
Suspected Trojan


  • Please log in to reply

#16 Cold Titanium (Trusted Helper, Malware Removal, 1,735 posts)
Did you put these here? (Note: I couldn't care less what they are. I just want to make sure they aren't infected)

C:\Documents and Settings\Owner\Desktop\www.fooxy.com_02.mpg
C:\Documents and Settings\Owner\Desktop\01.wmv


Run all this and tell me if you are still having problems


Step #1

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    FF - prefs.js..browser.search.defaultengine: "Ask.com"
    FF - prefs.js..browser.search.defaultenginename: "Ask.com"
    FF - prefs.js..browser.search.order.1: "Ask.com"
    FF - prefs.js..browser.search.selectedEngine: "Ask.com"
    [2010/06/29 16:03:58 | 000,002,425 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g18onkhq.default\searchplugins\askcom.xml
    File not found (No name found) -- C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\G18ONKHQ.DEFAULT\EXTENSIONS\[email protected]
    O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
    O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
    O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
    F3 - HKCU WinNT: Load - () - File not found
    F3 - HKCU WinNT: Run - () - File not found
    O29 - HKLM SecurityProviders - (digeste.dll) - File not found
    O33 - MountPoints2\{55ab965b-980d-11da-921b-806d6172696f}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
    O33 - MountPoints2\{f94ae581-9805-11da-b621-806d6172696f}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
    O33 - MountPoints2\D\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
    MsConfig - StartUpReg: Hsawokitubalikoq - hkey= - key= - File not found
    [2011/05/14 20:57:15 | 000,000,000 | ---D | C] -- C:\Program Files\Ask.com
    [2011/05/14 20:56:06 | 000,014,254 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\qw0j6rj2eh126b41tbg4561cs4qy0b8ai286q3u8rph5
    [2011/05/14 20:56:06 | 000,014,254 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\qw0j6rj2eh126b41tbg4561cs4qy0b8ai286q3u8rph5
    [2011/05/10 20:58:57 | 000,000,208 | -HS- | M] () -- C:\WINDOWS\setup_9.0.0.722_10.05.2011_23-44drv.spi
    [2011/05/10 18:23:20 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Dqudebaxitiv.dat
    [2011/05/10 12:33:20 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Kvenoqud.bin
    @Alternate Data Stream - 1333 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:FALBaEW5VBVdSc3MgQp0NqNmLfc
    @Alternate Data Stream - 1331 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:KHRbNayPN9qMiv8unsOV1vEs
    @Alternate Data Stream - 1299 bytes -> C:\Program Files\Common Files\Microsoft Shared:7zdMWE4a2FF0T79VFetKj3S9
    @Alternate Data Stream - 1264 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:2AfbUooKmSk00Oa5eXnD0InqG
    @Alternate Data Stream - 1258 bytes -> C:\Program Files\Common Files\System:Lucm28Ug5upzRvxprJOE
    @Alternate Data Stream - 1242 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:hf3NxUKJRZPBfremE
    @Alternate Data Stream - 1226 bytes -> C:\Documents and Settings\Owner\Local Settings\Application Data\6gQ9gkcse:QsIUr4NjTbFoOG3lN
    @Alternate Data Stream - 1225 bytes -> C:\Documents and Settings\Owner\Local Settings\Application Data\6Pv3Ywnb:d0TE8h8aXsIQ47BkvGFhjNw
    @Alternate Data Stream - 1215 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:uup9kfxfHHOEiNvH1C4r6aR9Q
    @Alternate Data Stream - 1215 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:smbGWmk4j8dU8pnBiIVJWo
    @Alternate Data Stream - 1209 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:IPe7FVclDGsgCtQ9Mt6sYTa2zzu
    @Alternate Data Stream - 1203 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:n9Z2QUOg9Ggz0JaELnO0WxEEO
    @Alternate Data Stream - 1184 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:AQDxTi4UD72gR8aUfxbpX1Df
    @Alternate Data Stream - 1161 bytes -> C:\Program Files\WindowsUpdate:rK9WpcDj4LMB2iRF02lLHFsCD
    @Alternate Data Stream - 1154 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:5fntgWxAbHQbrbjAYSslr7Q
    @Alternate Data Stream - 1143 bytes -> C:\Program Files\Common Files\Microsoft Shared:cHzRzdGjzH1BCpo22eOlKHlyFQS
    @Alternate Data Stream - 1113 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:lqzAt1YXfUtWNEVWMYDxKpyNhh5
    @Alternate Data Stream - 1111 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:zAnjZntUxoPQtDlNqMh14KBC
    @Alternate Data Stream - 1106 bytes -> C:\Documents and Settings\Owner\Cookies:IbjSD4byQVhbp0j1TAZRqvGkL
    
    :Commands
    [purity]
    [RESETHOSTS]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Step #2


Please download Malwarebytes' Anti-Malware

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I'd like to see OTL.txt and the MBAM log in your next reply...
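As an added example (not part of the original thread, and not OldTimer's or Malwarebytes' code), the Python below parses OTL-format lines of the kind the fix above targets and flags the patterns that made them candidates for removal: autostart entries that point at missing files, MountPoints2 AutoRun handlers, hidden+system files with no publisher, machine-generated file and stream names, unsigned files sitting directly in C:\WINDOWS, and alternate data streams hung on directories. The regular expressions are assumptions about OTL's line format, inferred only from the lines quoted in this thread; the sample input is copied from the fix script above. Running it prints one count per finding category.

```python
"""Triage helper for OTL-style log lines (added example; the line format is inferred from this thread)."""
import re
from dataclasses import dataclass

# File/process/service/driver entry: optional "PRC - " style prefix, then
# [date time | size | attributes | M/C] (company) [service flags]* -- path [-- (service name)]
ENTRY_RE = re.compile(
    r"^(?:(?P<kind>PRC|MOD|SRV|DRV) - )?"
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[A-Z-]{4}) \| (?P<flag>[MC])\] \((?P<company>[^)]*)\)"
    r"(?: \[[^\]]*\])* -- (?P<path>.+?)(?: -- \((?P<svc>[^)]*)\))?$"
)
# NTFS alternate data stream: the stream name follows the LAST colon in the line.
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<host>.+):(?P<stream>[^:\\]+)$")
# Per-volume AutoRun handler stored under MountPoints2.
MOUNT_RE = re.compile(r'^O33 - MountPoints2\\(?P<key>[^\\]+)\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$')
# Long run of letters/digits with no extension: typical of generated malware names.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{16,}$")


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str
    line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage_line(line: str) -> list[Finding]:
    """Return zero or more findings for one OTL log line."""
    line = line.strip()
    findings: list[Finding] = []
    if not line:
        return findings
    m = MOUNT_RE.match(line)
    if m:
        findings.append(Finding("autorun-handler", f"MountPoints2 {m['key']} runs: {m['cmd']}", line))
        return findings
    m = ADS_RE.match(line)
    if m:
        what = "directory" if "." not in _basename(m["host"]) else "file"
        findings.append(Finding("alternate-data-stream",
                                f"{m['size']}-byte stream '{m['stream']}' on {what} {m['host']}", line))
        if RANDOM_NAME_RE.match(m["stream"]):
            findings.append(Finding("random-name", f"stream name looks machine-generated: {m['stream']}", line))
        return findings
    if line.endswith("File not found"):
        findings.append(Finding("dangling-reference", "autostart/registry entry points at a missing file", line))
        return findings
    m = ENTRY_RE.match(line)
    if m:
        path, company = m["path"], m["company"].strip()
        name = _basename(path)
        parent = path.rsplit("\\", 1)[0].upper()
        if "H" in m["attr"] and "S" in m["attr"] and not company:
            findings.append(Finding("hidden-unsigned", f"hidden+system file with no publisher: {path}", line))
        if RANDOM_NAME_RE.match(name):
            findings.append(Finding("random-name", f"file name looks machine-generated: {name}", line))
        if parent == r"C:\WINDOWS" and not company:
            findings.append(Finding("unsigned-in-systemroot", f"no publisher, directly in %SystemRoot%: {path}", line))
    return findings


def triage(log_text: str) -> list[Finding]:
    out: list[Finding] = []
    for line in log_text.splitlines():
        out.extend(triage_line(line))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Sample input: lines copied from the OTL fix script in this thread (one clean OTL.exe line added as a control).
SAMPLE = r"""
PRC - [2011/05/13 10:14:04 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\Geeks2Go\OTL.exe
O29 - HKLM SecurityProviders - (digeste.dll) - File not found
O33 - MountPoints2\D\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
MsConfig - StartUpReg: Hsawokitubalikoq - hkey= - key= - File not found
[2011/05/14 20:56:06 | 000,014,254 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\qw0j6rj2eh126b41tbg4561cs4qy0b8ai286q3u8rph5
[2011/05/10 18:23:20 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Dqudebaxitiv.dat
@Alternate Data Stream - 1333 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:FALBaEW5VBVdSc3MgQp0NqNmLfc
@Alternate Data Stream - 1106 bytes -> C:\Documents and Settings\Owner\Cookies:IbjSD4byQVhbp0j1TAZRqvGkL
"""

if __name__ == "__main__":
    found = triage(SAMPLE)
    for f in found:
        print(f"{f.category:24} {f.detail}")
    print(summarize(found))
```

The heuristics are deliberately conservative: the clean OTL.exe line produces no finding, while the hidden, publisher-less, randomly named file produces two, which is the combination a helper reads as a strong removal candidate. None of these rules prove infection on their own; they order a long log so that the lines worth a second look come first.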

#17 Anderwolf (Topic Starter, Member, 89 posts)
Hello again. Yes, I put those files there; they are fine. Also wanted to mention that while doing the MBAM scan, the "objects scanned" jumped from around 19,000 to 40,000 instantly. Not sure if that is important or not, just thought I would mention it. I am still getting some weird error messages when I boot up the computer about the missing files with square boxes in the names. I'll try to get a copy of the messages for you. Otherwise it seems to be working OK so far. Anyway, here are the new logs:

OTL logfile created on: 5/25/2011 08:20:27 PM - Run 3
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Owner\Desktop\Geeks2Go
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 64.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 228.79 Gb Total Space | 11.33 Gb Free Space | 4.95% Space Free | Partition Type: NTFS
Drive D: | 4.09 Gb Total Space | 2.00 Gb Free Space | 49.00% Space Free | Partition Type: FAT32
Drive E: | 592.42 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 6.60 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: ANDERWOLF | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/13 10:14:04 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\Geeks2Go\OTL.exe
PRC - [2011/05/02 12:13:47 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/11/21 15:35:16 | 000,494,592 | ---- | M] (CPUID) -- C:\Program Files\CPUID\PC Wizard 2010\pcwizard.dll
PRC - [2008/12/03 23:12:16 | 000,077,824 | ---- | M] (Digidesign, A Division of Avid Technology, Inc.) -- C:\Program Files\Digidesign\Drivers\MMERefresh.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/10/11 12:09:16 | 000,364,544 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Software\Panda Internet Security 2007\apvxdwin.exe
PRC - [2006/10/09 16:15:38 | 000,348,160 | ---- | M] (Panda Software) -- C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
PRC - [2006/08/08 18:26:18 | 000,151,552 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Software\Panda Internet Security 2007\PAVSRV51.EXE
PRC - [2006/08/08 18:25:32 | 000,106,496 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
PRC - [2006/08/02 14:05:54 | 000,811,008 | ---- | M] (Panda Software International) -- c:\Program Files\Panda Software\Panda Internet Security 2007\FIREWALL\PNmSrv.exe
PRC - [2006/07/25 18:03:42 | 002,119,360 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE
PRC - [2006/07/25 18:03:42 | 000,149,184 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
PRC - [2006/07/25 18:03:42 | 000,100,032 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
PRC - [2006/07/21 12:22:32 | 000,159,744 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Software\Panda Internet Security 2007\PAVFNSVR.EXE
PRC - [2006/07/04 14:25:34 | 000,102,400 | ---- | M] (Panda Software) -- C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
PRC - [2006/06/29 11:04:42 | 000,069,632 | ---- | M] (Panda Software International) -- c:\Program Files\Panda Software\Panda Internet Security 2007\WebProxy.exe
PRC - [2006/03/31 14:50:52 | 000,411,096 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
PRC - [2006/02/07 13:38:01 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
PRC - [2006/01/31 16:42:04 | 000,073,728 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Software\Panda Internet Security 2007\SrvLoad.exe
PRC - [2005/07/25 02:02:22 | 000,032,768 | ---- | M] (Panda Software) -- C:\Program Files\Common Files\Panda Software\PavShld\PavPrSrv.exe
PRC - [2005/01/22 18:42:16 | 000,440,832 | ---- | M] (Stardock Systems, Inc) -- C:\Program Files\AlienGUIse\wbload.exe
PRC - [2005/01/19 17:34:16 | 000,128,000 | ---- | M] ( ) -- C:\Program Files\CursorXP\CursorXP.exe
PRC - [2002/12/17 18:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe


========== Modules (SafeList) ==========

MOD - [2011/05/13 10:14:04 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\Geeks2Go\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2006/03/06 18:08:00 | 000,102,400 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Software\Panda Internet Security 2007\pavoepl.dll
MOD - [2005/01/24 21:48:46 | 000,498,232 | ---- | M] (Stardock.Net, Inc) -- C:\Program Files\AlienGUIse\wblind.dll
MOD - [2005/01/19 17:34:24 | 000,014,848 | ---- | M] ( ) -- C:\Program Files\CursorXP\CurXP0.dll
MOD - [2004/09/18 15:37:00 | 000,028,740 | ---- | M] (Stardock.Net, Inc) -- C:\Program Files\AlienGUIse\wbhelp.dll
MOD - [2000/04/03 18:33:36 | 000,028,160 | ---- | M] (Neil Banfield) -- C:\Program Files\AlienGUIse\anim.dll


========== Win32 Services (SafeList) ==========

SRV - [2008/12/03 23:12:16 | 000,077,824 | ---- | M] (Digidesign, A Division of Avid Technology, Inc.) [Auto | Running] -- C:\Program Files\Digidesign\Drivers\MMERefresh.exe -- (DigiRefresh)
SRV - [2008/12/03 22:25:10 | 000,159,744 | ---- | M] (Digidesign, A Division of Avid Technology, Inc.) [On_Demand | Stopped] -- C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe -- (digiSPTIService)
SRV - [2006/10/09 16:15:38 | 000,348,160 | ---- | M] (Panda Software) [Auto | Running] -- C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe -- (TPSrv)
SRV - [2006/08/08 18:26:18 | 000,151,552 | ---- | M] (Panda Software International) [Auto | Running] -- C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe -- (PAVSRV)
SRV - [2006/08/02 14:05:54 | 000,811,008 | ---- | M] (Panda Software International) [Auto | Running] -- c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE -- (PNMSRV)
SRV - [2006/07/25 18:03:42 | 002,119,360 | ---- | M] (Symantec Corporation) [On_Demand | Running] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate)
SRV - [2006/07/25 18:03:42 | 000,100,032 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)
SRV - [2006/07/21 12:22:32 | 000,159,744 | ---- | M] (Panda Software International) [Auto | Running] -- C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe -- (PAVFNSVR)
SRV - [2006/07/04 14:25:34 | 000,102,400 | ---- | M] (Panda Software) [Auto | Running] -- C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe -- (PSIMSVC)
SRV - [2006/03/31 14:50:52 | 000,411,096 | ---- | M] (Panda Software International) [Auto | Running] -- C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe -- (pmshellsrv)
SRV - [2006/02/07 13:38:01 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Running] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2005/07/25 02:02:22 | 000,032,768 | ---- | M] (Panda Software) [Auto | Running] -- C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe -- (PavPrSrv)
SRV - [2002/12/17 18:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -- (MSSQL$SONY_MEDIAMGR)
SRV - [2002/12/17 18:23:30 | 000,311,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -- (SQLAgent$SONY_MEDIAMGR)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (ComFiltr)
DRV - File not found [File_System | On_Demand | Running] -- -- (AvFlt)
DRV - [2010/09/30 11:19:11 | 000,054,328 | ---- | M] (PACE Anti-Piracy, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iLokDrvr.sys -- (iLokDrvr)
DRV - [2010/07/09 12:18:56 | 000,020,328 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Running] -- C:\Program Files\CPUID\PC Wizard 2010\pcwiz_x32.sys -- (cpuz134)
DRV - [2009/12/23 11:32:26 | 000,086,016 | ---- | M] (PACE Anti-Piracy, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\TPkd.sys -- (TPkd)
DRV - [2009/08/22 13:25:00 | 000,009,088 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys -- (RivaTuner32)
DRV - [2009/01/31 12:47:36 | 000,163,712 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\vidstub.sys -- (BootScreen)
DRV - [2009/01/29 23:22:46 | 000,137,992 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PnkBstrK.sys -- (PnkBstrK)
DRV - [2008/12/04 03:02:08 | 000,021,904 | ---- | M] (Digidesign, A Division of Avid Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbx2midk.sys -- (MBX2MIDK)
DRV - [2008/12/04 03:02:04 | 000,021,648 | ---- | M] (Digidesign, A Division of Avid Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbx2dfu.sys -- (MBX2DFU)
DRV - [2008/12/04 03:02:02 | 000,016,400 | ---- | M] (Digidesign, A Division of Avid Technology, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\diginet.sys -- (DigiNet)
DRV - [2008/12/04 03:01:50 | 000,097,808 | ---- | M] (Digidesign, A Division of Avid Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Dalwdm.sys -- (dalwdmservice)
DRV - [2008/05/14 21:48:17 | 003,098,112 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/12/20 03:31:12 | 000,278,984 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt)
DRV - [2007/09/06 14:55:18 | 000,025,416 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2007/09/06 14:42:55 | 000,685,816 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2007/05/27 00:44:32 | 000,025,544 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2007/02/25 21:55:19 | 000,076,560 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2007/01/20 02:11:07 | 000,031,644 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2006/10/10 16:02:46 | 000,141,312 | ---- | M] (Panda Software International) [NDIS Layer] [Kernel | Boot | Running] -- C:\WINDOWS\system32\Drivers\NETFLT.SYS -- (netflt)
DRV - [2006/09/28 15:58:26 | 000,016,256 | ---- | M] (Panda Software International) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\wnmflt.sys -- (WNMFLT)
DRV - [2006/08/24 22:47:00 | 000,002,560 | ---- | M] (Sonic Solutions) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2006/08/24 22:47:00 | 000,002,432 | ---- | M] (Sonic Solutions) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2006/08/03 16:37:56 | 000,044,544 | ---- | M] (Panda Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\APPFLT.SYS -- (APPFLT)
DRV - [2006/08/02 14:15:48 | 000,023,296 | ---- | M] (Panda Software International) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\smsflt.sys -- (SMSFLT)
DRV - [2006/08/02 14:10:18 | 000,185,472 | ---- | M] (Panda Software International) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\idsflt.sys -- (IDSFLT)
DRV - [2006/08/02 14:08:48 | 000,036,864 | ---- | M] (Panda Software International) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dsaflt.sys -- (DSAFLT)
DRV - [2006/07/01 23:39:40 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2006/06/29 22:50:46 | 000,009,216 | ---- | M] (Panda Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fnetmon.sys -- (FNETMON)
DRV - [2006/05/11 22:26:48 | 000,103,936 | ---- | M] (Panda Software) [TDI Layer] [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\netfltdi.sys -- (NETFLTDI)
DRV - [2006/04/25 10:02:48 | 000,165,120 | ---- | M] (Panda Software) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PavProc.sys -- (PavProc)
DRV - [2006/03/27 18:53:28 | 000,167,808 | ---- | M] (NETGEAR Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wg111v2.sys -- (RTLWUSB)
DRV - [2006/02/22 03:43:34 | 000,071,552 | ---- | M] (Panda Software International) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\pavdrv51.sys -- (PAVDRV)
DRV - [2005/09/26 18:07:00 | 003,644,800 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/08/29 07:23:30 | 000,026,752 | ---- | M] (Panda Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\ShldDrv.sys -- (ShldDrv)
DRV - [2005/08/12 14:36:56 | 000,016,640 | ---- | M] (Panda Software) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\cpoint.sys -- (cpoint)
DRV - [2005/07/29 20:11:04 | 000,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/07/29 20:11:02 | 000,034,048 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/03/17 11:51:16 | 001,033,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/03/17 11:50:36 | 000,221,440 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2005/03/17 11:50:32 | 000,705,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/20 20:02:00 | 000,012,544 | R--- | M] (KORG Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\KORGUMDS.SYS -- (KORGUMDS)
DRV - [2003/01/10 16:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/17 15:49:32 | 000,019,968 | ---- | M] (Macronix International Co., Ltd. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxnic.sys -- (mxnic)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: ""
FF - prefs.js..browser.search.defaultenginename: ""
FF - prefs.js..browser.search.defaulturl: "http://slirsredirect...fftrie7&query="
FF - prefs.js..browser.search.order.1: ""
FF - prefs.js..browser.search.selectedEngine: ""
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "google.com"
FF - prefs.js..extensions.enabledItems: {c2f863cd-0429-48c7-bb54-db756a951760}:5.20.1.1
FF - prefs.js..extensions.enabledItems: {0545b830-f0aa-4d7e-8820-50a4629a56fe}:4.6.5
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0.071303000006
FF - prefs.js..extensions.enabledItems: {45501068-1DB2-4B37-A104-9C301A4F02A4}:1.9.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:3.6.7
FF - prefs.js..extensions.enabledItems: {7694c49c-9fbd-11dc-8314-0800200c9a66}:3.6.7

FF - HKLM\software\mozilla\Firefox\extensions\\{45501068-1DB2-4B37-A104-9C301A4F02A4}: C:\Documents and Settings\Owner\Local Settings\Application Data\{45501068-1DB2-4B37-A104-9C301A4F02A4} [2010/01/15 00:58:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/02 12:13:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/14 00:02:40 | 000,000,000 | ---D | M]

[2010/05/25 13:59:42 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/05/25 13:59:42 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\[email protected]
[2011/05/15 10:30:45 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g18onkhq.default\extensions
[2010/07/23 11:31:24 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g18onkhq.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/01/22 10:27:32 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g18onkhq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2011/03/10 00:48:09 | 000,000,000 | ---D | M] (Aquatint Black) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g18onkhq.default\extensions\{7694c49c-9fbd-11dc-8314-0800200c9a66}
[2011/03/10 00:48:16 | 000,000,000 | ---D | M] (Virtus Search Opt-in) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g18onkhq.default\extensions\[email protected]
[2009/11/17 13:58:08 | 000,000,000 | ---D | M] (Move Media Player) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g18onkhq.default\extensions\[email protected]
[2011/03/10 00:48:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g18onkhq.default\extensions\[email protected]\chrome
[2011/03/10 00:48:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g18onkhq.default\extensions\[email protected]\defaults
[2011/03/10 00:48:10 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g18onkhq.default\extensions\{7694c49c-9fbd-11dc-8314-0800200c9a66}\chrome\win\mozapps\extensions
[2009/03/23 17:53:46 | 000,001,739 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g18onkhq.default\searchplugins\aim-search.xml
[2011/03/25 20:14:56 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2007/06/09 16:08:37 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/05/02 16:25:21 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/07/30 16:23:00 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
File not found (No name found) --
() (No name found) -- C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\G18ONKHQ.DEFAULT\EXTENSIONS\{0545B830-F0AA-4D7E-8820-50A4629A56FE}.XPI
File not found (No name found) -- C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\G18ONKHQ.DEFAULT\EXTENSIONS\[email protected]
[2009/08/05 16:07:49 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/05/02 12:13:46 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/08/09 02:11:22 | 010,437,264 | ---- | M] (PDFTron Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\PDFNetC.dll
[2009/08/09 02:30:36 | 000,107,760 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\ScorchPDFWrapper.dll
[2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/05/25 19:47:47 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKLM..\Run: [APVXDWIN] C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE (Panda Software International)
O4 - HKLM..\Run: [BootSkin Startup Jobs] C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe ()
O4 - HKLM..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe (Digidesign, A Division of Avid Technology, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [RivaTunerStartupDaemon] C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe ()
O4 - HKLM..\Run: [SCANINICIO] C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe (Panda Software International)
O4 - HKLM..\Run: [SunJavaUpdateSched] File not found
O4 - HKCU..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe ( )
O4 - HKCU..\Run: [DAEMON Tools Pro Agent] C:\Program Files\DAEMON Tools Pro\DTProAgent.exe (DT Soft Ltd.)
F3 - HKCU WinNT: Load - () - File not found
F3 - HKCU WinNT: Run - () - File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_21.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - c:\program files\panda software\panda internet security 2007\pavlsp.dll (Panda Software International)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - c:\program files\panda software\panda internet security 2007\pavlsp.dll (Panda Software International)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - c:\program files\panda software\panda internet security 2007\pavlsp.dll (Panda Software International)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - c:\program files\panda software\panda internet security 2007\pavlsp.dll (Panda Software International)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.t...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} http://acs.pandasoft...free/asinst.cab (ActiveScan Installer Class)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.196.64.53 68.113.206.10 24.178.162.3
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avldr: DllName - avldr.dll - C:\WINDOWS\System32\avldr.dll (Panda Software)
O20 - Winlogon\Notify\WB: DllName - C:\PROGRA~1\ALIENG~1\fastload.dll - C:\Program Files\AlienGUIse\fastload.dll (Stardock)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/01/09 20:13:09 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/09/13 12:15:24 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [1997/09/30 13:25:44 | 000,173,568 | R--- | M] (EA Sports ) - E:\AUTORUN.EXE -- [ CDFS ]
O32 - AutoRun File - [1997/09/14 15:41:28 | 000,000,054 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O32 - AutoRun File - [2011/04/19 13:09:27 | 000,000,059 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{314c8792-b0e2-11dc-b9ad-0015583757e9}\Shell - "" = AutoRun
O33 - MountPoints2\{314c8792-b0e2-11dc-b9ad-0015583757e9}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{314c8792-b0e2-11dc-b9ad-0015583757e9}\Shell\AutoRun\command - "" = F:\Setup.exe -- [2011/04/19 13:09:27 | 000,596,187 | R--- | M] (Valve )
O33 - MountPoints2\{a2986cfd-a9f1-11dd-ba55-0015583757e9}\Shell - "" = AutoRun
O33 - MountPoints2\{a2986cfd-a9f1-11dd-ba55-0015583757e9}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a2986cfd-a9f1-11dd-ba55-0015583757e9}\Shell\AutoRun\command - "" = N:\LaunchU3.exe -a
O33 - MountPoints2\{b04c7287-aed2-11dc-b9ac-0015583757e9}\Shell - "" = AutoRun
O33 - MountPoints2\{b04c7287-aed2-11dc-b9ac-0015583757e9}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b04c7287-aed2-11dc-b9ac-0015583757e9}\Shell\AutoRun\command - "" = L:\Autorun.exe
O33 - MountPoints2\{b04c7289-aed2-11dc-b9ac-0015583757e9}\Shell - "" = AutoRun
O33 - MountPoints2\{b04c7289-aed2-11dc-b9ac-0015583757e9}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b04c7289-aed2-11dc-b9ac-0015583757e9}\Shell\AutoRun\command - "" = N:\Autorun.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/25 19:41:39 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/05/23 00:46:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\SKIDROW
[2011/05/23 00:43:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Valve
[2011/05/22 23:44:08 | 000,000,000 | ---D | C] -- C:\Program Files\EA Sports
[2011/05/18 12:03:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Phone Stuff
[2011/05/17 11:56:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Geeks2Go
[2011/05/14 20:57:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Combined Community Codec Pack
[2011/05/14 20:57:11 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Software Update Utility
[2011/05/14 00:10:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/05/12 11:49:31 | 000,114,176 | ---- | C] (CPUID) -- C:\WINDOWS\System32\PCWizard.cpl
[2011/05/12 11:49:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CPUID
[2011/05/12 11:49:27 | 000,000,000 | ---D | C] -- C:\Program Files\CPUID
[2011/05/12 02:47:42 | 000,000,000 | ---D | C] -- C:\1c80e9306499ed317d57f2b03d
[2011/05/12 02:21:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
[2011/05/12 02:20:53 | 000,000,000 | ---D | C] -- C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
[2011/05/11 09:53:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Owl City ---- Ocean Eyes --- Deluxe Edition
[2011/05/09 22:27:17 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation
[2011/05/09 22:25:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\2K Games
[2011/05/09 22:07:48 | 000,000,000 | ---D | C] -- C:\Program Files\2K Games
[2011/05/08 23:22:51 | 000,000,000 | ---D | C] -- C:\Program Files\Paradox Interactive
[2011/05/07 14:49:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\BioWare
[2011/05/07 14:47:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Dragon Age II
[2011/05/07 14:35:38 | 000,000,000 | ---D | C] -- C:\Program Files\Dragon Age 2
[2011/05/07 14:35:38 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\BioWare
[2010/09/17 17:43:30 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Owner\Application Data\pcouffin.sys

========== Files - Modified Within 30 Days ==========

[2011/05/25 20:16:41 | 000,809,824 | ---- | M] () -- C:\WINDOWS\System32\drivers\APPFCONT.DAT
[2011/05/25 20:16:41 | 000,001,132 | ---- | M] () -- C:\WINDOWS\System32\drivers\APPFLTR.CFG
[2011/05/25 20:15:44 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/25 20:14:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/25 20:14:43 | 2145,964,032 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/23 00:43:14 | 000,001,635 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Portal 2.lnk
[2011/05/23 00:09:00 | 000,094,208 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/05/22 10:12:08 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MBR.dat
[2011/05/14 21:28:01 | 000,000,221 | RHS- | M] () -- C:\boot.ini
[2011/05/13 11:22:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/05/12 14:54:48 | 004,734,976 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\www.fooxy.com_02.mpg
[2011/05/11 20:31:54 | 002,733,480 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\01.wmv
[2011/05/08 23:16:09 | 000,000,023 | ---- | M] () -- C:\WINDOWS\BlendSettings.ini
[2011/05/08 08:17:10 | 000,006,793 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Gander.jpg
[2011/04/29 20:00:43 | 000,471,289 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\EVERY SONG.wpl
[2011/04/27 19:14:15 | 005,318,321 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\KATIE COLE-GRAVITY .mp3

========== Files Created - No Company Name ==========

[2011/05/23 00:43:14 | 000,001,635 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Portal 2.lnk
[2011/05/22 10:12:08 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MBR.dat
[2011/05/14 20:48:26 | 2145,964,032 | -HS- | C] () -- C:\hiberfil.sys
[2011/05/12 14:54:42 | 004,734,976 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\www.fooxy.com_02.mpg
[2011/05/11 20:31:51 | 002,733,480 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\01.wmv
[2011/05/08 08:17:10 | 000,006,793 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Gander.jpg
[2011/04/27 19:14:06 | 005,318,321 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\KATIE COLE-GRAVITY .mp3
[2011/02/22 13:59:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2011/02/22 13:58:39 | 000,887,724 | R--- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2011/02/22 13:58:37 | 003,107,788 | R--- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2011/01/19 13:58:21 | 000,000,072 | ---- | C] () -- C:\WINDOWS\System32\drivers\wnmsav.dat
[2011/01/09 22:40:34 | 000,000,260 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2010/12/06 22:47:20 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\sypfrq.sys
[2010/09/17 17:43:30 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\inst.exe
[2010/09/17 17:43:30 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\pcouffin.cat
[2010/09/17 17:43:30 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\pcouffin.inf
[2010/09/16 19:29:14 | 000,001,057 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\vso_ts_preview.xml
[2010/03/14 20:36:26 | 000,000,030 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/03/10 09:50:43 | 000,058,516 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/02/11 07:15:50 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/08/31 18:24:57 | 000,000,054 | ---- | C] () -- C:\WINDOWS\Composer.INI
[2009/02/26 13:47:56 | 000,042,320 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2009/01/28 22:55:47 | 000,066,936 | -HS- | C] () -- C:\WINDOWS\dlinfo_0.drv
[2009/01/28 22:55:05 | 000,061,440 | ---- | C] () -- C:\WINDOWS\diabunin.exe
[2009/01/13 19:04:52 | 000,000,604 | ---- | C] () -- C:\WINDOWS\Thps3.INI
[2009/01/11 21:50:23 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2008/06/27 11:08:52 | 000,000,319 | ---- | C] () -- C:\WINDOWS\game.ini
[2008/06/05 06:32:13 | 000,000,779 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\AtomicAlarmClock.ini
[2008/06/05 06:32:13 | 000,000,525 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\alarms.ini
[2008/04/14 16:20:35 | 000,001,131 | ---- | C] () -- C:\WINDOWS\Monitor.ini
[2007/12/29 20:04:01 | 000,001,994 | ---- | C] () -- C:\WINDOWS\checkip.dat
[2007/12/20 03:59:31 | 000,009,728 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/12/03 01:54:33 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/11/13 23:22:10 | 000,137,992 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2007/11/13 23:22:05 | 000,201,816 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrB.exe
[2007/11/13 23:21:58 | 000,066,872 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrA.exe
[2007/11/02 14:05:51 | 000,086,528 | ---- | C] () -- C:\WINDOWS\bnetunin.exe
[2007/09/06 14:55:19 | 000,278,984 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
[2007/09/06 14:55:18 | 000,025,416 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys
[2007/08/21 21:50:45 | 000,809,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\APPFCONT.DAT
[2007/08/21 16:51:16 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ATIODE.exe
[2007/08/21 14:36:12 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ATIODCLI.exe
[2007/07/09 14:07:50 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/06/27 09:54:39 | 000,217,088 | ---- | C] () -- C:\WINDOWS\System32\qtmlClient.dll
[2007/05/24 06:57:17 | 000,000,024 | ---- | C] () -- C:\WINDOWS\LogonStudio.ini
[2007/05/24 00:00:18 | 000,187,392 | ---- | C] () -- C:\WINDOWS\System32\JPGUtils.dll
[2007/04/29 13:26:13 | 000,000,471 | ---- | C] () -- C:\WINDOWS\vsp.ini
[2007/04/28 12:54:35 | 000,000,259 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Gangsters2Setup.lnk
[2007/04/11 21:09:27 | 000,001,366 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/03/23 09:26:48 | 000,001,441 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2007/02/18 07:12:49 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2007/02/02 14:40:11 | 003,107,788 | R--- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
[2007/01/31 19:39:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\CMMGR32.EXE
[2007/01/26 00:28:32 | 000,000,638 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2007/01/20 02:40:43 | 000,000,287 | ---- | C] () -- C:\WINDOWS\EReg072.dat
[2006/10/14 04:03:09 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\wklnhst.dat
[2006/10/14 01:13:58 | 000,000,118 | ---- | C] () -- C:\WINDOWS\wb.ini
[2006/10/01 12:14:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/09/28 01:13:48 | 000,000,067 | ---- | C] () -- C:\WINDOWS\AudioMidRecorder.INI
[2006/09/22 02:04:17 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2006/09/22 02:00:20 | 000,172,033 | R--- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2006/09/13 16:29:00 | 000,163,712 | ---- | C] () -- C:\WINDOWS\System32\drivers\vidstub.sys
[2006/09/07 03:41:52 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2006/09/07 00:57:38 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\ZPORT4AS.dll
[2006/09/06 14:42:53 | 000,000,004 | ---- | C] () -- C:\WINDOWS\info147.sys
[2006/08/26 03:33:22 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2006/08/26 03:33:22 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2006/08/26 03:33:22 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2006/08/26 00:27:58 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/08/22 04:28:09 | 000,094,208 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/08/19 20:27:19 | 000,034,027 | ---- | C] () -- C:\WINDOWS\scunin.dat
[2006/08/19 19:52:49 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/02/07 13:34:32 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/02/07 13:33:54 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2006/02/07 13:33:29 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2006/02/07 13:33:26 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2006/02/07 13:33:11 | 000,000,004 | ---- | C] () -- C:\WINDOWS\Pix11.dat
[2006/02/07 13:27:53 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/02/07 13:06:56 | 001,519,616 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2006/02/07 13:06:55 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/02/07 13:06:55 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/02/07 13:06:53 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/02/07 13:06:51 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/02/07 13:06:51 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/02/07 13:06:51 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/02/07 13:06:50 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/02/07 13:06:47 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2006/02/07 13:06:47 | 000,393,216 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2006/02/07 13:06:47 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/08/06 00:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/01/12 12:38:00 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/01/12 11:51:23 | 000,352,256 | ---- | C] () -- C:\WINDOWS\System32\HotlineClient.exe
[2005/01/09 20:17:55 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/01/09 20:07:25 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/01/09 18:49:16 | 000,001,220 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/01/09 18:49:16 | 000,000,491 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2005/01/09 18:48:24 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/01/09 18:48:21 | 000,462,662 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005/01/09 18:48:21 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2005/01/09 18:48:21 | 000,080,266 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2005/01/09 18:48:21 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2005/01/09 18:48:20 | 000,005,151 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2005/01/09 18:48:18 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/01/09 18:48:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/01/09 18:48:07 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2005/01/09 18:48:07 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2005/01/09 18:48:01 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2005/01/09 18:47:52 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2005/01/09 12:00:34 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/01/09 11:59:39 | 001,564,640 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/01/07 18:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2009/02/07 15:27:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2007/04/26 17:50:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2007/12/22 18:10:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
[2010/08/26 14:23:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Electronic Arts
[2007/08/20 13:55:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
[2007/07/26 12:37:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Laconic Software
[2006/11/25 17:06:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2011/01/14 19:56:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PACE Anti-Piracy
[2007/06/27 10:25:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Propellerhead Software
[2007/08/22 18:24:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2007/02/28 12:13:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sony
[2007/08/19 03:27:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/02/05 20:54:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Test Drive Unlimited
[2010/03/27 19:37:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/06/09 21:31:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/02/12 12:36:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/09/04 11:56:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/01/07 13:13:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\acccore
[2010/12/07 00:38:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Amazon
[2011/05/23 00:06:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Azureus
[2011/04/21 00:02:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\BA3E7170422E423163D8E01BD1D38265
[2009/01/07 13:13:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\BitTorrent
[2009/09/25 17:31:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Cakewalk
[2010/10/13 14:09:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1
[2007/04/15 13:12:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Command & Conquer 3 Tiberium Wars
[2007/12/20 03:52:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\DAEMON Tools Pro
[2011/04/30 07:17:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Digidesign
[2010/10/04 08:19:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\FOG Downloader
[2008/06/02 15:30:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Games
[2009/09/27 10:47:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\GetRightToGo
[2007/08/20 15:44:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Grisoft
[2006/10/10 00:34:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\IrfanView
[2006/09/05 19:53:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Leadertech
[2007/02/28 12:18:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\NetMedia Providers
[2009/08/05 16:10:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\OpenOffice.org
[2011/01/14 19:56:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\PACE Anti-Piracy
[2009/01/11 15:54:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Propellerhead Software
[2007/02/28 12:18:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Publish Providers
[2009/03/02 19:44:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Red Alert 3
[2006/02/07 13:48:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView
[2007/07/26 12:43:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Sony
[2010/03/15 22:53:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Structure
[2008/10/28 02:04:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Template
[2010/03/15 23:02:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Trillium Lane
[2010/04/14 20:33:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Turbine
[2007/02/19 16:44:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\UseNeXT
[2010/09/17 17:43:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Vso
[2007/07/14 13:30:28 | 000,000,194 | ---- | M] () -- C:\WINDOWS\Tasks\shutdown.job

========== Purity Check ==========



< End of report >


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6681

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/25/2011 08:32:07 PM
mbam-log-2011-05-25 (20-32-07).txt

Scan type: Quick scan
Objects scanned: 169239
Time elapsed: 4 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#18
Cold Titanium

    Trusted Helper

  • Malware Removal
  • 1,735 posts
Step #1

  • Re-run OTL
  • Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top make sure it is set to Standard Output.
  • Ensure None is selected for Extra Registry
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


    /md5start
    sptd.sys
    atapi.sys
    /md5stop

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so.
  • Post the log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Step #2


Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

On completion of the scan click save log, save it to your desktop and post in your next reply


Zip up MBR.dat off your desktop and send it to me in a Private Message. I'll scan it myself...I'm trying not to have to reset your MBR.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Step #3

  • Double-Click gmer.exe
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan...
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish. (Please be patient as it can take some time to complete)

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


After it finishes scanning
  • Click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save it to your desktop

Post ark.txt in your next reply


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post OTL.txt, the aswMBR scan, and ark.txt and make sure to PM me MBR.dat
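As an added example (it is not part of this thread, of OTL, or of the helper's instructions), here is how the PRC/SRV/MOD lines in the OTL logs posted in this thread can be triaged mechanically before anything is hashed or removed. It parses the line format OTL prints and flags three patterns: an executable modified within the last seven days (an assumed window) that lives directly in C:\WINDOWS or C:\WINDOWS\system32; two or more file names sharing one size and timestamp, which is what a single binary copied under several names looks like in a log that carries no hash; and a running service whose binary sits in a system directory under a non-Microsoft company name. The sample lines are copied from the OTL logs in this thread; the thresholds and the rules themselves are my assumptions, and every hit is a prompt to look closer, not a verdict.

```python
"""Triage OTL process/service/module lines (added example, not part of OTL or this thread)."""
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One OTL entry looks like:
# SRV - [2011/05/29 17:58:41 | 000,776,704 | ---- | M] (CrypKey Inc.) [Auto | Running] -- C:\WINDOWS\system32\msltus4032.exe -- (UPS32)
LINE_RE = re.compile(
    r"^(?P<kind>PRC|SRV|MOD) - "
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[\w-]{4}) \| (?P<flag>[CM])\] "
    r"\((?P<company>[^)]*)\)"          # company name, may be blank
    r"(?: \[(?P<state>[^\]]*)\])?"     # start type | state (SRV lines only)
    r" -- (?P<path>.+?)"
    r"(?: -- \((?P<svc>[^)]*)\))?$"    # service name (SRV lines only)
)

# Directories where a lone, freshly modified third-party executable is unusual.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Sample input: lines copied from the OTL logs posted in this thread.
SAMPLE_LINES = [
    r"PRC - [2011/05/29 17:58:41 | 000,776,704 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\system32\wscsvc32.exe",
    r"PRC - [2011/05/29 17:58:41 | 000,776,704 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\system32\msltus4032.exe",
    r"PRC - [2011/05/13 10:14:04 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\Geeks2Go\OTL.exe",
    r"PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe",
    r"PRC - [2005/01/19 17:34:16 | 000,128,000 | ---- | M] ( ) -- C:\Program Files\CursorXP\CursorXP.exe",
    r"SRV - [2011/05/29 17:58:41 | 000,776,704 | ---- | M] (CrypKey Inc.) [Auto | Running] -- C:\WINDOWS\system32\msltus4032.exe -- (UPS32)",
    r"SRV - [2008/12/03 23:12:16 | 000,077,824 | ---- | M] (Digidesign, A Division of Avid Technology, Inc.) [Auto | Running] -- C:\Program Files\Digidesign\Drivers\MMERefresh.exe -- (DigiRefresh)",
    r"MOD - [2006/09/26 16:26:44 | 000,245,760 | ---- | M] (Panda Software) -- C:\WINDOWS\system32\PavSHook.dll",
]

# Timestamp from the "OTL logfile created on" header of the same log.
LOG_DATE = datetime(2011, 5, 30, 20, 44, 2)


def parse_line(line):
    """Return a dict for one PRC/SRV/MOD line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%Y/%m/%d %H:%M:%S")
    entry["size"] = int(entry["size"].replace(",", ""))
    return entry


def in_system_dir(path):
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def triage(lines, log_date, recent_days=7):
    """Return [(path, reason), ...] for entries worth a closer look.

    Review prompts, not verdicts: each rule also fires on some legitimate
    software, so a hit still needs a hash lookup or a human decision.
    recent_days is an assumed window, not an OTL setting.
    """
    entries = [e for e in map(parse_line, lines) if e]
    findings, seen = [], set()

    def add(path, reason):
        key = (path.lower(), reason)
        if key not in seen:          # a PRC and an SRV line often name the same file
            seen.add(key)
            findings.append((path, reason))

    cutoff = log_date - timedelta(days=recent_days)

    # Rule 1: executable modified inside the window, sitting directly in a system directory.
    for e in entries:
        if e["kind"] in ("PRC", "SRV") and in_system_dir(e["path"]) and e["ts"] >= cutoff:
            add(e["path"], "recently modified binary in a system directory")

    # Rule 2: one (size, timestamp) fingerprint under several file names. The log
    # carries no hash, so size plus mtime is the closest proxy it offers.
    by_fingerprint = defaultdict(dict)
    for e in entries:
        by_fingerprint[(e["size"], e["ts"])].setdefault(e["path"].lower(), e["path"])
    for (size, ts), paths in by_fingerprint.items():
        if len(paths) > 1:
            for path in paths.values():
                add(path, f"size {size} and timestamp {ts:%Y/%m/%d %H:%M:%S} shared by {len(paths)} file names")

    # Rule 3: a running service in a system directory with a non-Microsoft company name.
    for e in entries:
        if (e["kind"] == "SRV" and e["state"] and "Running" in e["state"]
                and in_system_dir(e["path"]) and "microsoft" not in e["company"].lower()):
            add(e["path"], f"non-Microsoft service '{e['svc'] or '?'}' running from a system directory")

    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LINES, LOG_DATE):
        print(f"{path}\n    {reason}")
```

Run over the sample lines, it singles out the two system32 executables that share one size and timestamp and leaves OTL.exe, explorer.exe and the Panda hook DLL alone. That is the same judgement a helper makes by eye when reading these logs, and it is the point at which an MD5 request like the one in Step #1 above (or a hash lookup against a vendor database) decides whether the file is what its company name says it is.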

#19
Anderwolf

    Member

  • Topic Starter
  • 89 posts
Hello, sorry for the delay, very busy weekend. Here are the logs and I will PM you with MBR.dat afterwards. Also wanted to mention that every time I run these scans it seems like immediately after more spyware pops up. I am assuming that is the virus/trojan attempting to re-establish itself after being roughed up by the scans. For instance, after running these scans, I have a new program running in the task manager called "msltus4032.exe". This is a new process that I haven't seen before. I'm assuming it's spyware. What's your take on it?

Logs:

OTL logfile created on: 5/30/2011 08:44:02 PM - Run 4
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Owner\Desktop\Geeks2Go
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 77.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 228.79 Gb Total Space | 11.31 Gb Free Space | 4.94% Space Free | Partition Type: NTFS
Drive D: | 4.09 Gb Total Space | 2.01 Gb Free Space | 49.07% Space Free | Partition Type: FAT32
Drive E: | 592.42 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 6.60 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 1.89 Gb Total Space | 1.13 Gb Free Space | 59.63% Space Free | Partition Type: FAT

Computer Name: ANDERWOLF | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/29 17:58:41 | 000,776,704 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\system32\wscsvc32.exe
PRC - [2011/05/29 17:58:41 | 000,776,704 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\system32\msltus4032.exe
PRC - [2011/05/13 10:14:04 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\Geeks2Go\OTL.exe
PRC - [2008/12/03 23:12:16 | 000,077,824 | ---- | M] (Digidesign, A Division of Avid Technology, Inc.) -- C:\Program Files\Digidesign\Drivers\MMERefresh.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/10/11 12:09:16 | 000,364,544 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Software\Panda Internet Security 2007\apvxdwin.exe
PRC - [2006/10/09 16:15:38 | 000,348,160 | ---- | M] (Panda Software) -- C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
PRC - [2006/08/08 18:26:18 | 000,151,552 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Software\Panda Internet Security 2007\PAVSRV51.EXE
PRC - [2006/08/08 18:25:32 | 000,106,496 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
PRC - [2006/08/02 14:05:54 | 000,811,008 | ---- | M] (Panda Software International) -- c:\Program Files\Panda Software\Panda Internet Security 2007\FIREWALL\PNmSrv.exe
PRC - [2006/07/25 18:03:42 | 000,100,032 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
PRC - [2006/07/21 12:22:32 | 000,159,744 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Software\Panda Internet Security 2007\PAVFNSVR.EXE
PRC - [2006/07/04 14:25:34 | 000,102,400 | ---- | M] (Panda Software) -- C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
PRC - [2006/06/29 11:04:42 | 000,069,632 | ---- | M] (Panda Software International) -- c:\Program Files\Panda Software\Panda Internet Security 2007\WebProxy.exe
PRC - [2006/03/31 14:50:52 | 000,411,096 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
PRC - [2006/02/07 13:38:01 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
PRC - [2006/01/31 16:42:04 | 000,073,728 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Software\Panda Internet Security 2007\SrvLoad.exe
PRC - [2005/07/25 02:02:22 | 000,032,768 | ---- | M] (Panda Software) -- C:\Program Files\Common Files\Panda Software\PavShld\PavPrSrv.exe
PRC - [2005/01/22 18:42:16 | 000,440,832 | ---- | M] (Stardock Systems, Inc) -- C:\Program Files\AlienGUIse\wbload.exe
PRC - [2005/01/19 17:34:16 | 000,128,000 | ---- | M] ( ) -- C:\Program Files\CursorXP\CursorXP.exe
PRC - [2002/12/17 18:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe


========== Modules (SafeList) ==========

MOD - [2011/05/13 10:14:04 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\Geeks2Go\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2006/09/26 16:26:44 | 000,245,760 | ---- | M] (Panda Software) -- C:\WINDOWS\system32\PavSHook.dll
MOD - [2006/07/21 14:35:28 | 000,139,264 | ---- | M] (Panda Software) -- C:\WINDOWS\system32\TpUtil.dll
MOD - [2006/06/27 19:36:40 | 000,101,888 | ---- | M] (Panda Software) -- C:\WINDOWS\system32\SYSTOOLS.DLL
MOD - [2006/06/16 14:44:34 | 000,057,344 | ---- | M] (Panda Software) -- C:\WINDOWS\system32\pavipc.dll
MOD - [2006/03/06 18:08:00 | 000,102,400 | ---- | M] (Panda Software International) -- C:\Program Files\Panda Software\Panda Internet Security 2007\pavoepl.dll
MOD - [2005/01/24 21:48:46 | 000,498,232 | ---- | M] (Stardock.Net, Inc) -- C:\Program Files\AlienGUIse\wblind.dll
MOD - [2005/01/19 17:34:24 | 000,014,848 | ---- | M] ( ) -- C:\Program Files\CursorXP\CurXP0.dll
MOD - [2004/09/18 15:37:00 | 000,028,740 | ---- | M] (Stardock.Net, Inc) -- C:\Program Files\AlienGUIse\wbhelp.dll
MOD - [2000/04/03 18:33:36 | 000,028,160 | ---- | M] (Neil Banfield) -- C:\Program Files\AlienGUIse\anim.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/05/29 17:58:41 | 000,776,704 | ---- | M] (CrypKey Inc.) [Auto | Running] -- C:\WINDOWS\system32\msltus4032.exe -- (UPS32)
SRV - [2008/12/03 23:12:16 | 000,077,824 | ---- | M] (Digidesign, A Division of Avid Technology, Inc.) [Auto | Running] -- C:\Program Files\Digidesign\Drivers\MMERefresh.exe -- (DigiRefresh)
SRV - [2008/12/03 22:25:10 | 000,159,744 | ---- | M] (Digidesign, A Division of Avid Technology, Inc.) [On_Demand | Stopped] -- C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe -- (digiSPTIService)
SRV - [2006/10/09 16:15:38 | 000,348,160 | ---- | M] (Panda Software) [Auto | Running] -- C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe -- (TPSrv)
SRV - [2006/08/08 18:26:18 | 000,151,552 | ---- | M] (Panda Software International) [Auto | Running] -- C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe -- (PAVSRV)
SRV - [2006/08/02 14:05:54 | 000,811,008 | ---- | M] (Panda Software International) [Auto | Running] -- c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE -- (PNMSRV)
SRV - [2006/07/25 18:03:42 | 002,119,360 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate)
SRV - [2006/07/25 18:03:42 | 000,100,032 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)
SRV - [2006/07/21 12:22:32 | 000,159,744 | ---- | M] (Panda Software International) [Auto | Running] -- C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe -- (PAVFNSVR)
SRV - [2006/07/04 14:25:34 | 000,102,400 | ---- | M] (Panda Software) [Auto | Running] -- C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe -- (PSIMSVC)
SRV - [2006/03/31 14:50:52 | 000,411,096 | ---- | M] (Panda Software International) [Auto | Running] -- C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe -- (pmshellsrv)
SRV - [2006/02/07 13:38:01 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Running] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2005/07/25 02:02:22 | 000,032,768 | ---- | M] (Panda Software) [Auto | Running] -- C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe -- (PavPrSrv)
SRV - [2002/12/17 18:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -- (MSSQL$SONY_MEDIAMGR)
SRV - [2002/12/17 18:23:30 | 000,311,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -- (SQLAgent$SONY_MEDIAMGR)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (PavTPK.sys)
DRV - File not found [Kernel | On_Demand | Running] -- -- (ComFiltr)
DRV - File not found [File_System | On_Demand | Running] -- -- (AvFlt)
DRV - [2010/09/30 11:19:11 | 000,054,328 | ---- | M] (PACE Anti-Piracy, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iLokDrvr.sys -- (iLokDrvr)
DRV - [2010/07/09 12:18:56 | 000,020,328 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Program Files\CPUID\PC Wizard 2010\pcwiz_x32.sys -- (cpuz134)
DRV - [2009/12/23 11:32:26 | 000,086,016 | ---- | M] (PACE Anti-Piracy, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\TPkd.sys -- (TPkd)
DRV - [2009/08/22 13:25:00 | 000,009,088 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys -- (RivaTuner32)
DRV - [2009/01/31 12:47:36 | 000,163,712 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\vidstub.sys -- (BootScreen)
DRV - [2009/01/29 23:22:46 | 000,137,992 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PnkBstrK.sys -- (PnkBstrK)
DRV - [2008/12/04 03:02:08 | 000,021,904 | ---- | M] (Digidesign, A Division of Avid Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbx2midk.sys -- (MBX2MIDK)
DRV - [2008/12/04 03:02:04 | 000,021,648 | ---- | M] (Digidesign, A Division of Avid Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbx2dfu.sys -- (MBX2DFU)
DRV - [2008/12/04 03:02:02 | 000,016,400 | ---- | M] (Digidesign, A Division of Avid Technology, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\diginet.sys -- (DigiNet)
DRV - [2008/12/04 03:01:50 | 000,097,808 | ---- | M] (Digidesign, A Division of Avid Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Dalwdm.sys -- (dalwdmservice)
DRV - [2008/05/14 21:48:17 | 003,098,112 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/12/20 03:31:12 | 000,278,984 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt)
DRV - [2007/09/06 14:55:18 | 000,025,416 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2007/09/06 14:42:55 | 000,685,816 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2007/05/27 00:44:32 | 000,025,544 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2007/02/25 21:55:19 | 000,076,560 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2007/01/20 02:11:07 | 000,031,644 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2006/10/10 16:02:46 | 000,141,312 | ---- | M] (Panda Software International) [NDIS Layer] [Kernel | Boot | Running] -- C:\WINDOWS\system32\Drivers\NETFLT.SYS -- (netflt)
DRV - [2006/09/28 15:58:26 | 000,016,256 | ---- | M] (Panda Software International) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\wnmflt.sys -- (WNMFLT)
DRV - [2006/08/24 22:47:00 | 000,002,560 | ---- | M] (Sonic Solutions) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2006/08/24 22:47:00 | 000,002,432 | ---- | M] (Sonic Solutions) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2006/08/03 16:37:56 | 000,044,544 | ---- | M] (Panda Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\APPFLT.SYS -- (APPFLT)
DRV - [2006/08/02 14:15:48 | 000,023,296 | ---- | M] (Panda Software International) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\smsflt.sys -- (SMSFLT)
DRV - [2006/08/02 14:10:18 | 000,185,472 | ---- | M] (Panda Software International) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\idsflt.sys -- (IDSFLT)
DRV - [2006/08/02 14:08:48 | 000,036,864 | ---- | M] (Panda Software International) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dsaflt.sys -- (DSAFLT)
DRV - [2006/07/01 23:39:40 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2006/06/29 22:50:46 | 000,009,216 | ---- | M] (Panda Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fnetmon.sys -- (FNETMON)
DRV - [2006/05/11 22:26:48 | 000,103,936 | ---- | M] (Panda Software) [TDI Layer] [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\netfltdi.sys -- (NETFLTDI)
DRV - [2006/04/25 10:02:48 | 000,165,120 | ---- | M] (Panda Software) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PavProc.sys -- (PavProc)
DRV - [2006/03/27 18:53:28 | 000,167,808 | ---- | M] (NETGEAR Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wg111v2.sys -- (RTLWUSB)
DRV - [2006/02/22 03:43:34 | 000,071,552 | ---- | M] (Panda Software International) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\pavdrv51.sys -- (PAVDRV)
DRV - [2005/09/26 18:07:00 | 003,644,800 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/08/29 07:23:30 | 000,026,752 | ---- | M] (Panda Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\ShldDrv.sys -- (ShldDrv)
DRV - [2005/08/12 14:36:56 | 000,016,640 | ---- | M] (Panda Software) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\cpoint.sys -- (cpoint)
DRV - [2005/07/29 20:11:04 | 000,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/07/29 20:11:02 | 000,034,048 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/03/17 11:51:16 | 001,033,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/03/17 11:50:36 | 000,221,440 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2005/03/17 11:50:32 | 000,705,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/20 20:02:00 | 000,012,544 | R--- | M] (KORG Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\KORGUMDS.SYS -- (KORGUMDS)
DRV - [2003/01/10 16:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/17 15:49:32 | 000,019,968 | ---- | M] (Macronix International Co., Ltd. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxnic.sys -- (mxnic)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = C9 A4 B9 41 A0 7F E6 47 96 F8 2C 78 22 31 8C 97 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: ""
FF - prefs.js..browser.search.defaultenginename: ""
FF - prefs.js..browser.search.defaulturl: "http://slirsredirect...fftrie7&query="
FF - prefs.js..browser.search.order.1: ""
FF - prefs.js..browser.search.selectedEngine: ""
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "google.com"
FF - prefs.js..extensions.enabledItems: {c2f863cd-0429-48c7-bb54-db756a951760}:5.20.1.1
FF - prefs.js..extensions.enabledItems: {0545b830-f0aa-4d7e-8820-50a4629a56fe}:4.6.5
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0.071303000006
FF - prefs.js..extensions.enabledItems: {45501068-1DB2-4B37-A104-9C301A4F02A4}:1.9.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:3.6.7
FF - prefs.js..extensions.enabledItems: {7694c49c-9fbd-11dc-8314-0800200c9a66}:3.6.7

FF - HKLM\software\mozilla\Firefox\extensions\\{45501068-1DB2-4B37-A104-9C301A4F02A4}: C:\Documents and Settings\Owner\Local Settings\Application Data\{45501068-1DB2-4B37-A104-9C301A4F02A4} [2010/01/15 00:58:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/02 12:13:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/14 00:02:40 | 000,000,000 | ---D | M]

[2010/05/25 13:59:42 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/05/25 13:59:42 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\[email protected]
[2011/05/29 17:58:43 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g18onkhq.default\extensions
[2010/07/23 11:31:24 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g18onkhq.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/01/22 10:27:32 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g18onkhq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2011/03/10 00:48:09 | 000,000,000 | ---D | M] (Aquatint Black) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g18onkhq.default\extensions\{7694c49c-9fbd-11dc-8314-0800200c9a66}
[2011/05/30 14:21:30 | 000,000,000 | ---D | M] (XUL Cache) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g18onkhq.default\extensions\{9b48f8c5-e8a2-4150-bbee-d70407cf130b}
[2011/03/10 00:48:16 | 000,000,000 | ---D | M] (Virtus Search Opt-in) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g18onkhq.default\extensions\[email protected]
[2009/11/17 13:58:08 | 000,000,000 | ---D | M] (Move Media Player) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g18onkhq.default\extensions\[email protected]
[2011/03/10 00:48:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g18onkhq.default\extensions\[email protected]\chrome
[2011/03/10 00:48:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g18onkhq.default\extensions\[email protected]\defaults
[2011/03/10 00:48:10 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g18onkhq.default\extensions\{7694c49c-9fbd-11dc-8314-0800200c9a66}\chrome\win\mozapps\extensions
[2009/03/23 17:53:46 | 000,001,739 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g18onkhq.default\searchplugins\aim-search.xml
[2011/03/25 20:14:56 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2007/06/09 16:08:37 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/05/02 16:25:21 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/07/30 16:23:00 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
File not found (No name found) --
() (No name found) -- C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\G18ONKHQ.DEFAULT\EXTENSIONS\{0545B830-F0AA-4D7E-8820-50A4629A56FE}.XPI
[2009/08/05 16:07:49 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/05/02 12:13:46 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/08/09 02:11:22 | 010,437,264 | ---- | M] (PDFTron Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\PDFNetC.dll
[2009/08/09 02:30:36 | 000,107,760 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\ScorchPDFWrapper.dll
[2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/05/25 19:47:47 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {41B9A4C9-7FA0-47E6-96F8-2C7822318C97} - C:\WINDOWS\system32\atiiiexx32.dll ()
O2 - BHO: (44387339) - {43CB8033-D0FF-6A03-6264-519FA52E73F9} - C:\WINDOWS\system32\imeshare32.dll ()
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKLM..\Run: [APVXDWIN] C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE (Panda Software International)
O4 - HKLM..\Run: [BootSkin Startup Jobs] C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe ()
O4 - HKLM..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe (Digidesign, A Division of Avid Technology, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [RivaTunerStartupDaemon] C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe ()
O4 - HKLM..\Run: [SCANINICIO] C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe (Panda Software International)
O4 - HKLM..\Run: [SunJavaUpdateSched] File not found
O4 - HKCU..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe ( )
O4 - HKCU..\Run: [DAEMON Tools Pro Agent] C:\Program Files\DAEMON Tools Pro\DTProAgent.exe (DT Soft Ltd.)
F3 - HKCU WinNT: Load - () - File not found
F3 - HKCU WinNT: Run - () - File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_21.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - c:\program files\panda software\panda internet security 2007\pavlsp.dll (Panda Software International)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - c:\program files\panda software\panda internet security 2007\pavlsp.dll (Panda Software International)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - c:\program files\panda software\panda internet security 2007\pavlsp.dll (Panda Software International)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - c:\program files\panda software\panda internet security 2007\pavlsp.dll (Panda Software International)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.t...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} http://acs.pandasoft...free/asinst.cab (ActiveScan Installer Class)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.196.64.53 68.113.206.10 24.178.162.3
O20 - AppInit_DLLs: (C:\WINDOWS\system32\imeshare32.dll) - C:\WINDOWS\system32\imeshare32.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avldr: DllName - avldr.dll - C:\WINDOWS\System32\avldr.dll (Panda Software)
O20 - Winlogon\Notify\WB: DllName - C:\PROGRA~1\ALIENG~1\fastload.dll - C:\Program Files\AlienGUIse\fastload.dll (Stardock)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/01/09 20:13:09 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/09/13 12:15:24 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [1997/09/30 13:25:44 | 000,173,568 | R--- | M] (EA Sports ) - E:\AUTORUN.EXE -- [ CDFS ]
O32 - AutoRun File - [1997/09/14 15:41:28 | 000,000,054 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O32 - AutoRun File - [2011/04/19 13:09:27 | 000,000,059 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{314c8792-b0e2-11dc-b9ad-0015583757e9}\Shell - "" = AutoRun
O33 - MountPoints2\{314c8792-b0e2-11dc-b9ad-0015583757e9}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{314c8792-b0e2-11dc-b9ad-0015583757e9}\Shell\AutoRun\command - "" = F:\Setup.exe -- [2011/04/19 13:09:27 | 000,596,187 | R--- | M] (Valve )
O33 - MountPoints2\{a2986cfd-a9f1-11dd-ba55-0015583757e9}\Shell - "" = AutoRun
O33 - MountPoints2\{a2986cfd-a9f1-11dd-ba55-0015583757e9}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a2986cfd-a9f1-11dd-ba55-0015583757e9}\Shell\AutoRun\command - "" = N:\LaunchU3.exe -a
O33 - MountPoints2\{b04c7287-aed2-11dc-b9ac-0015583757e9}\Shell - "" = AutoRun
O33 - MountPoints2\{b04c7287-aed2-11dc-b9ac-0015583757e9}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b04c7287-aed2-11dc-b9ac-0015583757e9}\Shell\AutoRun\command - "" = L:\Autorun.exe
O33 - MountPoints2\{b04c7289-aed2-11dc-b9ac-0015583757e9}\Shell - "" = AutoRun
O33 - MountPoints2\{b04c7289-aed2-11dc-b9ac-0015583757e9}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b04c7289-aed2-11dc-b9ac-0015583757e9}\Shell\AutoRun\command - "" = N:\Autorun.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/29 17:58:46 | 000,776,704 | ---- | C] (CrypKey Inc.) -- C:\WINDOWS\System32\wscsvc32.exe
[2011/05/29 17:58:44 | 000,776,704 | ---- | C] (CrypKey Inc.) -- C:\WINDOWS\System32\msltus4032.exe
[2011/05/25 19:41:39 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/05/23 00:46:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\SKIDROW
[2011/05/23 00:43:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Valve
[2011/05/22 23:44:08 | 000,000,000 | ---D | C] -- C:\Program Files\EA Sports
[2011/05/18 12:03:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Phone Stuff
[2011/05/17 11:56:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Geeks2Go
[2011/05/14 20:57:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Combined Community Codec Pack
[2011/05/14 20:57:11 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Software Update Utility
[2011/05/14 00:10:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/05/12 11:49:31 | 000,114,176 | ---- | C] (CPUID) -- C:\WINDOWS\System32\PCWizard.cpl
[2011/05/12 11:49:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CPUID
[2011/05/12 11:49:27 | 000,000,000 | ---D | C] -- C:\Program Files\CPUID
[2011/05/12 02:47:42 | 000,000,000 | ---D | C] -- C:\1c80e9306499ed317d57f2b03d
[2011/05/12 02:21:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
[2011/05/12 02:20:53 | 000,000,000 | ---D | C] -- C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
[2011/05/11 09:53:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Owl City ---- Ocean Eyes --- Deluxe Edition
[2011/05/09 22:27:17 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation
[2011/05/09 22:25:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\2K Games
[2011/05/09 22:07:48 | 000,000,000 | ---D | C] -- C:\Program Files\2K Games
[2011/05/08 23:22:51 | 000,000,000 | ---D | C] -- C:\Program Files\Paradox Interactive
[2011/05/07 14:49:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\BioWare
[2011/05/07 14:47:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Dragon Age II
[2011/05/07 14:35:38 | 000,000,000 | ---D | C] -- C:\Program Files\Dragon Age 2
[2011/05/07 14:35:38 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\BioWare
[2010/09/17 17:43:30 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Owner\Application Data\pcouffin.sys
[1 C:\Documents and Settings\Owner\*.tmp files -> C:\Documents and Settings\Owner\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/30 14:30:41 | 000,000,019 | ---- | M] () -- C:\WINDOWS\System32\64cb246b
[2011/05/29 17:58:49 | 000,811,996 | ---- | M] () -- C:\WINDOWS\System32\drivers\APPFCONT.DAT
[2011/05/29 17:58:46 | 000,167,936 | ---- | M] () -- C:\WINDOWS\System32\imeshare32.dll
[2011/05/29 17:58:46 | 000,000,091 | ---- | M] () -- C:\WINDOWS\System32\1323643931
[2011/05/29 17:58:41 | 000,776,704 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\System32\wscsvc32.exe
[2011/05/29 17:58:41 | 000,776,704 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\System32\msltus4032.exe
[2011/05/29 17:58:41 | 000,365,568 | ---- | M] () -- C:\WINDOWS\System32\atiiiexx32.dll
[2011/05/28 20:08:38 | 000,058,164 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/05/28 17:34:46 | 000,001,132 | ---- | M] () -- C:\WINDOWS\System32\drivers\APPFLTR.CFG
[2011/05/28 17:33:58 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/28 17:32:21 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/28 17:32:16 | 2145,964,032 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/27 21:42:19 | 000,094,720 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/05/26 12:15:25 | 001,509,462 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\02.wmv
[2011/05/25 20:27:10 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/05/23 00:43:14 | 000,001,635 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Portal 2.lnk
[2011/05/22 10:12:08 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MBR.dat
[2011/05/14 21:28:01 | 000,000,221 | RHS- | M] () -- C:\boot.ini
[2011/05/13 11:22:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/05/12 14:54:48 | 004,734,976 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\www.fooxy.com_02.mpg
[2011/05/11 20:31:54 | 002,733,480 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\01.wmv
[2011/05/08 23:16:09 | 000,000,023 | ---- | M] () -- C:\WINDOWS\BlendSettings.ini
[2011/05/08 08:17:10 | 000,006,793 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Gander.jpg
[1 C:\Documents and Settings\Owner\*.tmp files -> C:\Documents and Settings\Owner\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/30 12:54:11 | 000,000,019 | ---- | C] () -- C:\WINDOWS\System32\64cb246b
[2011/05/29 17:58:45 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\imeshare32.dll
[2011/05/29 17:58:44 | 000,000,091 | ---- | C] () -- C:\WINDOWS\System32\1323643931
[2011/05/29 17:58:41 | 000,365,568 | ---- | C] () -- C:\WINDOWS\System32\atiiiexx32.dll
[2011/05/26 12:15:21 | 001,509,462 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\02.wmv
[2011/05/25 20:27:09 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/05/23 00:43:14 | 000,001,635 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Portal 2.lnk
[2011/05/22 10:12:08 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MBR.dat
[2011/05/14 20:48:26 | 2145,964,032 | -HS- | C] () -- C:\hiberfil.sys
[2011/05/12 14:54:42 | 004,734,976 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\www.fooxy.com_02.mpg
[2011/05/11 20:31:51 | 002,733,480 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\01.wmv
[2011/05/08 08:17:10 | 000,006,793 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Gander.jpg
[2011/02/22 13:59:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2011/02/22 13:58:39 | 000,887,724 | R--- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2011/02/22 13:58:37 | 003,107,788 | R--- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2011/01/19 13:58:21 | 000,000,072 | ---- | C] () -- C:\WINDOWS\System32\drivers\wnmsav.dat
[2011/01/09 22:40:34 | 000,000,260 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2010/12/06 22:47:20 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\sypfrq.sys
[2010/09/17 17:43:30 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\inst.exe
[2010/09/17 17:43:30 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\pcouffin.cat
[2010/09/17 17:43:30 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\pcouffin.inf
[2010/09/16 19:29:14 | 000,001,057 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\vso_ts_preview.xml
[2010/03/14 20:36:26 | 000,000,030 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/03/10 09:50:43 | 000,058,164 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/02/11 07:15:50 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/08/31 18:24:57 | 000,000,054 | ---- | C] () -- C:\WINDOWS\Composer.INI
[2009/02/26 13:47:56 | 000,042,320 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2009/01/28 22:55:47 | 000,066,936 | -HS- | C] () -- C:\WINDOWS\dlinfo_0.drv
[2009/01/28 22:55:05 | 000,061,440 | ---- | C] () -- C:\WINDOWS\diabunin.exe
[2009/01/13 19:04:52 | 000,000,604 | ---- | C] () -- C:\WINDOWS\Thps3.INI
[2009/01/11 21:50:23 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2008/06/27 11:08:52 | 000,000,319 | ---- | C] () -- C:\WINDOWS\game.ini
[2008/06/05 06:32:13 | 000,000,779 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\AtomicAlarmClock.ini
[2008/06/05 06:32:13 | 000,000,525 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\alarms.ini
[2008/04/14 16:20:35 | 000,001,131 | ---- | C] () -- C:\WINDOWS\Monitor.ini
[2007/12/29 20:04:01 | 000,001,994 | ---- | C] () -- C:\WINDOWS\checkip.dat
[2007/12/20 03:59:31 | 000,009,728 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/12/03 01:54:33 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/11/13 23:22:10 | 000,137,992 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2007/11/13 23:22:05 | 000,201,816 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrB.exe
[2007/11/13 23:21:58 | 000,066,872 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrA.exe
[2007/11/02 14:05:51 | 000,086,528 | ---- | C] () -- C:\WINDOWS\bnetunin.exe
[2007/09/06 14:55:19 | 000,278,984 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
[2007/09/06 14:55:18 | 000,025,416 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys
[2007/08/21 21:50:45 | 000,811,996 | ---- | C] () -- C:\WINDOWS\System32\drivers\APPFCONT.DAT
[2007/08/21 16:51:16 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ATIODE.exe
[2007/08/21 14:36:12 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ATIODCLI.exe
[2007/07/09 14:07:50 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/06/27 09:54:39 | 000,217,088 | ---- | C] () -- C:\WINDOWS\System32\qtmlClient.dll
[2007/05/24 06:57:17 | 000,000,024 | ---- | C] () -- C:\WINDOWS\LogonStudio.ini
[2007/05/24 00:00:18 | 000,187,392 | ---- | C] () -- C:\WINDOWS\System32\JPGUtils.dll
[2007/04/29 13:26:13 | 000,000,471 | ---- | C] () -- C:\WINDOWS\vsp.ini
[2007/04/28 12:54:35 | 000,000,259 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Gangsters2Setup.lnk
[2007/04/11 21:09:27 | 000,001,366 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/03/23 09:26:48 | 000,001,441 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2007/02/18 07:12:49 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2007/02/02 14:40:11 | 003,107,788 | R--- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
[2007/01/31 19:39:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\CMMGR32.EXE
[2007/01/26 00:28:32 | 000,000,638 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2007/01/20 02:40:43 | 000,000,287 | ---- | C] () -- C:\WINDOWS\EReg072.dat
[2006/10/14 04:03:09 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\wklnhst.dat
[2006/10/14 01:13:58 | 000,000,118 | ---- | C] () -- C:\WINDOWS\wb.ini
[2006/10/01 12:14:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/09/28 01:13:48 | 000,000,067 | ---- | C] () -- C:\WINDOWS\AudioMidRecorder.INI
[2006/09/22 02:04:17 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2006/09/22 02:00:20 | 000,172,033 | R--- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2006/09/13 16:29:00 | 000,163,712 | ---- | C] () -- C:\WINDOWS\System32\drivers\vidstub.sys
[2006/09/07 03:41:52 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2006/09/07 00:57:38 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\ZPORT4AS.dll
[2006/09/06 14:42:53 | 000,000,004 | ---- | C] () -- C:\WINDOWS\info147.sys
[2006/08/26 03:33:22 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2006/08/26 03:33:22 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2006/08/26 03:33:22 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2006/08/26 00:27:58 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/08/22 04:28:09 | 000,094,720 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/08/19 20:27:19 | 000,034,027 | ---- | C] () -- C:\WINDOWS\scunin.dat
[2006/08/19 19:52:49 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/02/07 13:34:32 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/02/07 13:33:54 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2006/02/07 13:33:29 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2006/02/07 13:33:26 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2006/02/07 13:33:11 | 000,000,004 | ---- | C] () -- C:\WINDOWS\Pix11.dat
[2006/02/07 13:27:53 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/02/07 13:06:56 | 001,519,616 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2006/02/07 13:06:55 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/02/07 13:06:55 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/02/07 13:06:53 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/02/07 13:06:51 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/02/07 13:06:51 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/02/07 13:06:51 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/02/07 13:06:50 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/02/07 13:06:47 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2006/02/07 13:06:47 | 000,393,216 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2006/02/07 13:06:47 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/08/06 00:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/01/12 12:38:00 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/01/12 11:51:23 | 000,352,256 | ---- | C] () -- C:\WINDOWS\System32\HotlineClient.exe
[2005/01/09 20:17:55 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/01/09 20:07:25 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/01/09 18:49:16 | 000,001,220 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/01/09 18:49:16 | 000,000,491 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2005/01/09 18:48:24 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/01/09 18:48:21 | 000,462,662 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005/01/09 18:48:21 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2005/01/09 18:48:21 | 000,080,266 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2005/01/09 18:48:21 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2005/01/09 18:48:20 | 000,005,151 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2005/01/09 18:48:18 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/01/09 18:48:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/01/09 18:48:07 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2005/01/09 18:48:07 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2005/01/09 18:48:01 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2005/01/09 18:47:52 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2005/01/09 12:00:34 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/01/09 11:59:39 | 001,564,640 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/01/07 18:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Custom Scans ==========



< MD5 for: ATAPI.SYS >
[2004/08/10 14:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/08/18 19:26:52 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004/08/10 14:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:atapi.sys
[2008/08/18 19:26:52 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 08:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: SPTD.SYS >
[2007/09/06 14:42:55 | 000,685,816 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\sptd.sys

< End of report >


aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-30 21:54:04
-----------------------------
21:54:04.359 OS Version: Windows 5.1.2600 Service Pack 3
21:54:04.359 Number of processors: 2 586 0x2B01
21:54:04.359 ComputerName: ANDERWOLF UserName: Owner
21:54:06.640 Initialize success
21:54:08.312 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-3
21:54:08.312 Disk 0 Vendor: HDT722525DLAT80 V44OA96A Size: 238475MB BusType: 3
21:54:08.312 Disk 0 MBR read error 0
21:54:08.312 Disk 0 MBR scan
21:54:08.312 Disk 0 unknown MBR code
21:54:08.312 MBR BIOS signature not found 0
21:54:08.312 Disk 0 scanning sectors +488392065
21:54:08.312 Disk 0 scanning C:\WINDOWS\system32\drivers
21:54:16.093 Service scanning
21:54:17.390 Disk 0 trace - called modules:
21:54:17.390 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys >>UNKNOWN [0x843718ac]<<
21:54:17.390 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84212030]
21:54:17.390 3 CLASSPNP.SYS[ba168fd7] -> nt!IofCallDriver -> \Device\000000a7[0x8426bf18]
21:54:17.390 5 ACPI.sys[b9e55620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-3[0x8426a940]
21:54:17.390 Scan finished successfully
21:58:38.937 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
21:58:38.937 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"


GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-30 23:03:00
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort1 HDT722525DLAT80 rev.V44OA96A
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwryypow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS (PandaShield driver/Panda Software) ZwCreateKey [0xBA4121BA]
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS (PandaShield driver/Panda Software) ZwDeleteKey [0xBA4122D6]
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS (PandaShield driver/Panda Software) ZwDeleteValueKey [0xBA41242A]
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS (PandaShield driver/Panda Software) ZwEnumerateKey [0xBA4123B2]
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS (PandaShield driver/Panda Software) ZwEnumerateValueKey [0xBA41258A]
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS (PandaShield driver/Panda Software) ZwOpenKey [0xBA412264]
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS (PandaShield driver/Panda Software) ZwQueryKey [0xBA41233E]
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS (PandaShield driver/Panda Software) ZwQueryValueKey [0xBA412512]
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS (PandaShield driver/Panda Software) ZwSetValueKey [0xBA412498]
SSDT \??\C:\WINDOWS\system32\DRIVERS\PavProc.sys (Panda Process Protection driver/Panda Software) ZwTerminateProcess [0xA95B14E8]
SSDT \??\C:\WINDOWS\system32\DRIVERS\PavProc.sys (Panda Process Protection driver/Panda Software) ZwTerminateThread [0xA95B0D72]

INT 0xA4 ? FDC88044

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FE8 80504884 8 Bytes CALL F2F9A39D
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? System32\Drivers\ap86bwy4.SYS The system cannot find the path specified. !
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB90C0000, 0x1985C4, 0xE8000020]
.text USBPORT.SYS!DllUnload B90778AC 5 Bytes JMP 83E45770
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xA9A0A300, 0x3AE88, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xAC545300, 0x1B7E, 0xE8000020]
? system32\drivers\av5flt.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\DRIVERS\COMFiltr.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\PavTPK.sys The system cannot find the file specified. !
? C:\DOCUME~1\Owner\LOCALS~1\Temp\aswMBR.sys The system cannot find the file specified. !
.text ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [1D, 5F]
.text ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [3E, 5F]
.text ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [20, 5F]
.text ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E]
.text ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [41, 5F] {INC ECX; POP EDI}
.text ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [23, 5F]
.text ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [26, 5F]
.text ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E]
.text ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [29, 5F]
.text ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E]
.text ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E]
.text ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [44, 5F] {INC ESP; POP EDI}
.text ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E]
.text ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [32, 5F]
.text ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E]
.text ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [35, 5F]
.text ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E]
.text ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [47, 5F] {INC EDI; POP EDI}
.text ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
.text ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [38, 5F]
.text ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E]
.text ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [3B, 5F]
.text ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [4D, 5F] {DEC EBP; POP EDI}
.text ntdll.dll!LdrLoadDll 7C91632D 3 Bytes [FF, 25, 1E]
.text ntdll.dll!LdrLoadDll + 4 7C916331 2 Bytes [1A, 5F]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [1D, 5F]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [3E, 5F]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [20, 5F]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [41, 5F] {INC ECX; POP EDI}
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [23, 5F]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [26, 5F]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [29, 5F]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [44, 5F] {INC ESP; POP EDI}
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [32, 5F]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [35, 5F]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [47, 5F] {INC EDI; POP EDI}
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [38, 5F]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [3B, 5F]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [4D, 5F] {DEC EBP; POP EDI}
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!LdrLoadDll 7C91632D 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AlienGUIse\wbload.exe[404] ntdll.dll!LdrLoadDll + 4 7C916331 2 Bytes [1A, 5F]
.text C:\Program Files\AlienGUIse\wbload.exe[404] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F040F5A
.text C:\Program Files\AlienGUIse\wbload.exe[404] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\AlienGUIse\wbload.exe[404] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F070F5A
.text C:\Program Files\AlienGUIse\wbload.exe[404] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AlienGUIse\wbload.exe[404] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [11, 5F]
.text C:\Program Files\AlienGUIse\wbload.exe[404] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AlienGUIse\wbload.exe[404] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\AlienGUIse\wbload.exe[404] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AlienGUIse\wbload.exe[404] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\AlienGUIse\wbload.exe[404] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [1D, 5F]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [3E, 5F]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [20, 5F]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [41, 5F] {INC ECX; POP EDI}
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [23, 5F]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [26, 5F]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [29, 5F]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [44, 5F] {INC ESP; POP EDI}
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [32, 5F]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [35, 5F]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [47, 5F] {INC EDI; POP EDI}
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [38, 5F]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [3B, 5F]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [4D, 5F] {DEC EBP; POP EDI}
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!LdrLoadDll 7C91632D 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[752] ntdll.dll!LdrLoadDll + 4 7C916331 2 Bytes [1A, 5F]
.text C:\WINDOWS\Explorer.EXE[752] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[752] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Explorer.EXE[752] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\Explorer.EXE[752] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[752] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [11, 5F]
.text C:\WINDOWS\Explorer.EXE[752] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[752] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\Explorer.EXE[752] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[752] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\Explorer.EXE[752] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[752] USER32.dll!GetCursor 7E42A91B 5 Bytes JMP 013B1080 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\WINDOWS\Explorer.EXE[752] USER32.dll!DrawIconEx 7E42CB84 5 Bytes JMP 013B1120 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\WINDOWS\Explorer.EXE[752] USER32.dll!GetIconInfo 7E42D427 5 Bytes JMP 013B1030 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [1D, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [3E, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [20, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [41, 5F] {INC ECX; POP EDI}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [23, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [26, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [29, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [44, 5F] {INC ESP; POP EDI}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [32, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [35, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [47, 5F] {INC EDI; POP EDI}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [38, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [3B, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [4D, 5F] {DEC EBP; POP EDI}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!LdrLoadDll 7C91632D 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] ntdll.dll!LdrLoadDll + 4 7C916331 2 Bytes [1A, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [11, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[796] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [1D, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [3E, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [20, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [41, 5F] {INC ECX; POP EDI}
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [23, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [26, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [29, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [44, 5F] {INC ESP; POP EDI}
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [32, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [35, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [47, 5F] {INC EDI; POP EDI}
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [38, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [3B, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [4D, 5F] {DEC EBP; POP EDI}
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!LdrLoadDll 7C91632D 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] ntdll.dll!LdrLoadDll + 4 7C916331 2 Bytes [1A, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F040F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F070F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [11, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Bonjour\mDNSResponder.exe[980] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [1D, 5F]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [3E, 5F]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [20, 5F]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [41, 5F] {INC ECX; POP EDI}
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [23, 5F]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [26, 5F]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [29, 5F]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [44, 5F] {INC ESP; POP EDI}
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [32, 5F]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [35, 5F]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [47, 5F] {INC EDI; POP EDI}
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [38, 5F]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [3B, 5F]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [4D, 5F] {DEC EBP; POP EDI}
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!LdrLoadDll 7C91632D 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] ntdll.dll!LdrLoadDll + 4 7C916331 2 Bytes [1A, 5F]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F040F5A
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F070F5A
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [11, 5F]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Digidesign\Drivers\MMERefresh.exe[1104] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [3E, 5F]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [41, 5F] {INC ECX; POP EDI}
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [44, 5F] {INC ESP; POP EDI}
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [32, 5F]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [35, 5F]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [47, 5F] {INC EDI; POP EDI}
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [38, 5F]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [3B, 5F]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [4D, 5F] {DEC EBP; POP EDI}
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!LdrLoadDll 7C91632D 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msltus4032.exe[1336] ntdll.dll!LdrLoadDll + 4 7C916331 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\msltus4032.exe[1336] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\msltus4032.exe[1336] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\msltus4032.exe[1336] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\msltus4032.exe[1336] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msltus4032.exe[1336] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\msltus4032.exe[1336] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msltus4032.exe[1336] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\msltus4032.exe[1336] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\msltus4032.exe[1336] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\msltus4032.exe[1336] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [3E, 5F]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [41, 5F] {INC ECX; POP EDI}
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [44, 5F] {INC ESP; POP EDI}
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [32, 5F]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [35, 5F]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [47, 5F] {INC EDI; POP EDI}
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [38, 5F]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [3B, 5F]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [4D, 5F] {DEC EBP; POP EDI}
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!LdrLoadDll 7C91632D 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] ntdll.dll!LdrLoadDll + 4 7C916331 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wscsvc32.exe[1728] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\wscsvc32.exe[1728] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\wscsvc32.exe[1728] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\wscsvc32.exe[1728] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscsvc32.exe[1728] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\wscsvc32.exe[1728] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [1D, 5F]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [3E, 5F]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [20, 5F]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [41, 5F] {INC ECX; POP EDI}
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [23, 5F]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [26, 5F]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [29, 5F]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [44, 5F] {INC ESP; POP EDI}
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [32, 5F]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [35, 5F]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [47, 5F] {INC EDI; POP EDI}
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [38, 5F]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [3B, 5F]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [4D, 5F] {DEC EBP; POP EDI}
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!LdrLoadDll 7C91632D 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] ntdll.dll!LdrLoadDll + 4 7C916331 2 Bytes [1A, 5F]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F040F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F070F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [11, 5F]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Java\jre6\bin\jqs.exe[1864] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [C5, 03] {LDS EAX, DWORD [EBX]}
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [E6, 03] {OUT 0x3, AL}
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [C8, 03]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [CB, 03]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [CE, 03]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [D1, 03] {ROL DWORD [EBX], 0x1}
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [D4, 03] {AAM 0x3}
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [D7, 03]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [EC, 03]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [DA, 03] {FIADD DWORD [EBX]}
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [DD, 03] {FLD QWORD [EBX]}
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [EF, 03]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [F2, 03]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [E0, 03] {LOOPNZ 0x5}
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [E3, 03] {JECXZ 0x5}
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [F5, 03]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!LdrLoadDll 7C91632D 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] ntdll.dll!LdrLoadDll + 4 7C916331 2 Bytes [C2, 03]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 03AC0F5A
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 03B40F5A
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 03AE0F5A
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [B9, 03]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [BF, 03]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [BC, 03]
.text C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe[2104] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 03B10F5A
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [1D, 5F]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [3E, 5F]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [20, 5F]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [41, 5F] {INC ECX; POP EDI}
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [23, 5F]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [26, 5F]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [29, 5F]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [44, 5F] {INC ESP; POP EDI}
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [32, 5F]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [35, 5F]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [47, 5F] {INC EDI; POP EDI}
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [38, 5F]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [3B, 5F]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [4D, 5F] {DEC EBP; POP EDI}
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!LdrLoadDll 7C91632D 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] ntdll.dll!LdrLoadDll + 4 7C916331 2 Bytes [1A, 5F]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F040F5A
.text C:\Program Files\CursorXP\CursorXP.exe[2160] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\CursorXP\CursorXP.exe[2160] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F070F5A
.text C:\Program Files\CursorXP\CursorXP.exe[2160] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [11, 5F]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\CursorXP\CursorXP.exe[2160] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CursorXP\CursorXP.exe[2160] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\CursorXP\CursorXP.exe[2160] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [1D, 5F]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [3E, 5F]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [20, 5F]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [41, 5F] {INC ECX; POP EDI}
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [23, 5F]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [26, 5F]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [29, 5F]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [44, 5F] {INC ESP; POP EDI}
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [32, 5F]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [35, 5F]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [47, 5F] {INC EDI; POP EDI}
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [38, 5F]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [3B, 5F]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [4D, 5F] {DEC EBP; POP EDI}
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!LdrLoadDll 7C91632D 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] ntdll.dll!LdrLoadDll + 4 7C916331 2 Bytes [1A, 5F]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [11, 5F]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[2504] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Panda Software\Panda Internet Security 2007\apvxdwin.exe[3536] USER32.dll!GetCursor 7E42A91B 5 Bytes JMP 034A1080 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Program Files\Panda Software\Panda Internet Security 2007\apvxdwin.exe[3536] USER32.dll!DrawIconEx 7E42CB84 5 Bytes JMP 034A1120 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Program Files\Panda Software\Panda Internet Security 2007\apvxdwin.exe[3536] USER32.dll!GetIconInfo 7E42D427 5 Bytes JMP 034A1030 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [1D, 5F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [3E, 5F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [20, 5F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [41, 5F] {INC ECX; POP EDI}
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [23, 5F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [26, 5F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [29, 5F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [44, 5F] {INC ESP; POP EDI}
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [32, 5F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [35, 5F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [47, 5F] {INC EDI; POP EDI}
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [38, 5F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [3B, 5F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [4D, 5F] {DEC EBP; POP EDI}
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!LdrLoadDll 7C91632D 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!LdrLoadDll + 4 7C916331 2 Bytes [1A, 5F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F040F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F070F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [11, 5F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00EF2420 C:\WINDOWS\system32\imeshare32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EF23AA C:\WINDOWS\system32\imeshare32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] WS2_32.dll!WSASocketW 71AB404E 7 Bytes JMP 00EF22D1 C:\WINDOWS\system32\imeshare32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00EF225B C:\WINDOWS\system32\imeshare32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00EF2334 C:\WINDOWS\system32\imeshare32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00EF23D4 C:\WINDOWS\system32\imeshare32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] WS2_32.dll!WSAAsyncGetHostByName 71ABE99D 5 Bytes JMP 00EF246E C:\WINDOWS\system32\imeshare32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] WS2_32.dll!WSAConnect 71AC0C81 5 Bytes JMP 00EF2369 C:\WINDOWS\system32\imeshare32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] USER32.dll!GetCursor 7E42A91B 5 Bytes JMP 07101080 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] USER32.dll!DrawIconEx 7E42CB84 5 Bytes JMP 07101120 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] USER32.dll!GetIconInfo 7E42D427 5 Bytes JMP 07101030 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [1D, 5F]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [3E, 5F]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [20, 5F]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [41, 5F] {INC ECX; POP EDI}
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [23, 5F]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [26, 5F]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [29, 5F]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [44, 5F] {INC ESP; POP EDI}
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [32, 5F]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [35, 5F]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [47, 5F] {INC EDI; POP EDI}
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [38, 5F]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [3B, 5F]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [4D, 5F] {DEC EBP; POP EDI}
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!LdrLoadDll 7C91632D 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] ntdll.dll!LdrLoadDll + 4 7C916331 2 Bytes [1A, 5F]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F040F5A
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F0D0F5A
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F070F5A
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [11, 5F]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F0A0F5A
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] USER32.dll!GetCursor 7E42A91B 5 Bytes JMP 01301080 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] USER32.dll!DrawIconEx 7E42CB84 5 Bytes JMP 01301120 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Documents and Settings\Owner\Desktop\Geeks2Go\gmer.exe[5692] USER32.dll!GetIconInfo 7E42D427 5 Bytes JMP 01301030 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs ShldDrv.SYS (PandaShield driver/Panda Software)
Device \FileSystem\Ntfs \Ntfs 843361E8

AttachedDevice \FileSystem\Ntfs \Ntfs pavdrv51.sys (AntiMalware Filter Driver for Windows XP/2003/Panda Software International)
AttachedDevice \FileSystem\Ntfs \Ntfs av5flt.sys

Device \FileSystem\Fastfat \FatCdrom 82CF91E8

AttachedDevice \Driver\Tcpip \Device\Ip NETFLTDI.SYS (Panda TDI Filter/Panda Software)

Device \Driver\usbohci \Device\USBPDO-0 83EDC1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 843C11E8
Device \Driver\dmio \Device\DmControl\DmConfig 843C11E8
Device \Driver\dmio \Device\DmControl\DmPnP 843C11E8
Device \Driver\dmio \Device\DmControl\DmInfo 843C11E8
Device \Driver\usbehci \Device\USBPDO-1 83EF71E8

AttachedDevice \Driver\Tcpip \Device\Tcp NETFLTDI.SYS (Panda TDI Filter/Panda Software)

Device \Driver\Ftdisk \Device\HarddiskVolume1 843521E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 843521E8
Device \Driver\usbstor \Device\000000b0 83DBD3A8
Device \Driver\Cdrom \Device\CdRom0 83F741E8
Device \Driver\atapi \Device\Ide\IdePort0 [B9DEAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9DEAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B9DEAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B9DEAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort4 [B9DEAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-3 [B9DEAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-1f [B9DEAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-12 [B9DEAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom1 83F741E8
Device \Driver\Cdrom \Device\CdRom2 83F741E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{5646A873-7588-4EE4-A716-40ED900FF0C1} 8315F1E8
Device \Driver\usbstor \Device\000000b3 83DBD3A8
Device \Driver\usbstor \Device\000000b4 83DBD3A8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8315F1E8
Device \Driver\usbstor \Device\000000b5 83DBD3A8
Device \Driver\usbstor \Device\000000b6 83DBD3A8
Device \Driver\NetBT \Device\NetbiosSmb 8315F1E8
Device \Driver\PCI_NTPNP7776 \Device\00000086 sptd.sys
Device \Driver\PCI_NTPNP7776 \Device\00000087 sptd.sys

AttachedDevice \Driver\Tcpip \Device\Udp NETFLTDI.SYS (Panda TDI Filter/Panda Software)
AttachedDevice \Driver\Tcpip \Device\RawIp NETFLTDI.SYS (Panda TDI Filter/Panda Software)

Device \Driver\usbohci \Device\USBFDO-0 83EDC1E8
Device \Driver\usbehci \Device\USBFDO-1 83EF71E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 830441E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 830441E8
Device \Driver\Ftdisk \Device\FtControl 843521E8
Device \Driver\ap86bwy4 \Device\Scsi\ap86bwy41Port5Path0Target0Lun0 840A01E8
Device \Driver\ap86bwy4 \Device\Scsi\ap86bwy41 840A01E8
Device \FileSystem\Fastfat \Fat 82CF91E8

AttachedDevice \FileSystem\Fastfat \Fat pavdrv51.sys (AntiMalware Filter Driver for Windows XP/2003/Panda Software International)
AttachedDevice \FileSystem\Fastfat \Fat av5flt.sys

Device \FileSystem\Cdfs \Cdfs 83E3C440

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1848199765
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -1873092195
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x16 0xB6 0x7D 0xFF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD5 0xFE 0x58 0xD7 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF6 0xE9 0x00 0xA6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0xDE 0x98 0x5B 0x27 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0x43 0x2E 0xCB 0x7F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1@hdf12 0x1D 0x9F 0xAD 0x76 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x63 0x40 0x82 0x73 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x16 0xB6 0x7D 0xFF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD5 0xFE 0x58 0xD7 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA0 0x35 0xAF 0x5B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0xDE 0x98 0x5B 0x27 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0x43 0x2E 0xCB 0x7F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1@hdf12 0x1D 0x9F 0xAD 0x76 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x63 0x40 0x82 0x73 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x16 0xB6 0x7D 0xFF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD5 0xFE 0x58 0xD7 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x6D 0x9B 0x22 0xC0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0x92 0x77 0xEC 0xB5 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0xD3 0xB5 0xCC 0xB2 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1@hdf12 0x9F 0x32 0x67 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x78 0x12 0x71 0x01 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xD2 0x85 0xFD 0x8A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x7B 0x7B 0x47 0x9F ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1B8C62C1-8A4B-AED8-C751-912A26E92366}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E325944E-42CC-FA90-2274-DEB16F4B95C1}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E325944E-42CC-FA90-2274-DEB16F4B95C1}@iabfhapocchoehmlbn 0x6A 0x61 0x6C 0x68 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E325944E-42CC-FA90-2274-DEB16F4B95C1}@hahenaofjigboinn 0x6B 0x61 0x67 0x69 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 MBR read error
Disk \Device\Harddisk0\DR0 MBR BIOS signature not found 0

---- EOF - GMER 1.0.15 ----
  • 0

#20
Anderwolf

Anderwolf

    Member

  • Topic Starter
  • Member
  • PipPip
  • 89 posts
So I opened a PM for you but there is no option to attach a file and copy and paste doesn't work either. Something I'm missing?
  • 0

#21
Cold Titanium

Cold Titanium

    Trusted Helper

  • Malware Removal
  • 1,735 posts

What's your take on it?


It looks like malware to me.


We need to reset your MBR. Sorry for the ridiculous delay. I had to finish some lovely paperwork for the state :)



Step #1


Just to be double safe, I want to backup the MBR first


We need to create a bootable CD with MBRTool on it. Go to this page to find out about MBRTool if you like.

Download MBRTool.exe and save it to your desktop.


Double-click MBRTool.exe to install it.
When you click Finish at the end of the installation "MBRTool Bootable Media Builder" will start.

  • Put a blank CD in your CD-ROM.
  • Select create Boot CD/DVD
  • Click Go >>
  • The CD will then be created.

Put the CD in the CD-ROM on the infected computer.
Reboot the infected computer from the CD (If you don't know how, please read THIS article)

You will be presented with this menu.
Posted Image

Select the Command Prompt

Then type in - MBRTool.exe /BCK /DSK:0 /SEC

Make a note of which sector the backup is written to.

"Backup written to sector x (will be a number from 2-10)"

The MBR should now have been backed up

Power down the machine, remove the CD and boot back to normal mode.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Step #2


We'll let ComboFix install the Recovery Console for us


Download ComboFix from one of these locations: (but don't run it!)

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------


Download this : BootDisk

Make sure you download it to the desktop as well.


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Posted Image


  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


    Posted Image


  • At the next prompt, click 'No' to skip the full ComboFix scan.

    Tell me if it successfully installed the Recovery Console.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Step #3

  • Restart your computer
  • Before Windows loads, you will be prompted to choose which Operating System to start
  • Use the up and down arrow key to select Microsoft Windows Recovery Console
  • You must enter which Windows installation to log onto. Type 1 and press enter.
  • At the C:\Windows prompt, type the following bolded text, and press Enter:

    fixmbr
  • At the next prompt type the following bolded text, and press Enter:

    shutdown -r

Restart the machine in normal mode.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Step #4

Delete the copy of the aswMBR on your desktop. We'll download a fresh copy.

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

On completion of the scan click save log, save it to your desktop and post in your next reply


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Step #5

Now we run Combofix


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\Combofix.txt in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I'd like to see the aswMBR and ComboFix logs in your next post...
  • 0

#22
Anderwolf

Anderwolf

    Member

  • Topic Starter
  • Member
  • PipPip
  • 89 posts
Ok, so I created the back up CD, inserted it and restarted. I noticed in my BIOS that the CD rom drive was already set as the first boot device. There is also another menu called the Boot Menu that I can access by pressing F10. So I selected CDROM from that menu as well, and then it goes back to the black loading screen, says "boot from cd" at the bottom and then it says

1. FD 1.44MB System Type- (06)

Then some copyright words.

Then it says

Bad or missing Command Interpreter
Enter the full shell command line:
command.com /P /E :256

I tried to enter the command you listed in the post but it just came up with the same error. Not sure what to do next or how to get to the screen that you showed.
  • 0

#23
Cold Titanium

Cold Titanium

    Trusted Helper

  • Malware Removal
  • 1,735 posts
Replace step number 1 with this

Download here and download Mischel's MBR Backup to your desktop, then click MBRBackup.exe to start the utility.


Save MBR:

Click Save MBR, and save that file to location you can easily return to later. Then close MBR Backup.

(NB - the file is always prenamed MBR_year_month_day.bin - MBR_2011_05_27.bin for example)


Then continue with the rest
  • 0
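The backup step above produces a single-sector .bin file, and the GMER log earlier in the thread reported "MBR read error" and "MBR BIOS signature not found" for Harddisk0. The script below is an added example, not code from this thread or from MBR Backup, MBRTool, aswMBR or GMER. It assumes (an assumption, not something the thread states) that the backup is a raw 512-byte copy of sector 0. It checks the 0x55AA boot signature, decodes the four partition-table entries, and flags the things that make an MBR "non standard or invalid": a missing signature, an all-zero boot area, bad status bytes, more than one active partition, or overlapping partitions. The sample sector it builds is constructed for the demo, not taken from any real disk.

```python
import struct

# An MBR is one 512-byte sector: 446 bytes of boot code, a 64-byte table of
# four 16-byte partition entries, and the 2-byte 0x55AA boot signature.
MBR_SIZE = 512
TABLE_OFFSET = 446
ENTRY_SIZE = 16
SIG_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"   # the bytes GMER calls the "MBR BIOS signature"

# Layout of one partition entry; the two 3-byte CHS fields are skipped ("3x").
ENTRY_FORMAT = "<B3xB3xII"     # status, type, first LBA, sector count


def parse_entry(raw):
    """Decode one 16-byte partition table entry into a dict."""
    status, ptype, lba_start, sectors = struct.unpack(ENTRY_FORMAT, raw)
    return {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def inspect_mbr(data):
    """Check a raw sector image and return what was found.

    Returns {"signature_ok": bool, "partitions": [...], "findings": [...]};
    findings is empty for a sector that passes every sanity check.
    """
    if len(data) < MBR_SIZE:
        return {"signature_ok": False, "partitions": [],
                "findings": ["file shorter than 512 bytes"]}
    data = data[:MBR_SIZE]
    findings = []

    signature_ok = data[SIG_OFFSET:SIG_OFFSET + 2] == BOOT_SIGNATURE
    if not signature_ok:
        findings.append("0x55AA boot signature missing")
    if data[:TABLE_OFFSET] == bytes(TABLE_OFFSET):
        findings.append("boot code area is all zeros")

    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        entry = parse_entry(data[off:off + ENTRY_SIZE])
        if entry["type"] == 0 and entry["sectors"] == 0:
            continue                      # unused slot
        if entry["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{entry['status']:02x}")
        if entry["lba_start"] == 0:
            findings.append(f"entry {i}: starts at LBA 0, on top of the MBR itself")
        partitions.append(entry)

    if sum(1 for p in partitions if p["status"] == 0x80) > 1:
        findings.append("more than one partition flagged active")

    # Partitions must not overlap: sort by start LBA and compare neighbours.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in partitions)
    for (_, prev_end), (next_start, _) in zip(spans, spans[1:]):
        if next_start < prev_end:
            findings.append("partition LBA ranges overlap")
            break

    return {"signature_ok": signature_ok, "partitions": partitions, "findings": findings}


def inspect_mbr_file(path):
    """Read the first sector of a backup file (or a raw disk image) and inspect it."""
    with open(path, "rb") as fh:
        return inspect_mbr(fh.read(MBR_SIZE))


def build_sample_mbr(with_signature=True, extra_entries=()):
    """Constructed test sector, not captured from any real disk: one active NTFS
    (type 0x07) partition starting at LBA 63, plus any extra entries given as
    (status, type, lba_start, sectors) tuples."""
    sector = bytearray(MBR_SIZE)
    sector[0:3] = b"\x33\xc0\x8e"       # a few non-zero bytes standing in for boot code
    entries = [(0x80, 0x07, 63, 2097152)] + list(extra_entries)
    for i, fields in enumerate(entries[:4]):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        sector[off:off + ENTRY_SIZE] = struct.pack(ENTRY_FORMAT, *fields)
    if with_signature:
        sector[SIG_OFFSET:SIG_OFFSET + 2] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    import sys
    # Usage: python mbr_check.py MBR_2011_05_27.bin   (no argument: inspect the constructed sample)
    report = inspect_mbr_file(sys.argv[1]) if len(sys.argv) > 1 else inspect_mbr(build_sample_mbr())
    print("boot signature present:", report["signature_ok"])
    for p in report["partitions"]:
        flag = "active" if p["status"] == 0x80 else "      "
        print(f"  {flag} type 0x{p['type']:02x} start LBA {p['lba_start']:>10} sectors {p['sectors']:>10}")
    print("findings:", report["findings"] or "none")
```

Run it on the MBR_year_month_day.bin file before anything writes to sector 0. A clean report (signature present, one active entry, sane LBA ranges) means the backup is worth keeping as a fallback; a report with findings is exactly the situation where fixmbr prints its "non standard or invalid master boot record" caution, and the file should not be written back over a working disk. The partition table is also worth saving on its own, since fixmbr rewrites only the boot code and leaves the table in place.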

#24
Anderwolf

Anderwolf

    Member

  • Topic Starter
  • Member
  • PipPip
  • 89 posts
Hello again and sorry for the delay. Had to go out of town for a few days.
So I saved the backup and dragged the file to Combofix. Then I clicked "run" and combofix opened and did some sort of loading/scanning process. In the middle of the process an error message popped up saying that "NirCmd" failed and had to be terminated. I clicked "don't send" and then the process continued and when it was finished, the screen flashed and my desktop theme had been removed, but there was nothing about the recovery console being installed. I tried a restart anyways and no options for running it either. Hmmm
  • 0

#25
Cold Titanium

Cold Titanium

    Trusted Helper

  • Malware Removal
  • 1,735 posts
Do you have your XP installation disk?
  • 0

#26
Anderwolf

Anderwolf

    Member

  • Topic Starter
  • Member
  • PipPip
  • 89 posts
I do somewhere, but I am actually right in the middle of moving and it's packed away somewhere. It might be a few days before I am able to find it.
  • 0

#27
Cold Titanium

Cold Titanium

    Trusted Helper

  • Malware Removal
  • 1,735 posts
Let's try a different way then

Step #1


  • Go to this link for information on how to burn an iso image:
  • Download the rc.iso file.
  • Save it to your desktop.
  • Put a blank CD in your computer’s burner.
  • Follow the instructions on the previous link to burn the rc.iso image to a CD
  • When the disk finishes, eject the CD.
  • Configure the sick computer to start from the CD-ROM or DVD-ROM drive. For information about how to do this, see your computer documentation, or contact your computer manufacturer.
  • Insert the Image of rc.iso that you burned to CD into your CD-ROM or DVD-ROM drive, and then restart your computer.
  • When you receive the "Press any key to boot from CD" message, press a key to start your computer from the Windows XP CD-ROM.
  • You will be prompted with the following options:

    A. To setup Windows XP, press Enter.
    B. To repair Windows XP installation using recovery console, press R.

    Choose the option, "To repair the Windows XP installation using recovery console", press R. If an Administrator Password has been established, you will be prompted to type it in. If no Administrator Password exists, just press ENTER.

  • You will be presented with the following:


    Microsoft Windows® Recovery Console

    The Recovery Console provides system repair and recovery functionality.
    Type EXIT to quit the Recovery Console and restart the computer.

    1: C:\WINDOWS

    Which Windows Installation would you like to log onto
    (To cancel, press ENTER)?

  • Press the number 1 on your keyboard and hit Enter.
  • At the command prompt, type the following command and press Enter:

    fixmbr

Type Exit and press Enter. Take the CD out of the drive and let the computer restart.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Step #2


Delete the copy of the aswMBR on your desktop. We'll download a fresh copy.

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

On completion of the scan click save log, save it to your desktop and post in your next reply

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Step #3

  • Double-Click gmer.exe
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish. (Please be patient as it can take some time to complete)

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


After it finishes scanning
  • Click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save it to your desktop

Post ark.txt in your next reply


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Step #4

  • Re-Run OTL
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top make sure it is set to Standard Output.
  • Ensure the None is selected for Extra Registry
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


    /md5start
    sptd.sys
    atapi.sys
    /md5stop
    msconfig
    safebootminimal
    safebootnetwork
    activex
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    hklm\software\clients\startmenuinternet|command /rs



  • Click the Run Scan button. Do not change any settings unless otherwise told to do so.
  • Please copy and paste OTL.txt here

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




Post OTL.txt, the aswMBR scan, and ark.txt
  • 0

#28
Anderwolf

Anderwolf

    Member

  • Topic Starter
  • Member
  • PipPip
  • 89 posts
Hello. Just wanted to let you know that I am not abandoning my topic. I had to leave town unexpectedly and haven't had access to my computer. I am using my phone right now. I should be returning home in the next couple of days to continue with the steps. Thank you for your time and patience!
Andy
  • 0

#29
Cold Titanium

Cold Titanium

    Trusted Helper

  • Malware Removal
  • 1,735 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#30
Anderwolf

Anderwolf

    Member

  • Topic Starter
  • Member
  • PipPip
  • 89 posts
Hello and sorry again for the delay.
So I burned the RC image to a CD and booted from it. I selected the option to repair with recovery console. However, the drive that it listed was not 1:C:\WINDOWS, instead it said 1: I:\MiniNT which I thought was very weird because I am running XP. Anyway, I thought I would type "fixmbr" anyways and see what happened. So I did that and pressed enter and this is what I got:

"CAUTION:
This computer appears to have a non standard or invalid master boot record. FIXMBR may damage your partition tables if you proceed. This could cause all partitions on the current hard disk to become inaccessible. If you are not having problems accessing your drive, do not continue."

That alarmed me so I did not continue. Since I've been back on the internet this virus/trojan has gotten very aggressive and I was having problems even using firefox due to pop ups and fake antivirus programs. I am not sure how much longer I can keep it at bay, so I hope we can figure something out quick! Again, thank you for your time and for reopening my post.
Andy
  • 0
