unable to run antivirus and malware [Solved]



#16
papa_A_D

Here is the log for the TDSSKiller program:


19:59:13.0578 2800 TDSS rootkit removing tool 2.6.22.0 Dec 7 2011 13:21:06
19:59:13.0953 2800 ============================================================
19:59:13.0953 2800 Current date / time: 2011/12/11 19:59:13.0953
19:59:13.0953 2800 SystemInfo:
19:59:13.0953 2800
19:59:13.0953 2800 OS Version: 5.1.2600 ServicePack: 3.0
19:59:13.0953 2800 Product type: Workstation
19:59:13.0953 2800 ComputerName: WALLSTREAT
19:59:13.0953 2800 UserName: Hemphill
19:59:13.0953 2800 Windows directory: C:\WINDOWS
19:59:13.0953 2800 System windows directory: C:\WINDOWS
19:59:13.0953 2800 Processor architecture: Intel x86
19:59:13.0953 2800 Number of processors: 2
19:59:13.0953 2800 Page size: 0x1000
19:59:13.0953 2800 Boot type: Normal boot
19:59:13.0953 2800 ============================================================
19:59:15.0828 2800 Initialize success
19:59:20.0468 4008 ============================================================
19:59:20.0468 4008 Scan started
19:59:20.0468 4008 Mode: Manual;
19:59:20.0468 4008 ============================================================
19:59:22.0453 4008 922a6d98 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\2557291154:1842713191.exe
19:59:22.0468 4008 Suspicious file (Hidden): C:\WINDOWS\2557291154:1842713191.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
19:59:22.0468 4008 922a6d98 ( Rootkit.Win32.PMax.gen ) - infected
19:59:22.0468 4008 922a6d98 - detected Rootkit.Win32.PMax.gen (0)
19:59:22.0546 4008 Abiosdsk - ok
19:59:22.0578 4008 abp480n5 - ok
19:59:22.0640 4008 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:59:22.0640 4008 ACPI - ok
19:59:22.0656 4008 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
19:59:22.0656 4008 ACPIEC - ok
19:59:22.0687 4008 adpu160m - ok
19:59:22.0718 4008 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
19:59:22.0734 4008 aec - ok
19:59:22.0796 4008 AegisP (accd563bf09c4659b54143fde633b57d) C:\WINDOWS\system32\DRIVERS\AegisP.sys
19:59:22.0796 4008 AegisP - ok
19:59:22.0859 4008 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
19:59:22.0875 4008 AFD - ok
19:59:23.0000 4008 AgereSoftModem (4458fcb8a00da31fdcc086449274c40d) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
19:59:23.0031 4008 AgereSoftModem - ok
19:59:23.0156 4008 Aha154x - ok
19:59:23.0171 4008 aic78u2 - ok
19:59:23.0203 4008 aic78xx - ok
19:59:23.0218 4008 AliIde - ok
19:59:23.0250 4008 amsint - ok
19:59:23.0281 4008 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
19:59:23.0281 4008 Arp1394 - ok
19:59:23.0296 4008 asc - ok
19:59:23.0328 4008 asc3350p - ok
19:59:23.0343 4008 asc3550 - ok
19:59:23.0406 4008 ASPI32 (b979979ab8027f7f53fb16ec4229b7db) C:\WINDOWS\system32\drivers\ASPI32.sys
19:59:23.0406 4008 ASPI32 - ok
19:59:23.0453 4008 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
19:59:23.0453 4008 AsyncMac - ok
19:59:23.0531 4008 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
19:59:23.0531 4008 atapi - ok
19:59:23.0546 4008 Atdisk - ok
19:59:23.0578 4008 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
19:59:23.0593 4008 Atmarpc - ok
19:59:23.0640 4008 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
19:59:23.0640 4008 audstub - ok
19:59:23.0671 4008 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
19:59:23.0671 4008 Beep - ok
19:59:23.0812 4008 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
19:59:23.0812 4008 cbidf2k - ok
19:59:23.0828 4008 cd20xrnt - ok
19:59:23.0859 4008 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
19:59:23.0859 4008 Cdaudio - ok
19:59:23.0890 4008 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
19:59:23.0890 4008 Cdfs - ok
19:59:23.0937 4008 Cdrom (1f983ab32f06ae022c123f7c4ee66e10) C:\WINDOWS\system32\DRIVERS\cdrom.sys
19:59:23.0937 4008 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cdrom.sys. Real md5: 1f983ab32f06ae022c123f7c4ee66e10, Fake md5: 1f4260cc5b42272d71f79e570a27a4fe
19:59:23.0937 4008 Cdrom ( Rootkit.Win32.ZAccess.c ) - infected
19:59:23.0937 4008 Cdrom - detected Rootkit.Win32.ZAccess.c (0)
19:59:23.0953 4008 Changer - ok
19:59:24.0000 4008 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
19:59:24.0015 4008 CmBatt - ok
19:59:24.0046 4008 CmdIde - ok
19:59:24.0093 4008 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
19:59:24.0093 4008 Compbatt - ok
19:59:24.0125 4008 Cpqarray - ok
19:59:24.0156 4008 dac2w2k - ok
19:59:24.0171 4008 dac960nt - ok
19:59:24.0203 4008 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
19:59:24.0203 4008 Disk - ok
19:59:24.0296 4008 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
19:59:24.0312 4008 dmboot - ok
19:59:24.0468 4008 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
19:59:24.0468 4008 dmio - ok
19:59:24.0484 4008 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
19:59:24.0500 4008 dmload - ok
19:59:24.0562 4008 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
19:59:24.0562 4008 DMusic - ok
19:59:24.0593 4008 dpti2o - ok
19:59:24.0625 4008 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
19:59:24.0625 4008 drmkaud - ok
19:59:24.0812 4008 eeCtrl (8f7dbc4be48f5388a6fe1f285e7948ef) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
19:59:24.0828 4008 eeCtrl - ok
19:59:24.0953 4008 EMSCR (66029e6c4b19223c24d8710eed3aaeab) C:\WINDOWS\system32\DRIVERS\EMS7SK.sys
19:59:24.0968 4008 EMSCR - ok
19:59:24.0968 4008 EraserUtilRebootDrv (3ee14d400e0fdd0d214275a4a20b7022) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
19:59:24.0968 4008 EraserUtilRebootDrv - ok
19:59:25.0062 4008 ESDCR (9f0fa60836e1d1148cc0c1b6e67aa6f7) C:\WINDOWS\system32\DRIVERS\ESD7SK.sys
19:59:25.0062 4008 ESDCR - ok
19:59:25.0078 4008 ESMCR (d9da881be71b74b328471ccf28b5f0a9) C:\WINDOWS\system32\DRIVERS\ESM7SK.sys
19:59:25.0078 4008 ESMCR - ok
19:59:25.0156 4008 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
19:59:25.0171 4008 Fastfat - ok
19:59:25.0218 4008 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
19:59:25.0218 4008 Fdc - ok
19:59:25.0234 4008 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
19:59:25.0234 4008 Fips - ok
19:59:25.0265 4008 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
19:59:25.0265 4008 Flpydisk - ok
19:59:25.0328 4008 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
19:59:25.0328 4008 FltMgr - ok
19:59:25.0453 4008 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
19:59:25.0453 4008 Fs_Rec - ok
19:59:25.0500 4008 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:59:25.0515 4008 Ftdisk - ok
19:59:25.0578 4008 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
19:59:25.0578 4008 GEARAspiWDM - ok
19:59:25.0640 4008 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
19:59:25.0640 4008 Gpc - ok
19:59:25.0687 4008 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
19:59:25.0687 4008 HDAudBus - ok
19:59:25.0734 4008 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
19:59:25.0750 4008 HidUsb - ok
19:59:25.0828 4008 hpn - ok
19:59:25.0906 4008 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
19:59:25.0906 4008 HTTP - ok
19:59:25.0984 4008 i2omgmt - ok
19:59:26.0015 4008 i2omp - ok
19:59:26.0062 4008 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:59:26.0078 4008 i8042prt - ok
19:59:26.0203 4008 ialm (0f0194c4b635c10c3f785e4fee52d641) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
19:59:26.0234 4008 ialm - ok
19:59:26.0437 4008 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
19:59:26.0437 4008 Imapi - ok
19:59:26.0484 4008 ini910u - ok
19:59:26.0812 4008 IntcAzAudAddService (7385944d4f025bd8c498bfd97981e336) C:\WINDOWS\system32\drivers\RtkHDAud.sys
19:59:27.0062 4008 IntcAzAudAddService - ok
19:59:27.0234 4008 IntelIde - ok
19:59:27.0281 4008 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
19:59:27.0281 4008 intelppm - ok
19:59:27.0328 4008 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
19:59:27.0328 4008 Ip6Fw - ok
19:59:27.0359 4008 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:59:27.0359 4008 IpFilterDriver - ok
19:59:27.0406 4008 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:59:27.0406 4008 IpInIp - ok
19:59:27.0453 4008 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:59:27.0453 4008 IpNat - ok
19:59:27.0500 4008 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:59:27.0500 4008 IPSec - ok
19:59:27.0671 4008 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
19:59:27.0671 4008 IRENUM - ok
19:59:27.0718 4008 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:59:27.0718 4008 isapnp - ok
19:59:27.0734 4008 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys
19:59:27.0750 4008 Iviaspi - ok
19:59:27.0765 4008 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:59:27.0781 4008 Kbdclass - ok
19:59:27.0812 4008 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
19:59:27.0812 4008 kbdhid - ok
19:59:27.0859 4008 KLIF (ade4545fe3dd94d2e44678c745477dab) C:\WINDOWS\system32\drivers\klif.sys
19:59:27.0859 4008 KLIF - ok
19:59:27.0906 4008 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
19:59:27.0921 4008 kmixer - ok
19:59:28.0109 4008 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
19:59:28.0109 4008 KSecDD - ok
19:59:28.0171 4008 L8042Kbd (3c342af6b920d37fd9155877af2b4b4e) C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
19:59:28.0171 4008 L8042Kbd - ok
19:59:28.0203 4008 lbrtfdc - ok
19:59:28.0265 4008 LHidKe (952c825c2a3014d4d1648309c42d8718) C:\WINDOWS\system32\DRIVERS\LHidKE.Sys
19:59:28.0281 4008 LHidKe - ok
19:59:28.0328 4008 LHidUsbK (01b150189a1406a67a9489f8c3ee6c23) C:\WINDOWS\system32\Drivers\LHidUsbK.Sys
19:59:28.0343 4008 LHidUsbK - ok
19:59:28.0375 4008 LMouKE (bb9cc32385c3320074009fe4b9b3b3b6) C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
19:59:28.0375 4008 LMouKE - ok
19:59:28.0421 4008 meiudf (7efac183a25b30fb5d64cc9d484b1eb6) C:\WINDOWS\system32\Drivers\meiudf.sys
19:59:28.0421 4008 meiudf - ok
19:59:28.0578 4008 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
19:59:28.0593 4008 MHNDRV - ok
19:59:28.0625 4008 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
19:59:28.0625 4008 mnmdd - ok
19:59:28.0687 4008 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
19:59:28.0687 4008 Modem - ok
19:59:28.0718 4008 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:59:28.0718 4008 Mouclass - ok
19:59:28.0750 4008 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
19:59:28.0765 4008 mouhid - ok
19:59:28.0796 4008 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
19:59:28.0796 4008 MountMgr - ok
19:59:28.0843 4008 mraid35x - ok
19:59:28.0875 4008 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:59:28.0875 4008 MRxDAV - ok
19:59:28.0953 4008 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:59:28.0968 4008 MRxSmb - ok
19:59:29.0125 4008 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
19:59:29.0140 4008 Msfs - ok
19:59:29.0171 4008 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:59:29.0171 4008 MSKSSRV - ok
19:59:29.0203 4008 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:59:29.0203 4008 MSPCLOCK - ok
19:59:29.0234 4008 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
19:59:29.0234 4008 MSPQM - ok
19:59:29.0281 4008 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:59:29.0281 4008 mssmbios - ok
19:59:29.0343 4008 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
19:59:29.0343 4008 Mup - ok
19:59:29.0515 4008 NAVENG - ok
19:59:29.0531 4008 NAVEX15 - ok
19:59:29.0890 4008 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
19:59:29.0906 4008 NDIS - ok
19:59:29.0921 4008 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:59:29.0937 4008 NdisTapi - ok
19:59:29.0968 4008 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:59:29.0968 4008 Ndisuio - ok
19:59:29.0984 4008 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:59:30.0000 4008 NdisWan - ok
19:59:30.0046 4008 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
19:59:30.0062 4008 NDProxy - ok
19:59:30.0078 4008 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
19:59:30.0093 4008 NetBIOS - ok
19:59:30.0125 4008 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
19:59:30.0125 4008 NetBT - ok
19:59:30.0296 4008 Netdevio (1265eb253ed4ebe4acb3bd5f548ff796) C:\WINDOWS\system32\DRIVERS\netdevio.sys
19:59:30.0296 4008 Netdevio - ok
19:59:30.0468 4008 NETw3x32 (f886500c285af271fdd33bf8ba7b32ef) C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
19:59:30.0515 4008 NETw3x32 - ok
19:59:30.0703 4008 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
19:59:30.0718 4008 NIC1394 - ok
19:59:30.0750 4008 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
19:59:30.0750 4008 Npfs - ok
19:59:30.0812 4008 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
19:59:30.0828 4008 Ntfs - ok
19:59:30.0859 4008 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
19:59:30.0859 4008 Null - ok
19:59:30.0906 4008 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:59:30.0906 4008 NwlnkFlt - ok
19:59:30.0937 4008 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:59:30.0937 4008 NwlnkFwd - ok
19:59:31.0031 4008 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
19:59:31.0031 4008 ohci1394 - ok
19:59:31.0140 4008 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
19:59:31.0140 4008 Parport - ok
19:59:31.0156 4008 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
19:59:31.0156 4008 PartMgr - ok
19:59:31.0203 4008 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
19:59:31.0203 4008 ParVdm - ok
19:59:31.0234 4008 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
19:59:31.0234 4008 PCI - ok
19:59:31.0250 4008 PCIDump - ok
19:59:31.0265 4008 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
19:59:31.0265 4008 PCIIde - ok
19:59:31.0328 4008 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
19:59:31.0328 4008 Pcmcia - ok
19:59:31.0343 4008 PDCOMP - ok
19:59:31.0375 4008 PDFRAME - ok
19:59:31.0390 4008 PDRELI - ok
19:59:31.0406 4008 PDRFRAME - ok
19:59:31.0437 4008 perc2 - ok
19:59:31.0453 4008 perc2hib - ok
19:59:31.0500 4008 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys
19:59:31.0500 4008 Pfc - ok
19:59:31.0562 4008 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
19:59:31.0562 4008 PptpMiniport - ok
19:59:31.0593 4008 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
19:59:31.0593 4008 PSched - ok
19:59:31.0609 4008 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
19:59:31.0625 4008 Ptilink - ok
19:59:31.0640 4008 PxHelp20 - ok
19:59:31.0656 4008 ql1080 - ok
19:59:31.0687 4008 Ql10wnt - ok
19:59:31.0703 4008 ql12160 - ok
19:59:31.0718 4008 ql1240 - ok
19:59:31.0750 4008 ql1280 - ok
19:59:31.0796 4008 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
19:59:31.0796 4008 RasAcd - ok
19:59:31.0921 4008 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:59:31.0921 4008 Rasl2tp - ok
19:59:32.0015 4008 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:59:32.0015 4008 RasPppoe - ok
19:59:32.0031 4008 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
19:59:32.0031 4008 Raspti - ok
19:59:32.0093 4008 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
19:59:32.0093 4008 Rdbss - ok
19:59:32.0109 4008 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
19:59:32.0109 4008 RDPCDD - ok
19:59:32.0171 4008 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
19:59:32.0171 4008 rdpdr - ok
19:59:32.0218 4008 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
19:59:32.0234 4008 RDPWD - ok
19:59:32.0281 4008 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
19:59:32.0281 4008 redbook - ok
19:59:32.0359 4008 rootrepeal - ok
19:59:32.0500 4008 RTLE8023xp (0e74171ee80a8640de564b72dbbb397b) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
19:59:32.0500 4008 RTLE8023xp - ok
19:59:32.0578 4008 s24trans (d4661148e44816b6501be8f4466d65b0) C:\WINDOWS\system32\DRIVERS\s24trans.sys
19:59:32.0578 4008 s24trans - ok
19:59:32.0671 4008 SASKUTIL - ok
19:59:32.0781 4008 SAVRT (12b6e269ef8ac8ea36122544c8a1b6d8) C:\Program Files\Symantec AntiVirus\savrt.sys
19:59:32.0796 4008 SAVRT - ok
19:59:32.0812 4008 SAVRTPEL (97e5b6f3f95465e1f59360b59d8ec64e) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
19:59:32.0812 4008 SAVRTPEL - ok
19:59:33.0015 4008 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
19:59:33.0015 4008 sdbus - ok
19:59:33.0078 4008 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
19:59:33.0078 4008 Secdrv - ok
19:59:33.0140 4008 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
19:59:33.0140 4008 Serial - ok
19:59:33.0187 4008 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
19:59:33.0187 4008 Sfloppy - ok
19:59:33.0218 4008 Simbad - ok
19:59:33.0250 4008 Sparrow - ok
19:59:33.0468 4008 SPBBCDrv (677b10906838d3bfb1c07ac9087e4bf7) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
19:59:33.0484 4008 SPBBCDrv - ok
19:59:33.0703 4008 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
19:59:33.0703 4008 splitter - ok
19:59:33.0765 4008 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
19:59:33.0781 4008 sr - ok
19:59:33.0859 4008 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
19:59:33.0875 4008 Srv - ok
19:59:33.0890 4008 SVRPEDRV - ok
19:59:33.0953 4008 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
19:59:33.0953 4008 swenum - ok
19:59:33.0984 4008 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
19:59:33.0984 4008 swmidi - ok
19:59:34.0171 4008 symc810 - ok
19:59:34.0187 4008 symc8xx - ok
19:59:34.0281 4008 SymEvent (de6d1102d55926354171ae4e73936725) C:\Program Files\Symantec\SYMEVENT.SYS
19:59:34.0296 4008 SymEvent - ok
19:59:34.0343 4008 SYMREDRV (6c0a85982f4e0d672b85a2bfb50a24b5) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
19:59:34.0343 4008 SYMREDRV - ok
19:59:34.0406 4008 SYMTDI (cdda3ba3f7d5b63ff9f85cb478c11473) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
19:59:34.0406 4008 SYMTDI - ok
19:59:34.0421 4008 sym_hi - ok
19:59:34.0437 4008 sym_u3 - ok
19:59:34.0484 4008 SynTP (a6cc8c28d5aad4179ef32f05bed55e91) C:\WINDOWS\system32\DRIVERS\SynTP.sys
19:59:34.0484 4008 SynTP - ok
19:59:34.0671 4008 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
19:59:34.0671 4008 sysaudio - ok
19:59:34.0750 4008 tapvpn (27a2c318cd28cfb3eb2200fd96af1e58) C:\WINDOWS\system32\DRIVERS\tapvpn.sys
19:59:34.0750 4008 tapvpn - ok
19:59:34.0812 4008 tbiosdrv (7147b0575bcc93a6ab7d5c90f47c0b9f) C:\WINDOWS\system32\DRIVERS\tbiosdrv.sys
19:59:34.0812 4008 tbiosdrv - ok
19:59:34.0890 4008 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:59:34.0890 4008 Tcpip - ok
19:59:34.0937 4008 TcUsb (fc6fe02f400308606a911640e72326b5) C:\WINDOWS\system32\Drivers\tcusb.sys
19:59:34.0937 4008 TcUsb - ok
19:59:35.0109 4008 tdcmdpst (cc1d7bc6a3632c55ee6d8877e9b936f3) C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys
19:59:35.0109 4008 tdcmdpst - ok
19:59:35.0156 4008 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
19:59:35.0156 4008 TDPIPE - ok
19:59:35.0187 4008 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
19:59:35.0187 4008 TDTCP - ok
19:59:35.0234 4008 tdudf (09aa3cf863793f92276b39e74878c386) C:\WINDOWS\system32\DRIVERS\tdudf.sys
19:59:35.0234 4008 tdudf - ok
19:59:35.0265 4008 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
19:59:35.0265 4008 TermDD - ok
19:59:35.0312 4008 TosIde - ok
19:59:35.0359 4008 tosrfec (cc069342ee0eae55b32a0ae99cf6185c) C:\WINDOWS\system32\DRIVERS\tosrfec.sys
19:59:35.0359 4008 tosrfec - ok
19:59:35.0468 4008 TVALD (676db15ddf2e0ff6ec03068dea428b8b) C:\WINDOWS\system32\DRIVERS\NBSMI.sys
19:59:35.0468 4008 TVALD - ok
19:59:35.0578 4008 Tvs (546dfba6486569120d33f7ad6e94efdd) C:\WINDOWS\system32\DRIVERS\Tvs.sys
19:59:35.0578 4008 Tvs - ok
19:59:35.0609 4008 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
19:59:35.0609 4008 Udfs - ok
19:59:35.0640 4008 ultra - ok
19:59:35.0703 4008 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
19:59:35.0718 4008 Update - ok
19:59:35.0781 4008 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
19:59:35.0781 4008 usbccgp - ok
19:59:35.0828 4008 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
19:59:35.0828 4008 usbehci - ok
19:59:35.0937 4008 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
19:59:35.0953 4008 usbhub - ok
19:59:36.0046 4008 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:59:36.0046 4008 USBSTOR - ok
19:59:36.0062 4008 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
19:59:36.0078 4008 usbuhci - ok
19:59:36.0093 4008 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
19:59:36.0109 4008 VgaSave - ok
19:59:36.0125 4008 ViaIde - ok
19:59:36.0156 4008 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
19:59:36.0156 4008 VolSnap - ok
19:59:36.0234 4008 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
19:59:36.0234 4008 Wanarp - ok
19:59:36.0281 4008 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
19:59:36.0296 4008 wanatw - ok
19:59:36.0359 4008 WDICA - ok
19:59:36.0421 4008 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
19:59:36.0421 4008 wdmaud - ok
19:59:36.0578 4008 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
19:59:36.0593 4008 WudfPf - ok
19:59:36.0625 4008 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
19:59:36.0625 4008 WudfRd - ok
19:59:36.0671 4008 MBR (0x1B8) (09ce7397af23d4c0b331b89d0297cc7e) \Device\Harddisk0\DR0
19:59:36.0859 4008 \Device\Harddisk0\DR0 - ok
19:59:36.0859 4008 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR5
19:59:39.0078 4008 \Device\Harddisk1\DR5 - ok
19:59:39.0109 4008 Boot (0x1200) (a6592f2a48b0a281db0e2bf06cea5495) \Device\Harddisk0\DR0\Partition0
19:59:39.0125 4008 \Device\Harddisk0\DR0\Partition0 - ok
19:59:39.0125 4008 Boot (0x1200) (56cfa743a1b19f4b03ac733e65037a92) \Device\Harddisk1\DR5\Partition0
19:59:39.0125 4008 \Device\Harddisk1\DR5\Partition0 - ok
19:59:39.0125 4008 ============================================================
19:59:39.0125 4008 Scan finished
19:59:39.0125 4008 ============================================================
19:59:39.0156 3848 Detected object count: 2
19:59:39.0156 3848 Actual detected object count: 2
20:09:12.0437 3848 HKLM\SYSTEM\ControlSet003\services\922a6d98 - will be deleted on reboot
20:09:12.0437 3848 HKLM\SYSTEM\ControlSet004\services\922a6d98 - will be deleted on reboot
20:09:12.0453 3848 C:\WINDOWS\2557291154:1842713191.exe - will be deleted on reboot
20:09:12.0453 3848 922a6d98 ( Rootkit.Win32.PMax.gen ) - User select action: Delete
20:09:14.0218 3848 Backup copy found, using it..
20:09:14.0234 3848 C:\WINDOWS\system32\DRIVERS\cdrom.sys - will be cured on reboot
20:09:16.0656 3848 C:\WINDOWS\system32\c_32350.nls - will be deleted on reboot
20:09:18.0546 3848 Cdrom ( Rootkit.Win32.ZAccess.c ) - User select action: Cure
20:10:20.0406 3900 Deinitialize success


#17
papa_A_D

Ok, here is the log for aswMBR:

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-11 20:28:14
-----------------------------
20:28:14.859 OS Version: Windows 5.1.2600 Service Pack 3
20:28:14.859 Number of processors: 2 586 0xE08
20:28:14.859 ComputerName: WALLSTREAT UserName: Hemphill
20:28:15.531 Initialize success
20:28:43.828 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:28:43.828 Disk 0 Vendor: TOSHIBA_MK8032GSX AS112M Size: 76319MB BusType: 3
20:28:45.875 Disk 0 MBR read successfully
20:28:45.890 Disk 0 MBR scan
20:28:45.890 Disk 0 Windows XP default MBR code
20:28:45.906 Disk 0 scanning sectors +156296385
20:28:45.968 Disk 0 scanning C:\WINDOWS\system32\drivers
20:28:54.187 Service scanning
20:28:55.859 Modules scanning
20:29:02.578 Disk 0 trace - called modules:
20:29:02.609 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
20:29:02.625 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82f4a730]
20:29:02.625 3 CLASSPNP.SYS[f85a3fd7] -> nt!IofCallDriver -> \Device\00000088[0x82fd0360]
20:29:02.640 5 ACPI.sys[f84e4620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82fd0478]
20:29:02.656 Scan finished successfully
20:29:46.031 Disk 0 MBR has been saved successfully to "C:\Temp\aswMBR\MBR.dat"
20:29:46.046 The log file has been saved successfully to "C:\Temp\aswMBR\aswMBR.txt"






#18
papa_A_D

Here is the MBRCheck log:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 146):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x80700000 \WINDOWS\system32\hal.dll
0xF8A43000 \WINDOWS\system32\KDCOM.DLL
0xF8953000 \WINDOWS\system32\BOOTVID.dll
0xF850C000 26427855.sys
0xF84DE000 ACPI.sys
0xF8A45000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF84CD000 pci.sys
0xF8543000 isapnp.sys
0xF8553000 ohci1394.sys
0xF8563000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF8957000 compbatt.sys
0xF895B000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF8B0B000 pciide.sys
0xF87C3000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF84AF000 pcmcia.sys
0xF8573000 MountMgr.sys
0xF8490000 ftdisk.sys
0xF8A47000 dmload.sys
0xF846A000 dmio.sys
0xF895F000 ACPIEC.sys
0xF8B0C000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF87CB000 PartMgr.sys
0xF8583000 VolSnap.sys
0xF8452000 atapi.sys
0xF8593000 disk.sys
0xF85A3000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF8432000 fltmgr.sys
0xF8420000 sr.sys
0xF8409000 KSecDD.sys
0xF837C000 Ntfs.sys
0xF834F000 NDIS.sys
0xF8335000 Mup.sys
0xF7BD2000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF8A3F000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF7A95000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF7A81000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7A59000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF7A45000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
0xF78A4000 \SystemRoot\system32\DRIVERS\NETw3x32.sys
0xF888B000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF7880000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF8893000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7BC2000 \SystemRoot\system32\DRIVERS\EMS7SK.sys
0xF786C000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xF7859000 \SystemRoot\system32\DRIVERS\ESM7SK.sys
0xF7BB2000 \SystemRoot\system32\DRIVERS\ESD7SK.sys
0xF85C3000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF85D3000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF830D000 \SystemRoot\system32\DRIVERS\L8042Kbd.sys
0xF88A3000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF782A000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF8A67000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF88AB000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF8309000 \SystemRoot\system32\DRIVERS\tdcmdpst.sys
0xF85E3000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF88B3000 \SystemRoot\system32\drivers\iviaspi.sys
0xF8305000 \SystemRoot\system32\drivers\pfc.sys
0xF85F3000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF88BB000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF8B42000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7807000 \SystemRoot\system32\DRIVERS\ks.sys
0xF86A3000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF82F1000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF77F0000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF86B3000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF86C3000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF8933000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF77DF000 \SystemRoot\system32\DRIVERS\psched.sys
0xF86D3000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF893B000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF8943000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF77AF000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF86E3000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF8A6B000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF7751000 \SystemRoot\system32\DRIVERS\update.sys
0xF7D77000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7D73000 \SystemRoot\system32\DRIVERS\tbiosdrv.sys
0xF8A6D000 \SystemRoot\system32\DRIVERS\NBSMI.sys
0xF86F3000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA9CB7000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xA9C93000 \SystemRoot\system32\drivers\portcls.sys
0xF8713000 \SystemRoot\system32\drivers\drmk.sys
0xF8723000 \SystemRoot\system32\DRIVERS\Tvs.sys
0xF87DB000 \SystemRoot\system32\DRIVERS\tsxt_kern_i386.sys
0xF8803000 \SystemRoot\system32\DRIVERS\wowhd_kern_i386.sys
0xF8733000 \SystemRoot\system32\DRIVERS\csiidecoder_kern_i386.sys
0xA9B78000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xF880B000 \SystemRoot\System32\Drivers\Modem.SYS
0xF87A3000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xA95C3000 \??\C:\Program Files\Symantec\SYMEVENT.SYS
0xA95AF000 \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys
0xF8AAF000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF8C6F000 \SystemRoot\System32\Drivers\Null.SYS
0xF8AB1000 \SystemRoot\System32\Drivers\Beep.SYS
0xF88FB000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF8AB3000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8AB5000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA9562000 \SystemRoot\System32\Drivers\meiudf.sys
0xA9551000 \SystemRoot\System32\Drivers\Udfs.SYS
0xF890B000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF8903000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF76F4000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA94C6000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA946D000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA9432000 \SystemRoot\System32\Drivers\SYMTDI.SYS
0xA940C000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA93E4000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA9891000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA93C2000 \SystemRoot\System32\drivers\afd.sys
0xA9798000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xA9788000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA92F7000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA9287000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA9768000 \SystemRoot\System32\Drivers\Fips.SYS
0xA9229000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xA920B000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xA9B74000 \SystemRoot\System32\Drivers\ASPI32.SYS
0xA91E7000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA91CF000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF8A65000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA94E5000 \SystemRoot\System32\drivers\Dxapi.sys
0xF88E3000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8C17000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF021000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF043000 \SystemRoot\System32\ialmdev5.DLL
0xBF07E000 \SystemRoot\System32\ialmdd5.DLL
0xBF16E000 \SystemRoot\System32\ATMFD.DLL
0xA9116000 \SystemRoot\system32\DRIVERS\tdudf.sys
0xA9342000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA9509000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xA9163000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xA9102000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA90FE000 \SystemRoot\system32\DRIVERS\netdevio.sys
0xA8D51000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA8C4C000 \SystemRoot\system32\drivers\wdmaud.sys
0xA8FB6000 \SystemRoot\system32\drivers\sysaudio.sys
0xA89FD000 \SystemRoot\System32\Drivers\HTTP.sys
0xA88B5000 \SystemRoot\system32\DRIVERS\srv.sys
0xA81AA000 \SystemRoot\system32\drivers\kmixer.sys
0xA8BB9000 \??\C:\DOCUME~1\Hemphill\LOCALS~1\Temp\aswMBR.sys
0xF8923000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 42):
0 System Idle Process
4 System
832 C:\WINDOWS\system32\smss.exe
896 csrss.exe
932 C:\WINDOWS\system32\winlogon.exe
976 C:\WINDOWS\system32\services.exe
988 C:\WINDOWS\system32\lsass.exe
1156 C:\WINDOWS\system32\svchost.exe
1224 svchost.exe
1264 C:\WINDOWS\system32\svchost.exe
1328 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
1464 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
1540 svchost.exe
1660 svchost.exe
1876 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
1944 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
2020 C:\WINDOWS\explorer.exe
468 C:\WINDOWS\system32\spoolsv.exe
548 C:\WINDOWS\system32\acs.exe
600 svchost.exe
640 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
656 C:\Program Files\Bonjour\mDNSResponder.exe
676 C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
704 C:\Program Files\Symantec AntiVirus\DefWatch.exe
728 C:\WINDOWS\system32\DVDRAMSV.exe
748 C:\WINDOWS\ehome\ehrecvr.exe
856 C:\WINDOWS\ehome\ehSched.exe
1528 C:\WINDOWS\system32\inetsrv\inetinfo.exe
1588 C:\WINDOWS\system32\PSIService.exe
1616 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
1844 C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
2064 C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
2128 C:\WINDOWS\system32\TODDSrv.exe
2776 C:\WINDOWS\system32\dllhost.exe
2976 alg.exe
3172 C:\Program Files\TOSHIBA\TOSHIBA Applet\THotkey.exe
3276 C:\WINDOWS\system32\ctfmon.exe
3288 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
3324 C:\WINDOWS\system32\RAMASST.exe
4084 C:\WINDOWS\system32\wscntfy.exe
4048 C:\WINDOWS\system32\svchost.exe
3920 C:\Temp\MBRCheck\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: TOSHIBAMK8032GSX, Rev: AS112M

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: 31D100779DE502702C374F7C15687B56FCFD5528


Done!


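The MBRCheck listing in the post above is long enough that the entries worth a second look are easy to miss. The script below is an added example for this thread, not part of MBRCheck or of any post here. It parses the two text sections MBRCheck prints (kernel modules with load addresses, then "Processes (total N):") and reports what a responder checks first when a kernel-mode infection is suspected: drivers loaded by absolute `\??\C:\...` path rather than from under \SystemRoot, drivers loaded from a user Temp directory, processes MBRCheck could not resolve to an image path, and core Windows binaries running from anywhere but system32. The sample text is a constructed excerpt in MBRCheck's layout whose entries are copied from the listing above; the set of core image names and the assumption that %SystemRoot% is C:\WINDOWS are the example's own.

```python
"""Triage an MBRCheck kernel-module and process listing.

Added example for this thread: it is not part of MBRCheck or of any post here.
It parses the two text sections MBRCheck prints (modules with load addresses,
then "Processes (total N):") and reports the entries a responder checks first
when a kernel-mode infection is suspected.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in MBRCheck's layout; each entry is copied from the
# listing posted above, cut down to a few lines.
SAMPLE_LOG = r"""
0xF8923000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xA95C3000 \??\C:\Program Files\Symantec\SYMEVENT.SYS
0xA8BB9000 \??\C:\DOCUME~1\Hemphill\LOCALS~1\Temp\aswMBR.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 6):
0 System Idle Process
4 System
832 C:\WINDOWS\system32\smss.exe
896 csrss.exe
1224 svchost.exe
3920 C:\Temp\MBRCheck\MBRCheck.exe
"""

DRIVER_RE = re.compile(r"^0x[0-9A-Fa-f]{8}\s+(\S.*)$")
PROCESS_RE = re.compile(r"^(\d+)\s+(\S.*)$")
PROCESS_HEADER_RE = re.compile(r"^Processes \(total \d+\):")

# Path prefixes MBRCheck prints for modules loaded from the Windows tree;
# anything else (typically "\??\C:\...") was loaded by absolute path.
SYSTEM_PREFIXES = ("\\systemroot\\", "\\windows\\")
TEMP_MARKER = "\\temp\\"
# Core Windows XP processes that run only from %SystemRoot%\system32.
# Assumption for this example: %SystemRoot% is C:\WINDOWS, as in the listing.
CORE_IMAGES = {"smss.exe", "csrss.exe", "winlogon.exe",
               "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32 = "c:\\windows\\system32\\"


def parse_listing(text: str) -> Tuple[List[str], List[Tuple[int, str]]]:
    """Split MBRCheck output into module paths and (pid, image) pairs."""
    drivers: List[str] = []
    processes: List[Tuple[int, str]] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PROCESS_HEADER_RE.match(line):
            in_processes = True
            continue
        match = (PROCESS_RE if in_processes else DRIVER_RE).match(line)
        if not match:
            continue
        if in_processes:
            processes.append((int(match.group(1)), match.group(2)))
        else:
            drivers.append(match.group(1))
    return drivers, processes


def triage(text: str) -> Dict[str, object]:
    """Return the parsed sections plus a list of (kind, detail) findings."""
    drivers, processes = parse_listing(text)
    findings: List[Tuple[str, str]] = []

    for path in drivers:
        low = path.lower()
        if TEMP_MARKER in low:
            # A kernel driver under a user Temp directory is either a scanner
            # the responder just ran or something that should not be there.
            findings.append(("driver_from_temp", path))
        elif not low.startswith(SYSTEM_PREFIXES):
            findings.append(("driver_outside_systemroot", path))

    for pid, image in processes:
        if pid in (0, 4):  # Idle and System have no image file to check
            continue
        low = image.lower()
        if "\\" not in low:
            # MBRCheck prints a bare name when it could not open the process;
            # normal for protected system processes, but each one still has to
            # be matched against its expected system32 image by hand.
            findings.append(("process_no_path", f"{pid} {image}"))
        elif low.rsplit("\\", 1)[1] in CORE_IMAGES and not low.startswith(SYSTEM32):
            findings.append(("core_image_outside_system32", f"{pid} {image}"))

    return {"drivers": drivers, "processes": processes, "findings": findings}


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG)["findings"]:
        print(f"{kind:28s} {detail}")
```

Run against the full listing above, the only Temp-loaded driver is aswMBR.sys, which is the driver the aswMBR scanner drops while it runs, and the absolute-path drivers are all Symantec components; a flag is a prompt to verify, not a verdict, and the responder's own tools have to be accounted for first. The bare-name processes (csrss.exe, several svchost.exe, alg.exe) are what MBRCheck prints when it lacks rights to open a protected process, which is why the script lists them rather than suppressing them. The MBR itself is reported as standard Windows XP boot code; the SHA1 MBRCheck prints is the value a known-good-hash comparison would use.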

#19
maliprog (Trusted Helper, Malware Removal)
How is your system now? Problems?

Download Virus Removal Tool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan

Click the cog in the upper right

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan

Allow Virus Removal Tool to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press the Save button
Save it to your desktop and attach to your next post

#20
papa_A_D (Topic Starter)
I'm still using a HOST computer...my computer still won't pull up any webpages - it's just the IE window on the screen with no graphics at all inside the window, only the border and toolbars. Wireless network connection appears to be just perfect. I will try and transfer this scan to my computer and run it. Can you solve this? What kinda virus is this?

#21
papa_A_D (Topic Starter)
This log is from Kaspersky Virus Removal Tool. Still no IE webpages...


Status: Deleted (events: 175)
12/12/2011 3:48:16 PM Deleted Trojan program Backdoor.Win32.ZAccess.ob C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ11.tmp High
12/12/2011 3:48:19 PM Deleted adware not-a-virus:AdWare.Win32.SuperJuan.fqi C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01880000\49DEA92F.VBN Medium
12/12/2011 3:48:19 PM Deleted adware not-a-virus:AdWare.Win32.SuperJuan.fqi C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01880000\49DEA92F.VBN//CryptZ Medium
12/12/2011 3:48:17 PM Deleted Trojan program Trojan-Spy.Win32.Agent.bkgb C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07880000\4FFC6C6F.VBN High
12/12/2011 3:48:17 PM Deleted Trojan program Trojan-Spy.Win32.Agent.bkgb C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07880000\4FFC6C6F.VBN//CryptZ High
12/12/2011 3:48:33 PM Deleted Trojan program Trojan.JS.Fraud.a C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C4000B\47DC09F3.VBN High
12/12/2011 3:48:33 PM Deleted Trojan program Trojan.JS.Fraud.a C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C4000B\47DC09F3.VBN//CryptZ High
12/12/2011 3:48:33 PM Deleted Trojan program Packed.Win32.Krap.hc C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07E80009\4FFF3746.VBN High
12/12/2011 3:48:33 PM Deleted Trojan program Packed.Win32.Krap.hc C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07E80009\4FFF3746.VBN//CryptZ High
12/12/2011 3:48:34 PM Deleted Trojan program Packed.Win32.Krap.hc C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07E80008\4FFF31E1.VBN High
12/12/2011 3:48:34 PM Deleted Trojan program Packed.Win32.Krap.hc C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07E80008\4FFF31E1.VBN//CryptZ High
12/12/2011 3:48:48 PM Deleted Trojan program Trojan-Downloader.WMA.Wimad.ag C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\087C0000\497F8BA7.VBN High
12/12/2011 3:48:48 PM Deleted Trojan program Trojan-Downloader.WMA.Wimad.ag C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\087C0000\497F8BA7.VBN//CryptZ High
12/12/2011 3:48:52 PM Deleted Trojan program Trojan-Downloader.WMA.Wimad.ag C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\087C0002\497F8FC0.VBN High
12/12/2011 3:48:52 PM Deleted Trojan program Trojan-Downloader.WMA.Wimad.ag C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\087C0002\497F8FC0.VBN//CryptZ High
12/12/2011 3:48:59 PM Deleted Trojan program Trojan-Downloader.WMA.Wimad.ag C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\087C0001\497F8F2C.VBN High
12/12/2011 3:48:59 PM Deleted Trojan program Trojan-Downloader.WMA.Wimad.ag C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\087C0001\497F8F2C.VBN//CryptZ High
12/12/2011 3:49:03 PM Deleted Trojan program Trojan-Downloader.WMA.Wimad.ag C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\087C0003\497FBCD5.VBN High
12/12/2011 3:49:03 PM Deleted Trojan program Trojan-Downloader.WMA.Wimad.ag C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\087C0003\497FBCD5.VBN//CryptZ High
12/12/2011 3:49:09 PM Deleted Trojan program Backdoor.Win32.Papras.agy C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08940000\4DF720C4.VBN High
12/12/2011 3:49:09 PM Deleted Trojan program Backdoor.Win32.Papras.agy C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08940000\4DF720C4.VBN//CryptZ High
12/12/2011 3:49:09 PM Deleted Trojan program Trojan.Win32.Jorik.Prun.h C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A280000\4B7D3C36.VBN High
12/12/2011 3:49:09 PM Deleted Trojan program Trojan.Win32.Jorik.Prun.h C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A280000\4B7D3C36.VBN//CryptZ High
12/12/2011 3:49:09 PM Deleted Trojan program Trojan.Win32.Jorik.Prun.h C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A280000\4B7D3C36.VBN//CryptZ//PE_Patch.PECompact High
12/12/2011 3:49:09 PM Deleted Trojan program Trojan.Win32.Jorik.Prun.h C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A280000\4B7D3C36.VBN//CryptZ//PE_Patch.PECompact//PecBundle High
12/12/2011 3:49:09 PM Deleted Trojan program Trojan.Win32.Jorik.Prun.h C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A280000\4B7D3C36.VBN//CryptZ//PE_Patch.PECompact//PecBundle//PECompact High
12/12/2011 3:49:08 PM Deleted adware not-a-virus:AdWare.Win32.SuperJuan.fqi C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A280001\4B7D3C8C.VBN Medium
12/12/2011 3:49:08 PM Deleted adware not-a-virus:AdWare.Win32.SuperJuan.fqi C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A280001\4B7D3C8C.VBN//CryptZ Medium
12/12/2011 3:49:16 PM Deleted adware not-a-virus:AdWare.Win32.SuperJuan.fqi C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A280002\4B7D4172.VBN Medium
12/12/2011 3:49:16 PM Deleted adware not-a-virus:AdWare.Win32.SuperJuan.fqi C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A280002\4B7D4172.VBN//CryptZ Medium
12/12/2011 3:49:17 PM Deleted Trojan program Rootkit.Win32.Podnuha.y C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C980000\4FDA424A.VBN High
12/12/2011 3:49:17 PM Deleted Trojan program Rootkit.Win32.Podnuha.y C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C980000\4FDA424A.VBN//CryptZ High
12/12/2011 3:49:48 PM Deleted virus HEUR:Trojan.Script.Generic C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D640000\4D7D5BE9.VBN High
12/12/2011 3:49:48 PM Deleted virus HEUR:Trojan.Script.Generic C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D640000\4D7D5BE9.VBN//CryptZ High
12/12/2011 3:49:49 PM Deleted virus HEUR:Trojan-Downloader.Script.Generic C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E140000\4E3F0FFD.VBN High
12/12/2011 3:49:49 PM Deleted virus HEUR:Trojan-Downloader.Script.Generic C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E140000\4E3F0FFD.VBN//CryptZ High
12/12/2011 3:49:56 PM Deleted Trojan program Trojan-Downloader.WMA.Wimad.ag C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F6C0000\4F6EC110.VBN High
12/12/2011 3:49:56 PM Deleted Trojan program Trojan-Downloader.WMA.Wimad.ag C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F6C0000\4F6EC110.VBN//CryptZ High
12/12/2011 3:50:12 PM Deleted Trojan program Trojan-Downloader.WMA.Wimad.ag C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F6C0001\4F6EC256.VBN High
12/12/2011 3:50:12 PM Deleted Trojan program Trojan-Downloader.WMA.Wimad.ag C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F6C0001\4F6EC256.VBN//CryptZ High
12/12/2011 3:58:45 PM Deleted Trojan program Backdoor.Win32.ZAccess.auj C:\Documents and Settings\Hemphill\Local Settings\Application Data\922a6d98\U\[email protected] High
12/12/2011 3:58:46 PM Deleted virus HEUR:Trojan.Win32.Generic C:\Documents and Settings\Hemphill\Local Settings\Application Data\922a6d98\X High
12/12/2011 4:05:16 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\391V3BOQ\afr[2].htm High
12/12/2011 4:05:23 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\391V3BOQ\afr[1].htm High
12/12/2011 4:05:22 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CMK9S2JD\ajs[10].php High
12/12/2011 4:05:24 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CMK9S2JD\ajs[9].php High
12/12/2011 4:06:02 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CSEJQB2M\afr[2].htm High
12/12/2011 4:06:02 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CSEJQB2M\afr[1].htm High
12/12/2011 4:06:02 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CSEJQB2M\afr[3].htm High
12/12/2011 4:10:17 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NN6K39WH\ajsCAX9GC8U.php High
12/12/2011 4:10:48 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\T54IK381\afr[1].htm High
12/12/2011 4:10:49 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\T54IK381\afr[2].htm High
12/12/2011 4:10:49 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\T54IK381\ajs[2].php High
12/12/2011 4:11:17 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\TA62WE0X\ajs[6].php High
12/12/2011 4:11:17 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\TA62WE0X\ajs[5].php High
12/12/2011 4:12:59 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WZ4QY2KP\ajs[8].php High
12/12/2011 4:13:00 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WZ4QY2KP\ajs[9].php High
12/12/2011 4:13:51 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9RXFDB00\ajsCA4N4Y8Q.php High
12/12/2011 4:13:54 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9RXFDB00\ajsCAH2QZES.php High
12/12/2011 4:13:55 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9RXFDB00\ajsCAIL0NHU.php High
12/12/2011 4:14:42 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9RXFDB00\ajsCALSR8CA.php High
12/12/2011 4:14:43 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9RXFDB00\ajsCAUJ7DJB.php High
12/12/2011 4:14:49 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9RXFDB00\ajsCAXRKV6O.php High
12/12/2011 4:14:50 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9RXFDB00\ajsCAYI8CMJ.php High
12/12/2011 4:14:52 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9RXFDB00\ajsCAZ89E75.php High
12/12/2011 4:14:54 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9RXFDB00\ajs[1].php High
12/12/2011 4:16:54 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\DNXDVHMB\ajsCA1B601U.php High
12/12/2011 4:17:00 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\DNXDVHMB\ajsCA0ML5GO.php High
12/12/2011 4:17:00 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\DNXDVHMB\ajsCA38JPP7.php High
12/12/2011 4:17:02 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\DNXDVHMB\ajsCA66JX4D.php High
12/12/2011 4:17:08 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\DNXDVHMB\ajsCA6I7XUX.php High
12/12/2011 4:17:09 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\DNXDVHMB\ajsCADJTIAC.php High
12/12/2011 4:17:10 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\DNXDVHMB\ajsCADD8I1Z.php High
12/12/2011 4:17:16 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\DNXDVHMB\ajsCAJ8A2SQ.php High
12/12/2011 4:17:17 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\DNXDVHMB\ajsCAJTVZ3R.php High
12/12/2011 4:17:18 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\DNXDVHMB\ajsCAP1J8MS.php High
12/12/2011 4:17:25 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\DNXDVHMB\ajsCAQ6PIX9.php High
12/12/2011 4:17:26 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\DNXDVHMB\ajsCAY9ZZH7.php High
12/12/2011 4:18:40 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JQKTOF0K\ajsCA121XDD.php High
12/12/2011 4:18:49 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JQKTOF0K\ajsCA14D8TT.php High
12/12/2011 4:18:50 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JQKTOF0K\ajsCA24LR92.php High
12/12/2011 4:18:51 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JQKTOF0K\ajsCA25LXI0.php High
12/12/2011 4:18:59 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JQKTOF0K\ajsCA8RP583.php High
12/12/2011 4:19:02 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JQKTOF0K\ajsCAE2P5T2.php High
12/12/2011 4:19:04 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JQKTOF0K\ajsCAG10BPK.php High
12/12/2011 4:19:09 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JQKTOF0K\ajsCAJN1EMR.php High
12/12/2011 4:19:36 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JQKTOF0K\ajsCAPJ7687.php High
12/12/2011 4:19:38 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JQKTOF0K\ajsCAR8ILE9.php High
12/12/2011 4:19:40 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JQKTOF0K\ajsCAT0FEYU.php High
12/12/2011 4:20:12 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JQKTOF0K\ajsCAVY0L7I.php High
12/12/2011 4:20:16 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JQKTOF0K\ajs[1].php High
12/12/2011 4:20:14 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JQKTOF0K\ajs[2].php High
12/12/2011 4:21:01 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OJVFG55K\ajsCA8ZM9T1.php High
12/12/2011 4:21:01 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OJVFG55K\ajsCAA4M361.php High
12/12/2011 4:21:04 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OJVFG55K\ajsCA8MQNFI.php High
12/12/2011 4:21:13 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OJVFG55K\ajsCAODW4DM.php High
12/12/2011 4:21:44 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OJVFG55K\ajsCAQBV9RZ.php High
12/12/2011 4:21:49 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OJVFG55K\ajsCAX3R6KH.php High
12/12/2011 4:21:50 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OJVFG55K\ajsCAX5W3KH.php High
12/12/2011 4:21:50 PM Deleted virus HEUR:Trojan.Script.Iframer C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OJVFG55K\ajs[1].php High
12/12/2011 4:27:57 PM Deleted Trojan program Trojan.Win32.Patched.mf C:\Program Files\Google\Google Updater\GoogleUpdater.exe High
12/12/2011 4:35:48 PM Deleted Trojan program Trojan.Win32.Patched.mf C:\Program Files\QuickTime\QTTask.exe High
12/12/2011 4:47:04 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1224\A0156535.sys High
12/12/2011 4:47:07 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1225\A0156561.sys High
12/12/2011 4:47:05 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1225\A0156624.sys High
12/12/2011 4:48:47 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1225\A0156645.sys High
12/12/2011 4:48:48 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1225\A0156671.sys High
12/12/2011 4:51:46 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1226\A0156697.sys High
12/12/2011 4:52:17 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1226\A0156707.sys High
12/12/2011 4:52:17 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1226\A0156716.sys High
12/12/2011 4:52:18 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1226\A0157716.sys High
12/12/2011 4:57:59 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1226\A0157729.sys High
12/12/2011 4:58:06 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1229\A0157738.sys High
12/12/2011 4:58:05 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1229\A0157742.sys High
12/12/2011 4:58:07 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1229\A0157748.sys High
12/12/2011 4:58:42 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1229\A0157757.sys High
12/12/2011 4:58:37 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1229\A0158757.sys High
12/12/2011 4:58:46 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1229\A0159757.sys High
12/12/2011 4:58:47 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1229\A0159765.sys High
12/12/2011 4:58:51 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1231\A0159790.sys High
12/12/2011 4:59:57 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1232\A0159807.sys High
12/12/2011 5:00:01 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1233\A0159829.sys High
12/12/2011 5:00:02 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1233\A0159833.sys High
12/12/2011 5:00:03 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1233\A0160833.sys High
12/12/2011 5:00:08 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1233\A0161833.sys High
12/12/2011 5:00:09 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1233\A0162833.sys High
12/12/2011 5:00:20 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1235\A0162842.sys High
12/12/2011 5:00:21 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1235\A0162866.sys High
12/12/2011 5:00:25 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1235\A0162878.sys High
12/12/2011 5:00:27 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1235\A0162887.sys High
12/12/2011 5:00:26 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1235\A0162896.sys High
12/12/2011 5:00:40 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1235\A0162905.sys High
12/12/2011 5:00:41 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1237\A0162919.sys High
12/12/2011 5:01:39 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1239\A0163174.sys High
12/12/2011 5:11:49 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1239\A0163175.ini High
12/12/2011 5:11:49 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1239\A0163183.sys High
12/12/2011 5:12:21 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1239\A0163184.ini High
12/12/2011 5:12:23 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1239\A0163193.sys High
12/12/2011 5:12:23 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1239\A0163194.ini High
12/12/2011 5:13:58 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1239\A0163245.sys High
12/12/2011 5:14:24 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1239\A0163246.ini High
12/12/2011 5:14:24 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1239\A0163256.sys High
12/12/2011 5:14:27 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1239\A0163257.ini High
12/12/2011 5:14:29 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1239\A0163265.sys High
12/12/2011 5:14:30 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1239\A0163266.ini High
12/12/2011 5:14:38 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1240\A0163300.sys High
12/12/2011 5:14:39 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1240\A0163301.ini High
12/12/2011 5:14:53 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1243\A0163320.ini High
12/12/2011 5:14:55 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1243\A0163319.sys High
12/12/2011 5:15:39 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1244\A0163347.ini High
12/12/2011 5:15:40 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1244\A0163346.sys High
12/12/2011 5:15:59 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1251\A0163365.sys High
12/12/2011 5:16:00 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1251\A0163366.ini High
12/12/2011 5:15:58 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1251\A0163370.sys High
12/12/2011 5:17:21 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1251\A0163371.ini High
12/12/2011 5:17:22 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1251\A0163379.sys High
12/12/2011 5:19:59 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1251\A0163380.ini High
12/12/2011 5:20:25 PM Deleted Trojan program Rootkit.Win32.ZAccess.c C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1251\A0164379.sys High
12/12/2011 5:20:26 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1251\A0164380.ini High
12/12/2011 5:20:26 PM Deleted Trojan program Rootkit.Win32.ZAccess.c C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1251\A0164384.sys High
12/12/2011 5:24:10 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1251\A0164385.ini High
12/12/2011 5:24:12 PM Deleted Trojan program Rootkit.Win32.ZAccess.c C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1251\A0165384.sys High
12/12/2011 5:24:13 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1251\A0165385.ini High
12/12/2011 5:24:23 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1255\A0165401.ini High
12/12/2011 5:24:24 PM Deleted Trojan program Rootkit.Win32.ZAccess.c C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1255\A0165400.sys High
12/12/2011 5:24:48 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1258\A0165415.ini High
12/12/2011 5:24:58 PM Deleted Trojan program Rootkit.Win32.ZAccess.c C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1258\A0165414.sys High
12/12/2011 5:25:07 PM Deleted Trojan program Rootkit.Win32.ZAccess.c C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1259\A0165468.sys High
12/12/2011 5:25:08 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1259\A0165469.ini High
12/12/2011 5:25:46 PM Deleted Trojan program Rootkit.Win32.ZAccess.c C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1259\A0165565.sys High
12/12/2011 5:25:47 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1259\A0165566.ini High
12/12/2011 5:25:47 PM Deleted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1261\A0165581.exe High
12/12/2011 5:25:56 PM Deleted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1261\A0165582.exe High
12/12/2011 5:35:03 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini High
12/12/2011 6:26:24 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1261\A0165583.ini High
  • 0
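The detection log above lists dozens of removals, most of them inside System Restore snapshots rather than on the live file system. The following script is an added example (it is not part of this thread and not from any vendor tool) that parses lines in the format of that log and separates snapshot copies from live files, which is the first thing a helper checks when judging whether the active infection is actually gone. The sample lines are constructed in the same format as the posted log; the restore-point GUID and the GAC_MSIL\Desktop.ini path are copied from the log above, the RP numbers and file names are made up.

```python
"""Triage a Kaspersky-style "Deleted Trojan program" log.

Added example, not from the thread or from any vendor tool.  It parses
lines in the posted format and summarises what was removed and where, so
a helper can see how much of the clean-up touched live files versus
System Restore snapshot copies.
"""
import re
from collections import Counter
from dataclasses import dataclass

# One log line: date, time, action, "Trojan program", verdict, path, severity.
# The path may contain spaces, so it is matched non-greedily up to the
# severity word at the end of the line.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>\w+) Trojan program (?P<verdict>\S+) (?P<path>.+?) "
    r"(?P<severity>High|Medium|Low)$"
)

# Files under System Volume Information\_restore{GUID}\RPnnn\ are System
# Restore snapshot copies.  Removing them cleans the snapshots but says
# nothing about whether the live infection has been removed.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[^}]+\}\\(RP\d+)\\", re.IGNORECASE
)


@dataclass
class Detection:
    date: str
    time: str
    action: str
    verdict: str
    path: str
    severity: str

    @property
    def restore_point(self):
        """Restore-point name (e.g. 'RP1233') if the file was a snapshot copy."""
        m = RESTORE_RE.search(self.path)
        return m.group(1) if m else None

    @property
    def family(self):
        """'Rootkit.Win32.ZAccess.g' -> 'ZAccess'; 'Trojan.Win32.Patched.mf' -> 'Patched'."""
        parts = self.verdict.split(".")
        return parts[2] if len(parts) >= 3 else self.verdict


def parse_log(text):
    """Return a Detection for every line that matches the log format."""
    detections = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line) if line else None
        if m:
            detections.append(Detection(**m.groupdict()))
    return detections


def summarize(detections):
    """Counts by verdict and family, the restore points touched, and live paths."""
    return {
        "total": len(detections),
        "by_verdict": Counter(d.verdict for d in detections),
        "by_family": Counter(d.family for d in detections),
        "restore_points": sorted({d.restore_point for d in detections if d.restore_point}),
        "live_paths": [d.path for d in detections if d.restore_point is None],
    }


# Constructed sample in the posted format (GUID and the Desktop.ini path are
# from the log above; RP numbers and A01xxxxx file names are made up).
SAMPLE_LOG = r"""
12/12/2011 5:00:01 PM Deleted Trojan program Rootkit.Win32.ZAccess.g C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1233\A0100001.sys High
12/12/2011 5:00:02 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1233\A0100002.ini High
12/12/2011 5:00:03 PM Deleted Trojan program Rootkit.Win32.ZAccess.c C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1240\A0100003.sys High
12/12/2011 5:00:04 PM Deleted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP1240\A0100004.exe High
12/12/2011 5:35:03 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini High
"""

if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    print("total removals:", s["total"])
    print("by family:", dict(s["by_family"]))
    print("restore points touched:", s["restore_points"])
    print("live files removed:", s["live_paths"])
```

Run it on the full log text pasted from the thread and the "live files removed" list is the part worth attention: in the posted log only one entry (C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini) is outside System Volume Information, which is consistent with the helper's remark that the infection is still present and needs further work.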

#22
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi papa_A_D,

I see that the infection is still there. This is a very, very delicate infection and we need to take everything into account.

Some notes before you begin... Remove your version of ComboFix and download a new one.

Also note that I need to see a print screen from Disk Management, not a log file.

Step 1

Win XP

Go to start > run and type:

compmgmt.msc

From the left panel click Disk Management and maximize the window. Take a snapshot of it and post it here.

To print screen please download ClickShoot.exe on your desktop
Run the program and when you are ready press [Print Screen] button on your keyboard
Post the ClickShoot_HHMMSS.jpg it creates here for me.

Step 2

If you can't disable the real-time scanner of your antivirus, I would like you to uninstall it from your system until the end of this fix. Before you remove it, make sure you have your license key by your side so you can install it again.

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

    Posted Image

    Posted Image
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

Step 3

Please don't forget to include these items in your reply:

  • Print screen log
  • Combofix log
It would be helpful if you could post each log in a separate post.
  • 0

#23
papa_A_D

papa_A_D

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
maliprog
Hi, I'm still using a HOST computer and transferring back and forth with a memory stick (USB), so I can't run Step 1 the way it is listed. I'll try something else...

I have been trying to cut and paste, attach or copy a .bmp file of Disk Management and the IE7 window (there are no longer any graphics or text on the IE window screen, only the toolbars) taken from my computer. So far - no success.

Completely removing my antivirus (Step 2) isn't something I can do. Your link above regarding "how to disable your security programs" isn't working. What do I need to do differently, please?

papa_A_D

Edited by papa_A_D, 13 December 2011 - 08:43 PM.

  • 0

#24
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Let's try this step.

We need to download the Recovery Console manually then.

  • Click on the following link to go to Microsoft's Web site:

    http://support.microsoft.com/kb/310994
  • At that page, scroll down and click on the appropriate download for your version of Windows XP (Home or Professional) and the service pack level that you have installed. When you click on the link to download the file, make sure you save it directly to your desktop. You are using Windows XP Service Pack 3 (SP3) and you need to select the Service Pack 2 download.

  • Once the Microsoft file has finished downloading, restart your PC in Safe mode.

    Please restart in safe mode:
    • If the computer is running, shut down Windows, and then turn off the power
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.

  • Drag the Microsoft file on top of the ComboFix icon and let your mouse button go. This is shown in the following image.


    Posted Image

  • ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.
Once the Windows Recovery Console has finished installing, ComboFix will open a prompt stating that it was installed and asking if you would like to proceed with scanning your computer. Please press the Yes button and continue as I described before.

If it asks you to disable your antivirus program, just press Continue with the scan.
  • 0

#25
papa_A_D

papa_A_D

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
Hello, again. Here is the ComboFix log. Also, I removed my Antivirus beforehand.

I just saw your post above after running ComboFix. Do you want me to run that now, again?

ComboFix 11-12-13.03 - Hemphill 12/13/2011 21:21:53.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.241 [GMT -8:00]
Running from: c:\documents and settings\Hemphill\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\pswi_preloaded.exe
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Hemphill\Application Data\883A.096
c:\documents and settings\Hemphill\Desktop\Windows Explorer.exe
c:\documents and settings\Hemphill\Local Settings\Application Data\922a6d98\U
c:\documents and settings\Hemphill\Local Settings\Application Data\922a6d98\U\[email protected]
c:\documents and settings\Hemphill\Local Settings\Application Data\922a6d98\U\[email protected]
c:\documents and settings\Hemphill\WINDOWS
c:\program files\DictionaryBoss\bar
c:\program files\DictionaryBoss\bar\Cache\0034AEFF.bmp
c:\program files\DictionaryBoss\bar\Cache\0034B0F3.bmp
c:\program files\DictionaryBoss\bar\Cache\0034B299.bmp
c:\program files\DictionaryBoss\bar\Cache\0034B3D2.bmp
c:\program files\DictionaryBoss\bar\Cache\0034B558.bmp
c:\program files\DictionaryBoss\bar\Cache\0034B681.bmp
c:\program files\DictionaryBoss\bar\Cache\02AD54A4
c:\program files\DictionaryBoss\bar\Cache\02AD562A.bmp
c:\program files\DictionaryBoss\bar\Cache\02AD5724.bmp
c:\program files\DictionaryBoss\bar\Cache\02AD57B1.bmp
c:\program files\DictionaryBoss\bar\Cache\02AD585D.bmp
c:\program files\DictionaryBoss\bar\Cache\02AD5928.bmp
c:\program files\DictionaryBoss\bar\Cache\02AD5A03.bmp
c:\program files\DictionaryBoss\bar\Cache\02AD5A8F.bmp
c:\program files\DictionaryBoss\bar\Cache\02AD5AFD.bmp
c:\program files\DictionaryBoss\bar\Cache\files.ini
c:\program files\DictionaryBoss\bar\History\search3
c:\program files\DictionaryBoss\bar\Settings\prevcfg2.htm
c:\program files\DictionaryBoss\bar\Settings\s_pid.dat
c:\program files\DictionaryBossEI
c:\program files\DictionaryBossEI\Installr\1.bin\NPv4EISb.dll
c:\program files\DictionaryBossEI\Installr\1.bin\v4EIPlug.dll
c:\program files\DictionaryBossEI\Installr\Cache\02AD04CE.exe
c:\program files\DictionaryBossEI\Installr\Cache\files.ini
c:\program files\Shared
c:\windows\$NtUninstallKB77$
c:\windows\$NtUninstallKB77$\2452254104\@
c:\windows\$NtUninstallKB77$\2452254104\L\xtmybwes
c:\windows\$NtUninstallKB77$\2452254104\loader.tlb
c:\windows\$NtUninstallKB77$\2452254104\U\@00000001
c:\windows\$NtUninstallKB77$\2452254104\U\@000000c0
c:\windows\$NtUninstallKB77$\2452254104\U\@000000cb
c:\windows\$NtUninstallKB77$\2452254104\U\@000000cf
c:\windows\$NtUninstallKB77$\2452254104\U\@80000000
c:\windows\$NtUninstallKB77$\2452254104\U\@800000c0
c:\windows\$NtUninstallKB77$\2452254104\U\@800000cb
c:\windows\$NtUninstallKB77$\2452254104\U\@800000cf
c:\windows\$NtUninstallKB77$\2505118498
c:\windows\CSC\d6
c:\windows\kb913800.exe
c:\windows\system32\
c:\windows\system32\Cache
c:\windows\system32\config\systemprofile\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2011-11-14 to 2011-12-14 )))))))))))))))))))))))))))))))
.
.
2011-12-02 01:05 . 2011-12-02 00:20 302592 ----a-w- C:\is7cwtxh.exe
2011-11-23 23:16 . 2011-09-01 01:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-22 05:28 . 2011-11-22 05:28 5818 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-11-22 03:44 . 2011-11-22 03:44 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-11-22 03:43 . 2011-11-22 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-11-15 02:02 . 2011-11-15 02:02 -------- d-----w- C:\_OTM
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-12 04:11 . 2004-08-03 22:59 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-11-23 23:38 . 2011-11-08 07:25 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-11-08 07:45 . 2006-07-19 23:24 114688 ----a-w- c:\windows\system32\TODDSrv.exe
2011-11-08 02:19 . 2006-11-03 03:40 174656 ----a-w- c:\windows\system32\PSIService.exe
2011-11-08 00:51 . 2006-07-19 23:11 114688 ----a-w- c:\windows\system32\DVDRAMSV.exe
2011-11-02 22:51 . 2008-04-19 04:22 36864 ----a-w- c:\windows\system32\acs.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-06 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-08-02 364544]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-7-19 155648]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 11 (0xb)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 6"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SecureZIP Attachments Status.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SetPoint.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Hemphill^Start Menu^Programs^Startup^DING!.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Hemphill^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Hemphill^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adparatus
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Firewall Pro
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DuhikiToolbarNotifier
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ioloDelayModule
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NotebookHardwareControl
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC SpeedScan Pro
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Performance Center
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemGuardAlerter
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 19:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-05 17:04 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDWMon]
2006-04-26 00:57 299008 -c--a-w- c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\DDWMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlccmon.exe]
2005-07-22 19:03 425984 -c--a-w- c:\program files\Dell Photo AIO Printer 924\dlccmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2007-02-26 09:01 437160 ----a-w- c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:56 64512 -c--a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 22:08 421160 -c--a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
2005-12-06 05:06 1077322 ----a-w- c:\program files\TOSHIBA\Touch and Launch\PadExe.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
2005-03-18 00:37 151552 -c--a-w- c:\toshiba\IVP\ISM\pinger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 10:04 2879488 -c--a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-01-01 20:02 136600 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-06 04:39 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-03-02 23:02 761948 -c--a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
2004-12-30 07:32 65536 ----a-w- c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
2005-06-01 04:00 282624 ----a-w- c:\windows\system32\TPSMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
2006-02-02 19:11 73728 -c--a-w- c:\program files\TOSHIBA\Tvs\TvsTray.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Barnes & Noble\\NOOKstudy\\NOOKstudy.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [6/28/2006 10:50 AM 98816]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.SYS --> c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [?]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\PEDrv.sys --> c:\sysprep\PEDrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2011-12-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-06 00:51]
.
2011-12-14 c:\windows\Tasks\User_Feed_Synchronization-{A00C3A91-1B39-4F57-A4C7-6A0B0F8DC435}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 01:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:52970
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Save Page As PDF ... - file://c:\program files\Nitro PDF\PDF Download\nitroweb.htm
Trusted Zone: wordpress.com
Trusted Zone: wordpress.com\support
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{0974BA1E-64EC-11DE-B2A5-E43756D89593} - (no file)
Toolbar-{0974BA1E-64EC-11DE-B2A5-E43756D89593} - (no file)
Notify-NavLogon - (no file)
Notify-WgaLogon - (no file)
SafeBoot-59169748.sys
MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
MSConfigStartUp-conhost - c:\documents and settings\Hemphill\Application Data\Microsoft\conhost.exe
MSConfigStartUp-DictionaryBoss Browser Plugin Loader - c:\progra~1\DICTIO~2\bar\1.bin\v4brmon.exe
MSConfigStartUp-Google Quick Search Box - c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe
MSConfigStartUp-MSC - c:\program files\Microsoft Security Client\msseces.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
AddRemove-Google Updater - c:\program files\Google\Google Updater\GoogleUpdater.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Hemphill\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-13 21:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\America Online\ygp3]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\MediaPlayer\Player\Skins\res://wmploc/RT_TEXT/MainAppSkin2.wsz]
@DACL=(02 0000)
@SACL=
"Prefs"="mute;False;TrackTimeFormat;0;miniModePrevWidth;1280;miniModePrevHeight;774;currentMetadataIconV11;2"
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\0]
@DACL=(02 0000)
@SACL=
"ViewView2"=hex:1c,00,00,00,01,00,00,00,00,00,12,09,00,00,64,00,00,00,00,00,01,
00,00,00,ff,ff,ff,ff,f0,f0,f0,f0,14,00,03,00,64,00,00,00,00,00,00,00,30,00,\
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\1]
@DACL=(02 0000)
@SACL=
"ViewView2"=hex:1c,00,00,00,06,00,00,00,00,00,00,00,00,00,9c,00,00,00,00,00,01,
00,00,00,ff,ff,ff,ff,f0,f0,f0,f0,14,00,03,00,9c,00,00,00,00,00,00,00,30,00,\
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\2]
@DACL=(02 0000)
@SACL=
"ViewView2"=hex:1c,00,00,00,06,00,00,00,00,00,02,00,00,00,9c,00,00,00,00,00,01,
00,00,00,ff,ff,ff,ff,f0,f0,f0,f0,14,00,03,00,9c,00,00,00,00,00,00,00,30,00,\
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\3]
@DACL=(02 0000)
@SACL=
"ViewView2"=hex:1c,00,00,00,06,00,00,00,00,00,00,00,00,00,9c,00,00,00,00,00,01,
00,00,00,ff,ff,ff,ff,f0,f0,f0,f0,14,00,03,00,9c,00,00,00,00,00,00,00,30,00,\
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\4]
@DACL=(02 0000)
@SACL=
"ViewView2"=hex:1c,00,00,00,06,00,00,00,00,00,00,00,00,00,9c,00,00,00,00,00,01,
00,00,00,ff,ff,ff,ff,f0,f0,f0,f0,14,00,03,00,9c,00,00,00,00,00,00,00,30,00,\
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\5]
@DACL=(02 0000)
@SACL=
"ViewView2"=hex:1c,00,00,00,06,00,00,00,00,00,00,00,00,00,9c,00,00,00,00,00,01,
00,00,00,ff,ff,ff,ff,f0,f0,f0,f0,14,00,03,00,9c,00,00,00,00,00,00,00,30,00,\
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\6]
@DACL=(02 0000)
@SACL=
"ViewView2"=hex:1c,00,00,00,06,00,00,00,00,00,00,00,00,00,90,00,00,00,00,00,01,
00,00,00,ff,ff,ff,ff,f0,f0,f0,f0,14,00,03,00,90,00,00,00,00,00,00,00,30,00,\
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\7]
@DACL=(02 0000)
@SACL=
"ViewView2"=hex:1c,00,00,00,06,00,00,00,00,00,00,00,00,00,90,00,00,00,00,00,01,
00,42,00,03,00,04,00,ef,be,3e,38,29,06,5d,38,2b,89,14,00,00,00,54,00,75,00,\
"77"=hex:4e,00,31,00,00,00,00,00,67,38,28,a0,10,00,4d,45,44,49,41,52,7e,31,00,
00,36,00,03,00,04,00,ef,be,36,38,5c,2f,69,38,d6,1c,14,00,00,00,4d,00,65,00,\
"78"=hex:4c,00,31,00,00,00,00,00,69,38,c5,26,10,00,47,49,50,4f,40,55,7e,31,00,
00,34,00,03,00,04,00,ef,be,69,38,c5,26,69,38,c5,26,14,00,00,00,47,00,69,00,\
"79"=hex:4e,00,31,00,00,00,00,00,9c,37,6d,7f,10,00,4d,49,43,52,4f,53,7e,31,2e,
4e,45,54,00,00,32,00,03,00,04,00,ef,be,9c,37,6d,7f,8b,38,1d,1f,14,00,00,00,\
"80"=hex:4c,00,31,00,00,00,00,00,67,38,24,2c,10,00,41,4c,57,49,4c,53,7e,31,00,
00,34,00,03,00,04,00,ef,be,67,38,24,2c,8b,38,c2,2b,14,00,00,00,41,00,6c,00,\
"81"=hex:56,00,31,00,00,00,00,00,66,38,56,9c,10,00,50,41,54,53,4a,54,7e,31,00,
00,3e,00,03,00,04,00,ef,be,64,38,8d,a4,8b,38,c3,2b,14,00,00,00,50,00,41,00,\
"82"=hex:44,00,31,00,00,00,00,00,3a,36,5a,9f,10,00,49,4e,54,45,52,56,7e,31,00,
00,2c,00,03,00,04,00,ef,be,0b,35,30,ac,a2,38,01,2c,14,00,00,00,49,00,6e,00,\
"83"=hex:4a,00,31,00,00,00,00,00,9c,37,d7,2d,10,00,41,43,45,52,45,41,7e,31,00,
00,32,00,03,00,04,00,ef,be,9c,37,d4,2d,a2,38,c1,2c,14,00,00,00,41,00,63,00,\
"84"=hex:50,00,31,00,00,00,00,00,3c,36,f7,1c,10,00,56,49,44,45,4f,53,7e,31,00,
00,38,00,03,00,04,00,ef,be,3c,36,ed,1c,c3,38,db,0b,14,00,00,00,56,00,69,00,\
"85"=hex:30,00,31,00,00,00,00,00,1e,39,85,9b,10,00,44,4e,41,00,1e,00,03,00,04,
00,ef,be,d6,38,50,1c,63,39,81,15,14,00,00,00,44,00,4e,00,41,00,00,00,12,00,\
"86"=hex:3a,00,31,00,00,00,00,00,63,39,64,2c,10,00,57,69,6e,52,41,52,00,00,24,
00,03,00,04,00,ef,be,63,39,50,2b,63,39,64,2c,14,00,00,00,57,00,69,00,6e,00,\
"87"=hex:5c,00,31,00,00,00,00,00,64,39,3d,26,10,00,42,45,41,52,53,48,7e,31,00,
00,44,00,03,00,04,00,ef,be,64,39,3d,26,64,39,3d,26,14,00,00,00,42,00,65,00,\
"88"=hex:c9,00,31,00,00,00,00,00,e8,38,55,1b,10,00,41,64,6f,62,65,00,22,00,03,
00,04,00,ef,be,f4,34,09,07,65,39,d6,3b,14,00,00,00,41,00,64,00,6f,00,62,00,\
"89"=hex:3a,00,31,00,00,00,00,00,65,39,36,2a,10,00,57,69,6e,61,6d,70,00,00,24,
00,03,00,04,00,ef,be,65,39,e0,29,67,39,84,4b,14,00,00,00,57,00,69,00,6e,00,\
"90"=hex:56,00,31,00,00,00,00,00,a8,36,97,0d,10,00,4d,49,43,52,4f,53,7e,31,00,
00,3e,00,03,00,04,00,ef,be,f3,34,bd,14,67,39,77,54,14,00,00,00,6d,00,69,00,\
"91"=hex:36,00,31,00,00,00,00,00,f3,34,bd,14,10,00,78,65,72,6f,78,00,22,00,03,
00,04,00,ef,be,f3,34,bd,14,92,39,50,90,14,00,00,00,78,00,65,00,72,00,6f,00,\
"92"=hex:3a,00,31,00,00,00,00,00,94,39,08,9a,10,00,54,56,41,6e,74,73,00,00,24,
00,03,00,04,00,ef,be,94,39,01,9a,94,39,08,9a,14,00,00,00,54,00,56,00,41,00,\
"93"=hex:64,00,31,00,00,00,00,00,96,39,ea,0b,10,00,4d,41,4c,57,41,52,7e,31,00,
00,4c,00,03,00,04,00,ef,be,96,39,db,0b,99,39,c3,02,14,00,00,00,4d,00,61,00,\
"94"=hex:3c,00,31,00,00,00,00,00,92,39,31,97,10,00,45,53,54,73,6f,66,74,00,26,
00,03,00,04,00,ef,be,92,39,31,97,4d,3a,83,ad,14,00,00,00,45,00,53,00,54,00,\
"95"=hex:30,00,31,00,00,00,00,00,26,3a,dc,91,10,00,4e,4f,53,00,1e,00,03,00,04,
00,ef,be,26,3a,10,2f,4d,3a,63,ae,14,00,00,00,4e,00,4f,00,53,00,00,00,12,00,\
"96"=hex:50,00,31,00,00,00,00,00,4d,3a,94,b3,10,00,41,41,41,53,43,52,7e,31,00,
00,38,00,03,00,04,00,ef,be,4d,3a,94,b3,4d,3a,94,b3,14,00,00,00,41,00,41,00,\
"97"=hex:42,00,31,00,00,00,00,00,4d,3a,cc,b3,10,00,41,44,50,41,52,41,7e,31,00,
00,2a,00,03,00,04,00,ef,be,4d,3a,c3,b3,4d,3a,ce,b3,14,00,00,00,41,00,64,00,\
"98"=hex:3a,00,31,00,00,00,00,00,4d,3a,c3,b3,10,00,44,75,68,69,6b,69,00,00,24,
00,03,00,04,00,ef,be,4d,3a,c3,b3,4d,3a,c3,b3,14,00,00,00,44,00,75,00,68,00,\
"99"=hex:3c,00,31,00,00,00,00,00,93,38,c5,22,10,00,41,74,68,65,72,6f,73,00,26,
00,03,00,04,00,ef,be,93,38,c4,22,57,3a,6f,9e,14,00,00,00,41,00,74,00,68,00,\
"100"=hex:42,00,31,00,00,00,00,00,67,3a,0b,a8,10,00,47,4f,4c,46,4c,4f,7e,31,00,
00,2a,00,03,00,04,00,ef,be,67,3a,0b,a8,69,3a,8e,06,14,00,00,00,47,00,6f,00,\
"101"=hex:30,00,31,00,00,00,00,00,f3,34,0d,14,10,00,4d,53,4e,00,1e,00,03,00,04,
00,ef,be,f3,34,0d,14,75,3a,15,9c,14,00,00,00,4d,00,53,00,4e,00,00,00,12,00,\
"102"=hex:36,00,31,00,00,00,00,00,63,39,c5,44,10,00,45,52,55,4e,54,00,22,00,03,
00,04,00,ef,be,63,39,b9,44,75,3a,15,9c,14,00,00,00,45,00,52,00,55,00,4e,00,\
"103"=hex:5a,00,31,00,00,00,00,00,63,39,0a,45,10,00,4e,54,52,45,47,49,7e,31,00,
00,42,00,03,00,04,00,ef,be,63,39,0a,45,75,3a,15,9c,14,00,00,00,4e,00,54,00,\
"104"=hex:48,00,31,00,00,00,00,00,58,3a,ac,11,10,00,43,4f,4d,4d,4f,4e,7e,31,00,
00,30,00,03,00,04,00,ef,be,f2,34,90,9b,85,3a,6a,09,14,00,00,00,43,00,6f,00,\
"105"=hex:3a,00,31,00,00,00,00,00,92,3a,7a,19,10,20,47,6f,6f,67,6c,65,00,00,24,
00,03,00,04,00,ef,be,f4,34,c4,11,95,3a,35,1f,14,00,00,00,47,00,6f,00,6f,00,\
"106"=hex:62,00,31,00,00,00,00,00,9d,3a,93,40,10,00,4e,4f,54,45,42,4f,7e,31,00,
00,4a,00,03,00,04,00,ef,be,9d,3a,8f,40,9e,3a,fc,23,14,00,00,00,4e,00,6f,00,\
"107"=hex:48,00,31,00,00,00,00,00,3d,38,f2,2b,10,00,53,50,59,57,41,52,7e,32,00,
00,30,00,03,00,04,00,ef,be,3b,38,c6,5a,1a,3b,31,ad,14,00,00,00,53,00,70,00,\
"108"=hex:3a,00,31,00,00,00,00,00,63,3a,11,26,10,00,43,4f,4d,4f,44,4f,00,00,24,
00,03,00,04,00,ef,be,3e,38,fa,a1,2b,3b,27,1d,14,00,00,00,43,00,4f,00,4d,00,\
"109"=hex:3c,00,31,00,00,00,00,00,42,3b,61,34,10,00,42,6f,6e,6a,6f,75,72,00,26,
00,03,00,04,00,ef,be,42,3b,61,34,2c,3c,46,ab,14,00,00,00,42,00,6f,00,6e,00,\
"110"=hex:3a,00,31,00,00,00,00,00,35,3c,45,41,10,00,47,49,4d,50,2d,32,00,00,24,
00,03,00,04,00,ef,be,35,3c,32,41,35,3c,45,41,14,00,00,00,47,00,49,00,4d,00,\
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3]
@DACL=(02 0000)
"NodeSlot"=dword:00000045
"MRUListEx"=hex:02,00,00,00,03,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff
"0"=hex:5c,00,31,00,00,00,00,00,3a,36,b9,a1,11,00,4d,59,4d,55,53,49,7e,31,00,
00,28,00,03,00,04,00,ef,be,3a,36,97,a1,3a,36,01,aa,14,00,00,00,4d,00,79,00,\
"1"=hex:46,00,31,00,00,00,00,00,3a,36,b4,ae,10,00,4d,59,4e,4f,54,45,7e,31,00,
00,2e,00,03,00,04,00,ef,be,3a,36,b4,ae,3a,36,c5,bc,14,00,00,00,4d,00,79,00,\
"2"=hex:46,00,31,00,00,00,00,00,6e,36,63,41,10,00,44,41,44,27,53,46,7e,31,00,
00,2e,00,03,00,04,00,ef,be,3c,36,99,16,6e,36,96,41,14,00,00,00,44,00,61,00,\
"3"=hex:36,00,31,00,00,00,00,00,9b,36,0d,06,10,00,57,65,62,45,78,00,22,00,03,
00,04,00,ef,be,9b,36,0d,06,18,37,3a,be,14,00,00,00,57,00,65,00,62,00,45,00,\
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\4]
@DACL=(02 0000)
"0"=hex:54,00,31,00,00,00,00,00,f3,34,6a,14,11,00,4d,59,4d,55,53,49,7e,31,00,
00,3c,00,03,00,04,00,ef,be,f3,34,5c,14,3a,36,07,b2,14,00,26,00,4d,00,79,00,\
"MRUListEx"=hex:03,00,00,00,00,00,00,00,02,00,00,00,01,00,00,00,ff,ff,ff,ff
"1"=hex:46,00,31,00,00,00,00,00,f3,34,e2,15,10,00,52,45,43,4f,52,44,7e,31,00,
00,2e,00,03,00,04,00,ef,be,f3,34,37,15,3a,36,59,bd,14,00,00,00,52,00,65,00,\
"2"=hex:4a,00,31,00,00,00,00,00,f4,34,d0,14,10,00,41,4f,4c,44,4f,57,7e,31,00,
00,32,00,03,00,04,00,ef,be,f4,34,d0,14,3a,36,93,bd,14,00,00,00,41,00,4f,00,\
"3"=hex:5a,00,31,00,00,00,00,00,f3,34,78,14,11,00,4d,59,50,49,43,54,7e,31,00,
00,42,00,03,00,04,00,ef,be,f3,34,17,14,3a,36,93,bd,14,00,2c,00,4d,00,79,00,\
"NodeSlot"=dword:00000050
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\5]
@DACL=(02 0000)
"0"=hex:84,00,32,00,4e,b3,5a,19,38,36,ca,00,01,00,53,41,56,43,45,5f,7e,32,2e,
5a,49,50,00,00,68,00,03,00,04,00,ef,be,38,36,ca,00,00,00,00,00,14,00,00,00,\
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1]
@DACL=(02 0000)
@SACL=
"NodeSlot"=dword:00000022
"MRUListEx"=hex:02,00,00,00,00,00,00,00,08,00,00,00,11,00,00,00,09,00,00,00,12,
00,00,00,14,00,00,00,04,00,00,00,18,00,00,00,0d,00,00,00,0e,00,00,00,15,00,\
"0"=hex:40,00,31,00,00,00,00,00,3b,36,0c,00,10,00,4d,59,4d,55,53,49,7e,31,00,
00,28,00,03,00,04,00,ef,be,3a,36,59,bf,3b,36,a7,1b,14,00,00,00,4d,00,79,00,\
"1"=hex:46,00,31,00,00,00,00,00,3a,36,b4,ae,10,00,4d,59,4e,4f,54,45,7e,31,00,
00,2e,00,03,00,04,00,ef,be,3a,36,b4,ae,3b,36,37,36,14,00,00,00,4d,00,79,00,\
"2"=hex:46,00,31,00,00,00,00,00,3c,36,f1,16,10,00,44,41,44,27,53,46,7e,31,00,
00,2e,00,03,00,04,00,ef,be,3c,36,99,16,3c,36,f2,16,14,00,00,00,44,00,61,00,\
"3"=hex:52,00,31,00,00,00,00,00,f4,34,c5,11,10,20,4d,59,47,4f,4f,47,7e,31,00,
00,3a,00,03,00,04,00,ef,be,3a,36,97,a1,3f,36,85,12,14,00,00,00,4d,00,79,00,\
"4"=hex:62,00,31,00,00,00,00,00,3a,36,b9,a1,11,00,4d,59,50,49,43,54,7e,31,00,
00,2e,00,03,00,04,00,ef,be,3a,36,97,a1,50,36,b7,b4,14,00,00,00,4d,00,79,00,\
"5"=hex:68,00,31,00,00,00,00,00,f4,34,55,16,11,00,4d,59,56,49,44,45,7e,31,00,
00,2a,00,03,00,04,00,ef,be,3a,36,97,a1,55,36,58,20,14,00,00,00,4d,00,79,00,\
"6"=hex:4e,00,31,00,00,00,00,00,f8,36,94,03,10,00,4d,4f,52,50,48,45,7e,31,00,
00,36,00,03,00,04,00,ef,be,f8,36,93,03,f8,36,94,03,14,00,00,00,4d,00,6f,00,\
"7"=hex:54,00,31,00,00,00,00,00,f8,36,94,03,10,00,4d,4f,52,50,48,45,7e,32,00,
00,3c,00,03,00,04,00,ef,be,f8,36,94,03,f8,36,94,03,14,00,00,00,4d,00,6f,00,\
"8"=hex:56,00,31,00,00,00,00,00,3f,36,a6,8a,10,00,4d,59,44,49,47,49,7e,31,00,
00,3e,00,03,00,04,00,ef,be,3f,36,a6,8a,f8,36,c5,03,14,00,00,00,4d,00,79,00,\
"9"=hex:48,00,31,00,00,00,00,00,bb,36,ec,a3,10,00,4d,59,50,53,50,46,7e,31,00,
00,30,00,03,00,04,00,ef,be,9b,36,5a,15,fd,36,9c,bd,14,00,00,00,4d,00,79,00,\
"10"=hex:52,00,31,00,00,00,00,00,9b,36,66,15,10,00,4d,59,53,4e,41,50,7e,31,00,
00,3a,00,03,00,04,00,ef,be,9b,36,66,15,04,37,81,99,14,00,00,00,4d,00,79,00,\
"11"=hex:40,00,31,00,00,00,00,00,68,38,68,10,10,00,4c,69,6d,65,57,69,72,65,00,
00,28,00,03,00,04,00,ef,be,68,38,4c,10,68,38,68,10,14,00,00,00,4c,00,69,00,\
"12"=hex:4e,00,31,00,00,00,00,00,69,38,b9,61,14,00,4d,59,44,41,54,41,7e,31,00,
00,36,00,03,00,04,00,ef,be,69,38,b9,61,71,38,1d,36,14,00,00,00,4d,00,79,00,\
"13"=hex:42,00,31,00,00,00,00,00,d6,38,02,b6,10,00,44,4f,57,4e,4c,4f,7e,31,00,
00,2a,00,03,00,04,00,ef,be,d6,38,02,b6,d6,38,02,b6,14,00,00,00,44,00,6f,00,\
"14"=hex:42,00,31,00,00,00,00,00,61,39,10,46,10,00,4d,59,45,42,4f,4f,7e,31,00,
00,2a,00,03,00,04,00,ef,be,3c,36,d3,16,61,39,30,46,14,00,00,00,4d,00,79,00,\
"15"=hex:42,00,31,00,00,00,00,00,64,39,b4,26,10,00,42,45,41,52,53,48,7e,31,00,
00,2a,00,03,00,04,00,ef,be,64,39,b4,26,67,39,31,4c,14,00,00,00,42,00,65,00,\
"16"=hex:36,00,31,00,00,00,00,00,9b,36,0d,06,10,00,57,65,62,45,78,00,22,00,03,
00,04,00,ef,be,9b,36,0d,06,68,39,47,bd,14,00,00,00,57,00,65,00,62,00,45,00,\
"17"=hex:4a,00,31,00,00,00,00,00,6a,39,c5,ad,10,00,43,4c,41,53,53,49,7e,31,00,
00,32,00,03,00,04,00,ef,be,58,37,b2,b8,6a,39,01,ae,14,00,00,00,43,00,6c,00,\
"18"=hex:34,00,31,00,00,00,00,00,b6,38,f3,13,10,00,54,65,6d,70,00,00,20,00,03,
00,04,00,ef,be,41,38,82,2e,6b,39,cc,1b,14,00,00,00,54,00,65,00,6d,00,70,00,\
"19"=hex:3a,00,31,00,00,00,00,00,8d,39,47,27,10,00,41,75,64,69,6f,73,00,00,24,
00,03,00,04,00,ef,be,8d,39,26,27,8d,39,47,27,14,00,00,00,41,00,75,00,64,00,\
"20"=hex:4c,00,31,00,00,00,00,00,8d,39,47,27,10,00,43,4c,41,53,53,49,7e,32,00,
00,34,00,03,00,04,00,ef,be,8d,39,26,27,8d,39,3c,28,14,00,00,00,43,00,6c,00,\
"21"=hex:52,00,31,00,00,00,00,00,64,39,b4,26,10,00,4d,59,52,45,43,45,7e,31,00,
00,3a,00,03,00,04,00,ef,be,64,39,b4,26,93,39,95,1b,14,00,00,00,4d,00,79,00,\
"22"=hex:4e,00,31,00,00,00,00,00,96,39,6a,07,10,00,53,59,53,52,45,53,7e,31,00,
00,36,00,03,00,04,00,ef,be,96,39,53,07,96,39,fa,10,14,00,00,00,53,00,79,00,\
"23"=hex:42,00,31,00,00,00,00,00,67,3a,1a,a8,10,00,47,4f,4c,46,4c,4f,7e,31,00,
00,2a,00,03,00,04,00,ef,be,67,3a,18,a8,69,3a,e4,02,14,00,00,00,47,00,6f,00,\
"24"=hex:3e,00,31,00,00,00,00,00,65,37,ea,28,10,00,4d,59,57,45,42,53,7e,31,00,
00,26,00,03,00,04,00,ef,be,65,37,ea,28,c9,3a,d0,69,14,00,00,00,4d,00,79,00,\
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0]
@DACL=(02 0000)
"NodeSlot"=dword:00000069
"MRUListEx"=hex:01,00,00,00,00,00,00,00,03,00,00,00,02,00,00,00,ff,ff,ff,ff
"0"=hex:48,00,31,00,00,00,00,00,a1,36,8b,1e,10,00,4d,59,50,4c,41,59,7e,31,00,
00,30,00,03,00,04,00,ef,be,a1,36,8b,1e,a1,36,8b,1e,14,00,00,00,4d,00,79,00,\
"1"=hex:3a,00,31,00,00,00,00,00,b7,36,85,2d,10,00,69,54,75,6e,65,73,00,00,24,
00,03,00,04,00,ef,be,54,36,79,0c,04,37,81,99,14,00,00,00,69,00,54,00,75,00,\
"2"=hex:42,00,31,00,00,00,00,00,64,39,b4,26,10,00,42,45,41,52,53,48,7e,31,00,
00,2a,00,03,00,04,00,ef,be,64,39,b4,26,64,39,b4,26,14,00,00,00,42,00,65,00,\
"3"=hex:4a,00,31,00,00,00,00,00,1f,3b,fc,03,10,00,41,4c,42,55,4d,41,7e,31,00,
00,32,00,03,00,04,00,ef,be,1d,3b,dc,33,21,3b,cf,22,14,00,00,00,41,00,6c,00,\
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\1]
@DACL=(02 0000)
"NodeSlot"=dword:0000006b
"MRUListEx"=hex:01,00,00,00,03,00,00,00,02,00,00,00,00,00,00,00,ff,ff,ff,ff
"0"=hex:40,00,31,00,00,00,00,00,3a,36,b4,ae,10,00,50,65,72,73,6f,6e,61,6c,00,
00,28,00,03,00,04,00,ef,be,3a,36,b4,ae,3b,36,a7,1b,14,00,00,00,50,00,65,00,\
"1"=hex:3c,00,31,00,00,00,00,00,3a,36,b4,ae,10,00,43,6c,61,73,73,65,73,00,26,
00,03,00,04,00,ef,be,3a,36,b4,ae,03,37,c7,16,14,00,00,00,43,00,6c,00,61,00,\
"2"=hex:40,00,31,00,00,00,00,00,3a,36,b4,ae,10,00,50,72,6f,6a,65,63,74,73,00,
00,28,00,03,00,04,00,ef,be,3a,36,b4,ae,03,37,c7,16,14,00,00,00,50,00,72,00,\
"3"=hex:40,00,31,00,00,00,00,00,91,38,84,a9,10,00,57,68,69,70,6c,61,73,68,00,
00,28,00,03,00,04,00,ef,be,3c,36,a5,16,71,39,ef,3c,14,00,00,00,57,00,68,00,\
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\10]
@DACL=(02 0000)
"NodeSlot"=dword:00000209
"MRUListEx"=hex:ff,ff,ff,ff
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\11]
@DACL=(02 0000)
"NodeSlot"=dword:00000305
"MRUListEx"=hex:00,00,00,00,03,00,00,00,01,00,00,00,02,00,00,00,ff,ff,ff,ff
"0"=hex:4e,00,31,00,00,00,00,00,68,38,68,10,10,00,53,54,4f,52,45,50,7e,31,00,
00,36,00,03,00,04,00,ef,be,68,38,68,10,68,38,68,10,14,00,00,00,53,00,74,00,\
"1"=hex:36,00,31,00,00,00,00,00,63,39,5b,be,10,00,53,61,76,65,64,00,22,00,03,
00,04,00,ef,be,5e,39,8d,25,63,39,72,be,14,00,00,00,53,00,61,00,76,00,65,00,\
"2"=hex:44,00,31,00,00,00,00,00,64,39,09,00,10,00,49,4e,43,4f,4d,50,7e,31,00,
00,2c,00,03,00,04,00,ef,be,63,39,13,09,64,39,09,00,14,00,00,00,49,00,6e,00,\
"3"=hex:3a,00,31,00,00,00,00,00,63,39,13,09,10,00,53,68,61,72,65,64,00,00,24,
00,03,00,04,00,ef,be,63,39,13,09,63,39,cd,bb,14,00,00,00,53,00,68,00,61,00,\
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\12]
@DACL=(02 0000)
"NodeSlot"=dword:00000320
"MRUListEx"=hex:ff,ff,ff,ff
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\13]
@DACL=(02 0000)
"NodeSlot"=dword:00000356
"MRUListEx"=hex:02,00,00,00,05,00,00,00,01,00,00,00,04,00,00,00,00,00,00,00,03,
00,00,00,ff,ff,ff,ff
"0"=hex:44,00,31,00,00,00,00,00,5f,39,a4,4c,10,00,54,48,45,50,52,49,7e,31,00,
00,2c,00,03,00,04,00,ef,be,5f,39,a4,4c,5f,39,a4,4c,14,00,00,00,54,00,68,00,\
"1"=hex:4c,00,31,00,00,00,00,00,5f,39,59,52,10,00,54,48,45,41,52,54,7e,31,00,
00,34,00,03,00,04,00,ef,be,5f,39,59,52,5f,39,59,52,14,00,00,00,54,00,68,00,\
"2"=hex:3a,00,31,00,00,00,00,00,63,39,d0,06,10,00,4d,6f,76,69,65,73,00,00,24,
00,03,00,04,00,ef,be,63,39,d0,06,63,39,81,15,14,00,00,00,4d,00,6f,00,76,00,\
"3"=hex:52,00,31,00,00,00,00,00,63,39,67,2d,10,00,57,49,4e,52,41,52,7e,31,2e,
36,5f,46,00,00,36,00,03,00,04,00,ef,be,63,39,66,2d,63,39,67,2d,14,00,00,00,\
"4"=hex:4c,00,31,00,00,00,00,00,64,39,9b,2a,10,00,41,54,4c,41,53,53,7e,31,00,
00,34,00,03,00,04,00,ef,be,64,39,9b,2a,64,39,a0,2a,14,00,00,00,41,00,74,00,\
"5"=hex:44,00,31,00,00,00,00,00,92,39,24,95,10,00,52,41,52,4d,4f,56,7e,31,00,
00,2c,00,03,00,04,00,ef,be,92,39,24,95,92,39,24,95,14,00,00,00,72,00,61,00,\
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\14]
@DACL=(02 0000)
"NodeSlot"=dword:00000372
"MRUListEx"=hex:01,00,00,00,00,00,00,00,ff,ff,ff,ff
"0"=hex:40,00,31,00,00,00,00,00,7d,36,5b,8b,10,00,49,6e,74,65,72,6e,65,74,00,
00,28,00,03,00,04,00,ef,be,3c,36,d4,16,61,39,30,46,14,00,00,00,49,00,6e,00,\
"1"=hex:78,00,31,00,00,00,00,00,61,39,59,46,10,00,49,49,4e,48,45,52,7e,31,00,
00,60,00,03,00,04,00,ef,be,3c,36,d5,16,64,39,44,00,14,00,00,00,49,00,20,00,\
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\15]
@DACL=(02 0000)
"NodeSlot"=dword:000003b2
"MRUListEx"=hex:ff,ff,ff,ff
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\16]
@DACL=(02 0000)
"NodeSlot"=dword:000003cf
"MRUListEx"=hex:ff,ff,ff,ff
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\17]
@DACL=(02 0000)
"NodeSlot"=dword:000003dc
"MRUListEx"=hex:0f,00,00,00,12,00,00,00,09,00,00,00,00,00,00,00,0d,00,00,00,10,
00,00,00,05,00,00,00,0e,00,00,00,02,00,00,00,04,00,00,00,0c,00,00,00,03,00,\
"0"=hex:44,00,31,00,00,00,00,00,6b,39,5b,bb,10,00,50,48,49,4c,4f,53,7e,31,00,
00,2c,00,03,00,04,00,ef,be,6b,39,d8,ba,6b,39,5b,bb,14,00,00,00,50,00,68,00,\
"1"=hex:44,00,31,00,00,00,00,00,6b,39,ce,bc,10,00,4e,45,57,46,4f,4c,7e,31,00,
00,2c,00,03,00,04,00,ef,be,6b,39,ce,bc,6b,39,ce,bc,14,00,00,00,4e,00,65,00,\
"2"=hex:52,00,31,00,00,00,00,00,6b,39,dd,bc,10,00,44,45,54,45,43,54,7e,31,00,
00,3a,00,03,00,04,00,ef,be,6b,39,dd,bc,6b,39,dd,bc,14,00,00,00,44,00,65,00,\
"3"=hex:42,00,31,00,00,00,00,00,6c,39,13,00,10,00,41,44,56,45,4e,54,7e,31,00,
00,2a,00,03,00,04,00,ef,be,6b,39,12,ba,6c,39,13,00,14,00,00,00,41,00,64,00,\
"4"=hex:4a,00,31,00,00,00,00,00,6b,39,ed,be,10,00,43,52,49,4d,45,46,7e,31,00,
00,32,00,03,00,04,00,ef,be,6b,39,e6,be,6b,39,ed,be,14,00,00,00,43,00,72,00,\
"5"=hex:3a,00,31,00,00,00,00,00,6c,39,43,01,10,00,48,6f,72,72,6f,72,00,00,24,
00,03,00,04,00,ef,be,6c,39,43,01,6c,39,43,01,14,00,00,00,48,00,6f,00,72,00,\
"6"=hex:4e,00,31,00,00,00,00,00,6b,39,16,be,10,00,4d,59,53,54,45,52,7e,32,00,
00,36,00,03,00,04,00,ef,be,6b,39,80,bd,6b,39,16,be,14,00,00,00,4d,00,79,00,\
"7"=hex:42,00,31,00,00,00,00,00,6b,39,bb,ba,10,00,4d,59,53,54,45,52,7e,31,00,
00,2a,00,03,00,04,00,ef,be,6b,39,bb,ba,6b,39,bb,ba,14,00,00,00,4d,00,79,00,\
"8"=hex:50,00,31,00,00,00,00,00,6c,39,c0,00,10,00,48,41,52,56,41,52,7e,31,00,
00,38,00,03,00,04,00,ef,be,6b,39,6a,bf,6c,39,c0,00,14,00,00,00,48,00,61,00,\
"9"=hex:40,00,31,00,00,00,00,00,6b,39,b4,ba,10,00,50,6f,6c,69,74,69,63,73,00,
00,28,00,03,00,04,00,ef,be,6b,39,b4,ba,6b,39,b4,ba,14,00,00,00,50,00,6f,00,\
"10"=hex:4c,00,31,00,00,00,00,00,6c,39,d8,03,10,00,4e,4f,56,45,4c,53,7e,31,00,
00,34,00,03,00,04,00,ef,be,6c,39,d8,03,6c,39,e7,03,14,00,00,00,4e,00,6f,00,\
"11"=hex:54,00,31,00,00,00,00,00,6c,39,0e,04,10,00,4c,49,54,45,52,41,7e,31,00,
00,3c,00,03,00,04,00,ef,be,6c,39,d8,03,6c,39,23,04,14,00,00,00,4c,00,69,00,\
"12"=hex:58,00,31,00,00,00,00,00,6c,39,c0,00,10,00,43,4c,41,53,53,49,7e,31,00,
00,40,00,03,00,04,00,ef,be,6b,39,6a,bf,6c,39,8d,06,14,00,00,00,43,00,6c,00,\
"13"=hex:5c,00,31,00,00,00,00,00,6c,39,0e,04,10,00,4c,49,54,45,52,41,7e,31,00,
00,44,00,03,00,04,00,ef,be,6c,39,d8,03,6c,39,07,07,14,00,00,00,4c,00,69,00,\
"14"=hex:42,00,31,00,00,00,00,00,6c,39,04,03,10,00,45,43,4f,4e,4f,4d,7e,31,00,
00,2a,00,03,00,04,00,ef,be,6c,39,e8,02,6c,39,04,03,14,00,00,00,45,00,63,00,\
"15"=hex:30,00,31,00,00,00,00,00,6c,39,80,03,10,00,57,61,72,00,1e,00,03,00,04,
00,ef,be,6c,39,73,03,6c,39,80,03,14,00,00,00,57,00,61,00,72,00,00,00,12,00,\
"16"=hex:36,00,31,00,00,00,00,00,6c,39,21,09,10,00,48,75,6d,6f,72,00,22,00,03,
00,04,00,ef,be,6c,39,9b,08,6e,39,5d,b8,14,00,00,00,48,00,75,00,6d,00,6f,00,\
"17"=hex:4c,00,31,00,00,00,00,00,6c,39,80,03,10,00,50,4f,4c,49,54,49,7e,31,00,
00,34,00,03,00,04,00,ef,be,6c,39,73,03,6f,39,2f,0c,14,00,00,00,50,00,6f,00,\
"18"=hex:3c,00,31,00,00,00,00,00,6f,39,d2,01,10,00,53,63,69,65,6e,63,65,00,26,
00,03,00,04,00,ef,be,6f,39,c7,01,70,39,39,01,14,00,00,00,53,00,63,00,69,00,\
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\18]
@DACL=(02 0000)
"NodeSlot"=dword:000003e3
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
"0"=hex:34,00,31,00,00,00,00,00,6b,39,27,1c,10,00,37,34,2d,68,00,00,20,00,03,
00,04,00,ef,be,6b,39,25,1c,6b,39,27,1c,14,00,00,00,37,00,34,00,2d,00,68,00,\
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\19]
@DACL=(02 0000)
"NodeSlot"=dword:00000404
"MRUListEx"=hex:ff,ff,ff,ff
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2]
@DACL=(02 0000)
"0"=hex:42,00,31,00,00,00,00,00,3c,36,d4,16,10,00,4d,59,45,42,4f,4f,7e,31,00,
00,2a,00,03,00,04,00,ef,be,3c,36,d3,16,3c,36,d4,16,14,00,00,00,4d,00,79,00,\
"MRUListEx"=hex:14,00,00,00,22,00,00,00,2f,00,00,00,2a,00,00,00,20,00,00,00,02,
00,00,00,2e,00,00,00,23,00,00,00,10,00,00,00,0a,00,00,00,2c,00,00,00,29,00,\
"NodeSlot"=dword:00000084
"1"=hex:48,00,31,00,00,00,00,00,3c,36,a5,16,10,00,57,4f,4f,44,43,41,7e,31,00,
00,30,00,03,00,04,00,ef,be,3c,36,a5,16,3f,36,aa,12,14,00,00,00,57,00,6f,00,\
"2"=hex:3c,00,31,00,00,00,00,00,3c,36,d8,16,10,00,4d,65,64,69,63,61,6c,00,26,
00,03,00,04,00,ef,be,3c,36,d5,16,3f,36,aa,12,14,00,00,00,4d,00,65,00,64,00,\
"3"=hex:3c,00,31,00,00,00,00,00,3c,36,d3,16,10,00,4f,70,74,69,6f,6e,73,00,26,
00,03,00,04,00,ef,be,3c,36,d0,16,3f,36,a9,3b,14,00,00,00,4f,00,70,00,74,00,\
"4"=hex:3c,00,31,00,00,00,00,00,3c,36,e1,16,10,00,46,75,74,75,72,65,73,00,26,
00,03,00,04,00,ef,be,3c,36,dd,16,3f,36,8d,8a,14,00,00,00,46,00,75,00,74,00,\
"5"=hex:40,00,31,00,00,00,00,00,3f,36,4e,8c,10,00,43,75,72,72,65,6e,63,79,00,
00,28,00,03,00,04,00,ef,be,3f,36,01,8c,3f,36,66,a9,14,00,00,00,43,00,75,00,\
"6"=hex:3c,00,31,00,00,00,00,00,3c,36,e1,16,10,00,46,69,6c,74,65,72,73,00,26,
00,03,00,04,00,ef,be,3c,36,e1,16,3f,36,c3,be,14,00,00,00,46,00,69,00,6c,00,\
"7"=hex:3a,00,31,00,00,00,00,00,3c,36,e9,16,10,00,43,61,6e,6e,6f,6e,00,00,24,
00,03,00,04,00,ef,be,3c,36,e8,16,49,36,3a,39,14,00,00,00,43,00,61,00,6e,00,\
"8"=hex:46,00,31,00,00,00,00,00,3c,36,aa,16,10,00,52,45,41,4c,45,53,7e,31,00,
00,2e,00,03,00,04,00,ef,be,3c,36,aa,16,49,36,24,59,14,00,00,00,52,00,65,00,\
"9"=hex:4e,00,31,00,00,00,00,00,3c,36,f0,16,10,00,42,55,53,49,4e,45,7e,31,00,
00,36,00,03,00,04,00,ef,be,3c,36,e9,16,4a,36,b2,2a,14,00,00,00,42,00,75,00,\
"10"=hex:3a,00,31,00,00,00,00,00,3c,36,f2,16,10,00,61,62,6a,6a,61,64,00,00,24,
00,03,00,04,00,ef,be,3c,36,f1,16,4c,36,5b,0e,14,00,00,00,61,00,62,00,6a,00,\
"11"=hex:dc,00,31,00,00,00,00,00,4d,36,5c,bf,10,00,4a,49,4d,43,52,41,7e,31,00,
00,c4,00,03,00,04,00,ef,be,4d,36,5c,bf,54,36,35,b2,14,00,00,00,bb,00,20,00,\
"12"=hex:3a,00,31,00,00,00,00,00,56,36,bd,13,10,00,53,74,6f,63,6b,73,00,00,24,
00,03,00,04,00,ef,be,3c,36,a9,16,56,36,bd,13,14,00,00,00,53,00,74,00,6f,00,\
"13"=hex:a0,00,31,00,00,00,00,00,67,36,8c,30,10,00,44,52,41,41,36,39,7e,31,2e,
4d,41,52,00,00,84,00,03,00,04,00,ef,be,66,36,73,33,69,36,4a,08,14,00,00,00,\
"14"=hex:3c,00,31,00,00,00,00,00,56,36,bd,13,10,00,54,72,61,64,69,6e,67,00,26,
00,03,00,04,00,ef,be,3c,36,a8,16,69,36,b6,12,14,00,00,00,54,00,72,00,61,00,\
"15"=hex:44,00,31,00,00,00,00,00,69,36,37,13,10,00,57,41,4c,4c,53,54,7e,31,00,
00,2c,00,03,00,04,00,ef,be,69,36,37,13,69,36,37,13,14,00,00,00,57,00,61,00,\
"16"=hex:42,00,31,00,00,00,00,00,6e,36,1a,2a,10,00,49,4e,56,45,53,54,7e,31,00,
00,2a,00,03,00,04,00,ef,be,6e,36,1a,2a,6e,36,1a,2a,14,00,00,00,49,00,6e,00,\
"17"=hex:5c,00,31,00,00,00,00,00,56,36,ca,13,10,00,50,41,59,50,41,4c,7e,31,00,
00,44,00,03,00,04,00,ef,be,3c,36,d0,16,6e,36,3d,38,14,00,00,00,50,00,61,00,\
"18"=hex:42,00,31,00,00,00,00,00,6e,36,08,43,10,00,56,41,4c,55,45,4c,7e,31,00,
00,2a,00,03,00,04,00,ef,be,6e,36,37,41,6e,36,08,43,14,00,00,00,56,00,61,00,\
"19"=hex:36,00,31,00,00,00,00,00,56,36,c1,13,10,00,50,6f,6b,65,72,00,22,00,03,
00,04,00,ef,be,3c,36,ab,16,75,36,d4,19,14,00,00,00,50,00,6f,00,6b,00,65,00,\
"20"=hex:42,00,31,00,00,00,00,00,56,36,cf,13,10,00,43,4f,4d,50,55,54,7e,31,00,
00,2a,00,03,00,04,00,ef,be,3c,36,e2,16,7d,36,f5,8a,14,00,00,00,43,00,6f,00,\
"21"=hex:3a,00,31,00,00,00,00,00,56,36,ce,13,10,00,47,72,61,6e,74,73,00,00,24,
00,03,00,04,00,ef,be,3c,36,dd,16,91,36,f2,33,14,00,00,00,47,00,72,00,61,00,\
"22"=hex:44,00,31,00,00,00,00,00,56,36,ce,13,10,00,48,4f,4d,45,2d,42,7e,31,00,
00,2c,00,03,00,04,00,ef,be,3c,36,db,16,94,36,51,26,14,00,00,00,48,00,6f,00,\
"23"=hex:40,00,31,00,00,00,00,00,56,36,bd,13,10,00,57,68,69,70,6c,61,73,68,00,
00,28,00,03,00,04,00,ef,be,3c,36,a5,16,44,37,8e,4d,14,00,00,00,57,00,68,00,\
"24"=hex:ac,00,31,00,00,00,00,00,1a,37,0d,a3,10,00,4d,55,53,49,43,52,7e,31,00,
00,94,00,03,00,04,00,ef,be,1a,37,0c,a3,44,37,8e,4d,14,00,00,00,4d,00,75,00,\
"25"=hex:46,00,31,00,00,00,00,00,4e,37,a7,b4,10,00,43,4f,4d,4d,4f,44,7e,31,00,
00,2e,00,03,00,04,00,ef,be,4e,37,6f,b4,4e,37,a7,b4,14,00,00,00,43,00,6f,00,\
"26"=hex:4c,00,31,00,00,00,00,00,4e,37,fc,bc,10,00,54,52,45,4e,44,46,7e,31,00,
00,34,00,03,00,04,00,ef,be,9b,36,06,1a,4e,37,20,bd,14,00,00,00,54,00,72,00,\
"27"=hex:34,00,31,00,00,00,00,00,5c,37,5c,34,10,00,42,6f,6f,6b,00,00,20,00,03,
00,04,00,ef,be,58,37,b2,b8,61,37,7b,b5,14,00,00,00,42,00,6f,00,6f,00,6b,00,\
"28"=hex:42,00,31,00,00,00,00,00,34,38,03,9b,10,00,4d,45,54,41,53,54,7e,31,00,
00,2a,00,03,00,04,00,ef,be,34,38,b2,9a,34,38,0d,9b,14,00,00,00,4d,00,65,00,\
"29"=hex:4a,00,31,00,00,00,00,00,56,36,cc,13,10,00,4d,41,52,43,48,4d,7e,31,00,
00,32,00,03,00,04,00,ef,be,3c,36,d8,16,35,38,81,00,14,00,00,00,4d,00,61,00,\
"30"=hex:34,00,31,00,00,00,00,00,41,38,82,2e,10,00,54,65,6d,70,00,00,20,00,03,
00,04,00,ef,be,41,38,82,2e,41,38,82,2e,14,00,00,00,54,00,65,00,6d,00,70,00,\
"31"=hex:3c,00,31,00,00,00,00,00,3e,38,35,31,10,00,52,65,73,75,6d,65,73,00,26,
00,03,00,04,00,ef,be,3c,36,aa,16,48,38,ed,30,14,00,00,00,52,00,65,00,73,00,\
"32"=hex:40,00,31,00,00,00,00,00,58,38,5c,1b,10,00,50,69,63,74,75,72,65,73,00,
00,28,00,03,00,04,00,ef,be,58,38,5c,1b,58,38,5c,1b,14,00,00,00,50,00,69,00,\
"33"=hex:44,00,31,00,00,00,00,00,3e,38,34,31,10,00,43,4f,4d,50,54,49,7e,31,00,
00,2c,00,03,00,04,00,ef,be,3c,36,e2,16,88,38,b0,90,14,00,00,00,43,00,6f,00,\
"34"=hex:34,00,31,00,00,00,00,00,3e,38,34,31,10,00,49,72,61,71,00,00,20,00,03,
00,04,00,ef,be,3c,36,d8,16,91,38,e2,6c,14,00,00,00,49,00,72,00,61,00,71,00,\
"35"=hex:40,00,31,00,00,00,00,00,9b,36,5b,92,10,00,57,6f,6f,64,70,69,6c,65,00,
00,28,00,03,00,04,00,ef,be,93,36,bd,1b,cd,38,34,b0,14,00,00,00,57,00,6f,00,\
"36"=hex:44,00,31,00,00,00,00,00,3e,38,35,31,10,00,50,4f,4f,4c,53,2d,7e,31,00,
00,2c,00,03,00,04,00,ef,be,3c,36,aa,16,1c,39,23,79,14,00,00,00,50,00,6f,00,\
"37"=hex:36,00,31,00,00,00,00,00,cd,38,58,b0,10,00,42,6f,6f,6b,73,00,22,00,03,
00,04,00,ef,be,58,37,b2,b8,67,39,3a,4c,14,00,00,00,42,00,6f,00,6f,00,6b,00,\
"38"=hex:4a,00,31,00,00,00,00,00,67,39,f8,5e,10,00,43,4c,41,53,53,49,7e,31,00,
00,32,00,03,00,04,00,ef,be,58,37,b2,b8,67,39,62,6e,14,00,00,00,43,00,6c,00,\
"39"=hex:3a,00,31,00,00,00,00,00,87,39,9d,2c,10,00,41,75,64,69,6f,73,00,00,24,
00,03,00,04,00,ef,be,3c,36,e9,16,87,39,e6,2c,14,00,00,00,41,00,75,00,64,00,\
"40"=hex:52,00,31,00,00,00,00,00,87,39,17,2d,10,00,4d,4f,54,49,56,41,7e,31,00,
00,3a,00,03,00,04,00,ef,be,3c,36,e9,16,8d,39,6c,28,14,00,00,00,4d,00,6f,00,\
"41"=hex:46,00,31,00,00,00,00,00,92,39,70,06,10,00,4d,59,4e,4f,54,45,7e,31,00,
00,2e,00,03,00,04,00,ef,be,3a,36,b4,ae,92,39,f2,06,14,00,00,00,4d,00,79,00,\
"42"=hex:44,00,31,00,00,00,00,00,92,39,86,32,10,00,4d,4f,54,49,56,41,7e,31,00,
00,2c,00,03,00,04,00,ef,be,3c,36,e9,16,93,39,a2,08,14,00,00,00,4d,00,6f,00,\
"43"=hex:5c,00,31,00,00,00,00,00,4a,3a,55,3e,10,00,50,4f,4c,49,54,49,7e,31,00,
00,44,00,03,00,04,00,ef,be,4a,3a,10,3e,4a,3a,55,3e,14,00,00,00,50,00,6f,00,\
"44"=hex:34,00,31,00,00,00,00,00,67,3a,9d,a6,10,00,47,6f,6c,66,00,00,20,00,03,
00,04,00,ef,be,67,3a,9d,a6,67,3a,9d,a6,14,00,00,00,47,00,6f,00,6c,00,66,00,\
"45"=hex:40,00,31,00,00,00,00,00,1d,3b,db,33,11,00,4d,59,4d,55,53,49,7e,31,00,
00,28,00,03,00,04,00,ef,be,1d,3b,51,33,1d,3b,dc,33,14,00,00,00,4d,00,79,00,\
"46"=hex:34,00,31,00,00,00,00,00,0f,3b,31,ba,10,00,42,6c,6f,67,00,00,20,00,03,
00,04,00,ef,be,0f,3b,31,ba,29,3b,2f,39,14,00,00,00,42,00,6c,00,6f,00,67,00,\
"47"=hex:34,00,31,00,00,00,00,00,9d,3c,36,aa,10,00,55,53,4d,43,00,00,20,00,03,
00,04,00,ef,be,9d,3c,51,a7,9d,3c,36,aa,14,00,00,00,55,00,53,00,4d,00,43,00,\
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\20]
@DACL=(02 0000)
"NodeSlot"=dword:00000405
"MRUListEx"=hex:03,00,00,00,02,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff
"0"=hex:4c,00,31,00,00,00,00,00,8d,39,47,27,10,00,54,48,45,41,52,54,7e,31,00,
00,34,00,03,00,04,00,ef,be,8d,39,43,27,8d,39,66,27,14,00,00,00,54,00,68,00,\
"1"=hex:4c,00,31,00,00,00,00,00,8d,39,4a,27,10,00,41,54,4c,41,53,53,7e,31,00,
00,34,00,03,00,04,00,ef,be,8d,39,47,27,8e,39,25,26,14,00,00,00,41,00,74,00,\
"2"=hex:44,00,31,00,00,00,00,00,8d,39,43,27,10,00,54,48,45,50,52,49,7e,31,00,
00,2c,00,03,00,04,00,ef,be,8d,39,36,27,93,39,97,1b,14,00,00,00,54,00,68,00,\
"3"=hex:4a,00,31,00,00,00,00,00,8c,3a,e0,2a,10,00,43,4c,41,53,53,49,7e,31,00,
00,32,00,03,00,04,00,ef,be,58,37,b2,b8,96,3a,54,06,14,00,00,00,43,00,6c,00,\
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\21]
@DACL=(02 0000)
"NodeSlot"=dword:00000418
"MRUListEx"=hex:ff,ff,ff,ff
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\22]
@DACL=(02 0000)
"NodeSlot"=dword:00000433
"MRUListEx"=hex:ff,ff,ff,ff
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\23]
@DACL=(02 0000)
"NodeSlot"=dword:00000468
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
"0"=hex:40,00,31,00,00,00,00,00,67,3a,1a,a8,10,00,43,6f,75,72,73,65,73,30,00,
00,28,00,03,00,04,00,ef,be,67,3a,1a,a8,67,3a,1a,a8,14,00,00,00,43,00,6f,00,\
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\24]
@DACL=(02 0000)
"NodeSlot"=dword:000004a4
"MRUListEx"=hex:03,00,00,00,01,00,00,00,02,00,00,00,00,00,00,00,ff,ff,ff,ff
"0"=hex:40,00,31,00,00,00,00,00,65,37,ea,28,10,00,5f,70,72,69,76,61,74,65,00,
00,28,00,03,00,04,00,ef,be,65,37,ea,28,c9,3a,63,4e,14,00,00,00,5f,00,70,00,\
"1"=hex:40,00,31,00,00,00,00,00,65,37,ea,28,12,00,5f,76,74,69,5f,70,76,74,00,
00,28,00,03,00,04,00,ef,be,65,37,ea,28,c9,3a,63,4e,14,00,00,00,5f,00,76,00,\
"2"=hex:40,00,31,00,00,00,00,00,65,37,ea,28,12,00,5f,76,74,69,5f,63,6e,66,00,
00,28,00,03,00,04,00,ef,be,65,37,ea,28,c9,3a,63,4e,14,00,00,00,5f,00,76,00,\
"3"=hex:3a,00,31,00,00,00,00,00,65,37,ea,28,10,00,69,6d,61,67,65,73,00,00,24,
00,03,00,04,00,ef,be,65,37,ea,28,c9,3a,63,4e,14,00,00,00,69,00,6d,00,61,00,\
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\3]
@DACL=(02 0000)
"NodeSlot"=dword:00000086
"MRUListEx"=hex:ff,ff,ff,ff
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\4]
@DACL=(02 0000)
"NodeSlot"=dword:000000aa
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
"0"=hex:40,00,31,00,00,00,00,00,30,37,f1,a8,10,00,4d,59,4d,55,53,49,7e,31,00,
00,28,00,03,00,04,00,ef,be,3a,36,59,bf,30,37,22,a9,14,00,00,00,4d,00,79,00,\
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\5]
@DACL=(02 0000)
"NodeSlot"=dword:000000ef
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
"0"=hex:58,00,31,00,00,00,00,00,64,39,8c,3e,10,00,52,45,41,4c,50,4c,7e,31,00,
00,40,00,03,00,04,00,ef,be,5f,39,39,13,27,3b,5c,1e,14,00,00,00,52,00,65,00,\
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\6]
@DACL=(02 0000)
"NodeSlot"=dword:000001f6
"MRUListEx"=hex:ff,ff,ff,ff
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\7]
@DACL=(02 0000)
"NodeSlot"=dword:000001f7
"MRUListEx"=hex:ff,ff,ff,ff
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\8]
@DACL=(02 0000)
"NodeSlot"=dword:000001f8
"MRUListEx"=hex:ff,ff,ff,ff
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\9]
@DACL=(02 0000)
"NodeSlot"=dword:00000207
"MRUListEx"=hex:16,00,00,00,17,00,00,00,15,00,00,00,14,00,00,00,13,00,00,00,12,
00,00,00,11,00,00,00,10,00,00,00,0f,00,00,00,0e,00,00,00,0d,00,00,00,0c,00,\
"0"=hex:3c,00,31,00,00,00,00,00,9b,36,5c,15,10,00,42,72,75,73,68,65,73,00,26,
00,03,00,04,00,ef,be,9b,36,5c,15,92,39,2e,bb,14,00,00,00,42,00,72,00,75,00,\
"1"=hex:42,00,31,00,00,00,00,00,9b,36,5c,15,10,00,42,55,4d,50,4d,41,7e,31,00,
00,2a,00,03,00,04,00,ef,be,9b,36,5c,15,92,39,2e,bb,14,00,00,00,42,00,75,00,\
"2"=hex:4a,00,31,00,00,00,00,00,9b,36,5c,15,10,00,43,4d,59,4b,50,52,7e,31,00,
00,32,00,03,00,04,00,ef,be,9b,36,5c,15,92,39,2e,bb,14,00,00,00,43,00,4d,00,\
"3"=hex:50,00,31,00,00,00,00,00,9b,36,5c,15,10,00,44,45,46,4f,52,4d,7e,31,00,
00,38,00,03,00,04,00,ef,be,9b,36,5c,15,92,39,2e,bb,14,00,00,00,44,00,65,00,\
"4"=hex:52,00,31,00,00,00,00,00,9b,36,5c,15,10,00,44,49,53,50,4c,41,7e,31,00,
00,3a,00,03,00,04,00,ef,be,9b,36,5c,15,92,39,2e,bb,14,00,00,00,44,00,69,00,\
"5"=hex:50,00,31,00,00,00,00,00,9b,36,5c,15,10,00,45,4e,56,49,52,4f,7e,31,00,
00,38,00,03,00,04,00,ef,be,9b,36,5c,15,92,39,2e,bb,14,00,00,00,45,00,6e,00,\
"6"=hex:42,00,31,00,00,00,00,00,9b,36,5c,15,10,00,47,52,41,44,49,45,7e,31,00,
00,2a,00,03,00,04,00,ef,be,9b,36,5c,15,92,39,2e,bb,14,00,00,00,47,00,72,00,\
"7"=hex:36,00,31,00,00,00,00,00,9b,36,5c,15,10,00,4d,61,73,6b,73,00,22,00,03,
00,04,00,ef,be,9b,36,5c,15,92,39,2e,bb,14,00,00,00,4d,00,61,00,73,00,6b,00,\
"8"=hex:46,00,31,00,00,00,00,00,9b,36,5c,15,10,00,4d,49,58,45,52,50,7e,31,00,
00,2e,00,03,00,04,00,ef,be,9b,36,5c,15,92,39,2e,bb,14,00,00,00,4d,00,69,00,\
"9"=hex:50,00,31,00,00,00,00,00,9b,36,5c,15,10,00,4d,4f,4e,49,54,4f,7e,31,00,
00,38,00,03,00,04,00,ef,be,9b,36,5c,15,92,39,2e,bb,14,00,00,00,4d,00,6f,00,\
"10"=hex:40,00,31,00,00,00,00,00,9b,36,5c,15,10,00,50,61,6c,65,74,74,65,73,00,
00,28,00,03,00,04,00,ef,be,9b,36,5c,15,92,39,2e,bb,14,00,00,00,50,00,61,00,\
"11"=hex:40,00,31,00,00,00,00,00,9b,36,5c,15,10,00,50,61,74,74,65,72,6e,73,00,
00,28,00,03,00,04,00,ef,be,9b,36,5c,15,92,39,2e,bb,14,00,00,00,50,00,61,00,\
"12"=hex:4c,00,31,00,00,00,00,00,9b,36,5c,15,10,00,50,49,43,54,55,52,7e,32,00,
00,34,00,03,00,04,00,ef,be,9b,36,5c,15,92,39,2e,bb,14,00,00,00,50,00,69,00,\
"13"=hex:4a,00,31,00,00,00,00,00,9b,36,5c,15,10,00,50,49,43,54,55,52,7e,31,00,
00,32,00,03,00,04,00,ef,be,9b,36,5c,15,92,39,2e,bb,14,00,00,00,50,00,69,00,\
"14"=hex:4a,00,31,00,00,00,00,00,9b,36,5c,15,10,00,50,52,45,53,45,54,7e,31,00,
00,32,00,03,00,04,00,ef,be,9b,36,5c,15,92,39,2e,bb,14,00,00,00,50,00,72,00,\
"15"=hex:3c,00,31,00,00,00,00,00,9b,36,5c,15,10,00,50,72,65,73,65,74,73,00,26,
00,03,00,04,00,ef,be,9b,36,5c,15,92,39,2e,bb,14,00,00,00,50,00,72,00,65,00,\
"16"=hex:4e,00,31,00,00,00,00,00,9b,36,5c,15,10,00,50,52,49,4e,54,54,7e,31,00,
00,36,00,03,00,04,00,ef,be,9b,36,5c,15,92,39,2e,bb,14,00,00,00,50,00,72,00,\
"17"=hex:54,00,31,00,00,00,00,00,9b,36,5c,15,10,00,53,43,52,49,50,54,7e,31,00,
00,3c,00,03,00,04,00,ef,be,9b,36,5c,15,92,39,2e,bb,14,00,00,00,53,00,63,00,\
"18"=hex:4e,00,31,00,00,00,00,00,9b,36,5c,15,10,00,53,43,52,49,50,54,7e,32,00,
00,36,00,03,00,04,00,ef,be,9b,36,5c,15,92,39,2e,bb,14,00,00,00,53,00,63,00,\
"19"=hex:44,00,31,00,00,00,00,00,9b,36,5c,15,10,00,53,45,4c,45,43,54,7e,31,00,
00,2c,00,03,00,04,00,ef,be,9b,36,5c,15,92,39,2e,bb,14,00,00,00,53,00,65,00,\
"20"=hex:48,00,31,00,00,00,00,00,9b,36,5c,15,10,00,53,54,59,4c,45,44,7e,31,00,
00,30,00,03,00,04,00,ef,be,9b,36,5c,15,92,39,2e,bb,14,00,00,00,53,00,74,00,\
"21"=hex:40,00,31,00,00,00,00,00,9b,36,5c,15,10,00,53,77,61,74,63,68,65,73,00,
00,28,00,03,00,04,00,ef,be,9b,36,5c,15,92,39,2e,bb,14,00,00,00,53,00,77,00,\
"22"=hex:44,00,31,00,00,00,00,00,9b,36,67,15,10,00,57,4f,52,4b,53,50,7e,31,00,
00,2c,00,03,00,04,00,ef,be,9b,36,5c,15,92,39,2e,bb,14,00,00,00,57,00,6f,00,\
"23"=hex:40,00,31,00,00,00,00,00,9b,36,5c,15,10,00,54,65,78,74,75,72,65,73,00,
00,28,00,03,00,04,00,ef,be,9b,36,5c,15,92,39,2e,bb,14,00,00,00,54,00,65,00,\
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\BagMRU\2]
@DACL=(02 0000)
@SACL=
"NodeSlot"=dword:00000024
"MRUListEx"=hex:ff,ff,ff,ff
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\1]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\10]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\11]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\12]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\13]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\14]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\15]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\16]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\17]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\18]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\19]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\2]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\20]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\21]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\22]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\23]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\24]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\25]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\26]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\27]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\28]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\29]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\3]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\30]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\31]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\32]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\33]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\34]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\35]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\36]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\37]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\38]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\39]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\4]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\40]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\41]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\42]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\43]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\44]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\45]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\46]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\47]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\48]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\49]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\5]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\50]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\51]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\52]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\53]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\54]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\55]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\56]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\57]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\58]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\59]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\6]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\60]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\61]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\62]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\63]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\64]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\65]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\66]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\7]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\8]
@DACL=(02 0000)
@SACL=
.
[HKEY_USERS\S-1-5-21-105615621-1584330953-2930943117-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\9]
@DACL=(02 0000)
@SACL=
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IEHomePageInfo\RegBackup]
@DACL=(02 0000)
@SACL=
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IMAGING_USE_ART]
@DACL=(02 0000)
@SACL=
@=""
"waol.exe"=dword:00000001
"cs.exe"=dword:00000001
"wm.exe"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\MLS]
@DACL=(02 0000)
@SACL=
.
[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\services]
@DACL=(02 0000)
@SACL=
"NoServices"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Realtek Semiconductor Corp.\Realtek High Definition Audio Driver]
@DACL=(02 0000)
@SACL=
.
[HKEY_LOCAL_MACHINE\software\TOSHIBA\Power Saver\Policies]
@DACL=(02 0000)
@SACL=
"MachinePolicies"=hex:01,00,00,00,04,00,00,00,04,00,00,00,04,00,00,00,04,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,32,32,00,00,02,00,00,00,\
"UserPolicies"=hex:01,00,00,00,00,00,00,00,03,00,00,00,00,00,00,00,00,00,00,00,
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,32,32,00,00,04,00,00,00,04,\
"ProcessorPolicies"=hex:01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,03,00,
00,00,a0,86,01,00,a0,86,01,00,a0,86,01,00,28,32,00,00,02,00,00,00,a0,86,01,\
.
[HKEY_LOCAL_MACHINE\software\Yahoo\YMP\InstallHistory\1.1.1.026]
@DACL=(02 0000)
@SACL=
@="2006.06.22.1"
"InstallTime"="08/11/06 14:36"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1008)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\windows\system32\PSIService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\TODDSrv.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-12-13 21:53:23 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-14 05:53
.
Pre-Run: 32,997,490,688 bytes free
Post-Run: 33,320,431,616 bytes free
.
- - End Of File - - B6E365F4180533641C359E1FA0970BE7

Edited by papa_A_D, 14 December 2011 - 12:45 AM.

#26
maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
As I expected, Combofix did a great job! How is your system now? Do you have your Internet connection back? If not, restart your system one more time and test the connection.

  • Run OTL.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open a Notepad window, OTL.Txt. It is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file, and post it with your next reply.

#27
papa_A_D

papa_A_D

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
Well, I rebooted and started the internet. Seems OK, maliprog. Here's the OTL log. Whaddya think?

papa_A_D

OTL logfile created on: 12/14/2011 12:54:11 PM - Run 3
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Hemphill\Desktop\Virus Ware
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

501.98 Mb Total Physical Memory | 359.96 Mb Available Physical Memory | 71.71% Memory free
1.25 Gb Paging File | 1.02 Gb Available in Paging File | 81.52% Paging File free
Paging file location(s): C:\pagefile.sys 812 1792 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.23 Gb Total Space | 31.10 Gb Free Space | 41.89% Space Free | Partition Type: NTFS

Computer Name: WALLSTREAT | User Name: Hemphill | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/01 15:45:19 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Hemphill\Desktop\Virus Ware\OTL.scr
PRC - [2011/11/07 23:45:26 | 000,114,688 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TODDSrv.exe
PRC - [2011/11/07 18:19:43 | 000,174,656 | ---- | M] () -- C:\WINDOWS\system32\PSIService.exe
PRC - [2011/11/07 16:51:37 | 000,114,688 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\DVDRAMSV.exe
PRC - [2011/11/02 14:51:10 | 000,045,056 | ---- | M] () -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
PRC - [2011/11/02 14:51:06 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2011/11/02 14:51:03 | 000,036,864 | ---- | M] () -- C:\WINDOWS\system32\acs.exe
PRC - [2008/04/13 16:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/08/02 15:52:46 | 000,364,544 | ---- | M] (TOSHIBA) -- C:\Program Files\TOSHIBA\TOSHIBA Applet\THotkey.exe
PRC - [2006/02/07 15:30:40 | 000,035,840 | ---- | M] (TOSHIBA Corp.) -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
PRC - [2004/08/27 23:37:00 | 000,155,648 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\RAMASST.exe


========== Modules (No Company Name) ==========

MOD - [2011/11/07 18:19:43 | 000,174,656 | ---- | M] () -- C:\WINDOWS\system32\PSIService.exe
MOD - [2011/11/02 14:51:10 | 000,045,056 | ---- | M] () -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
MOD - [2011/11/02 14:51:03 | 000,036,864 | ---- | M] () -- C:\WINDOWS\system32\acs.exe
MOD - [2011/02/04 16:48:30 | 000,291,840 | ---- | M] () -- C:\WINDOWS\system32\sbe.dll
MOD - [2010/02/05 10:27:45 | 001,291,776 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2008/04/13 16:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/13 16:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2006/07/02 21:44:10 | 000,118,784 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\iWMSProv.dll
MOD - [2006/07/02 21:42:44 | 000,348,160 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\IntStngs.dll
MOD - [2006/01/04 17:14:36 | 000,049,152 | ---- | M] () -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TouchPad_ONOFF.dll
MOD - [2004/07/20 16:04:00 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\TosBtHcrpAPI.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (IOLO_SRV)
SRV - [2011/11/08 06:08:49 | 002,528,960 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE -- (LiveUpdate)
SRV - [2011/11/07 23:45:26 | 000,114,688 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\WINDOWS\system32\TODDSrv.exe -- (TODDSrv)
SRV - [2011/11/07 18:19:43 | 000,174,656 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PSIService.exe -- (ProtexisLicensing)
SRV - [2011/11/07 16:51:37 | 000,114,688 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) [Auto | Running] -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service)
SRV - [2011/11/02 14:51:10 | 000,045,056 | ---- | M] () [Auto | Running] -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2011/11/02 14:51:06 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2011/11/02 14:51:03 | 000,036,864 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (ACS)
SRV - [2008/04/13 16:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2008/04/13 16:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP)
SRV - [2008/04/13 16:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2006/02/07 15:30:40 | 000,035,840 | ---- | M] (TOSHIBA Corp.) [Auto | Running] -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe -- (TAPPSRV)


========== Driver Services (SafeList) ==========

DRV - [2008/01/31 13:53:34 | 000,194,320 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2006/12/16 12:37:50 | 000,027,136 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tapvpn.sys -- (tapvpn)
DRV - [2006/08/25 15:33:50 | 000,061,824 | ---- | M] (ENE Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\EMS7SK.sys -- (EMSCR)
DRV - [2006/08/23 19:37:50 | 004,374,016 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/08/22 09:11:30 | 000,040,064 | ---- | M] (ENE Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ESD7SK.sys -- (ESDCR)
DRV - [2006/07/13 09:33:10 | 000,074,752 | ---- | M] (ENE Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ESM7SK.sys -- (ESMCR)
DRV - [2006/07/02 23:16:30 | 000,012,544 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2006/06/28 15:25:06 | 000,081,920 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2006/06/28 10:50:00 | 000,098,816 | ---- | M] (TOSHIBA Corporation) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tdudf.sys -- (tdudf)
DRV - [2006/05/30 15:42:52 | 000,045,696 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Tvs.sys -- (Tvs)
DRV - [2006/03/18 06:36:42 | 001,155,584 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/03/02 17:49:50 | 000,015,360 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2005/12/20 15:54:34 | 000,027,008 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidKE.Sys -- (LHidKe)
DRV - [2005/12/20 15:54:28 | 000,069,376 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMOUKE.sys -- (LMouKE)
DRV - [2005/12/20 15:54:04 | 000,036,736 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidUsbK.sys -- (LHidUsbK)
DRV - [2005/12/20 15:53:44 | 000,013,440 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd)
DRV - [2005/10/20 13:03:42 | 000,006,144 | ---- | M] (Toshiba Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NBSMI.sys -- (TVALD)
DRV - [2005/09/09 13:47:10 | 000,009,344 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfec.sys -- (tosrfec)
DRV - [2005/08/24 14:20:28 | 000,009,472 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tbiosdrv.sys -- (tbiosdrv)
DRV - [2005/06/02 02:33:00 | 000,102,384 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\meiudf.sys -- (meiudf)
DRV - [2003/09/19 00:47:00 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (Pfc)
DRV - [2003/01/29 13:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)
DRV - [2003/01/10 12:13:04 | 000,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [1999/09/10 11:06:00 | 000,025,244 | ---- | M] (Adaptec) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\ASPI32.SYS -- (ASPI32)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:52970

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.mozilla.org/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:0.7.5.5
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 52970
FF - prefs.js..network.proxy.type: 1

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@DictionaryBoss.com/Plugin: C:\Program Files\DictionaryBoss\bar\1.bin\NPv4Stub.dll File not found
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa2,version=2.0.0: C:\Program Files\Picasa2\npPicasa2.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Picasa2\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60310.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/VirtualEarth3D,version=4.0: C:\Program Files\Virtual Earth 3D\ [2009/04/14 21:06:00 | 000,000,000 | ---D | M]
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=13: C:\Program Files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\DictionaryBoss\bar\1.bin

[2008/11/05 20:47:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Hemphill\Application Data\Mozilla\Extensions
[2009/08/30 22:41:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Hemphill\Application Data\Mozilla\Firefox\Profiles\mqrzvjre.default\extensions
[2008/11/06 02:17:45 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Hemphill\Application Data\Mozilla\Firefox\Profiles\mqrzvjre.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/08/30 22:41:32 | 000,000,000 | ---D | M] (MediaBar) -- C:\Documents and Settings\Hemphill\Application Data\Mozilla\Firefox\Profiles\mqrzvjre.default\extensions\{E84D42CA-64EB-11DE-A65F-8C3656D89593}
[2009/01/01 12:02:32 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

O1 HOSTS File: ([2011/12/13 21:42:29 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - {20001E7A-823D-4E19-ADE2-D6AB53C7C81E} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [THotkey] C:\Program Files\TOSHIBA\TOSHIBA Applet\THotkey.exe (TOSHIBA)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe (Matsushita Electric Industrial Co., Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: MaxRecentDocs = 11
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll (Google Inc.)
O8 - Extra context menu item: Save Page As PDF ... - file://C:\Program Files\Nitro PDF\PDF Download\nitroweb.htm File not found
O9 - Extra 'Tools' menuitem : PDF Download - Options - {AD9E6088-E00B-42f9-9F0C-8480525D234E} - Reg Error: Key error. File not found
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe File not found
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: wordpress.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: wordpress.com ([support] http in Trusted sites)
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} http://support.f-sec...m/ols/fscax.cab (F-Secure Online Scanner 3.1)
O16 - DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} http://download.micr...tualEarth3D.cab (Reg Error: Key error.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.s...abs/tgctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/b...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} http://www.maricopa....in/mgaxctrl.cab (Autodesk MapGuide ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://bigtrends.we...bex/ieatgpc.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Toshiba.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Toshiba.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/07/18 18:37:30 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (smrgdf C:\Program Files\iolo\System Mechanic 6",)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/14 12:35:59 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Hemphill\Recent
[2011/12/13 21:53:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/12/13 21:13:49 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/12/06 20:28:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/12/06 18:53:31 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/12/06 18:53:31 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/12/06 18:53:31 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/12/06 18:53:31 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/12/06 18:50:04 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/11/30 18:56:10 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2011/11/23 15:16:42 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/11/21 19:44:39 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/11/21 19:43:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/11/14 18:02:21 | 000,000,000 | ---D | C] -- C:\_OTM
[2006/07/19 14:49:10 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\DLLVGA.dll
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/12/14 12:37:36 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2011/12/14 12:37:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/14 12:37:18 | 526,438,400 | -HS- | M] () -- C:\hiberfil.sys
[2011/12/13 21:42:29 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/12/13 18:22:23 | 000,000,428 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{A00C3A91-1B39-4F57-A4C7-6A0B0F8DC435}.job
[2011/12/12 20:48:28 | 003,009,018 | ---- | M] () -- C:\Documents and Settings\Hemphill\My Documents\iewindow.bmp
[2011/12/12 18:26:22 | 000,035,480 | -HS- | M] () -- C:\WINDOWS\3816529drv.spi
[2011/12/11 13:09:42 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/05 19:53:16 | 000,000,000 | ---- | M] () -- C:\WINDOWS\ToDisc.INI
[2011/12/03 16:23:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/12/01 16:20:06 | 000,302,592 | ---- | M] () -- C:\is7cwtxh.exe
[2011/11/30 19:01:39 | 000,000,000 | ---- | M] () -- C:\WINDOWS\2557291154
[2011/11/23 15:38:32 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/11/21 21:28:54 | 000,496,004 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/11/21 21:28:54 | 000,090,796 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/11/19 18:42:14 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/11/19 15:17:23 | 005,410,816 | ---- | M] () -- C:\Documents and Settings\Hemphill\ntuser.bak
[2011/11/19 14:28:40 | 000,000,209 | -HS- | M] () -- C:\boot.ini
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/12 20:48:28 | 003,009,018 | ---- | C] () -- C:\Documents and Settings\Hemphill\My Documents\iewindow.bmp
[2011/12/12 15:48:14 | 000,035,480 | -HS- | C] () -- C:\WINDOWS\3816529drv.spi
[2011/12/06 18:53:31 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/12/06 18:53:31 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/12/06 18:53:31 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/12/06 18:53:31 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/12/06 18:53:31 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/12/05 19:53:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ToDisc.INI
[2011/12/01 17:05:38 | 000,302,592 | ---- | C] () -- C:\is7cwtxh.exe
[2011/11/09 20:41:28 | 000,281,336 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/06/11 21:54:29 | 000,011,310 | -HS- | C] () -- C:\Documents and Settings\Hemphill\Local Settings\Application Data\523i15k6q8ybe1q7n25tq08885823u42w2p3g6pwjy2
[2011/06/11 21:54:29 | 000,011,310 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\523i15k6q8ybe1q7n25tq08885823u42w2p3g6pwjy2
[2011/02/12 21:34:31 | 000,000,607 | ---- | C] () -- C:\WINDOWS\FCRCfg.ini
[2011/02/10 22:06:34 | 000,187,904 | ---- | C] () -- C:\WINDOWS\System32\Lame.exe
[2011/02/10 22:06:33 | 000,641,021 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2011/02/10 22:06:33 | 000,001,674 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2010/02/16 00:49:59 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2010/02/16 00:49:59 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2010/02/16 00:49:21 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2010/02/16 00:49:20 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2010/02/16 00:49:19 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2009/10/09 23:45:54 | 000,307,200 | ---- | C] () -- C:\WINDOWS\System32\AscSQLite.dll
[2009/08/25 00:59:33 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\evqla.sys
[2009/08/24 23:45:16 | 000,687,104 | ---- | C] () -- C:\WINDOWS\is-NMITE.exe
[2009/02/13 14:02:52 | 000,018,432 | ---- | C] () -- C:\WINDOWS\ss3unstl.exe
[2009/02/13 13:49:06 | 000,035,572 | R--- | C] () -- C:\WINDOWS\muscroll.dll
[2009/02/13 13:49:05 | 000,259,462 | R--- | C] () -- C:\WINDOWS\accusft5.dll
[2009/01/02 15:57:00 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/12/21 18:02:23 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\uhkec.sys
[2008/04/18 20:22:38 | 000,245,760 | ---- | C] () -- C:\WINDOWS\System32\ControlWZCS.exe
[2008/04/18 20:22:34 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\acs.exe
[2008/04/18 20:22:17 | 000,311,296 | ---- | C] () -- C:\WINDOWS\System32\AegisI5.exe
[2008/01/31 13:53:36 | 000,096,800 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2008/01/31 13:53:36 | 000,010,784 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2008/01/29 16:30:41 | 000,000,045 | ---- | C] () -- C:\WINDOWS\System32\RPVersion.ini
[2008/01/22 22:49:37 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2008/01/19 19:40:53 | 000,434,176 | ---- | C] () -- C:\WINDOWS\System32\MetaLib.dll
[2007/08/08 15:30:12 | 000,019,456 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerLang.dll
[2007/08/02 17:11:28 | 000,253,952 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerDLLA.dll
[2007/08/02 17:11:14 | 000,241,664 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerDLLW.dll
[2007/07/27 14:49:02 | 000,225,355 | ---- | C] () -- C:\WINDOWS\System32\lnod32apiW.dll
[2007/07/27 14:49:02 | 000,196,683 | ---- | C] () -- C:\WINDOWS\System32\lnod32apiA.dll
[2007/07/25 18:00:45 | 004,369,388 | -H-- | C] () -- C:\WINDOWS\System32\spython.bin
[2007/07/05 00:11:00 | 000,000,176 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/07/04 23:49:21 | 000,003,424 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2007/06/13 10:10:34 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerUninstaller.exe
[2007/05/27 13:20:39 | 000,000,251 | ---- | C] () -- C:\Program Files\wt3d.ini
[2007/04/26 18:39:12 | 000,002,828 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2007/04/26 18:39:12 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\A37964C185.sys
[2007/04/26 16:48:35 | 000,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2007/04/25 07:13:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\dlcccfg.dll
[2007/04/12 19:06:23 | 000,047,366 | ---- | C] () -- C:\Documents and Settings\Hemphill\Application Data\wklnhst.dat
[2007/03/10 22:49:51 | 000,004,388 | ---- | C] () -- C:\WINDOWS\smflt.dll
[2007/02/19 19:33:39 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/02/09 01:35:27 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A5W.INI
[2007/02/01 14:07:56 | 000,000,068 | ---- | C] () -- C:\WINDOWS\NavWin.INI
[2007/01/31 22:09:09 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\G32_TICK.DLL
[2007/01/31 22:09:09 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\G32_rkey.dll
[2007/01/31 22:09:09 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\free_res.exe
[2007/01/27 19:42:35 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\vsppg.dll
[2007/01/27 19:40:00 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\VsPPG7.dll
[2007/01/27 19:35:40 | 000,000,194 | ---- | C] () -- C:\WINDOWS\frontpg.ini
[2007/01/27 19:20:43 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2007/01/27 19:20:04 | 000,235,520 | ---- | C] () -- C:\WINDOWS\System32\W048T32W.DLL
[2007/01/27 19:20:04 | 000,128,000 | ---- | C] () -- C:\WINDOWS\System32\W046T32W.DLL
[2007/01/27 19:20:04 | 000,096,768 | ---- | C] () -- C:\WINDOWS\System32\W801T32W.DLL
[2007/01/27 19:20:04 | 000,083,968 | ---- | C] () -- C:\WINDOWS\System32\W770T32W.DLL
[2007/01/27 19:20:03 | 000,202,752 | ---- | C] () -- C:\WINDOWS\System32\W042T32W.DLL
[2007/01/27 19:20:03 | 000,202,240 | ---- | C] () -- C:\WINDOWS\System32\W019T32W.DLL
[2007/01/27 19:20:03 | 000,168,960 | ---- | C] () -- C:\WINDOWS\System32\W037T32W.DLL
[2007/01/27 19:20:03 | 000,163,328 | ---- | C] () -- C:\WINDOWS\System32\W033T32W.DLL
[2007/01/27 19:20:03 | 000,137,216 | ---- | C] () -- C:\WINDOWS\System32\W043T32W.DLL
[2007/01/27 19:20:03 | 000,101,888 | ---- | C] () -- C:\WINDOWS\System32\W015T32W.DLL
[2007/01/27 19:20:03 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\W040T32W.DLL
[2007/01/27 19:20:01 | 000,116,736 | ---- | C] () -- C:\WINDOWS\System32\lfkodak.dll
[2007/01/27 19:20:00 | 000,343,040 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
[2007/01/26 19:30:03 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2007/01/26 12:13:09 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Hemphill\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/01/26 12:13:09 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\Hemphill\Local Settings\Application Data\fusioncache.dat
[2007/01/26 11:59:54 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/11/02 19:40:12 | 000,174,656 | ---- | C] () -- C:\WINDOWS\System32\PSIService.exe
[2006/08/31 13:27:28 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2006/08/31 13:27:28 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2006/08/11 13:33:33 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006/08/11 13:33:33 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006/08/11 13:33:33 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006/08/11 13:33:33 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006/08/11 13:33:33 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006/08/11 13:33:33 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006/08/11 13:12:03 | 000,000,176 | ---- | C] () -- C:\WINDOWS\System32\drivers\RTHDAEQ1.dat
[2006/08/11 13:12:03 | 000,000,176 | ---- | C] () -- C:\WINDOWS\System32\drivers\RTHDAEQ0.dat
[2006/07/19 18:50:30 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2006/07/19 18:38:09 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/07/19 18:13:07 | 000,000,004 | ---- | C] () -- C:\WINDOWS\Pix11.dat
[2006/07/19 16:51:22 | 000,036,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\CSIIDecoder_kern_i386.sys
[2006/07/19 16:51:22 | 000,029,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSXT_kern_i386.sys
[2006/07/19 15:18:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2006/07/19 15:02:31 | 000,356,352 | ---- | C] () -- C:\WINDOWS\EMCRI.dll
[2006/07/19 15:01:55 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2006/07/19 15:01:55 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2006/07/19 15:01:55 | 000,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2006/07/19 15:01:55 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2006/07/19 14:49:10 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\TCtrlIO.dll
[2006/07/18 18:44:06 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/07/18 18:40:35 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/07/18 18:33:55 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/07/18 18:32:30 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/07/18 16:52:17 | 000,000,341 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/07/18 16:47:49 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/07/18 16:47:41 | 000,496,004 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/07/18 16:47:41 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/07/18 16:47:41 | 000,090,796 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/07/18 16:47:41 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/07/18 16:47:39 | 000,004,688 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/07/18 16:47:37 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/07/18 16:47:33 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2006/07/18 16:47:21 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/07/18 16:47:21 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/07/18 16:47:01 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/07/18 16:46:50 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2006/07/18 11:28:34 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/03/29 07:43:38 | 000,042,496 | ---- | C] () -- C:\WINDOWS\System32\ALZZip.BIN
[2006/03/29 07:43:36 | 000,062,464 | ---- | C] () -- C:\WINDOWS\System32\ALZALZ.BIN
[2005/12/05 19:25:22 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\lnod32umc.dll
[2005/12/05 12:37:10 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\lnod32upd.dll
[2005/09/02 13:44:00 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2005/08/24 14:20:28 | 000,009,472 | ---- | C] () -- C:\WINDOWS\System32\drivers\tbiosdrv.sys
[2005/08/05 13:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/07/22 20:30:00 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2004/12/20 10:08:28 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2004/12/20 10:03:26 | 000,679,936 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2004/07/20 16:04:00 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll
[2004/01/15 13:43:00 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1999/01/22 10:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/01/12 00:00:00 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL

========== LOP Check ==========

[2008/06/10 17:54:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AceReader Pro
[2009/10/09 23:52:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ascentive
[2011/11/21 19:44:39 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2008/01/19 10:12:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DassaultSystemes
[2011/02/04 23:11:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Driver Boost
[2008/02/08 13:11:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Gecko Software
[2008/01/22 21:42:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
[2011/11/21 19:53:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2008/01/16 12:52:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PKWARE
[2010/05/17 22:30:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RegCure
[2010/12/20 00:27:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Systweak
[2008/01/29 16:49:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
[2008/01/25 17:14:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2006/07/19 15:50:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2007/01/26 19:44:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YAHOO
[2011/01/27 21:26:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/10/01 22:38:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2011/04/20 00:59:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Hemphill\Application Data\Barnes & Noble
[2009/08/31 20:08:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Hemphill\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2008/01/19 10:12:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Hemphill\Application Data\DassaultSystemes
[2010/05/19 15:21:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Hemphill\Application Data\ElevatedDiagnostics
[2011/02/12 19:38:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Hemphill\Application Data\Focus Mp3 Recorder
[2008/01/22 22:18:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Hemphill\Application Data\Grisoft
[2007/04/17 21:10:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Hemphill\Application Data\ICAClient
[2007/02/25 21:12:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Hemphill\Application Data\InterVideo
[2008/02/07 20:13:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Hemphill\Application Data\JGsoft
[2011/06/14 17:05:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Hemphill\Application Data\licenses
[2008/11/03 19:08:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Hemphill\Application Data\LimeWire
[2011/06/27 21:35:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Hemphill\Application Data\PandoraRecovery
[2007/03/20 22:11:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Hemphill\Application Data\papa_A_D
[2011/06/14 17:06:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Hemphill\Application Data\PCMM2009
[2011/06/14 17:04:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Hemphill\Application Data\PCMM2011
[2008/01/16 12:52:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Hemphill\Application Data\PKWARE
[2011/02/11 00:41:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Hemphill\Application Data\RipIt4Me
[2010/12/20 00:27:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Hemphill\Application Data\Systweak
[2007/04/12 19:06:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Hemphill\Application Data\Template
[2011/06/15 04:30:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Hemphill\Application Data\toshiba
[2008/02/07 18:29:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Hemphill\Application Data\Trading Applications
[2008/01/29 16:50:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Hemphill\Application Data\TuneUp Software
[2007/06/01 19:02:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Hemphill\Application Data\Viewpoint
[2007/04/26 16:48:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Hemphill\Application Data\webex
[2011/12/13 18:22:23 | 000,000,428 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{A00C3A91-1B39-4F57-A4C7-6A0B0F8DC435}.job

========== Purity Check ==========



< End of report >



  • 0

#28
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi papa_A_D,

Glad to hear that your system is fine now. There are still some leftovers we need to remove...

Step 1

NOTE: This fix is custom made for this system only and for the current system state! Don't try to run it on another system!

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:52970
    FF - prefs.js..network.proxy.http: "127.0.0.1"
    FF - prefs.js..network.proxy.http_port: 52970
    FF - prefs.js..network.proxy.type: 1
    [2011/06/11 21:54:29 | 000,011,310 | -HS- | C] () -- C:\Documents and Settings\Hemphill\Local Settings\Application Data\523i15k6q8ybe1q7n25tq08885823u42w2p3g6pwjy2
    [2011/06/11 21:54:29 | 000,011,310 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\523i15k6q8ybe1q7n25tq08885823u42w2p3g6pwjy2

    :Files
    ipconfig /flushdns /c
    C:\Documents and Settings\Hemphill\Local Settings\Application Data\523i15k6q8ybe1q7n25tq08885823u42w2p3g6pwjy2
    C:\Documents and Settings\All Users\Application Data\523i15k6q8ybe1q7n25tq08885823u42w2p3g6pwjy2

    :Commands
    [purity]
    [emptytemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles


Step 2

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 3

Run TDSSKiller one more time and post the log for me.

Step 4

Please don't forget to include these items in your reply:

  • OTL fix log
  • Malwarebytes log
  • TDSSKiller log
It would be helpful if you could post each log in a separate post.
  • 0
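The security-relevant part of Step 1 is the proxy: the IE "Internet Settings" values and Firefox's prefs.js had been pointed at 127.0.0.1:52970, so a local process could sit between the browser and the network. As an added example (not code from this thread, from OTL, or from the helper), the script below checks for that state automatically. The IE lines and the prefs.js lines are constructed samples modelled on the entries in the fix; the function names (parse_ie_settings, parse_prefs_js, parse_proxy_server, find_proxy_hijack) are my own.

```python
"""Check IE registry values and Firefox prefs.js for a loopback proxy hijack.

Added example for this thread, not OTL's or the helper's own code. Step 1
resets a proxy that points the browser at 127.0.0.1:52970; this script
detects that state from an OTL-style dump of the IE "Internet Settings"
values and from a Firefox prefs.js file.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the lines in the OTL fix (not a real dump).
SAMPLE_IE_SETTINGS = r'''
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:52970
'''

# Constructed sample prefs.js; the three proxy prefs mirror the fix, the rest is benign filler.
SAMPLE_PREFS_JS = '''
user_pref("browser.startup.homepage", "https://example.org/");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 52970);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
user_pref("network.proxy.type", 1);
'''


@dataclass
class Finding:
    source: str            # "IE" or "Firefox"
    setting: str           # the value or pref that raised the finding
    host: str
    port: Optional[int]
    enabled: bool          # True if the proxy is actually in effect, not just configured


def parse_ie_settings(text: str) -> dict:
    """Pull "Name" = value pairs out of OTL-style 'IE - ...Internet Settings:' lines."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r'"(\w+)"\s*=\s*(.*)$', text, re.MULTILINE)}


def parse_prefs_js(text: str) -> dict:
    """Parse user_pref("key", value); lines into a dict of str/int/bool values."""
    prefs = {}
    for m in re.finditer(r'user_pref\("([^"]+)",\s*(.*?)\);', text):
        key, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            prefs[key] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs


def parse_proxy_server(value: str) -> list:
    """IE ProxyServer is 'host:port' or 'http=host:port;https=host:port;...'."""
    out = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")      # scheme is '' when there is no '='
        host, sep, port = hostport.rpartition(":")
        if not sep:
            host, port = hostport, ""
        out.append((scheme or "all", host, int(port) if port.isdigit() else None))
    return out


def is_loopback(host: str) -> bool:
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def find_proxy_hijack(ie_values: dict, ff_prefs: dict) -> list:
    """Report every browser proxy entry that points at the local machine."""
    findings = []
    ie_enabled = ie_values.get("ProxyEnable", "0").strip() not in ("0", "")
    for scheme, host, port in parse_proxy_server(ie_values.get("ProxyServer", "")):
        if is_loopback(host):
            findings.append(Finding("IE", f"ProxyServer[{scheme}]", host, port, ie_enabled))
    ff_manual = ff_prefs.get("network.proxy.type", 0) == 1   # 1 = manual proxy configuration
    for scheme in ("http", "ssl", "ftp", "socks"):
        host = ff_prefs.get(f"network.proxy.{scheme}")
        if isinstance(host, str) and is_loopback(host):
            port = ff_prefs.get(f"network.proxy.{scheme}_port")
            findings.append(Finding("Firefox", f"network.proxy.{scheme}", host,
                                    port if isinstance(port, int) else None, ff_manual))
    return findings


def demo() -> list:
    """Run the check over the constructed samples."""
    return find_proxy_hijack(parse_ie_settings(SAMPLE_IE_SETTINGS),
                             parse_prefs_js(SAMPLE_PREFS_JS))


if __name__ == "__main__":
    for f in demo():
        print(f)
```

A loopback ProxyServer is reported even when ProxyEnable is 0 (it comes back with enabled=False), because a stale entry like that is exactly the leftover the fix clears; on the Firefox side network.proxy.type = 1 means the manual proxy is live, which is why the fix removes all three prefs rather than only the host.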

#29
papa_A_D

papa_A_D

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
I'm having some problems running MBAM - again. I'm going to remove the program and re-install it in order to try again. Also, I'm not showing any stored IE history links after each session.

Here is the log for the OTL run:

All processes killed
========== OTL ==========
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Prefs.js: "127.0.0.1" removed from network.proxy.http
Prefs.js: 52970 removed from network.proxy.http_port
Prefs.js: 1 removed from network.proxy.type
C:\Documents and Settings\Hemphill\Local Settings\Application Data\523i15k6q8ybe1q7n25tq08885823u42w2p3g6pwjy2 moved successfully.
C:\Documents and Settings\All Users\Application Data\523i15k6q8ybe1q7n25tq08885823u42w2p3g6pwjy2 moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Hemphill\Desktop\Virus Ware\cmd.bat deleted successfully.
C:\Documents and Settings\Hemphill\Desktop\Virus Ware\cmd.txt deleted successfully.
File\Folder C:\Documents and Settings\Hemphill\Local Settings\Application Data\523i15k6q8ybe1q7n25tq08885823u42w2p3g6pwjy2 not found.
File\Folder C:\Documents and Settings\All Users\Application Data\523i15k6q8ybe1q7n25tq08885823u42w2p3g6pwjy2 not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Hemphill
->Temp folder emptied: 217308 bytes
->Temporary Internet Files folder emptied: 30163220 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 814 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33237 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

User: NetworkService
->Temp folder emptied: 6386 bytes
->Temporary Internet Files folder emptied: 32835 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 7872 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 20805760 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 49.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 12152011_124420

Files\Folders moved on Reboot...
C:\Documents and Settings\Hemphill\Local Settings\Temporary Internet Files\Content.IE5\9SR72NHG\page__st__15[1].htm moved successfully.
C:\Documents and Settings\Hemphill\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

Registry entries deleted on Reboot...

Edited by papa_A_D, 15 December 2011 - 11:50 PM.


#30 papa_A_D (Topic Starter, Member, 56 posts)
Here is the MBAM:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8378

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/15/2011 10:24:51 PM
mbam-log-2011-12-15 (22-24-50).txt

Scan type: Quick scan
Objects scanned: 184713
Time elapsed: 14 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{ac2e4ae7-2d16-45ea-991c-2441dfd05696} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{ac2e4ae7-2d16-45ea-991c-2441dfd05696} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{488C2712-1482-42AD-BC4D-681E5832F0C2} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{488C2712-1482-42AD-BC4D-681E5832F0C2} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D0C6F55-E3EB-4D6B-8F52-996B4DA196D9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6D0C6F55-E3EB-4D6B-8F52-996B4DA196D9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8EB0AAA0-2FFE-4326-8331-EFE2D5D15EC7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8EB0AAA0-2FFE-4326-8331-EFE2D5D15EC7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{EB2049F6-9DFA-4E51-B2A1-FC5A6E596C80} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EB2049F6-9DFA-4E51-B2A1-FC5A6E596C80} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F9A402FD-82C8-4743-991E-BC77E62DA0E5} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F9A402FD-82C8-4743-991E-BC77E62DA0E5} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

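The MBAM log above records every hit on one line as `<item> (<family>) -> <action>.`, grouped under section headers that repeat the counts from the summary block. As an added example that is not part of the original thread and not Malwarebytes code, here is a small Python parser for that layout. It cross-checks the declared counts against the detail lines (a cheap way to spot a truncated paste), groups hits by family, flags items the scanner detected but did not remove, and flags entries under HKEY_LOCAL_MACHINE, which apply to every account on the machine rather than only the logged-on user (the Ext\PreApproved branch in particular is the list of add-on CLSIDs Internet Explorer loads without prompting). The log text embedded below is constructed for this example with made-up GUIDs and a made-up "No action taken" line; treating "Quarantined and deleted successfully" as the only removal status is an assumption about MBAM's wording.

```python
import re
from collections import Counter

# Constructed sample in the layout of a Malwarebytes' Anti-Malware 1.x log.
# GUIDs, paths and the "No action taken" entry are made up for this example.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Scan type: Quick scan
Objects scanned: 1000
Time elapsed: 1 minute(s), 0 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{11111111-1111-1111-1111-111111111111} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{22222222-2222-2222-2222-222222222222} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\example (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\user\local settings\temp\example.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected: 12"  -> declared count in the summary block
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "Registry Keys Infected:"     -> start of a detail section
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<family>) -> <action>."  greedy item so paths with "(x86)" still parse
FINDING_RE = re.compile(r"^(?P<item>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

# Assumption: this is the only status MBAM writes for a removed item.
REMOVED_STATUS = "quarantined and deleted"


def parse_mbam_log(text):
    """Return (declared_counts, findings) for MBAM 1.x log text.

    declared_counts maps section name -> count from the summary block.
    findings is a list of dicts: section, item, name, action, removed.
    """
    declared = {}
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            declared[m.group("section")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue  # unrecognised line inside a section; ignore rather than guess
        action = m.group("action")
        findings.append({
            "section": section,
            "item": m.group("item"),
            "name": m.group("name"),
            "action": action,
            "removed": action.lower().startswith(REMOVED_STATUS),
        })
    return declared, findings


def summarize(declared, findings):
    """Cross-check declared counts, group by family, flag what still needs attention."""
    parsed_counts = Counter(f["section"] for f in findings)
    mismatches = {
        s: (n, parsed_counts.get(s, 0))
        for s, n in declared.items()
        if n != parsed_counts.get(s, 0)
    }
    not_removed = [f["item"] for f in findings if not f["removed"]]
    machine_wide = [f["item"] for f in findings
                    if f["item"].upper().startswith("HKEY_LOCAL_MACHINE")]
    return {
        "mismatches": mismatches,           # section -> (declared, parsed)
        "by_family": dict(Counter(f["name"] for f in findings)),
        "not_removed": not_removed,         # detected but left in place
        "machine_wide": machine_wide,       # HKLM entries: affect all users
    }


if __name__ == "__main__":
    declared, findings = parse_mbam_log(SAMPLE_LOG)
    for key, value in summarize(declared, findings).items():
        print(f"{key}: {value}")
```

Run it against a saved mbam-log-*.txt by reading the file into `parse_mbam_log` instead of `SAMPLE_LOG`; a non-empty `mismatches` means the pasted log does not match its own summary, and a non-empty `not_removed` list means another pass with removal enabled is still needed.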