
Unknown Trouble maker


This topic is locked

#1 Voland (Member, 66 posts)
After cleaning with all the tools provided by this section, I have run RootRepeal and it resulted in the following logs:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/31 22:24
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB2B5F000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xB85F8000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP6154
Image Path: \Driver\PCI_PNP6154
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAFDA7000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spdk.sys
Image Path: spdk.sys
Address: 0xB7EA7000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\owner\local settings\temp\~dfc984.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spdk.sys" at address 0xb7ea80e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spdk.sys" at address 0xb7ec6ca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spdk.sys" at address 0xb7ec7030

#: 119 Function Name: NtOpenKey
Status: Hooked by "spdk.sys" at address 0xb7ea80c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spdk.sys" at address 0xb7ec7108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spdk.sys" at address 0xb7ec6f88

#: 247 Function Name: NtSetValueKey
Status: Hooked by "spdk.sys" at address 0xb7ec719a

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8ab5d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8ab5d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8ab5d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8ab5d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8ab5d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8ab5d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8ab5d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8ab5d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ab5d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8ab5d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8ab5d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8ab5d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8ab5d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ab5d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ab5d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8ab5d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8ab5d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8ab5d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8ab5d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8ab5d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8ab5d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8ab5d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x8a204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x8a204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x8a204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x8a204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x8a204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x8a204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x8a204500 Size: 121

Object: Hidden Code [Driver: atqh8ehoࠅఈ灐畳솰, IRP_MJ_CREATE]
Process: System Address: 0x8a8b21f8 Size: 121

Object: Hidden Code [Driver: atqh8ehoࠅఈ灐畳솰, IRP_MJ_CLOSE]
Process: System Address: 0x8a8b21f8 Size: 121

Object: Hidden Code [Driver: atqh8ehoࠅఈ灐畳솰, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8b21f8 Size: 121

Object: Hidden Code [Driver: atqh8ehoࠅఈ灐畳솰, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a8b21f8 Size: 121

Object: Hidden Code [Driver: atqh8ehoࠅఈ灐畳솰, IRP_MJ_POWER]
Process: System Address: 0x8a8b21f8 Size: 121

Object: Hidden Code [Driver: atqh8ehoࠅఈ灐畳솰, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a8b21f8 Size: 121

Object: Hidden Code [Driver: atqh8ehoࠅఈ灐畳솰, IRP_MJ_PNP]
Process: System Address: 0x8a8b21f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a8eb1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a8eb1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a8eb1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a8eb1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a8eb1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8eb1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a8eb1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a8eb1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a8eb1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a8eb1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a8eb1f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_CREATE]
Process: System Address: 0x8ab5e1f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_CLOSE]
Process: System Address: 0x8ab5e1f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ab5e1f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ab5e1f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_POWER]
Process: System Address: 0x8ab5e1f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ab5e1f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_PNP]
Process: System Address: 0x8ab5e1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8aaef1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8aaef1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8aaef1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8aaef1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8aaef1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8aaef1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8aaef1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8aaef1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8aaef1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8aaef1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8aaef1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x8a9191f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x8a9191f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a9191f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a9191f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x8a9191f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a9191f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x8a9191f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8ab601f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8ab601f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8ab601f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ab601f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ab601f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ab601f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ab601f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8ab601f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8ab601f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ab601f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8ab601f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8a2601f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8a2601f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a2601f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a2601f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8a2601f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8a2601f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8a8f71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8a8f71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8f71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a8f71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8a8f71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a8f71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8a8f71f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8a2521f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩, IRP_MJ_CREATE]
Process: System Address: 0x8a218500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩, IRP_MJ_CLOSE]
Process: System Address: 0x8a218500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩, IRP_MJ_READ]
Process: System Address: 0x8a218500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a218500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a218500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a218500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a218500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a218500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a218500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a218500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a218500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩, IRP_MJ_CLEANUP]
Process: System Address: 0x8a218500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩, IRP_MJ_PNP]
Process: System Address: 0x8a218500 Size: 121

Shadow SSDT
-------------------
#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Program Files\F-Secure Internet Security\HIPS\drivers\fshs.sys" at address 0xb71fc646

==EOF==

Is any of this not supposed to be there? It looks legit enough to me.
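RootRepeal prints one line per hooked dispatch slot, which is why the report above runs to hundreds of lines while only a handful of modules are actually involved. The Python below is an added triage example, not code from this thread or from RootRepeal: it parses the report's sections, groups the SSDT and Shadow SSDT hooks by the module that owns them, checks each owner against the Drivers section (is it listed, is its file visible), and tallies the "Hidden Code" objects per driver, so the hook owners can be matched against the software known to be installed. The sample report is a short excerpt copied from the log above; the parser assumes RootRepeal's layout of a section name over a dash rule with blank-line-separated entries, as seen in that log.

```python
"""Triage helper for RootRepeal text reports (added example, not RootRepeal's own code)."""
import re
import ntpath
from collections import defaultdict
# Excerpt constructed from the report posted above; the values are copied from it.
SAMPLE_REPORT = r"""
Drivers
-------------------
Name: spdk.sys
Image Path: spdk.sys
Address: 0xB7EA7000 Size: 1048576 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spdk.sys" at address 0xb7ea80e0

#: 119 Function Name: NtOpenKey
Status: Hooked by "spdk.sys" at address 0xb7ea80c0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8ab5d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8ab5d1f8 Size: 121

Shadow SSDT
-------------------
#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Program Files\F-Secure Internet Security\HIPS\drivers\fshs.sys" at address 0xb71fc646

==EOF==
"""
RULE = re.compile(r"^-{5,}$")  # the dash rule RootRepeal prints under every section name
FUNC_RE = re.compile(r"#:\s*(\d+)\s+Function Name:\s*(\S+)")
HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
OBJ_RE = re.compile(r"Object: Hidden Code \[Driver: (.+?), (IRP_MJ_\w+)\]")


def split_sections(text):
    """Map each section name to its entries (the non-empty lines between blank lines)."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    sections, current, entry = defaultdict(list), None, []
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line and RULE.match(nxt):            # a section name is followed by a rule
            if entry:
                sections[current].append(entry)
            current, entry = line, []
        elif current is None or RULE.match(line):
            continue                            # preamble before any section, or the rule
        elif line in ("", "==EOF=="):           # blank line ends the current entry
            if entry:
                sections[current].append(entry)
            entry = []
        else:
            entry.append(line)
    if entry:
        sections[current].append(entry)
    return sections


def parse_hooks(entries):
    """Hooked SSDT / Shadow SSDT entries as dicts; unhooked entries are dropped."""
    hooks = []
    for entry in entries:
        text = " ".join(entry)
        f, h = FUNC_RE.search(text), HOOK_RE.search(text)
        if f and h:
            hooks.append({"function": f.group(2), "image": h.group(1),
                          "module": ntpath.basename(h.group(1)).lower()})
    return hooks


def triage(report):
    """Group hooks by owning module, check each owner against the Drivers section
    (listed at all? file visible?) and count hidden-code dispatch entries per driver."""
    sec = split_sections(report)
    visible = {}  # driver name -> its "File Visible" value from the Drivers section
    for entry in sec.get("Drivers", []):
        text = " ".join(entry)
        name = re.search(r"Name:\s*(\S+)", text)
        vis = re.search(r"File Visible:\s*(\S+)", text)
        if name:
            visible[name.group(1).lower()] = vis.group(1) if vis else None
    out = {"ssdt": defaultdict(list), "shadow_ssdt": defaultdict(list),
           "hook_owners": {}, "hidden_code": defaultdict(set)}
    for key, name in (("ssdt", "SSDT"), ("shadow_ssdt", "Shadow SSDT")):
        for h in parse_hooks(sec.get(name, [])):
            out[key][h["module"]].append(h["function"])
            out["hook_owners"][h["module"]] = {
                "image": h["image"], "in_driver_list": h["module"] in visible,
                "file_visible": visible.get(h["module"])}
    for entry in sec.get("Stealth Objects", []):
        m = OBJ_RE.search(entry[0])
        if m:
            out["hidden_code"][m.group(1)].add(m.group(2))
    return out
```

A hook owner whose driver entry carries no on-disk path and reports File Visible: No (spdk.sys in this report) is the first thing to identify against the installed software rather than assume; the OTL log posted later in the thread lists each loaded driver with its vendor.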
#2 Voland (Topic Starter, Member, 66 posts)
HELLO?
#3 Octagonal (Member 2k, 2,528 posts)
Would you kindly take a look at the topic Not getting help? which is pinned at the top of this forum. It gives instructions of what to do when your topic has gone for 3 days without receiving assistance.
#4 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello Voland

Welcome to G2Go. :)
=====================
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
===========
Download This file. Note its name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

#5 Voland (Topic Starter, Member, 66 posts)
OTL.txt

OTL logfile created on: 11/16/2009 2:06:16 PM - Run 1
OTL by OldTimer - Version 3.1.5.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.37 Gb Available Physical Memory | 68.45% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 3742 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 211.31 Gb Free Space | 70.89% Space Free | Partition Type: NTFS
Drive D: | 209.38 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 298.08 Gb Total Space | 188.11 Gb Free Space | 63.11% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-783BC40F8
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\F-Secure Internet Security\ORSP Client\fsorsp.exe (F-Secure Corporation)
PRC - C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe (F-Secure Corporation)
PRC - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32.exe (F-Secure Corporation)
PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\Program Files\Hotspot Shield\bin\openvpnas.exe ()
PRC - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe (AnchorFree Inc.)
PRC - C:\WINDOWS\system32\ZuneBusEnum.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\PnkBstrB.exe ()
PRC - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE (F-Secure Corporation)
PRC - C:\Program Files\F-Secure Internet Security\Common\FSLAUNCHER0.EXE (F-Secure Corporation)
PRC - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe (F-Secure Corporation)
PRC - C:\Program Files\TortoiseSVN\bin\TSVNCache.exe (http://tortoisesvn.net)
PRC - C:\WINDOWS\system32\PnkBstrA.exe ()
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe (NVIDIA)
PRC - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe (NVIDIA)
PRC - C:\Program Files\DAEMON Tools Lite\daemon.exe (DT Soft Ltd)
PRC - C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)
PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
PRC - C:\WINDOWS\vsnpstd3.exe ()
PRC - C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company)
PRC - C:\Program Files\Analog Devices\SoundMAX\SMax4.exe (Analog Devices, Inc.)
PRC - C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe (American Power Conversion Corporation)
PRC - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe (American Power Conversion Corporation)
PRC - C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe (Adobe Sytems Incorporated)
PRC - C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe (Adobe Systems Inc.)
PRC - C:\WINDOWS\system32\cidaemon.exe (Microsoft Corporation)
PRC - C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
PRC - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\system32\MsPMSPSv.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\mslbui.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\wbem\framedyn.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (FSORSPClient) -- C:\Program Files\F-Secure Internet Security\ORSP Client\fsorsp.exe (F-Secure Corporation)
SRV - (FSDFWD) -- C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe (F-Secure Corporation)
SRV - (NVSvc) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (HssTrayService) -- C:\Program Files\Hotspot Shield\bin\HssTrayService.exe ()
SRV - (HotspotShieldService) -- C:\Program Files\Hotspot Shield\bin\openvpnas.exe ()
SRV - (HssSrv) -- C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe (AnchorFree Inc.)
SRV - (ZuneWlanCfgSvc) -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe (Microsoft Corporation)
SRV - (ZuneNetworkSvc) -- c:\Program Files\Zune\ZuneNss.exe (Microsoft Corporation)
SRV - (ZuneBusEnum) -- C:\WINDOWS\system32\ZuneBusEnum.exe (Microsoft Corporation)
SRV - (Adobe LM Service) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe Systems)
SRV - (PnkBstrB) -- C:\WINDOWS\system32\PnkBstrB.exe ()
SRV - (FSMA) -- C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE (F-Secure Corporation)
SRV - (F-Secure Gatekeeper Handler Starter) -- C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe (F-Secure Corporation)
SRV - (PnkBstrA) -- C:\WINDOWS\system32\PnkBstrA.exe ()
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (UpdateCenterService) -- C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe (NVIDIA)
SRV - (nTuneService) -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe (NVIDIA)
SRV - (odserv) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (Microsoft Office Groove Audit Service) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (Microsoft Corporation)
SRV - (FontCache3.0.0.0) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (idsvc) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (NetTcpPortSharing) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (aspnet_state) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (helpsvc) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation)
SRV - (QBCFMonitorService) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)
SRV - (WLSetupSvc) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
SRV - (QBFCService) -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe (Intuit Inc.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (WMPNetworkSvc) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)
SRV - (LightScribeService) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company)
SRV - (IAANTMON) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
SRV - (APC UPS Service) -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe (American Power Conversion Corporation)
SRV - (Adobe Version Cue CS2) -- C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe (Adobe Systems Incorporated)
SRV - (MDM) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
SRV - (WMDM PMSP Service) -- C:\WINDOWS\system32\MsPMSPSv.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (F-Secure Gatekeeper) -- C:\Program Files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys ()
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (fsbts) -- C:\WINDOWS\system32\Drivers\fsbts.sys ()
DRV - (HssDrv) -- C:\WINDOWS\system32\drivers\hssdrv.sys (AnchorFree Inc.)
DRV - (taphss) -- C:\WINDOWS\system32\drivers\taphss.sys (AnchorFree Inc)
DRV - (zumbus) -- C:\WINDOWS\system32\drivers\zumbus.sys (Microsoft Corporation)
DRV - (PnkBstrK) -- C:\WINDOWS\system32\drivers\PnkBstrK.sys ()
DRV - (F-Secure HIPS) -- C:\Program Files\F-Secure Internet Security\HIPS\drivers\fshs.sys (F-Secure Corporation)
DRV - (FSFW) -- C:\WINDOWS\System32\drivers\fsdfw.sys (F-Secure Corporation)
DRV - (F-Secure Filter) -- C:\Program Files\F-Secure Internet Security\Anti-Virus\win2k\fsfilter.sys ()
DRV - (F-Secure Recognizer) -- C:\Program Files\F-Secure Internet Security\Anti-Virus\win2k\fsrec.sys ()
DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys ()
DRV - (NVR0FLASHDev) -- C:\WINDOWS\nvflash.sys (NVIDIA Corp.)
DRV - (NVR0Dev) -- C:\WINDOWS\nvoclock.sys (NVIDIA Corp.)
DRV - (gdrv) -- C:\WINDOWS\gdrv.sys (Windows ® 2000 DDK provider)
DRV - (HidBatt) -- C:\WINDOWS\system32\drivers\hidbatt.sys (Microsoft Corporation)
DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (IntcAzAudAddService) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (tapvpn) -- C:\WINDOWS\system32\drivers\tapvpn.sys (The OpenVPN Project)
DRV - (ManyCam) -- C:\WINDOWS\system32\drivers\ManyCam.sys (ManyCam LLC.)
DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation )
DRV - (yukonwxp) -- C:\WINDOWS\system32\drivers\yk51x86.sys (Marvell)
DRV - (SNPSTD3) -- C:\WINDOWS\system32\drivers\snpstd3.sys (Sonix Co. Ltd.)
DRV - (JRAID) -- C:\WINDOWS\system32\DRIVERS\jraid.sys (JMicron Technology Corp.)
DRV - (ADIDTSFiltService) -- C:\WINDOWS\system32\drivers\adidts.sys (Analog Devices, Inc.)
DRV - (iaStor) -- C:\WINDOWS\system32\DRIVERS\iaStor.sys ()
DRV - (ADIHdAudAddService) -- C:\WINDOWS\system32\drivers\ADIHdAud.sys (Analog Devices, Inc.)
DRV - (AEAudio) -- C:\WINDOWS\system32\drivers\aeaudio.sys (Andrea Electronics Corporation)
DRV - (JGOGO) -- C:\WINDOWS\system32\DRIVERS\JGOGO.sys (JMicron )
DRV - (ENTECH) -- C:\WINDOWS\system32\drivers\Entech.sys (EnTech Taiwan)
DRV - (MTsensor) -- C:\WINDOWS\system32\drivers\ASACPI.sys ()
DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://forums.whyweprotest.net/ [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.devryu.net/
IE - HKCU\..\URLSearchHook: {9198CEC1-4DD8-95E7-1053-F5AAFDBBE0FB} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://comments-subm...m&comment=XENU"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: [email protected]:7
FF - prefs.js..extensions.enabledItems: {9c51bd27-6ed8-4000-a2bf-36cb95c0c947}:10.1.0
FF - prefs.js..extensions.enabledItems: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca}:1.2.2
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.14

FF - HKLM\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/01/30 12:21:27 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/04 10:57:47 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\F-Secure Internet Security\NRS\[email protected] [2009/11/06 03:54:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.14\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/10/01 13:04:50 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.14\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/14 20:04:54 | 00,000,000 | ---D | M]

[2009/03/03 13:09:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2009/03/03 13:09:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/10/29 16:39:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5inukvb5.default\extensions
[2009/09/05 08:58:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5inukvb5.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/06/11 11:56:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5inukvb5.default\extensions\{9c51bd27-6ed8-4000-a2bf-36cb95c0c947}
[2009/10/29 16:29:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5inukvb5.default\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
[2009/10/29 16:39:41 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/09/14 20:04:54 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/04/17 14:05:28 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/09/14 20:04:50 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/09/14 20:04:50 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2009/03/09 04:19:09 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
[2009/09/14 20:04:51 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2004/12/14 01:19:18 | 00,057,344 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2009/09/02 12:41:15 | 00,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2009/09/02 12:41:15 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/09/02 12:41:15 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/09/02 12:41:15 | 00,002,343 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2009/09/02 12:41:15 | 00,001,706 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/09/02 12:41:15 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2009/09/02 12:41:15 | 00,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: (348955 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 11965 more lines...
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Browsing Protection Class) - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\F-Secure Internet Security\NRS\iescript\baselitmus.dll (F-Secure Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\HssIE\HssIE.dll (AnchorFree Inc.)
O3 - HKLM\..\Toolbar: (Browsing Protection Toolbar) - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\F-Secure Internet Security\NRS\iescript\baselitmus.dll (F-Secure Corporation)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [36X Raid Configurer] C:\WINDOWS\System32\xRaidSetup.exe (JMicron Technology Corp.)
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe (Adobe Sytems Incorporated)
O4 - HKLM..\Run: [F-Secure Manager] C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE (F-Secure Corporation)
O4 - HKLM..\Run: [F-Secure TNB] C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe (F-Secure Corporation)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [JMB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe (JMicron Technology Corp.)
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe ()
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe File not found
O4 - HKLM..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
O4 - HKLM..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe ()
O4 - HKLM..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\daemon.exe (DT Soft Ltd)
O4 - HKLM..\RunOnce: [lxceUninstallerRan] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe (American Power Conversion Corporation)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\F-Secure Internet Security\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: wachovia.com ([onlinebanking2] https in Trusted sites)
O15 - HKCU\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.appl...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} http://intel-drv-cdn...reqlab_srlx.cab (System Requirements Lab Class)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} http://www.fileplane...C_2.3.9.113.cab (CDownloadCtrl Object)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace....ploader1006.cab (MySpace Uploader Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1221590296953 (WUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://messenger.zon...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zon...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} http://service.futur...ark/tc/MSC3.cab (Measurement Services Client v.3.12)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://devrypresent...ing/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zon...er.cab56986.cab (Minesweeper Flags Class)
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (TODO: <Company name>)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\qbwc {FC598A64-626C-4447-85B8-53150405FD57} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{0e456050-8a74-11dd-8849-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{0e456050-8a74-11dd-8849-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{0e456050-8a74-11dd-8849-806d6172696f}\Shell\AutoRun\command - "" = D:\ASUSACPI.exe -- File not found
O33 - MountPoints2\{6b321094-a7b6-11dd-885e-0018f35b9a64}\Shell\AutoRun\command - "" = E:\setupSNK.exe -- File not found
O33 - MountPoints2\{f4cb4364-950a-11dd-8859-0018f35b9a64}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/11/16 13:30:32 | 00,529,408 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/11/14 00:34:24 | 00,000,000 | ---D | C] -- C:\792b6a92f5d64ec3783b
[2009/11/12 11:03:18 | 00,000,000 | ---D | C] -- C:\Program Files\Packet Tracer 5.1
[2009/11/12 11:02:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\CCNA2
[2009/11/08 15:17:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Tracing
[2009/11/08 15:15:17 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2009/11/08 15:15:04 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live SkyDrive
[2009/11/08 14:48:08 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
[2009/11/01 20:25:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\TechSmith
[2009/10/31 20:41:40 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/10/31 20:41:05 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/10/31 20:31:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2009/10/31 20:31:11 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/10/31 20:31:09 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/10/31 20:31:09 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/10/31 20:31:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/10/31 20:21:10 | 00,021,504 | ---- | C] (Doug Knox) -- C:\Documents and Settings\Owner\Desktop\SysRestorePoint.exe
[2009/10/31 18:37:00 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Owner\Desktop\RootRepeal.exe
[2009/10/29 10:31:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
[2008/10/05 12:16:41 | 00,131,072 | ---- | C] ( ) -- C:\WINDOWS\System32\rsnpstd3.dll
[2008/10/05 12:16:41 | 00,061,440 | ---- | C] ( ) -- C:\WINDOWS\System32\vsnpstd3.dll
[2008/10/05 12:16:40 | 00,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\csnpstd3.dll

========== Files - Modified Within 30 Days ==========

[2009/11/16 13:44:43 | 00,037,338 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Bongart_memp.docx
[2009/11/16 13:39:59 | 00,023,082 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MGMT408_-_Week_3_-_Feasibility_Analysis_Assignment_NPV_analysis.xlsx
[2009/11/16 13:31:05 | 00,291,840 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\7rc9409h.exe
[2009/11/16 13:30:33 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/11/16 13:16:39 | 03,344,430 | ---- | M] () -- C:\lxceunst.csv
[2009/11/16 13:13:27 | 00,037,840 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MGMT408_-_Week_1_-_Job_Description_Assignment_-_v3_1.docx
[2009/11/16 13:13:21 | 00,014,065 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MGMT408_-_Week_1_-_Job_Description_Template_-_v2.docx
[2009/11/16 13:10:10 | 00,010,878 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MGMT408_-_Week_4_-_RFP_Evaluation_Matrix_template.xlsx
[2009/11/16 13:10:00 | 00,040,712 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MGMT408_-_Week_4_-_RFP_Evaluation_Assignment_-_v3_1.docx
[2009/11/16 08:46:33 | 00,000,757 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\World of Warcraft.lnk
[2009/11/16 01:51:59 | 00,000,508 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled scanning task.job
[2009/11/15 19:47:44 | 30,577,325 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\20091114-kfi-marcheadley.wma
[2009/11/14 23:06:11 | 79,193,568 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Ballerina.avi
[2009/11/12 23:37:54 | 10,223,616 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2009/11/12 11:03:38 | 00,000,846 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Packet Tracer 5.1.lnk
[2009/11/11 11:08:47 | 00,011,961 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\New Document (2).docx
[2009/11/11 10:52:30 | 00,002,359 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2009/11/11 10:52:18 | 00,249,230 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2009/11/11 10:51:30 | 00,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/11 10:47:49 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/11/11 10:44:44 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/11 10:44:22 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/11 10:44:15 | 21,466,19392 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/11 10:44:15 | 00,286,904 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/11 10:07:38 | 00,000,151 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Rules of Court.url
[2009/11/11 09:45:42 | 00,000,221 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2009/11/10 11:43:41 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/11/08 15:16:35 | 00,000,905 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\My Sharing Folders.lnk
[2009/11/06 08:16:49 | 00,026,372 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Bongart_week2.docx
[2009/11/05 12:36:21 | 26,768,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/11/04 22:43:06 | 00,055,296 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/04 12:41:39 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2009/11/04 12:26:45 | 00,451,486 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/04 12:26:45 | 00,075,352 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/04 12:26:41 | 00,537,114 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/04 08:22:08 | 00,016,176 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MGMT408_-_Memo_Structure.docx
[2009/11/04 07:48:12 | 00,039,170 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MGMT408_-_Week_2_-_Network_Maintenance_Assignment_-_v3_1.docx
[2009/11/03 12:40:56 | 00,014,855 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\TakeHomeExam.docx
[2009/11/01 12:26:16 | 00,212,992 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\CrucialScan.exe
[2009/10/31 20:55:57 | 00,000,236 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Boot.ini missing and Strange RAID problem.url
[2009/10/31 20:41:26 | 00,000,773 | ---- | M] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/10/31 20:31:13 | 00,000,702 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/31 20:23:53 | 00,000,015 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\settings.dat
[2009/10/31 20:21:11 | 00,021,504 | ---- | M] (Doug Knox) -- C:\Documents and Settings\Owner\Desktop\SysRestorePoint.exe
[2009/10/31 18:37:01 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Owner\Desktop\RootRepeal.exe
[2009/10/31 10:41:20 | 00,348,955 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/10/31 10:12:48 | 00,000,201 | ---- | M] () -- C:\Boot.ini
[2009/10/29 10:16:57 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/10/27 12:30:49 | 00,000,020 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\aionmemo_37e33bdb.dat
[2009/10/24 05:57:27 | 00,257,620 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2009/10/22 04:19:04 | 05,939,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mshtml.dll
[2009/10/22 04:19:04 | 05,939,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2009/10/19 12:02:32 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini

========== Files Created - No Company Name ==========

[2009/11/16 13:31:04 | 00,291,840 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\7rc9409h.exe
[2009/11/16 13:16:34 | 03,344,430 | ---- | C] () -- C:\lxceunst.csv
[2009/11/16 13:13:27 | 00,037,840 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MGMT408_-_Week_1_-_Job_Description_Assignment_-_v3_1.docx
[2009/11/16 13:13:21 | 00,014,065 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MGMT408_-_Week_1_-_Job_Description_Template_-_v2.docx
[2009/11/16 13:10:09 | 00,010,878 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MGMT408_-_Week_4_-_RFP_Evaluation_Matrix_template.xlsx
[2009/11/16 13:09:58 | 00,040,712 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MGMT408_-_Week_4_-_RFP_Evaluation_Assignment_-_v3_1.docx
[2009/11/15 19:47:41 | 30,577,325 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\20091114-kfi-marcheadley.wma
[2009/11/14 23:06:07 | 79,193,568 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Ballerina.avi
[2009/11/14 18:44:24 | 00,023,082 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MGMT408_-_Week_3_-_Feasibility_Analysis_Assignment_NPV_analysis.xlsx
[2009/11/12 11:03:38 | 00,000,846 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Packet Tracer 5.1.lnk
[2009/11/12 10:58:11 | 00,037,338 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Bongart_memp.docx
[2009/11/11 10:07:38 | 00,000,151 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Rules of Court.url
[2009/11/11 03:03:43 | 00,000,221 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/11/04 09:31:35 | 00,026,372 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Bongart_week2.docx
[2009/11/04 09:20:34 | 00,011,961 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\New Document (2).docx
[2009/11/04 08:22:08 | 00,016,176 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MGMT408_-_Memo_Structure.docx
[2009/11/04 07:48:10 | 00,039,170 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MGMT408_-_Week_2_-_Network_Maintenance_Assignment_-_v3_1.docx
[2009/11/01 12:26:14 | 00,212,992 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\CrucialScan.exe
[2009/10/31 20:41:26 | 00,000,773 | ---- | C] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/10/31 20:31:13 | 00,000,702 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/31 20:23:09 | 00,000,015 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\settings.dat
[2009/10/31 09:16:12 | 00,000,201 | ---- | C] () -- C:\Boot.ini
[2009/10/21 15:37:15 | 00,000,236 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Boot.ini missing and Strange RAID problem.url
[2009/08/03 14:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/07/18 21:12:08 | 01,051,136 | ---- | C] () -- C:\WINDOWS\System32\drivers\CAMTHWDM.sys
[2009/07/16 11:24:48 | 00,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/07/16 11:24:47 | 00,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/07/16 11:24:47 | 00,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2009/07/16 11:24:46 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009/07/16 11:24:46 | 00,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/07/16 11:24:45 | 00,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/07/16 11:24:45 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/07/14 16:15:00 | 00,178,432 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2009/07/08 08:42:49 | 00,000,433 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/02/19 08:42:25 | 00,717,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009/01/30 15:31:10 | 00,000,319 | ---- | C] () -- C:\WINDOWS\WPE PRO.INI
[2009/01/20 09:59:59 | 00,139,072 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2008/11/28 19:55:19 | 00,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2008/11/07 09:20:24 | 01,970,176 | ---- | C] () -- C:\WINDOWS\System32\d3dx9.dll
[2008/10/31 05:59:03 | 00,033,920 | ---- | C] () -- C:\WINDOWS\System32\drivers\fsbts.sys
[2008/10/07 09:27:11 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/10/07 08:13:30 | 00,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 08:13:22 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/10/05 12:16:40 | 00,015,498 | ---- | C] () -- C:\WINDOWS\snpstd3.ini
[2008/09/26 19:37:08 | 00,055,296 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/09/24 15:07:35 | 00,247,808 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys
[2008/09/23 18:36:21 | 00,022,047 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
[2008/09/23 18:36:09 | 00,021,724 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2008/09/23 18:36:03 | 00,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2008/09/23 18:36:01 | 00,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2008/09/16 11:31:51 | 02,115,816 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2008/09/16 11:27:13 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/09/16 11:19:28 | 00,074,656 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/09/16 11:10:33 | 00,257,620 | -H-- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2008/09/16 11:08:13 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Owner\Application Data\desktop.ini
[2008/09/16 06:47:42 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2008/05/16 13:01:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2004/08/12 08:33:16 | 00,000,603 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/12 08:30:36 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2001/11/19 18:05:18 | 00,003,972 | ---- | C] () -- C:\WINDOWS\System32\drivers\PciBus.sys

========== LOP Check ==========

[2008/09/26 10:54:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2008/12/16 15:10:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Blizzard
[2009/08/20 01:46:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Blizzard Entertainment
[2008/12/29 15:58:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2009/02/19 08:47:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2009/01/15 09:31:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Electronic Arts
[2008/09/16 11:36:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\f-secure
[2009/08/30 13:16:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Fallout3
[2009/09/18 19:00:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\fssg
[2009/10/16 14:40:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TechSmith
[2009/11/16 13:43:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/10/19 17:56:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Azureus
[2008/10/14 07:45:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Blender Foundation
[2009/02/19 08:48:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\DAEMON Tools
[2009/02/19 08:48:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\DAEMON Tools Lite
[2009/02/19 08:51:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\DAEMON Tools Pro
[2009/09/18 20:09:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\F-Secure
[2009/01/05 10:10:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ICAClient
[2009/08/23 14:40:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ManyCam
[2009/11/16 13:47:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MyScribe
[2009/01/11 08:49:18 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Owner\Application Data\SecuROM
[2009/07/22 09:07:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Subversion
[2009/07/18 21:13:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Webcammax
[2009/04/22 06:03:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\webex
[2008/10/14 07:54:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Wings3D
[2004/08/12 08:23:47 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/11/11 10:47:49 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2009/11/11 10:44:44 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
[2009/11/16 01:51:59 | 00,000,508 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled scanning task.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 489 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EA029835
< End of report >


Extras.txt

OTL Extras logfile created on: 11/16/2009 2:06:16 PM - Run 1
OTL by OldTimer - Version 3.1.5.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.37 Gb Available Physical Memory | 68.45% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 3742 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 211.31 Gb Free Space | 70.89% Space Free | Partition Type: NTFS
Drive D: | 209.38 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 298.08 Gb Total Space | 188.11 Gb Free Space | 63.11% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-783BC40F8
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\WINDOWS\system32\rundll32.exe" = C:\WINDOWS\system32\rundll32.exe:*:Enabled:rundll32 -- (Microsoft Corporation)
"C:\WINDOWS\system32\0s_install.exe" = C:\WINDOWS\system32\0s_install.exe:*:Enabled:0s_install -- File not found
"C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager -- (iAnywhere Solutions, Inc.)
"C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" = C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe:*:Enabled:Adobe Version Cue CS2 -- (Adobe Systems Incorporated)
"C:\Program Files\Ventrilo\Ventrilo.exe" = C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- (Flagship Industries, Inc.)
"C:\Program Files\iCall\iCall.exe" = C:\Program Files\iCall\iCall.exe:*:Enabled:iCall -- ()
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
".sol Editor" = .sol Editor 1.1.0.1
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}" = Zune Language Pack (FR)
"{0134A1A1-C283-4A47-91A1-92F19F960372}" = Adobe Creative Suite 2
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{243FA669-BEA1-4FD7-906F-DAF000D6B33A}" = Casper XP
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 13
"{28F451B0-44E5-48C0-8706-84114249F5B4}" = LightScribe 1.4.109.1
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = JRAID
"{3BC1954F-F5C9-4ED2-BB2A-BAEEF4DAC74D}" = TortoiseSVN 1.6.3.16613 (32 bit)
"{5A0C892E-FD1C-4203-941E-0956AED20A6A}" = APC PowerChute Personal Edition
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6F69C969-2942-4E7B-B594-75B37664B8BA}" = NVIDIA System Update
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}" = NVIDIA Performance
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{888FFC82-688D-46AB-A776-B417885432B6}" = Zune
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{8ECB8220-F422-4BEB-9596-97033C533702}" = QuickBooks Pro 2008
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISER_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISER_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISER_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{974C4B12-4D02-4879-85E0-61C95CC63E9E}" = Fallout 3
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A589DA26-51BD-475D-8C32-E19E34145842}" = Camtasia Studio 6
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.5
"{AC76BA86-7AD7-1033-7B44-A81300000003}_814" = KB408682
"{ADBE46EE-54E0-4610-B436-D7E93D829100}" = Adobe Version Cue CS2
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B2F5D08C-7E79-4FCD-AAF4-57AD35FF0601}" = Adobe Illustrator CS2
"{B343B0E3-212A-40B9-8207-1BD299228F5D}" = Fallout 3 - The Garden of Eden Creation Kit
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B45FABE7-D101-4D99-A671-E16DA40AF7F0}" = Microsoft Games for Windows - LIVE
"{B578C85A-A84C-4230-A177-C5B2AF565B8C}" = Microsoft Games for Windows - LIVE Redistributable
"{B74D4E10-6884-0000-0000-000000000103}" = Adobe Bridge 1.0
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C49DAA9C-5BA8-459A-8244-E57B69DF0F04}" = Suite Specific
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{C9FB868B-2086-4EE2-BD4F-BFBA36B131F4}" = NCsoft Launcher
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E2E7A0E8-77C4-495F-8FA3-63DAEDAA2DB3}" = F-Secure PSC Prerequisites
"{E9459BCF-0982-498B-ABA7-26C34323493F}" = Citrix Presentation Server Client - Web Only
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{E9CFBE78-ED91-4FCF-9E6F-210E477E527D}" = NVIDIA System Monitor
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{EE4ACABF-531E-419A-9225-B8E0FA4955AF}" = Zune Language Pack (ES)
"{EEB1AAA8-CEFB-4B92-A2F0-416063416C38}" = Aion
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F999C60C-0DB8-4563-A54B-ABB97560CF65}" = Ezonics VGA camera
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"ActiveTouchMeetingClient" = WebEx
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"AviSynth" = AviSynth 2.5
"Cheat Engine 5.4_is1" = Cheat Engine 5.4
"Download Manager" = Download Manager 2.3.9
"DtsFilter" = DTS+AC3 Filter
"EADM" = EA Download Manager
"ENTERPRISER" = Microsoft Office Enterprise 2007
"ERUNT_is1" = ERUNT 1.1j
"Fallout Mod Manager_is1" = Fallout Mod Manager 0.9.15
"Fraps" = Fraps
"F-Secure Product 444" = F-Secure Internet Security 2010
"GCFScape_is1" = GCFScape 1.7.3
"GOM Player" = GOM Player
"HotspotShield" = Hotspot Shield 1.30
"iCall_is1" = iCall
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{6F69C969-2942-4E7B-B594-75B37664B8BA}" = NVIDIA System Update
"InstallShield_{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}" = NVIDIA Performance
"InstallShield_{E9CFBE78-ED91-4FCF-9E6F-210E477E527D}" = NVIDIA System Monitor
"KLiteCodecPack_is1" = K-Lite Codec Pack 5.0.0 (Full)
"Lexmark 4300 Series" = Lexmark 4300 Series
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"ManyCam" = ManyCam 2.4 (remove only)
"Measurement Services Client" = Futuremark Measurement Services Client
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"mIRC" = mIRC
"MoneyCube" = MoneyCube
"Mozilla Firefox (3.0.14)" = Mozilla Firefox (3.0.14)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyScribe" = MyScribe
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"Packet Tracer 5.1_is1" = Packet Tracer 5.1
"RealAlt_is1" = Real Alternative 1.9.0
"SocksCap V2" = SocksCap V2
"SystemRequirementsLab" = System Requirements Lab
"VLC media player" = VLC media player 1.0.0
"Vuze" = Vuze
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"Wings 3D 0.99.02" = Wings 3D 0.99.02
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"World of Warcraft" = World of Warcraft
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"XTTB00001.XTTB00001Toolbar" = 811 Toolbar
"Zune" = Zune

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/8/2009 1:46:10 AM | Computer Name = OWNER-783BC40F8 | Source = F-Secure Management Agent | ID = 103
Description = 7 2009-11-08 00:46:10-04:00 owner-783bc40f8 OWNER-783BC40F8\Owner
F-Secure Management Agent The module F-Secure Anti-Virus Handler monitored by
F-Secure Management Agent has stopped responding or was terminated. Restarting it
was not possible and it will not be functional until the computer is restarted.
If this message appears after restarting the computer, contact the system administrator
or reinstall F-Secure products.

Error - 11/8/2009 2:47:33 AM | Computer Name = OWNER-783BC40F8 | Source = F-Secure Anti-Virus | ID = 103
Description = 8 2009-11-08 01:47:32-04:00 owner-783bc40f8 OWNER-783BC40F8\Owner
F-Secure Anti-Virus Manual scanning was finished - workstation was found infected!


Error - 11/9/2009 1:20:05 AM | Computer Name = OWNER-783BC40F8 | Source = F-Secure Management Agent | ID = 103
Description = 9 2009-11-09 00:20:02-04:00 owner-783bc40f8 OWNER-783BC40F8\Owner
F-Secure Management Agent The module F-Secure Anti-Virus Handler monitored by
F-Secure Management Agent has stopped responding or was terminated. Restarting it
was not possible and it will not be functional until the computer is restarted.
If this message appears after restarting the computer, contact the system administrator
or reinstall F-Secure products.

Error - 11/9/2009 3:12:34 AM | Computer Name = OWNER-783BC40F8 | Source = F-Secure Anti-Virus | ID = 103
Description = 10 2009-11-09 02:12:33-04:00 owner-783bc40f8 OWNER-783BC40F8\Owner
F-Secure Anti-Virus Manual scanning was finished - workstation was found infected!


Error - 11/10/2009 2:59:11 AM | Computer Name = OWNER-783BC40F8 | Source = F-Secure Anti-Virus | ID = 103
Description = 1 2009-11-10 01:59:10-04:00 owner-783bc40f8 OWNER-783BC40F8\Owner
F-Secure Anti-Virus Manual scanning was finished - workstation was found infected!


Error - 11/12/2009 2:55:16 AM | Computer Name = OWNER-783BC40F8 | Source = F-Secure Anti-Virus | ID = 103
Description = 1 2009-11-12 01:55:15-04:00 owner-783bc40f8 OWNER-783BC40F8\Owner
F-Secure Anti-Virus Manual scanning was finished - workstation was found infected!


Error - 11/14/2009 3:01:17 AM | Computer Name = OWNER-783BC40F8 | Source = F-Secure Anti-Virus | ID = 103
Description = 2 2009-11-14 02:01:17-04:00 owner-783bc40f8 OWNER-783BC40F8\Owner
F-Secure Anti-Virus Manual scanning was finished - workstation was found infected!


Error - 11/15/2009 12:29:22 AM | Computer Name = OWNER-783BC40F8 | Source = F-Secure Anti-Virus | ID = 103
Description = 3 2009-11-14 23:29:22-04:00 owner-783bc40f8 OWNER-783BC40F8\Owner
F-Secure Anti-Virus Crash detected.

Error - 11/15/2009 3:07:50 AM | Computer Name = OWNER-783BC40F8 | Source = F-Secure Anti-Virus | ID = 103
Description = 4 2009-11-15 02:07:49-04:00 owner-783bc40f8 OWNER-783BC40F8\Owner
F-Secure Anti-Virus Manual scanning was finished - workstation was found infected!


Error - 11/16/2009 2:51:57 AM | Computer Name = OWNER-783BC40F8 | Source = F-Secure Anti-Virus | ID = 103
Description = 5 2009-11-16 01:51:56-04:00 owner-783bc40f8 OWNER-783BC40F8\Owner
F-Secure Anti-Virus Manual scanning was finished - workstation was found infected!


[ System Events ]
Error - 11/14/2009 1:49:09 PM | Computer Name = OWNER-783BC40F8 | Source = Dhcp | ID = 1002
Description = The IP address lease 10.19.91.15 for the Network Card with network
address 00FF8B16B5E2 has been denied by the DHCP server 10.19.127.254 (The DHCP
Server sent a DHCPNACK message).

Error - 11/14/2009 1:50:04 PM | Computer Name = OWNER-783BC40F8 | Source = Dhcp | ID = 1002
Description = The IP address lease 10.19.115.220 for the Network Card with network
address 00FF8B16B5E2 has been denied by the DHCP server 10.19.127.254 (The DHCP
Server sent a DHCPNACK message).

Error - 11/14/2009 7:59:19 PM | Computer Name = OWNER-783BC40F8 | Source = Dhcp | ID = 1002
Description = The IP address lease 10.19.113.142 for the Network Card with network
address 00FF8B16B5E2 has been denied by the DHCP server 10.25.47.254 (The DHCP Server
sent a DHCPNACK message).

Error - 11/14/2009 8:55:02 PM | Computer Name = OWNER-783BC40F8 | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Definition Update for Windows Defender - KB915597 (Definition
1.69.881.0).

Error - 11/14/2009 11:18:19 PM | Computer Name = OWNER-783BC40F8 | Source = Dhcp | ID = 1002
Description = The IP address lease 10.25.37.253 for the Network Card with network
address 00FF8B16B5E2 has been denied by the DHCP server 10.20.31.254 (The DHCP Server
sent a DHCPNACK message).

Error - 11/14/2009 11:19:04 PM | Computer Name = OWNER-783BC40F8 | Source = Dhcp | ID = 1002
Description = The IP address lease 10.20.20.5 for the Network Card with network
address 00FF8B16B5E2 has been denied by the DHCP server 10.28.55.254 (The DHCP Server
sent a DHCPNACK message).

Error - 11/15/2009 12:39:12 AM | Computer Name = OWNER-783BC40F8 | Source = PlugPlayManager | ID = 11
Description = The device Root\LEGACY_FSBL\0000 disappeared from the system without
first being prepared for removal.

Error - 11/15/2009 4:15:51 PM | Computer Name = OWNER-783BC40F8 | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Definition Update for Windows Defender - KB915597 (Definition
1.69.881.0).

Error - 11/15/2009 5:40:49 PM | Computer Name = OWNER-783BC40F8 | Source = Dhcp | ID = 1002
Description = The IP address lease 10.28.50.16 for the Network Card with network
address 00FF8B16B5E2 has been denied by the DHCP server 10.26.71.254 (The DHCP Server
sent a DHCPNACK message).

Error - 11/16/2009 12:38:24 AM | Computer Name = OWNER-783BC40F8 | Source = PlugPlayManager | ID = 11
Description = The device Root\LEGACY_FSBL\0000 disappeared from the system without
first being prepared for removal.


< End of report >

#6 Voland (Topic Starter)

GMER Results.log

GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-16 15:12:31
Windows 5.1.2600 Service Pack 3
Running: 7rc9409h.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwwdipod.sys


---- System - GMER 1.0.15 ----

SSDT sppy.sys ZwCreateKey [0xB7EA80E0]
SSDT \??\C:\Program Files\F-Secure Internet Security\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwCreateProcess [0xB71FACD6]
SSDT \??\C:\Program Files\F-Secure Internet Security\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwCreateProcessEx [0xB71FACF0]
SSDT \??\C:\Program Files\F-Secure Internet Security\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwCreateThread [0xB71F9E8C]
SSDT sppy.sys ZwEnumerateKey [0xB7EC6CA2]
SSDT sppy.sys ZwEnumerateValueKey [0xB7EC7030]
SSDT \??\C:\Program Files\F-Secure Internet Security\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwLoadDriver [0xB71FA1BC]
SSDT \??\C:\Program Files\F-Secure Internet Security\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwMapViewOfSection [0xB71F9BCC]
SSDT sppy.sys ZwOpenKey [0xB7EA80C0]
SSDT \??\C:\Program Files\F-Secure Internet Security\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwOpenSection [0xB71FA5EE]
SSDT sppy.sys ZwQueryKey [0xB7EC7108]
SSDT sppy.sys ZwQueryValueKey [0xB7EC6F88]
SSDT \??\C:\Program Files\F-Secure Internet Security\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwRenameKey [0xB71FB88C]
SSDT \??\C:\Program Files\F-Secure Internet Security\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSetSystemInformation [0xB71FA43E]
SSDT sppy.sys ZwSetValueKey [0xB7EC719A]
SSDT \??\C:\Program Files\F-Secure Internet Security\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSuspendProcess [0xB71F9A4C]
SSDT \??\C:\Program Files\F-Secure Internet Security\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSuspendThread [0xB71F9EC0]
SSDT \??\C:\Program Files\F-Secure Internet Security\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSystemDebugControl [0xB71FA042]
SSDT \??\C:\Program Files\F-Secure Internet Security\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwTerminateProcess [0xB71F99A6]
SSDT \??\C:\Program Files\F-Secure Internet Security\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwTerminateThread [0xB71F9B06]
SSDT \??\C:\Program Files\F-Secure Internet Security\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwWriteVirtualMemory [0xB71F9F86]

INT 0x63 ? 8A7E3BF8
INT 0x63 ? 8A7E3BF8
INT 0x63 ? 8A7E3BF8
INT 0x63 ? 8A7E3BF8
INT 0x63 ? 8A5F4BF8
INT 0x63 ? 8A7E3BF8
INT 0x73 ? 8A5F4BF8
INT 0x83 ? 8A854BF8
INT 0x83 ? 8A5F4BF8
INT 0x83 ? 8A854BF8
INT 0x84 ? 8A5F4BF8
INT 0xA4 ? 8A5F4BF8
INT 0xA4 ? 8A5F4BF8

Code fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation) IoCreateDevice

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FB9 80504855 11 Bytes [9A, 1F, B7, C0, 9E, 1F, B7, ...]
PAGE ntkrnlpa.exe!IoCreateDevice 805758EE 5 Bytes JMP B7C5EFFA fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
? sppy.sys The system cannot find the file specified. !
PAGENPNP NDIS.SYS!NdisRegisterProtocol B7C2F17F 5 Bytes JMP B7C5EE0C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisOpenAdapter B7C2F399 5 Bytes JMP B7C5F394 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisCloseAdapter B7C39642 5 Bytes JMP B7C5EF18 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisDeregisterProtocol B7C39821 5 Bytes JMP B7C5F1B0 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisReturnPackets B7C3C810 5 Bytes JMP B7C5FC0C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisRequest B7C3C97B 5 Bytes JMP B7C5F5AC fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisSend B7C3F986 5 Bytes JMP B7C6058C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisSendPackets B7C3F9A3 5 Bytes JMP B7C6065E fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisTransferData B7C3F9BE 5 Bytes JMP B7C5FD0A fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO NDIS.SYS!NdisCoCreateVc B7C46186 5 Bytes JMP B7C5EE76 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO NDIS.SYS!NdisCoDeleteVc B7C47557 5 Bytes JMP B7C5EEE4 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO NDIS.SYS!NdisCoSendPackets B7C47AF1 5 Bytes JMP B7C60376 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
.text USBPORT.SYS!DllUnload B742F8AC 5 Bytes JMP 8A5F41D8
.text aqly4aig.SYS B72B0386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text aqly4aig.SYS B72B03AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text aqly4aig.SYS B72B03C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text aqly4aig.SYS B72B03C9 1 Byte [2E]
.text aqly4aig.SYS B72B03C9 11 Bytes [2E, 00, 00, 00, 5C, 02, 00, ...] {ADD CS:[EAX], AL; ADD [EDX+EAX+0x0], BL; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- User code sections - GMER 1.0.15 ----

.text c:\WINDOWS\system32\ZuneBusEnum.exe[208] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01CE000C
.text c:\WINDOWS\system32\ZuneBusEnum.exe[208] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 01CE100C
.text c:\WINDOWS\system32\ZuneBusEnum.exe[208] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01CE200C
.text c:\WINDOWS\system32\ZuneBusEnum.exe[208] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 01CE300C
.text c:\WINDOWS\system32\ZuneBusEnum.exe[208] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 01CE700C
.text c:\WINDOWS\system32\ZuneBusEnum.exe[208] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 01CE500C
.text c:\WINDOWS\system32\ZuneBusEnum.exe[208] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 01CE600C
.text c:\WINDOWS\system32\ZuneBusEnum.exe[208] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 01CE800C
.text c:\WINDOWS\system32\ZuneBusEnum.exe[208] USER32.dll!SetWindowsHookExW 7E42820F 3 Bytes JMP 01CE400C
.text c:\WINDOWS\system32\ZuneBusEnum.exe[208] USER32.dll!SetWindowsHookExW + 4 7E428213 1 Byte [83]
.text c:\WINDOWS\system32\ZuneBusEnum.exe[208] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 01CEA00C
.text c:\WINDOWS\system32\ZuneBusEnum.exe[208] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 01CE900C
.text C:\Program Files\Java\jre6\bin\jqs.exe[332] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0205000C
.text C:\Program Files\Java\jre6\bin\jqs.exe[332] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0205100C
.text C:\Program Files\Java\jre6\bin\jqs.exe[332] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0205200C
.text C:\Program Files\Java\jre6\bin\jqs.exe[332] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 0205300C
.text C:\Program Files\Java\jre6\bin\jqs.exe[332] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 0205700C
.text C:\Program Files\Java\jre6\bin\jqs.exe[332] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 0205500C
.text C:\Program Files\Java\jre6\bin\jqs.exe[332] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 0205600C
.text C:\Program Files\Java\jre6\bin\jqs.exe[332] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0205800C
.text C:\Program Files\Java\jre6\bin\jqs.exe[332] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 0205900C
.text C:\Program Files\Java\jre6\bin\jqs.exe[332] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 0205400C
.text C:\Program Files\Java\jre6\bin\jqs.exe[332] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 0205A00C
.text C:\WINDOWS\system32\nvsvc32.exe[344] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 008D000C
.text C:\WINDOWS\system32\nvsvc32.exe[344] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 008D100C
.text C:\WINDOWS\system32\nvsvc32.exe[344] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008D200C
.text C:\WINDOWS\system32\nvsvc32.exe[344] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 008D300C
.text C:\WINDOWS\system32\nvsvc32.exe[344] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 008D400C
.text C:\WINDOWS\system32\nvsvc32.exe[344] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 008DA00C
.text C:\WINDOWS\system32\nvsvc32.exe[344] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 008D700C
.text C:\WINDOWS\system32\nvsvc32.exe[344] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 008D500C
.text C:\WINDOWS\system32\nvsvc32.exe[344] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 008D600C
.text C:\WINDOWS\system32\nvsvc32.exe[344] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 008D800C
.text C:\WINDOWS\system32\nvsvc32.exe[344] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 008D900C
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[432] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009C000C
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[432] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 009C100C
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[432] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C200C
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[432] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 009C300C
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[432] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 009C700C
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[432] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 009C500C
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[432] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 009C600C
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[432] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 009C800C
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[432] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 009C400C
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[432] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 009CA00C
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[432] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 009C900C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[456] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0065000C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[456] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0065100C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[456] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0065200C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[456] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 0065300C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[456] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 0065700C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[456] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 0065500C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[456] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 0065600C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[456] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0065800C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[456] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 0065400C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[456] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 0065900C
.text C:\WINDOWS\system32\cidaemon.exe[560] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0090000C
.text C:\WINDOWS\system32\cidaemon.exe[560] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0090100C
.text C:\WINDOWS\system32\cidaemon.exe[560] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0090200C
.text C:\WINDOWS\system32\cidaemon.exe[560] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 0090300C
.text C:\WINDOWS\system32\cidaemon.exe[560] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 0090400C
.text C:\WINDOWS\system32\cidaemon.exe[560] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 0090A00C
.text C:\WINDOWS\system32\cidaemon.exe[560] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 0090700C
.text C:\WINDOWS\system32\cidaemon.exe[560] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 0090500C
.text C:\WINDOWS\system32\cidaemon.exe[560] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 0090600C
.text C:\WINDOWS\system32\cidaemon.exe[560] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0090800C
.text C:\WINDOWS\system32\cidaemon.exe[560] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 0090900C
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[564] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 008F000C
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[564] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 008F100C
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[564] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008F200C
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[564] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 008F300C
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[564] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 008F700C
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[564] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 008F500C
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[564] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 008F600C
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[564] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 008F800C
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[564] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 008F900C
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[564] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 008F400C
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[564] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 008FA00C
.text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[708] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009E000C
.text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[708] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 009E100C
.text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[708] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009E200C
.text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[708] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 009E300C
.text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[708] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 009E700C
.text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[708] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 009E500C
.text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[708] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 009E600C
.text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[708] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 009E800C
.text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[708] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 009E400C
.text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[708] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 009EA00C
.text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[708] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 009E900C
.text C:\Program Files\Windows Defender\MsMpEng.exe[724] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0084000C
.text C:\Program Files\Windows Defender\MsMpEng.exe[724] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0084100C
.text C:\Program Files\Windows Defender\MsMpEng.exe[724] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0084200C
.text C:\Program Files\Windows Defender\MsMpEng.exe[724] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 0084300C
.text C:\Program Files\Windows Defender\MsMpEng.exe[724] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 0084700C
.text C:\Program Files\Windows Defender\MsMpEng.exe[724] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 0084500C
.text C:\Program Files\Windows Defender\MsMpEng.exe[724] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 0084600C
.text C:\Program Files\Windows Defender\MsMpEng.exe[724] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0084800C
.text C:\Program Files\Windows Defender\MsMpEng.exe[724] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 0084400C
.text C:\Program Files\Windows Defender\MsMpEng.exe[724] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 0084A00C
.text C:\Program Files\Windows Defender\MsMpEng.exe[724] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 0084900C
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[912] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CB000C
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[912] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00CB100C
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[912] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CB200C
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[912] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00CB300C
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[912] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 00CB700C
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[912] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 00CB500C
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[912] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 00CB600C
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[912] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 00CB800C
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[912] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00CB400C
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[912] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 00CBA00C
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[912] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 00CB900C
.text C:\WINDOWS\system32\PnkBstrA.exe[960] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006A000C
.text C:\WINDOWS\system32\PnkBstrA.exe[960] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 006A100C
.text C:\WINDOWS\system32\PnkBstrA.exe[960] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006A200C
.text C:\WINDOWS\system32\PnkBstrA.exe[960] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 006A300C
.text C:\WINDOWS\system32\PnkBstrA.exe[960] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 006A400C
.text C:\WINDOWS\system32\PnkBstrA.exe[960] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 006A900C
.text C:\WINDOWS\system32\PnkBstrA.exe[960] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 006A700C
.text C:\WINDOWS\system32\PnkBstrA.exe[960] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 006A500C
.text C:\WINDOWS\system32\PnkBstrA.exe[960] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 006A600C
.text C:\WINDOWS\system32\PnkBstrA.exe[960] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 006A800C
.text C:\WINDOWS\system32\PnkBstrB.exe[972] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A2000C
.text C:\WINDOWS\system32\PnkBstrB.exe[972] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00A2100C
.text C:\WINDOWS\system32\PnkBstrB.exe[972] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A2200C
.text C:\WINDOWS\system32\PnkBstrB.exe[972] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00A2300C
.text C:\WINDOWS\system32\PnkBstrB.exe[972] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00A2400C
.text C:\WINDOWS\system32\PnkBstrB.exe[972] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 00A2900C
.text C:\WINDOWS\system32\PnkBstrB.exe[972] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 00A2700C
.text C:\WINDOWS\system32\PnkBstrB.exe[972] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 00A2500C
.text C:\WINDOWS\system32\PnkBstrB.exe[972] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 00A2600C
.text C:\WINDOWS\system32\PnkBstrB.exe[972] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 00A2800C
.text C:\WINDOWS\Explorer.EXE[1224] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B5000C
.text C:\WINDOWS\Explorer.EXE[1224] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00B5100C
.text C:\WINDOWS\Explorer.EXE[1224] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B5200C
.text C:\WINDOWS\Explorer.EXE[1224] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00B5300C
.text C:\WINDOWS\Explorer.EXE[1224] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 00B5700C
.text C:\WINDOWS\Explorer.EXE[1224] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 00B5500C
.text C:\WINDOWS\Explorer.EXE[1224] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 00B5600C
.text C:\WINDOWS\Explorer.EXE[1224] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 00B5800C
.text C:\WINDOWS\Explorer.EXE[1224] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00B5400C
.text C:\WINDOWS\Explorer.EXE[1224] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 00B5A00C
.text C:\WINDOWS\Explorer.EXE[1224] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 00B5900C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1436] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 008F000C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1436] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 008F100C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1436] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008F200C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1436] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 008F300C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1436] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 008F400C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1436] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 008FA00C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1436] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 008F700C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1436] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 008F500C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1436] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 008F600C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1436] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 008F800C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1436] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 008F900C
.text C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe[1444] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009B000C
.text C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe[1444] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 009B100C
.text C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe[1444] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009B200C
.text C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe[1444] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 009B300C
.text C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe[1444] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 009B400C
.text C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe[1444] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 009B900C
.text C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe[1444] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 009B700C
.text C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe[1444] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 009B500C
.text C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe[1444] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 009B600C
.text C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe[1444] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 009B800C
.text C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe[1444] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 009BA00C
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1532] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009E000C
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1532] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 009E100C
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1532] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009E200C
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1532] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 009E300C
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1532] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 009E700C
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1532] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 009E500C
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1532] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 009E600C
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1532] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 009E800C
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1532] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 009E400C
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1532] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 009EA00C
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1532] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 009E900C
.text C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe[1568] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B9000C
.text C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe[1568] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00B9100C
.text C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe[1568] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B9200C
.text C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe[1568] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00B9300C
.text C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe[1568] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00B9400C
.text C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe[1568] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 00B9A00C
.text C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe[1568] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 00B9700C
.text C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe[1568] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 00B9500C
.text C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe[1568] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 00B9600C
.text C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe[1568] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 00B9800C
.text C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe[1568] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 00B9900C
.text C:\WINDOWS\system32\cisvc.exe[1600] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0094000C
.text C:\WINDOWS\system32\cisvc.exe[1600] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0094100C
.text C:\WINDOWS\system32\cisvc.exe[1600] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0094200C
.text C:\WINDOWS\system32\cisvc.exe[1600] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 0094300C
.text C:\WINDOWS\system32\cisvc.exe[1600] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 0094400C
.text C:\WINDOWS\system32\cisvc.exe[1600] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 0094A00C
.text C:\WINDOWS\system32\cisvc.exe[1600] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 0094700C
.text C:\WINDOWS\system32\cisvc.exe[1600] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 0094500C
.text C:\WINDOWS\system32\cisvc.exe[1600] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 0094600C
.text C:\WINDOWS\system32\cisvc.exe[1600] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0094800C
.text C:\WINDOWS\system32\cisvc.exe[1600] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 0094900C
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[1716] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00AA000C
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[1716] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00AA100C
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[1716] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AA200C
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[1716] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00AA300C
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[1716] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 00AA700C
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[1716] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 00AA500C
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[1716] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 00AA600C
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[1716] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 00AA800C
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[1716] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00AA400C
.text C:\Program Files\Hotspot Shield\bin\openvpnas.exe[1716] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 00AA900C
.text C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe[1808] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0080000C
.text C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe[1808] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0080100C
.text C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe[1808] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0080200C
.text C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe[1808] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 0080300C
.text C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe[1808] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 0080700C
.text C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe[1808] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 0080500C
.text C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe[1808] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 0080600C
.text C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe[1808] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0080800C
.text C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe[1808] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 0080400C
.text C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe[1808] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 0080900C
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[1824] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00E1000C
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[1824] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00E1100C
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[1824] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E1200C
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[1824] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00E1300C
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[1824] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 00E1700C
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[1824] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 00E1500C
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[1824] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 00E1600C
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[1824] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 00E1800C
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[1824] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00E1400C
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[1824] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 00E1A00C
.text C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe[1824] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 00E1900C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1868] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 017E000C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1868] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 017E100C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1868] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 017E200C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1868] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 017E300C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1868] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 017E400C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1868] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 017EA00C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1868] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 017E700C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1868] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 017E500C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1868] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 017E600C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1868] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 017E800C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1868] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 017E900C
.text C:\WINDOWS\system32\MsPMSPSv.exe[1912] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006E000C
.text C:\WINDOWS\system32\MsPMSPSv.exe[1912] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 006E100C
.text C:\WINDOWS\system32\MsPMSPSv.exe[1912] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006E200C
.text C:\WINDOWS\system32\MsPMSPSv.exe[1912] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 006E300C
.text C:\WINDOWS\system32\MsPMSPSv.exe[1912] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 006E700C
.text C:\WINDOWS\system32\MsPMSPSv.exe[1912] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 006E500C
.text C:\WINDOWS\system32\MsPMSPSv.exe[1912] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 006E600C
.text C:\WINDOWS\system32\MsPMSPSv.exe[1912] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 006E800C
.text C:\WINDOWS\system32\MsPMSPSv.exe[1912] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 006E400C
.text C:\WINDOWS\system32\MsPMSPSv.exe[1912] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 006EA00C
.text C:\WINDOWS\system32\MsPMSPSv.exe[1912] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 006E900C
.text C:\WINDOWS\system32\winlogon.exe[1976] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FF000C
.text C:\WINDOWS\system32\winlogon.exe[1976] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00FF100C
.text C:\WINDOWS\system32\winlogon.exe[1976] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF200C
.text C:\WINDOWS\system32\winlogon.exe[1976] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00FF300C
.text C:\WINDOWS\system32\winlogon.exe[1976] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 00FF700C
.text C:\WINDOWS\system32\winlogon.exe[1976] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 00FF500C
.text C:\WINDOWS\system32\winlogon.exe[1976] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 00FF600C
.text C:\WINDOWS\system32\winlogon.exe[1976] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 00FF800C
.text C:\WINDOWS\system32\winlogon.exe[1976] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00FF400C
.text C:\WINDOWS\system32\winlogon.exe[1976] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 00FFA00C
.text C:\WINDOWS\system32\winlogon.exe[1976] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 00FF900C
.text C:\WINDOWS\system32\lsass.exe[2032] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00E4000C
.text C:\WINDOWS\system32\lsass.exe[2032] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00E4100C
.text C:\WINDOWS\system32\lsass.exe[2032] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E4200C
.text C:\WINDOWS\system32\lsass.exe[2032] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00E4300C
.text C:\WINDOWS\system32\lsass.exe[2032] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 00E4700C
.text C:\WINDOWS\system32\lsass.exe[2032] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 00E4500C
.text C:\WINDOWS\system32\lsass.exe[2032] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 00E4600C
.text C:\WINDOWS\system32\lsass.exe[2032] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 00E4800C
.text C:\WINDOWS\system32\lsass.exe[2032] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00E4400C
.text C:\WINDOWS\system32\lsass.exe[2032] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 00E4A00C
.text C:\WINDOWS\system32\lsass.exe[2032] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 00E4900C
.text C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe[2564] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0092000C
.text C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe[2564] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0092100C
.text C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe[2564] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0092200C
.text C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe[2564] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 0092300C
.text C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe[2564] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 0092400C
.text C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe[2564] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 0092A00C
.text C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe[2564] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 0092700C
.text C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe[2564] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 0092500C
.text C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe[2564] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 0092600C
.text C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe[2564] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0092800C
.text C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe[2564] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 0092900C
.text C:\WINDOWS\System32\alg.exe[2584] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B4000C
.text C:\WINDOWS\System32\alg.exe[2584] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00B4100C
.text C:\WINDOWS\System32\alg.exe[2584] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B4200C
.text C:\WINDOWS\System32\alg.exe[2584] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00B4300C
.text C:\WINDOWS\System32\alg.exe[2584] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00B4400C
.text C:\WINDOWS\System32\alg.exe[2584] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 00B4A00C
.text C:\WINDOWS\System32\alg.exe[2584] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 00B4700C
.text C:\WINDOWS\System32\alg.exe[2584] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 00B4500C
.text C:\WINDOWS\System32\alg.exe[2584] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 00B4600C
.text C:\WINDOWS\System32\alg.exe[2584] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 00B4800C
.text C:\WINDOWS\System32\alg.exe[2584] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 00B4900C
.text C:\WINDOWS\vsnpstd3.exe[2616] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009C000C
.text C:\WINDOWS\vsnpstd3.exe[2616] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 009C100C
.text C:\WINDOWS\vsnpstd3.exe[2616] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C200C
.text C:\WINDOWS\vsnpstd3.exe[2616] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 009C300C
.text C:\WINDOWS\vsnpstd3.exe[2616] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 009C700C
.text C:\WINDOWS\vsnpstd3.exe[2616] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 009C500C
.text C:\WINDOWS\vsnpstd3.exe[2616] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 009C600C
.text C:\WINDOWS\vsnpstd3.exe[2616] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 009C800C
.text C:\WINDOWS\vsnpstd3.exe[2616] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 009C400C
.text C:\WINDOWS\vsnpstd3.exe[2616] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 009C900C
.text C:\WINDOWS\vsnpstd3.exe[2616] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 009CA00C
.text C:\Program Files\Windows Defender\MSASCui.exe[2724] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CF000C
.text C:\Program Files\Windows Defender\MSASCui.exe[2724] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00CF100C
.text C:\Program Files\Windows Defender\MSASCui.exe[2724] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CF200C
.text C:\Program Files\Windows Defender\MSASCui.exe[2724] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00CF300C
.text C:\Program Files\Windows Defender\MSASCui.exe[2724] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 00CF700C
.text C:\Program Files\Windows Defender\MSASCui.exe[2724] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 00CF500C
.text C:\Program Files\Windows Defender\MSASCui.exe[2724] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 00CF600C
.text C:\Program Files\Windows Defender\MSASCui.exe[2724] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 00CF800C
.text C:\Program Files\Windows Defender\MSASCui.exe[2724] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00CF400C
.text C:\Program Files\Windows Defender\MSASCui.exe[2724] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 00CFA00C
.text C:\Program Files\Windows Defender\MSASCui.exe[2724] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 00CF900C
.text C:\WINDOWS\system32\RUNDLL32.EXE[2896] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009C000C
.text C:\WINDOWS\system32\RUNDLL32.EXE[2896] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 009C100C
.text C:\WINDOWS\system32\RUNDLL32.EXE[2896] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C200C
.text C:\WINDOWS\system32\RUNDLL32.EXE[2896] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 009C300C
.text C:\WINDOWS\system32\RUNDLL32.EXE[2896] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 009C400C
.text C:\WINDOWS\system32\RUNDLL32.EXE[2896] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 009CA00C
.text C:\WINDOWS\system32\RUNDLL32.EXE[2896] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 009C700C
.text C:\WINDOWS\system32\RUNDLL32.EXE[2896] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 009C500C
.text C:\WINDOWS\system32\RUNDLL32.EXE[2896] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 009C600C
.text C:\WINDOWS\system32\RUNDLL32.EXE[2896] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 009C800C
.text C:\WINDOWS\system32\RUNDLL32.EXE[2896] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 009C900C
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[3532] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0089000C
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[3532] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0089100C
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[3532] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0089200C
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[3532] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 0089300C
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[3532] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 0089400C
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[3532] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 0089A00C
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[3532] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 0089700C
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[3532] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 0089500C
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[3532] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 0089600C
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[3532] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0089800C
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[3532] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 0089900C
.text C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe[3908] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0096000C
.text C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe[3908] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0096100C
.text C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe[3908] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0096200C
.text C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe[3908] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 0096300C
.text C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe[3908] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 0096700C
.text C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe[3908] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 0096500C
.text C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe[3908] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 0096600C
.text C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe[3908] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0096800C
.text C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe[3908] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 0096400C
.text C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe[3908] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 0096A00C
.text C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe[3908] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 0096900C
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3936] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BB000C
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3936] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00BB100C
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3936] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB200C
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3936] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00BB300C
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3936] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00BB400C
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3936] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 00BBA00C
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3936] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 00BB700C
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3936] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 00BB500C
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3936] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 00BB600C
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3936] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 00BB800C
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3936] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 00BB900C
.text C:\WINDOWS\system32\NOTEPAD.EXE[6092] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 008C000C
.text C:\WINDOWS\system32\NOTEPAD.EXE[6092] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 008C100C
.text C:\WINDOWS\system32\NOTEPAD.EXE[6092] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008C200C
.text C:\WINDOWS\system32\NOTEPAD.EXE[6092] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 008C300C
.text C:\WINDOWS\system32\NOTEPAD.EXE[6092] ADVAPI32.dll!CloseServiceHandle 77DE6CE5 5 Bytes JMP 008C700C
.text C:\WINDOWS\system32\NOTEPAD.EXE[6092] ADVAPI32.dll!OpenServiceW 77DE6FFD 5 Bytes JMP 008C500C
.text C:\WINDOWS\system32\NOTEPAD.EXE[6092] ADVAPI32.dll!ControlService 77DF4A09 5 Bytes JMP 008C600C
.text C:\WINDOWS\system32\NOTEPAD.EXE[6092] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 008C800C
.text C:\WINDOWS\system32\NOTEPAD.EXE[6092] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 008C400C
.text C:\WINDOWS\system32\NOTEPAD.EXE[6092] USER32.dll!DdeConnect 7E4581C3 5 Bytes JMP 008CA00C
.text C:\WINDOWS\system32\NOTEPAD.EXE[6092] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 008C900C

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EA9040] sppy.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EA913C] sppy.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EA90BE] sppy.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EA97FC] sppy.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EA96D2] sppy.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EB9048] sppy.sys
IAT \SystemRoot\System32\Drivers\aqly4aig.SYS[HAL.dll!KfAcquireSpinLock] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\aqly4aig.SYS[HAL.dll!READ_PORT_UCHAR] 8D3F0304
IAT \SystemRoot\System32\Drivers\aqly4aig.SYS[HAL.dll!KeGetCurrentIrql] CB033043
IAT \SystemRoot\System32\Drivers\aqly4aig.SYS[HAL.dll!KfRaiseIrql] 0673C13B
IAT \SystemRoot\System32\Drivers\aqly4aig.SYS[HAL.dll!KfLowerIrql] C13B0003
IAT \SystemRoot\System32\Drivers\aqly4aig.SYS[HAL.dll!HalGetInterruptVector] 8366FA72
IAT \SystemRoot\System32\Drivers\aqly4aig.SYS[HAL.dll!HalTranslateBusAddress] 75000E7B
IAT \SystemRoot\System32\Drivers\aqly4aig.SYS[HAL.dll!KeStallExecutionProcessor] 0B7D80E3
IAT \SystemRoot\System32\Drivers\aqly4aig.SYS[HAL.dll!KfReleaseSpinLock] 307B8D00
IAT \SystemRoot\System32\Drivers\aqly4aig.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00AA840F
IAT \SystemRoot\System32\Drivers\aqly4aig.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\aqly4aig.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 6A000E7A
IAT \SystemRoot\System32\Drivers\aqly4aig.SYS[HAL.dll!WRITE_PORT_UCHAR] C6647400
IAT \SystemRoot\System32\Drivers\aqly4aig.SYS[WMILIB.SYS!WmiSystemControl] 4F8B0200
IAT \SystemRoot\System32\Drivers\aqly4aig.SYS[WMILIB.SYS!WmiCompleteRequest] 968D5140

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A7E11F8
Device \FileSystem\Fastfat \FatCdrom 89F24500
Device \Driver\sptd \Device\3242299220 sppy.sys
Device \Driver\Tcpip \Device\Ip fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\usbuhci \Device\USBPDO-0 8A5F21F8
Device \Driver\usbuhci \Device\USBPDO-1 8A5F21F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A8521F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A8521F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A8521F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A8521F8
Device \Driver\usbehci \Device\USBPDO-2 8A5FD500
Device \Driver\usbuhci \Device\USBPDO-3 8A5F21F8
Device \Driver\PCI_PNP2970 \Device\00000054 sppy.sys
Device \Driver\usbuhci \Device\USBPDO-4 8A5F21F8
Device \Driver\Tcpip \Device\Tcp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\usbuhci \Device\USBPDO-5 8A5F21F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{62B3E19C-1160-4139-9E2A-50FC77FA6EA9} 8A0A61F8
Device \Driver\usbehci \Device\USBPDO-6 8A5FD500
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A7E41F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A7E41F8
Device \Driver\Cdrom \Device\CdRom0 8A604500
Device \Driver\atapi \Device\Ide\IdePort0 [B7DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B7DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B7DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B7DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B7DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B7DFCB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom1 8A604500
Device \Driver\Cdrom \Device\CdRom2 8A604500
Device \Driver\Cdrom \Device\CdRom3 8A604500
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A0A61F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{E34710F4-CA8E-4849-A9B5-057E0271652A} 8A0A61F8
Device \Driver\NetBT \Device\NetbiosSmb 8A0A61F8
Device \Driver\Tcpip \Device\Udp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\RawIp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\usbuhci \Device\USBFDO-0 8A5F21F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{8B16B5E2-8206-4D12-A913-6E36CFC8FECC} 8A0A61F8
Device \Driver\usbuhci \Device\USBFDO-1 8A5F21F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89F401F8
Device \Driver\Tcpip \Device\IPMULTICAST fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\usbehci \Device\USBFDO-2 8A5FD500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89F401F8
Device \Driver\usbuhci \Device\USBFDO-3 8A5F21F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{272A0899-EBBC-4883-B1C3-296EF62F5EAE} 8A0A61F8
Device \Driver\usbuhci \Device\USBFDO-4 8A5F21F8
Device \Driver\Ftdisk \Device\FtControl 8A7E41F8
Device \Driver\usbuhci \Device\USBFDO-5 8A5F21F8
Device \Driver\usbehci \Device\USBFDO-6 8A5FD500
Device \Driver\aqly4aig \Device\Scsi\aqly4aig1Port5Path0Target0Lun0 8A600500
Device \Driver\JRAID \Device\Scsi\JRAID1Port4Path0Target0Lun0 8A7E21F8
Device \Driver\aqly4aig \Device\Scsi\aqly4aig1 8A600500
Device \Driver\aqly4aig \Device\Scsi\aqly4aig1Port5Path0Target1Lun0 8A600500
Device \Driver\JRAID \Device\Scsi\JRAID1 8A7E21F8
Device \Driver\aqly4aig \Device\Scsi\aqly4aig1Port5Path0Target2Lun0 8A600500
Device \FileSystem\Fastfat \Fat 89F24500

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 89F01500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0x4C 0xED 0x37 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\0[email protected] 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\0[email protected] 0x4A 0x8C 0x26 0x08 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf4[email protected] 0xA8 0x4E 0x0C 0x0D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0[email protected] 0x98 0x7D 0x57 0x3D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0[email protected] 0x8B 0x64 0x72 0x0B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0[email protected] 0x8B 0x64 0x72 0x0B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\[email protected] C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\[email protected] 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\[email protected] 0x4C 0xED 0x37 0x0E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\0[email protected] 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\0[email protected] 0x4A 0x8C 0x26 0x08 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0[email protected] 0xA8 0x4E 0x0C 0x0D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0[email protected] 0x98 0x7D 0x57 0x3D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0[email protected] 0x8B 0x64 0x72 0x0B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0[email protected] 0x8B 0x64 0x72 0x0B ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0995ED72-ACF0-2D5E-3F38-3D6F7DDBBECC}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A28E97D5-6D20-5F21-1381-D1AC0A27F670}

---- EOF - GMER 1.0.15 ----

#7
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

#8
Voland
    Member
  • Topic Starter
  • Member
  • 66 posts
ComboFix 09-11-18.01 - Owner 11/17/2009 12:46.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1529 [GMT -5:00]
Running from: C:\ComboFix.exe
AV: F-Secure Internet Security 2010 10.00 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Internet Security 2010 10.00 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm
C:\install.exe
G:\install.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SWAPM
-------\Legacy_WINDRIVER


((((((((((((((((((((((((( Files Created from 2009-10-17 to 2009-11-17 )))))))))))))))))))))))))))))))
.

2009-11-17 16:24 . 2006-07-05 12:55 43392 ----a-r- c:\windows\system32\drivers\jraid_2.sys
2009-11-17 16:24 . 2008-04-14 04:10 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-17 16:24 . 2008-04-14 04:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-17 16:15 . 2009-11-17 17:45 3565366 ----a-r- C:\ComboFix.exe
2009-11-17 00:48 . 2009-11-17 00:48 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2009-11-17 00:48 . 2009-11-17 16:53 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Google
2009-11-16 18:31 . 2009-11-16 18:31 291840 ----a-w- C:\7rc9409h.exe
2009-11-12 16:03 . 2009-11-12 16:03 -------- d-----w- c:\program files\Packet Tracer 5.1
2009-11-08 20:17 . 2009-11-12 22:47 -------- d-----w- c:\documents and settings\Owner\Tracing
2009-11-08 20:15 . 2009-11-08 20:15 -------- d-----w- c:\program files\Microsoft
2009-11-08 20:15 . 2009-11-08 20:15 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-08 19:48 . 2009-11-08 19:48 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-02 01:25 . 2009-11-02 01:25 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\TechSmith
2009-11-01 01:41 . 2009-11-01 01:41 -------- d-----w- c:\program files\ERUNT
2009-11-01 01:31 . 2009-11-01 01:31 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-01 01:31 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-01 01:31 . 2009-11-01 01:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 01:31 . 2009-11-01 01:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-01 01:31 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 15:31 . 2009-10-29 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-10-19 12:23 . 2009-10-19 12:23 10628032 ----a-w- c:\documents and settings\Owner\Application Data\Azureus\tmp\AZU3921346080206028608.tmp\Vuze_4.2.0.8b_win32.exe
2009-10-19 07:07 . 2009-10-19 07:07 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-19 07:01 . 2009-10-19 07:01 -------- d-sh--w- c:\documents and settings\Default User\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-17 16:18 . 2009-07-16 16:37 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2009-11-17 16:17 . 2009-09-26 18:58 -------- d-----w- c:\documents and settings\Owner\Application Data\IGN_DLM
2009-11-17 16:13 . 2009-01-09 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-11-17 16:13 . 2009-01-09 14:49 -------- d-----w- c:\program files\Electronic Arts
2009-11-17 15:41 . 2008-09-16 18:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-16 18:47 . 2008-10-20 14:14 -------- d-----w- c:\documents and settings\Owner\Application Data\MyScribe
2009-11-16 18:43 . 2008-11-29 19:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-16 18:20 . 2009-09-21 01:59 -------- d-----w- c:\program files\ProxyFirewall
2009-11-12 22:50 . 2008-12-16 06:51 -------- d-----w- c:\program files\World of Warcraft
2009-11-11 14:46 . 2008-10-28 13:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-08 20:14 . 2008-10-06 18:46 -------- d-----w- c:\program files\Windows Live
2009-11-04 18:06 . 2008-12-29 20:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Download Manager
2009-10-31 13:47 . 2008-09-16 16:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-29 15:32 . 2008-11-29 00:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-29 15:31 . 2009-06-08 19:10 -------- d-----w- c:\program files\NVIDIA Corporation
2009-10-29 15:16 . 2009-09-19 18:08 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-19 22:56 . 2008-09-26 15:54 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2009-10-19 17:09 . 2009-09-27 21:31 -------- d-----w- c:\program files\Hotspot Shield
2009-10-17 01:18 . 2009-10-03 17:51 -------- d-----w- c:\program files\iCall
2009-10-16 19:40 . 2009-10-16 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith
2009-10-14 13:08 . 2008-09-16 16:36 -------- d-----w- c:\program files\F-Secure Internet Security
2009-10-10 20:22 . 2008-11-07 14:20 -------- d-----w- c:\program files\Cheat Engine
2009-10-08 19:57 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 19:57 . 2004-08-12 13:25 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 19:56 . 2004-08-12 13:25 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-01 14:33 . 2009-10-01 14:33 -------- d-----w- c:\program files\Emicsoft Studio
2009-10-01 14:29 . 2009-10-07 23:00 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-30 12:19 . 2008-09-16 16:30 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-27 22:20 . 2009-09-27 22:20 2173544 ----a-w- c:\windows\system32\nvcplui.exe
2009-09-27 22:20 . 2009-09-27 22:20 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-09-27 22:19 . 2009-09-27 22:19 3166208 ----a-w- c:\windows\system32\nvwss.dll
2009-09-27 22:19 . 2009-09-27 22:19 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
2009-09-27 22:19 . 2009-09-27 22:19 3547136 ----a-w- c:\windows\system32\nvgames.dll
2009-09-27 22:19 . 2009-09-27 22:19 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-09-27 22:19 . 2009-09-27 22:19 1286144 ----a-w- c:\windows\system32\nvmobls.dll
2009-09-27 22:19 . 2009-09-27 22:19 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-09-27 22:19 . 2009-09-27 22:19 4935680 ----a-w- c:\windows\system32\nvdisps.dll
2009-09-27 22:19 . 2009-09-27 22:19 172100 ----a-w- c:\windows\system32\nvsvc32.exe
2009-09-27 22:19 . 2009-09-27 22:19 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-09-27 22:19 . 2009-09-27 22:19 13918208 ----a-w- c:\windows\system32\nvcpl.dll
2009-09-27 22:19 . 2009-09-27 22:19 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-09-27 21:32 . 2009-09-27 21:32 0 ----a-w- c:\windows\system32\cd.dat
2009-09-27 20:12 . 2009-09-27 20:12 1714792 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-09-27 20:12 . 2009-09-27 20:12 1604482 ----a-w- c:\windows\system32\nvdata.bin
2009-09-27 20:12 . 2009-02-09 05:18 2194024 ----a-w- c:\windows\system32\nvcuvid.dll
2009-09-27 20:12 . 2008-09-16 18:31 490088 ----a-w- c:\windows\system32\nvudisp.exe
2009-09-27 20:12 . 2008-09-16 17:03 5900416 ----a-w- c:\windows\system32\nv4_disp.dll
2009-09-27 20:12 . 2008-09-16 16:57 7655872 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-09-27 20:12 . 2008-05-16 18:01 888832 ----a-w- c:\windows\system32\nvapi.dll
2009-09-27 20:12 . 2008-05-16 18:01 2007040 ----a-w- c:\windows\system32\nvcuda.dll
2009-09-27 20:12 . 2008-05-16 18:01 170600 ----a-w- c:\windows\system32\nvcodins.dll
2009-09-27 20:12 . 2008-05-16 18:01 170600 ----a-w- c:\windows\system32\nvcod.dll
2009-09-27 20:12 . 2008-05-16 18:01 10756096 ----a-w- c:\windows\system32\nvoglnt.dll
2009-09-26 21:26 . 2009-09-26 21:26 -------- d-----w- c:\program files\NCsoft
2009-09-25 20:51 . 2009-09-25 20:51 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01009.Wdf
2009-09-25 20:51 . 2009-09-25 20:51 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2009-09-25 20:51 . 2008-10-01 19:13 -------- d-----w- c:\program files\Zune
2009-09-25 16:01 . 2008-11-29 00:55 -------- d-----w- c:\program files\Ventrilo1
2009-09-25 02:59 . 2009-09-25 02:59 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-09-24 13:24 . 2008-09-16 18:31 490088 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-09-21 17:19 . 2009-09-21 17:19 -------- d-----w- c:\program files\SystemRequirementsLab
2009-09-21 01:36 . 2009-09-21 01:36 -------- d-----w- c:\program files\SocksCapV2
2009-09-19 01:09 . 2008-09-16 16:46 -------- d-----w- c:\documents and settings\Owner\Application Data\F-Secure
2009-09-19 00:07 . 2008-10-31 10:59 33920 ----a-w- c:\windows\system32\drivers\fsbts.sys
2009-09-19 00:00 . 2008-09-16 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\fssg
2009-09-15 20:04 . 2009-09-27 21:31 37376 ----a-w- c:\windows\system32\drivers\hssdrv.sys
2009-09-15 20:04 . 2009-09-15 20:04 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2009-09-11 14:18 . 2004-08-12 13:23 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 02:43 . 2008-09-16 16:19 74656 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-04 21:44 . 2009-09-19 18:29 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 21:44 . 2009-09-19 18:29 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 21:44 . 2009-09-19 18:29 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 21:29 . 2009-09-19 18:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 21:29 . 2009-09-19 18:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 21:29 . 2009-09-19 18:29 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 21:29 . 2009-09-19 18:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 21:29 . 2009-09-19 18:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-09-04 21:03 . 2004-08-12 13:22 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 17:17 . 2009-09-04 17:17 447216 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
2009-09-04 17:16 . 2009-09-04 17:16 58592 ----a-w- c:\windows\system32\ZuneBusEnum.exe
2009-09-04 16:39 . 2009-09-04 16:39 167648 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-02 04:28 . 2009-09-02 04:28 40832 ----a-w- c:\windows\system32\drivers\zumbus.sys
2009-08-29 08:08 . 2004-08-12 13:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-12 13:30 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-10-19 17:07 204248 ----a-w- c:\program files\Hotspot Shield\HssIE\HssIE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 22:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 22:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 22:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 22:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 22:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 22:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 22:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 22:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 22:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-18 843776]
"JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-06-02 385024]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-05-11 151552]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-8-29 25214]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-10-1 221247]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
backup=c:\windows\pss\Privoxy.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spywareguard

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\iCall\\iCall.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [10/31/2008 5:59 AM 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [9/16/2008 11:37 AM 80000]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure Internet Security\HIPS\drivers\fshs.sys [9/16/2008 11:36 AM 68064]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [9/16/2008 11:36 AM 101496]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure Internet Security\ORSP Client\fsorsp.exe [9/16/2008 11:36 AM 55928]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 5:06 AM 21632]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure Internet Security\Anti-Virus\win2k\fsfilter.sys [9/16/2008 11:36 AM 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure Internet Security\Anti-Virus\win2k\fsrec.sys [9/16/2008 11:36 AM 25184]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-17 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\F-SECU~1\ANTI-V~1\fsav.exe [2008-09-16 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.devryu.net/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
Trusted Zone: wachovia.com\onlinebanking2
TCP: {8B16B5E2-8206-4D12-A913-6E36CFC8FECC} = 10.16.112.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\5inukvb5.default\
FF - prefs.js: browser.startup.homepage - hxxp://comments-submit.nasa.gov/commenting/Comment.do?location=http://polls.nasa.gov/voteform.html&siteID=245486071&username=guest&[email protected]&comment=XENU
FF - component: c:\program files\F-Secure Internet Security\NRS\[email protected]\components\litmus-ff.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-nwiz - c:\program files\NVIDIA Corporation\nView\nwiz.exe
SafeBoot-86f9b8df.sys
AddRemove-NVIDIA nView Desktop Manager - c:\program files\NVIDIA Corporation\nView\nViewSetup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-17 13:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-602162358-1284227242-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0995ED72-ACF0-2D5E-3F38-3D6F7DDBBECC}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-602162358-1284227242-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A28E97D5-6D20-5F21-1381-D1AC0A27F670}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-602162358-1284227242-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:59,59,9a,25,8b,72,19,4d,3e,99,03,f1,31,bc,a2,8e,92,77,cd,88,af,26,6e,
0a,05,bd,8b,b1,67,f3,29,63,30,85,06,3a,b0,c5,a1,ce,5f,1d,7a,fe,7a,1e,dd,83,\
"??"=hex:aa,d3,ad,10,3e,21,e1,5a,ee,a5,d7,2f,8a,be,03,83
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(160)
c:\program files\f-secure internet security\hips\fshook32.dll

- - - - - - - > 'lsass.exe'(244)
c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
c:\program files\f-secure internet security\hips\fshook32.dll

- - - - - - - > 'explorer.exe'(4016)
c:\windows\system32\WININET.dll
c:\program files\f-secure internet security\hips\fshook32.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
c:\program files\F-Secure Internet Security\Common\FSMA32.EXE
c:\program files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\F-Secure Internet Security\Common\FSHDLL32.EXE
c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\NVIDIA Corporation\System Update\UpdateCenterService.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
c:\program files\F-Secure Internet Security\Anti-Virus\fssm32.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\F-Secure Internet Security\Anti-Virus\fsav32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
.
**************************************************************************
.
Completion time: 2009-11-17 13:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-17 18:00

Pre-Run: 226,704,756,736 bytes free
Post-Run: 226,645,127,168 bytes free

- - End Of File - - 83961F7D5B0B90ABF5918C835FA312A7



Wow, all that time and it only found a few things. Where do we go from here? Also, I couldn't get F-Secure to completely shut down no matter what I did, so oh well.
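As an added triage example (not from this thread or from ComboFix itself), a small Python helper that parses the "DLLs Loaded Under Running Processes" and "Other Running Processes" sections of a ComboFix log like the one above and flags image paths outside the usual Windows and Program Files roots. The sample log lines are constructed, the temp-folder DLL is invented, and the trusted-prefix list is a simplifying assumption.

```python
import re

# Constructed sample in the layout ComboFix uses for these two sections;
# paths modelled on the log above, the temp-folder DLL is invented.
SAMPLE_LOG = """\
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(160)
c:\\program files\\f-secure internet security\\hips\\fshook32.dll

- - - - - - - > 'explorer.exe'(4016)
c:\\windows\\system32\\WININET.dll
c:\\docume~1\\owner\\locals~1\\temp\\loader.dll
------------------------ Other Running Processes ------------------------
c:\\windows\\system32\\nvsvc32.exe
c:\\program files\\TortoiseSVN\\bin\\TSVNCache.exe
"""

SECTION_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")       # "--- Name ---"
PROCESS_RE = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)$")  # "- - > 'x.exe'(pid)"
PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)          # drive-letter path
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")  # assumption: expected roots


def parse_combofix(text):
    """Return (dlls, processes): dlls maps (exe, pid) -> loaded DLL paths."""
    dlls, processes, section, current = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:                                   # new section header
            section, current = m.group(1).lower(), None
        elif section and section.startswith("dlls loaded"):
            m = PROCESS_RE.match(line)
            if m:                               # per-process sub-header
                current = (m.group(1), int(m.group(2)))
                dlls.setdefault(current, [])
            elif current and PATH_RE.match(line):
                dlls[current].append(line)
        elif section == "other running processes" and PATH_RE.match(line):
            processes.append(line)
    return dlls, processes


def untrusted_paths(dlls, processes, trusted=TRUSTED_PREFIXES):
    """Flag image paths outside the trusted roots (case-insensitive)."""
    items = [(f"{exe}({pid})", p) for (exe, pid), ps in dlls.items() for p in ps]
    items += [("process", p) for p in processes]
    return [(owner, p) for owner, p in items if not p.lower().startswith(trusted)]
```

A hit here only means "unusual location"; a reviewer still confirms the file by hash and signature before treating it as malicious.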

#9 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
No problem; how are things running?

#10 Voland (Topic Starter, Member, 66 posts)
What do you mean, no problem? Are you telling me that there is absolutely nothing remotely suspicious or dodgy about any of these extremely extensive logs?

Things run just fine...

Except for the fact that every time I set my SATA config to RAID I get a blue screen...

I want to restore my data redundancy. If whatever nasty zalgo virus I had is gone or undetectable, something is still preventing me from booting C in a RAID 1 configuration and then running a rebuild on the G drive.

This all started when I went on anonib, which has loads of trojans on it, but most of which never gave anybody I know any problems before. F-Secure views it as a safe site despite the fact that you are guaranteed a free trojan upon entering the domain.
#11 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
I was saying that in response to this, which you said:

also I couldn't get F-Secure to completely shut down no matter what I did so oh well.


I do not see any malware left on your system.

Except for the fact that every time I set my SATA config to RAID I get a blue screen...

Are you trying to do this with an existing installation, meaning the Windows that you are using now?

#12 Voland (Topic Starter, Member, 66 posts)
Well yes...

In the past, before the problems happened, I could easily go into the BIOS and change my 2 HDs from a RAID 1 array to 2 separate IDE drives so I could have extra storage space. Then, when I saw fit to restore them to RAID 1, I would set them to RAID instead of IDE, and after booting I would right-click Matrix Data Storage on my action bar and click Rebuild; it would then take maybe 5 hrs to completely rebuild the degraded second drive so that it was a mirror copy.


Whatever this virus did, it is either still on my computer or it messed up the system's ability to use RAID as a SATA setting.

#13 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
I can tell you that your system is clean; there is no other malware present.

Doing what you are doing can cause blue screens.
RAID isn't meant to be done like that. Typically you install a RAID set when you install Windows and leave it,
not while Windows is running.

But either way this issue can be resolved in another forum that deals with it.
You can start a new topic here in this forum: http://www.geekstogo...2003-NT-f5.html
==========
=======Cleanup=======
  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
======Next======
  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 17...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.
======================Clear out infected System Restore points======================


Then we need to reset your System Restore points.
The link below shows how to do this.
How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingc...143.html#manual

Delete\uninstall anything else that we have used that is leftover.

=====================================
After that you're all set. :)


The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow - A tutorial on what you can do if your computer is slow.

File sharing program dangers - Reasons to stay away from file sharing programs, for example BitTorrent, Limewire, Kazaa, eMule, uTorrent, etc...

#14 Voland (Topic Starter, Member, 66 posts)
Wait, what does this have to do with anything?

Also, SATA drives ARE designed to be reconfigured on the fly. The Matrix Storage Manager is what you're referring to; it can't be uninstalled without reformatting and is installed with Windows.

I bought the SATA drives because of the versatility of being able to change them around without issues.

Why are you asking me to redo what you told me to do to remove malware if you say there is none?


I am not going to run anything that includes the word uninstall until you tell me EXACTLY what is being uninstalled...

#15 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Sir, I am not asking you to undo anything. ComboFix needs to be uninstalled to remove the threats it found and the files it drops to clean the machine.
This is no longer a malware issue and you need to post in the other forum as instructed above.
System Restore needs to be turned off, then back on again; do not do a system restore.
Please make sure to read what I post.

Doing the above steps gets your system up to date, then moves you on to the other forum.