I'd highly recommend that you install one of those. If you do decide to use a 3rd party firewall program, please be sure to disable the Windows firewall as per these instructions so they don't conflict:

• Please click on Start -> Control Panel
• Double click Windows Firewall
• Click Change Settings
• Choose Off to disable Windows Firewall.

Finally, for a great tutorial on how to get the best protection out of your firewall, take a look at this guide.

Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives: Firefox, Opera, and Google Chrome. All of these are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here which will help you to make IE much safer.

These browser add-ons will help to make your browser safer:

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones: Green to go, Yellow for caution, and Red to stop. Available for Firefox and Internet Explorer.

NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing. Available for Firefox only.

These are just a couple of the most popular add-ons, if you're interested in more, take a look at this article.

Exercise common sense

Having security programs installed is very helpful to you, but none of them have the gift of human thought. The best way to make sure you don't get infected is to look before you leap. Be careful of what websites you visit - if a site looks suspicious, trust your instincts and get out of there. Be careful of what attachments you open in emails and files you download from websites - check them over carefully and look at the file extensions to make sure that you know what you're getting. Using peer-to-peer file sharing programs or downloading cracks and keygens is something else to avoid - the files you will be downloading are infected in the vast majority of cases, and the benefits simply aren't worth the risk to your computer.

Keep up on Windows updates

Along with keeping all of the security programs that you choose to use updated, it is also important to keep up on system updates from Microsoft, as these patch critical security vulnerabilities and help to keep you safe. Typically the windows update icon will appear in your taskbar when new updates are available, whenever you see it you should open the menu up and install the updates that are available. Although it may be an annoyance, that little bit of extra time it takes to stay updated is very well worth it instead of getting infected from an exploit and having to clean your PC again.

Slow computer?

If your computer begins to slow down again in the future for no particular reason, your first step should not be to come back to the malware forum. As your computer ages and is used, its parts wear, files and programs accumulate, and its performance speed can decrease. To restore your computer's performance to its best possible level, follow the steps in this guide written by tech expert Artellos.

I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!

Cheers,
Dave

Edited by Transience, 26 August 2009 - 08:50 AM.