Virtumonde Infection


  • This topic is locked
9 replies to this topic

#1 Timem604


Posted 22 December 2008 - 06:14 PM

Random System Information
When I'm trying to install it, it's giving me an error


Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

22/12/2008 2:55:51 PM
mbam-log-2008-12-22 (14-55-51).txt

Scan type: Quick Scan
Objects scanned: 64811
Time elapsed: 7 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Not selected for removal.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HiJackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:46 PM, on 22/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Steam\Steam.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: {cf450ee2-f07f-7ed8-0d24-afae4cd8f950} - {059f8dc4-eafa-42d0-8de7-f70f2ee054fc} - C:\WINDOWS\system32\ybsyua.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {81F3F8A6-7603-4F90-A2A2-26150703B071} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall Pro\feedback.exe" /dump:os_startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-1694689974-1048169671-4127071486-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1694689974-1048169671-4127071486-1008\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-1694689974-1048169671-4127071486-1008\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe
O8 - Extra context menu item: &Search - ?p=ZN
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall Pro\ie_bar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://jumpoverthatsucka.spaces.msn.com//P...ad/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {7606693A-C18D-4567-AF85-6194FF70761E} (GomWeb Control) - http://app.gomtv.com/gom/GomWeb.cab
O16 - DPF: {82FFA573-38AA-482A-99AD-91F697B91631} (Installer.InstallControl) - http://www.file2you.net/applet.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {B8C4B31D-6DCE-4DF0-BF73-44686849F67D} (PDRInst1 Class) - http://imgcdn.pandora.tv/pan_img/p3player/...age/pdrinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D6855164-25C2-40D2-BA39-D8A57FF0B49C} (RedbananaVistaPlay Class) - http://suddenattack.redbanana.jp/_include/...anaAutoPlay.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab57176.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax4507.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll ybsyua.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: opnkklME - C:\WINDOWS\
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lmab_device - Lexmark International, Inc. - C:\WINDOWS\system32\LMabcoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 14768 bytes

Kaspersky Online Scanner
I cannot run it; every time I tried running it, a pop-up comes out and I get an error.

Please help me



#2 Buckeye_Sam


    Malware Expert



Posted 23 December 2008 - 05:23 PM

Hello! :thumbsup:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I may ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • A second report, Attach.txt will open next.
  • Save both reports to your desktop.
Please copy and paste both logs into your next reply.


=============


The next log will show us any hidden files that are present.

Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Timem604


Posted 23 December 2008 - 08:39 PM

Hey Sam, Thanks for answering.

Here is my DDS Report

DDS.txt
DDS (Version 1.1.0) - NTFSx86
Run by HP_Administrator at 16:21:52.26 on 23/12/2008
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://google.ca/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: Show Norton Toolbar: {90222687-F593-4738-B738-FBEE9C7B26DF} - Apartment
TB: Windows Live Toolbar: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
Yahoo! Toolbar
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\progra~1\common~1\instal~1\update~1\issch.exe" -start
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [OutpostMonitor] c:\progra~1\agnitum\outpos~1\op_mon.exe /tray /noservice
mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost firewall pro\feedback.exe" /dump:os_startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\d-link\d-link rangebooster n dwa-542\wirelesscm.exe
IE: &Search - ?p=ZN
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\npjpi160_07.dll
IE: {44627E97-789B-40d4-B5C2-58BD171129A1} - {A1A7E22D-1587-4230-8F16-081C68D21448} - c:\program files\agnitum\outpost firewall pro\ie_bar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
SEH: SABShellExecuteHook Class: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\tuvULcAR

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\kllclp9h.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/firefox
FF - prefs.js: keyword.URL - hxxp://ca.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\kllclp9h.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\windows\system32\npmirage.dll

============= SERVICES / DRIVERS ===============

RSPR?S?C?P?P?01234RSPR?S?C?P?P?01234

=============== Created Last 30 ================

2008-12-22 02:29 234,640 a------- c:\windows\system32\drivers\afwcore.sys
2008-12-22 02:21 49 a------- c:\windows\transp.gif
2008-12-22 02:21 673,920 a------- c:\windows\system32\drivers\SandBox.sys
2008-12-22 02:21 30,864 a------- c:\windows\system32\drivers\afw.sys
2008-12-22 02:20 <DIR> --d----- c:\windows\system32\Filt
2008-12-22 02:20 <DIR> --d----- c:\program files\Agnitum
2008-12-22 02:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Agnitum
2008-12-22 01:18 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2008-12-22 01:18 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-22 01:18 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-22 01:18 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-22 01:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-22 00:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-22 00:38 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-22 00:38 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\SUPERAntiSpyware.com
2008-12-21 17:44 <DIR> --d----- c:\program files\Trend Micro
2008-12-21 17:43 11,254 a------- c:\windows\system32\locate.com
2008-12-21 17:42 86,224 a------- C:\MGlogs.zip
2008-12-21 17:41 <DIR> --d----- C:\MGtools
2008-12-21 17:41 1,312,897 a------- C:\MGtools.exe
2008-12-21 17:31 607,947 a--sh--- c:\windows\system32\RAcLUvut.ini2
2008-12-21 17:31 607,947 a--sh--- c:\windows\system32\RAcLUvut.ini
2008-12-21 14:26 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-21 14:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-20 22:52 <DIR> --d----- C:\VundoFix Backups
2008-12-20 21:07 135,168 a------- c:\windows\system32\mrccewct.dll
2008-12-19 23:32 <DIR> --d----- c:\program files\VideoLAN
2008-12-19 23:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TVU Networks
2008-12-19 23:27 <DIR> --d----- c:\documents and settings\hp_administrator\LocalLow
2008-12-19 19:26 <DIR> --d----- c:\program files\VSTplugins
2008-12-04 11:56 107,864 a------- c:\windows\system32\tsccvid.dll
2008-12-04 11:56 <DIR> --d----- c:\windows\system32\QuickTime
2008-12-04 11:55 <DIR> --d----- c:\program files\common files\TechSmith Shared
2008-11-25 16:23 135,168 a------- c:\windows\system32\igfxres.dll

==================== Find3M ====================

2008-12-12 22:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-11-30 20:01 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-30 20:01 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2008-11-30 20:01 10,671 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-30 20:01 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-10-24 03:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 04:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:35 83,288 a------- c:\windows\system32\LMIRfsClientNP.dll
2008-10-16 19:35 28,984 a------- c:\windows\system32\LMIport.dll
2008-10-16 19:35 10,040 a------- c:\windows\system32\lmimirr2.dll
2008-10-16 19:35 23,736 a------- c:\windows\system32\lmimirr.dll
2008-10-16 19:35 87,352 a------- c:\windows\system32\LMIinit.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 05:11 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 05:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 08:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-14 23:06 633,632 a------- c:\windows\system32\dllcache\iexplore.exe
2008-10-14 23:04 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2008-10-03 02:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 02:02 247,326 a------- c:\windows\system32\dllcache\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-06-26 12:17 36,868 a------- c:\program files\uninst-Particular.exe
2007-11-18 11:10 1,946 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2008-08-27 13:09 16,384 a--sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2008-08-27 13:09 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-08-27 13:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082720080828\index.dat
2008-08-27 13:09 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 16:23:08.42 ===============

Attach.txt
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)


==== Disk Partitions =========================


==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Ad-Aware SE Personal
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe After Effects CS3 Third Party Content
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 7.0.9
Adobe Setup
Adobe Shockwave Player
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Video Profiles
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
Agnitum Outpost Firewall Pro
AiO_Scan
AiOSoftware
AppCore
Apple Software Update
ArcSoft PhotoImpression 5
AutoUpdate
AV
BufferChm
CameraDrivers
Camtasia Studio 5
ccCommon
CCleaner (remove only)
Condition Zero
Counter-Strike
Counter-Strike: Source
CP_AtenaShokunin1Config
CP_CalendarTemplates1
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
CueTour
D-Link RangeBooster N DWA-542
DebugMode PluginPac (remove only)
Dedicated Server
Defraggler (remove only)
Destinations
DeviceManagementQFolder
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DocProc
DocumentViewer
DocumentViewerQFolder
Dynamics CGA 6.0
EPSON Printer Software
EPSON Scan
Fax
ffdshow [rev 2033] [2008-07-05]
Fraps (remove only)
FrostWire 4.17.2
GemMaster Mystic
GOM Player
GSC
GTK+ 2.8.18-1 runtime environment
High Definition Audio Driver Package - KB888111
Highlight Viewer (Windows Live Toolbar)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
HP Boot Optimizer
HP Deskjet Printer Preload
HP DigitalMedia Archive
HP Document Viewer 5.3
HP Game Console and games
HP Image Zone 5.3
HP Image Zone for Media Center PC
HP Imaging Device Functions 5.3
HP Multimedia Keyboard Software
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Photosmart Cameras 5.0
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HP Tunes
HPProductAssistant
HpSdpAppCoreApp
I. Basics
II. Interfaces
III. Databases
InstantShareDevices
Intel® Graphics Media Accelerator Driver
IntelliMover Data Transfer Demo
InterVideo WinDVD Player
IV. ActiveX Programming
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
Lexmark Software Uninstall
Library
LightScribe 1.4.42.1
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Macromedia Dreamweaver 8
Macromedia Extension Manager
Magic Bullet Editors 2.0 Vegas
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel Viewer 2003
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Sounds
Microsoft Office Standard Edition 2003
Microsoft Office Visio Professional 2003
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft SQL Server Compact 3.5 Design Tools ENU
Microsoft SQL Server Compact 3.5 ENU
Microsoft Visual Basic 2008 Express Edition - ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows SDK for Visual Studio 2008 Express Tools for .NET Framework
Microsoft Windows SDK for Visual Studio 2008 Express Tools for Win32
Microsoft Works
mIRC
Morgan M-JPEG codec V3
Motorola SM56 Speakerphone Modem
Mozilla Firefox (3.0.5)
MSN Music Assistant
MSRedist
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
muvee autoProducer 4.0
muvee autoProducer unPlugged 1.1 - HPD
NamelessRO Eclipse
NewBlue Film Effects for Vegas
NewBlue Motion Effects 2.0 for Vegas
NewCopy
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
Office 2003 Tour
OpenMG Limited Patch 4.1-05-13-31-01
OpenMG Secure Module 4.1.00
Otto
PanoStandAlone
PC-Doctor 5 for Windows
PDF Settings
PhotoGallery
Programming Microsoft Visual Basic 6.0 eBook
PSPrinters08
PSTAPlugin
Python 2.2 pywin32 extensions (build 203)
QBFC3.0b
QFolder
QuickTime
Ragnarok Online
Ragnarok Sakray
RandMap
Readme
Scan
ScannerCopy
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Simply Accounting 2004 PRO
SkinsHP1
Smart Menus (Windows Live Toolbar)
SolutionCenter
Sonic Encoders
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
Sony Vegas Pro 8.0
SPBBC 32bit
Spybot - Search & Destroy
Status
Steam
SUPERAntiSpyware Free Edition
Symantec Real Time Storage Protection Component
SymNet
Team Fortress Classic
The GIMP 2.2.17
Trapcode Shine
TrayApp
Tweak UI
Unload
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369)
Updates from HP (remove only)
V. Internet Programming
VBA (2720)
Ventrilo Client
VI. Windows API
VideoLAN VLC media player 0.8.5
WebFldrs XP
WebReg
Windows API Library
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Live Favorites for Windows Live Toolbar
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See KB889858 for more information]
Windows Media Player Firefox Plugin
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB890629
Windows XP Media Center Edition 2005 KB895678
Windows XP Service Pack 3
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
Xvid 1.1.3 final uninstall
Zune Desktop Theme

==== End Of File ===========================

GMER Log
GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2008-12-23 17:36:57
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.12 ----

SSDT 86C216C8 ZwAlertResumeThread
SSDT 864E63C0 ZwAlertThread
SSDT 86DF7308 ZwAllocateVirtualMemory
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwAssignProcessToJobObject
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwClose
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwConnectPort
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwCreateFile
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwCreateKey
SSDT 86C12230 ZwCreateMutant
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwCreateProcess
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwCreateProcessEx
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwCreateSection
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwCreateSymbolicLinkObject
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwCreateThread
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwDeleteFile
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwDeleteKey
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwDeleteValueKey
SSDT 86DFB5E8 ZwFreeVirtualMemory
SSDT 86D265E8 ZwImpersonateAnonymousToken
SSDT 86C17618 ZwImpersonateThread
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwLoadDriver
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwMakeTemporaryObject
SSDT 86D9F5D8 ZwMapViewOfSection
SSDT 86BA0BD0 ZwOpenEvent
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwOpenFile
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwOpenKey
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwOpenProcess
SSDT 86C88E90 ZwOpenProcessToken
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwOpenSection
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwOpenThread
SSDT 86E06DE0 ZwOpenThreadToken
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwProtectVirtualMemory
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwQueryDirectoryFile
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwQueryKey
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwQueryValueKey
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwQueueApcThread
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwRenameKey
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwReplaceKey
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwRequestPort
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwRestoreKey
SSDT 86CE6950 ZwResumeThread
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwSaveKey
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwSaveKeyEx
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwSecureConnectPort
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwSetContextThread
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwSetInformationFile
SSDT 86DF2610 ZwSetInformationProcess
SSDT 86D2BAA0 ZwSetInformationThread
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwSetSystemInformation
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwSetValueKey
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwSuspendProcess
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwSuspendThread
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwSystemDebugControl
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwTerminateThread
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwUnloadDriver
SSDT 86C211C8 ZwUnmapViewOfSection
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2BF4 80504490 8 Bytes [ C8, 16, C2, 86, C0, 63, 4E, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2C69 80504505 3 Bytes [ 5D, 75, AA ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2C80 8050451C 8 Bytes [ 46, 46, 76, AA, 5E, 51, 76, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2C94 80504530 8 Bytes [ 82, 56, 75, AA, C6, 2C, 76, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2CBC 80504558 8 Bytes [ 26, 3F, 75, AA, 4E, 7D, 75, ... ]
.text ...

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe[256] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 0078B84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe[256] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 0078B4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe[256] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 0078B508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe[256] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 0078B878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe[256] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 0078B534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[324] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[324] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[324] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[324] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[324] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe[364] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 00524834 C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
.text C:\WINDOWS\system32\PnkBstrA.exe[600] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\PnkBstrA.exe[600] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\PnkBstrA.exe[600] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\PnkBstrA.exe[600] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\PnkBstrA.exe[600] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe[636] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe[636] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe[636] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe[636] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe[636] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ALCMTR.EXE[652] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ALCMTR.EXE[652] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ALCMTR.EXE[652] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ALCMTR.EXE[652] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ALCMTR.EXE[652] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ehome\ehtray.exe[656] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ehome\ehtray.exe[656] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ehome\ehtray.exe[656] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ehome\ehtray.exe[656] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ehome\ehtray.exe[656] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[784] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[784] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[784] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[784] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[784] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ehome\ehRecvr.exe[864] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ehome\ehRecvr.exe[864] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ehome\ehRecvr.exe[864] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ehome\ehRecvr.exe[864] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ehome\ehRecvr.exe[864] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[948] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[948] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[948] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[948] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[948] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\winlogon.exe[1040] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\winlogon.exe[1040] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\winlogon.exe[1040] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\winlogon.exe[1040] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\winlogon.exe[1040] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\services.exe[1084] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\services.exe[1084] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\services.exe[1084] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\services.exe[1084] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\services.exe[1084] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system\hpsysdrv.exe[1272] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system\hpsysdrv.exe[1272] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system\hpsysdrv.exe[1272] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system\hpsysdrv.exe[1272] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system\hpsysdrv.exe[1272] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ehome\ehSched.exe[1452] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ehome\ehSched.exe[1452] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ehome\ehSched.exe[1452] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ehome\ehSched.exe[1452] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ehome\ehSched.exe[1452] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\explorer.exe[1588] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\explorer.exe[1588] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\explorer.exe[1588] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\explorer.exe[1588] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\explorer.exe[1588] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1756] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1756] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1756] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1756] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1756] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe[1876] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe[1876] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe[1876] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe[1876] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe[1876] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\spoolsv.exe[2024] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\spoolsv.exe[2024] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\spoolsv.exe[2024] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\spoolsv.exe[2024] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\spoolsv.exe[2024] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\dllhost.exe[2088] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\dllhost.exe[2088] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\dllhost.exe[2088] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\dllhost.exe[2088] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\dllhost.exe[2088] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe[2132] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe[2132] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe[2132] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe[2132] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe[2132] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\hkcmd.exe[2248] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 009AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\hkcmd.exe[2248] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 009AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\hkcmd.exe[2248] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 009AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\hkcmd.exe[2248] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 009AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\hkcmd.exe[2248] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 009AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\igfxpers.exe[2288] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\igfxpers.exe[2288] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\igfxpers.exe[2288] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\igfxpers.exe[2288] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\igfxpers.exe[2288] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[2316] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[2316] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[2316] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[2316] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[2316] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ALCWZRD.EXE[2376] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ALCWZRD.EXE[2376] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ALCWZRD.EXE[2376] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ALCWZRD.EXE[2376] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ALCWZRD.EXE[2376] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ehome\ehmsas.exe[2392] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ehome\ehmsas.exe[2392] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ehome\ehmsas.exe[2392] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ehome\ehmsas.exe[2392] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\ehome\ehmsas.exe[2392] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2484] kernel32.dll!LoadResource 7C80A045 5 Bytes JMP 0056D260 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2484] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 00567184 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2484] user32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 005671DC C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2484] user32.dll!EnableWindow 7E429849 5 Bytes JMP 01641C24 C:\PROGRA~1\Agnitum\OUTPOS~1\op_cmn.dll
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2484] user32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 005671B0 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe
.text C:\hp\KBD\kbd.exe[2824] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\hp\KBD\kbd.exe[2824] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\hp\KBD\kbd.exe[2824] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\hp\KBD\kbd.exe[2824] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\hp\KBD\kbd.exe[2824] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\notepad.exe[2916] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\notepad.exe[2916] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\notepad.exe[2916] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\notepad.exe[2916] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\notepad.exe[2916] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\ctfmon.exe[2984] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\ctfmon.exe[2984] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\ctfmon.exe[2984] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\ctfmon.exe[2984] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\system32\ctfmon.exe[2984] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3012] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3012] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3012] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3012] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3012] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe[3284] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 00F5B84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe[3284] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 00F5B4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe[3284] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 00F5B508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe[3284] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 00F5B878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe[3284] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 00F5B534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\SOUNDMAN.EXE[3940] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\SOUNDMAN.EXE[3940] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\SOUNDMAN.EXE[3940] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\SOUNDMAN.EXE[3940] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\WINDOWS\SOUNDMAN.EXE[3940] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Documents and Settings\HP_Administrator\Desktop\New Folder\gmer.exe[4052] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AB84C c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Documents and Settings\HP_Administrator\Desktop\New Folder\gmer.exe[4052] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AB4DC c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Documents and Settings\HP_Administrator\Desktop\New Folder\gmer.exe[4052] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AB508 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Documents and Settings\HP_Administrator\Desktop\New Folder\gmer.exe[4052] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AB878 c:\progra~1\agnitum\outpos~1\wl_hook.dll
.text C:\Documents and Settings\HP_Administrator\Desktop\New Folder\gmer.exe[4052] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100AB534 c:\progra~1\agnitum\outpos~1\wl_hook.dll

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F6A5115A] afwcore.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F6A51664] afwcore.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F6A514DC] afwcore.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F6A5124A] afwcore.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F6A5115A] afwcore.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F6A51664] afwcore.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F6A514DC] afwcore.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F6A5124A] afwcore.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F6A5115A] afwcore.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F6A51664] afwcore.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F6A514DC] afwcore.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F6A5124A] afwcore.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F6A5115A] afwcore.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F6A51664] afwcore.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F6A514DC] afwcore.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F6A5124A] afwcore.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F6A5115A] afwcore.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F6A51664] afwcore.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F6A514DC] afwcore.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F6A5124A] afwcore.sys

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF
ADS C:\Documents and Settings\All Users\Application Data\TEMP:0F8F5844
ADS C:\Documents and Settings\All Users\Application Data\TEMP:13EDD51B
ADS C:\Documents and Settings\All Users\Application Data\TEMP:888AFB86
ADS C:\Documents and Settings\HP_Administrator\Favorites\0-9 Movies - Watch Movies Online For Free Full Movie Downloads.url:favicon
ADS C:\Documents and Settings\HP_Administrator\Favorites\Admin Command.url:favicon
ADS C:\Documents and Settings\HP_Administrator\Favorites\CIA - The World Factbook -- Philippines.url:favicon
ADS C:\Documents and Settings\HP_Administrator\Favorites\DarkSideRO.url:favicon
ADS C:\Documents and Settings\HP_Administrator\Favorites\MikoMew Forums (Powered by Invision Power Board).url:favicon
ADS C:\Documents and Settings\HP_Administrator\Favorites\newspaper Article.url:favicon
ADS C:\Documents and Settings\HP_Administrator\Favorites\Sciprt.url:favicon
ADS ...
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\45\145-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v145-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v145-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\46\46-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v46-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v46-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\49\149-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v149-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v149-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\49\149-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v149-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v149-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\51\151-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v151-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v151-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\51\151-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v151-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v151-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\51\51-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v51-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v51-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\52\52-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v52-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v52-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\58\58-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v58-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v58-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\58\58-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v58-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v58-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\59\59-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v59-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v59-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\59\59-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v59-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v59-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\62\62-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v62-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v62-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\64\164-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v164-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v164-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\64\164-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v164-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v164-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\65\165-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v165-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v165-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\65\165-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v165-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v165-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\66\166-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v166-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v166-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\68\68-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v68-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v68-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\75\275-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v275-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v275-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\75\75-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v75-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v75-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\80\280-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v280-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v280-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\85\285-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v285-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v285-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\90\290-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v290-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v290-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\98\198-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v198-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v198-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\girls_h8_jobs@hotmail.com\SharingMetadata\marcos_200027@hotmail.com\DFSR\Staging\CS{16BDD671-A90A-8EDD-BC83-9DB9B44FFE8D}\98\198-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v198-{DF531185-1FA4-4A32-A941-FCB256ABBDDE}-v198-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

---- EOF - GMER 1.0.12 ----

#4 Buckeye_Sam

Malware Expert

Posted 24 December 2008 - 10:40 AM

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please click OTMoveIt3 and then click >> run.
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    c:\windows\system32\RAcLUvut.ini2
    c:\windows\system32\RAcLUvut.ini
    
    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):"msv1_0"
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System]
    
    :Commands
    [EmptyTemp]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



================



Now let's update Malwarebytes and run a new scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform quick scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



How is your computer behaving now?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
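
An added example, not part of the original thread: the fix script in the post above resets the LSA "Authentication Packages" value to msv1_0, and this Python check reads a regedit export of that key, decodes the hex(7) (REG_MULTI_SZ) data and lists any entry other than that baseline. The two exports and the entry name `example` are constructed samples, and the baseline is an assumption taken from the script in the post.

```python
# Baseline assumed from the fix script in the post, which sets the value to "msv1_0".
BASELINE = {"msv1_0"}
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_PREFIX = '"authentication packages"='

# Constructed sample: the value as it looks after the fix (only msv1_0).
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,00
"""

# Constructed sample: a second entry ("example") appended, split across two
# lines with regedit's trailing-backslash continuation.
MODIFIED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,\
  65,00,78,00,61,00,6d,00,70,00,6c,00,65,00,00,00,00,00
"""


def decode_multi_sz(hex_bytes):
    """Decode comma-separated hex bytes of a hex(7) value into its strings."""
    raw = bytes(int(b, 16) for b in hex_bytes.replace(" ", "").split(",") if b)
    if len(raw) % 2:
        raise ValueError("REG_MULTI_SZ data is not whole UTF-16 code units")
    # REG_MULTI_SZ is a run of NUL-terminated UTF-16LE strings plus a final NUL.
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def lsa_auth_packages(reg_export):
    """Return the Authentication Packages entries, or None if the value is absent.

    reg_export is the export as text; a .reg file on disk is normally UTF-16
    and has to be decoded before it is passed in.
    """
    lines = reg_export.splitlines()
    in_key = False
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("["):
            # Exact key match only, so subkeys of Lsa are ignored.
            in_key = line.strip("[]").lower() == LSA_KEY.lower()
        elif in_key and line.lower().startswith(VALUE_PREFIX):
            value = line.split("=", 1)[1]
            # Join continuation lines that end with a backslash.
            while value.endswith("\\") and i + 1 < len(lines):
                i += 1
                value = value[:-1] + lines[i].strip()
            if not value.lower().startswith("hex(7):"):
                raise ValueError("Authentication Packages is not a hex(7) value")
            return decode_multi_sz(value[len("hex(7):"):])
        i += 1
    return None


def unexpected_packages(reg_export):
    """List entries that are not in the baseline; empty list means nothing to review."""
    entries = lsa_auth_packages(reg_export) or []
    return [e for e in entries if e.lower() not in BASELINE]


if __name__ == "__main__":
    for name, export in (("clean", CLEAN_EXPORT), ("modified", MODIFIED_EXPORT)):
        print(name, lsa_auth_packages(export), "unexpected:", unexpected_packages(export))
```
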

#5 Timem604

Topic Starter

Posted 24 December 2008 - 08:10 PM

========== FILES ==========
c:\windows\system32\RAcLUvut.ini2 moved successfully.
c:\windows\system32\RAcLUvut.ini moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\"Authentication Packages"|hex(7):"msv1_0" /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan\\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System\\ not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\etilqs_yaQ1wicLYGoYxWUlZami scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\kllclp9h.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\kllclp9h.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\kllclp9h.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\kllclp9h.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\kllclp9h.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\kllclp9h.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12242008_164018

Files moved on Reboot...
File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\etilqs_yaQ1wicLYGoYxWUlZami not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\kllclp9h.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\kllclp9h.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\kllclp9h.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\kllclp9h.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\kllclp9h.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\kllclp9h.default\XUL.mfl moved successfully.








(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\mrccewct.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

#6 Buckeye_Sam


Posted 25 December 2008 - 07:00 PM

How is your computer behaving now?

#7 Timem604


Posted 26 December 2008 - 06:36 PM

How is your computer behaving now?


There are no more pop-ups, but my computer is still pretty slow. It wasn't slow before... also, every time I do a Google/Yahoo search it's not giving me the website I want to go to. For example, when I type "craiglist" it's redirecting me to "cheating housewifes".

Thanks a lot for helping me, Sam. Merry Christmas and Happy New Year.

Edited by Timem604, 26 December 2008 - 08:29 PM.


#8 Buckeye_Sam


Posted 27 December 2008 - 11:27 AM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#9 Buckeye_Sam


Posted 02 January 2009 - 02:44 PM

Are you still with me?

#10 Buckeye_Sam


Posted 05 January 2009 - 09:01 AM

Unfortunately there has been no response. :thumbsup:
This thread will now be closed.



